Cyber
@Cyber@feddit.uk
- Comment on What external services do you use for your selfhosting setup? 1 week ago:
- Let’s Encrypt…
- Backblaze (for now, until I find an alternative closer to home)
- Comment on Jellyswarrm - reverse proxy all your Jellyfin servers from a single interface, presenting as a standard Jellyfin server, clients should work out of the box. 1 week ago:
🤗
- Comment on Docker or Proxmox? Something else entirely? 2 weeks ago:
Hmm, I set up a Proxmox machine a while back because, well, all the cool kids seemed to do it - and plenty of “support” on YouTube
I found Incus and it just seemed better, but it was harder to find info on (back then) and seemed a little unready
Now, I regret not sticking with my gut instinct as I’ve got to basically rip out Proxmox to get Incus in, which means all my VMs are prisoners (and us: 1 VM is Home Assistant!)
So, do you know if it’s possible to migrate my VMs across to Incus, or is it literally wipe drive, start again?
(Obviously the data in each VM can be backed up & restored into new VMs)
- Comment on choosing a NIC for OPNsense 2 weeks ago:
Ah, ok, good to know, thanks
- Comment on Am I corrupting my data? 2 weeks ago:
I think you’ve misunderstood
Ok, OMV needs a separate (small) boot drive to install on (ie consider a M.2 / SSD on a USB adapter)
But, then all your (large) storage is used for the NAS.
OMV will run Docker containers, but their data would also be pointed to the large NAS storage.
| Small  | Large     |
|--------|-----------|
| OMV    | Files     |
| Docker | Data, etc |
- Comment on choosing a NIC for OPNsense 2 weeks ago:
Why the MTU change?
- Comment on Am I corrupting my data? 2 weeks ago:
I always prefer bare metal for the core NAS functionality. There’s no benefit in adding a hypervisor layer just to create an NFS / SMB / iSCSI share
OMV comes with its own bare metal installer, based on Debian, so it’s as stable as a rock.
If you’ve used it before, you’re probably aware that it needs its own drive to install on, then everything else is the bulk storage pool… I’ve used various USB / mSATA / M.2 drives over the years and found it’s a really good way to segregate things.
I stopped using OMV when - IMO - “core” functions I was using (ie syncthing) became containers, because I have no use for that level of abstraction (but it’s less work for the OMV dev to maintain addons, so fair enough)
So, you don’t have to install docker, OMV automatically handles it for you.
How much OMV’s moved on, I don’t know, but I thought it would simplify your setup.
- Comment on Am I corrupting my data? 2 weeks ago:
You should have all your data separately stored, it shouldn’t be locked inside containers, and using a VM hosted on a device to serve the data is a little convoluted
I personally don’t like TrueNAS - I’m not a hater, it just doesn’t float my boat (but I suspect someone will rage-downvote me 😉)
So, as an alternative approach, have a look at OpenMediaVault
It’s basically a Debian based NAS designed for DIY systems, which serves the local drives but it also has docker on, so feels like it might be a better fit for you.
- Comment on Help diagnosing server freeze issue 2 weeks ago:
Definitely suspect.
You should be able to let memtest run for days with no problems, so a reboot would either be a faulty stick or possibly a faulty motherboard slot.
Swap the RAM between slots to isolate the root cause
- Comment on Securing a 'public' service for family 3 weeks ago:
GeoIP blocking
You mention a firewall, but for any open ports still restrict the source IPs to limited ranges not “all”.
Personally, at my home’s edge firewall I have pfSense with pfBlocker and that uses a GeoIP database, so I can just pick the countries I want to allow in… you want to block as early as possible (ie at the VPS?), so you might have to look at options
If your family are in the same region, then it should be relatively easy to limit to a few ranges on the VPS
Here’s a quick search result: lite.ip2location.com/ip-address-ranges-by-country
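The source-range restriction described in the comment above, sketched as an added example (not part of the original comment): it turns per-country start/end ranges into CIDR blocks and applies a default-deny check. The CSV layout, the function names and the addresses (documentation ranges, not real GeoIP data) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in a "start,end,country" layout (an assumption);
# the addresses are RFC 5737 documentation ranges, not real GeoIP data.
SAMPLE_RANGES = """\
192.0.2.0,192.0.2.255,GB
198.51.100.0,198.51.100.191,GB
203.0.113.0,203.0.113.255,FR
"""


def build_allowlist(csv_text, allowed_countries):
    """Return collapsed CIDR networks for the allowed country codes."""
    nets = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, country = (field.strip() for field in line.split(","))
        if country.upper() not in allowed_countries:
            continue
        first = ipaddress.ip_address(start)
        last = ipaddress.ip_address(end)
        # A start-end range is not always one CIDR block; this yields the
        # minimal set of blocks that covers it exactly.
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks so the firewall rule set stays short.
    return list(ipaddress.collapse_addresses(nets))


def is_allowed(source_ip, allowlist):
    """Default deny: unparseable or unlisted sources are rejected."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


ALLOWLIST = build_allowlist(SAMPLE_RANGES, {"GB"})
```

The resulting CIDR list is what would be loaded into the firewall's source restriction for the open port; the membership check mirrors what the firewall then does per connection.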
- Comment on Looking for suggestions: Task scheduler ideally with reminders 3 weeks ago:
I have basically the same setup, but with Radicale.
Radicale is really lightweight, but quite basic - which is fine for my needs.
Out of curiosity, what pulled you to use Baikal?
- Comment on Router suggestions for a complete noob 3 weeks ago:
Ruckus … R500 I think (can’t check atm) from ebay.
MIMO, multiple SSIDs, etc, so work really well with the load of 2.4GHz wifi home automation gadgets I have around the house, with 2 of us working from home on Zoom / Teams calls.
Reflash them with the “unleashed” firmware and you don’t need their controller.
- Comment on Router suggestions for a complete noob 3 weeks ago:
You’ll probably need 2 devices: one actually connected to the external line (ie the modem part) and then your actual router / wifi access point(s).
Personally, I have a Fritzbox router configured into bridge mode so it just deals with the line signal and passes all the PPPoE / internet comms to a pfSense box I built (ie anything… an old thin client, new microATX, etc…)
I then have separate POE WAPs for wifi around the house, but pfSense can deal with radio drivers too if separate WAPs are too much today.
This way, if something goes wrong I can always go back to a single domestic router, keep the family happy, download anything I need to fix my setup and then move forwards again.
I like having separate components with an up/downgrade path
- Comment on Just a little server 1 month ago:
Have a look at Patrick Kennedy’s reviews on yoochoob under ServeTheHome - there’s some fantastic hardware available now
I ended up buying something from AliExpress, which I was initially reluctant to do - but Patrick’s reviews convinced me
For detailed reviews his site’s got the details from the videos: www.servethehome.com
- Comment on Custom remote backup 1 month ago:
It depends on the sync / backup software
Syncthing uses a stored list of hashes (which is why it takes a long time for the initial scan), then it can monitor filesystem activity for changes to know what to sync.
Rsync compares all source and destination files with some magical high speed algorithm
Then, backup software does… whatever.
Back in the day on FAT filesystems they used the archive bit on each file’s metadata, which was (IIRC) set during a backup and reset with any writes to that file. The next backup could then just backup those files.
Your current strategy is ok - just doing an offline backup after a bulk update, maybe it’s just making that more robust by automating it…?
I suspect you have quite a large archive as photos don’t compress well, and +2TBs won’t disappear with dedupe… so, it’s mostly about long term archival rather than highly dynamic data changes.
So that +2TB… do you drop those files in amongst everything else, or do you have 2 separate locations ie, “My Photos” + “To Be Organised”?
Maybe only backup “MyPhotos” once a year / quarter (for example), but fully sync “To Be Organised”… then you’ve reduced risk, and volume of backup data…?
- Comment on Custom remote backup 1 month ago:
The main point is that sync (like RAID) isn’t a backup. If ransomware got in and started encrypting all your files, how would you know / protect yourself…
There’s a lot of focus on 3-2-1 backups, so offsite is good, but consider your G-F-S strategy too - as long as this remote copy isn’t your only long-term backup option, then sync might be ok for you
So, syncthing / rsync / etc is fine… but maybe just point it to your monthly / weekly / daily backup folder(s) rather than the main files?
You also had some other suggestions I think, like zfs / btrfs snapshots… which would be a point in time copy of your files.
Or burn the photos to DVD / Bluray and store them at the other location? No power requirements there…
- Comment on Custom remote backup 1 month ago:
Wake on LAN won’t work remotely, so you’d either need to have access to a VPN at their location, or have a 2nd always on device that you can connect to and that could then WoL to your device… or… get a device with an IPMI which you remote into. (All non-VPN forms of remote connection are open to abuse)
I suspect (guess) you’re not going to be able to set up a VPN, so perhaps an always on pi is going to be necessary - so maybe it’ll be that with drives set to spin down when idle?
OpenMediaVault was my preferred choice until everything went docker on it which was getting too complex for a NAS… so I just created my own, which powers on at certain times of the day and off again when CPU / network IO was low enough.
Data transfer with syncthing is great, but I don’t really recommend sync for snapshot backups… (consider your files are all corrupted, it’ll happily sync those corruptions) but I have enough space for a few versions of my files, so in theory I can roll back, but it’s certainly not a Grandfather, Father, Son strategy.
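The Grandfather-Father-Son retention mentioned in the two comments above, as an added example (not part of the original comments): it selects which dated backups to keep and shows which of them predate a corruption or ransomware event. The function names, retention counts and sample dates are assumptions made for illustration.

```python
from datetime import date, timedelta


def newest_per_bucket(ordered, bucket_key, limit):
    """Pick the newest backup from each of the `limit` most recent buckets."""
    chosen, seen = [], set()
    if limit <= 0:
        return chosen
    for d in ordered:                      # ordered is newest first
        key = bucket_key(d)
        if key not in seen:
            seen.add(key)
            chosen.append(d)
        if len(chosen) == limit:
            break
    return chosen


def iso_week(d):
    """(ISO year, ISO week number) for a date."""
    return tuple(d.isocalendar())[:2]


def gfs_keep(backup_dates, daily=7, weekly=4, monthly=6):
    """Return the backup dates to retain; everything else may be pruned."""
    ordered = sorted(set(backup_dates), reverse=True)
    keep = set(ordered[:daily])                                        # sons
    keep.update(newest_per_bucket(ordered, iso_week, weekly))          # fathers
    keep.update(newest_per_bucket(ordered, lambda d: (d.year, d.month),
                                  monthly))                            # grandfathers
    return keep


def clean_restore_points(kept, corrupted_since):
    """Kept backups taken before the corruption started, newest first."""
    return sorted((d for d in kept if d < corrupted_since), reverse=True)


# Constructed sample: one backup per day from 2024-01-01 to 2024-03-31.
SAMPLE = [date(2024, 1, 1) + timedelta(days=n) for n in range(91)]
```

With only the newest copy retained, which is what a plain sync amounts to, `clean_restore_points` returns nothing once the corruption has been copied across.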
- Comment on Calendar app 1 month ago:
Not sure why you’ve been down voted - I think the fossify apps are really good.
I even contribute towards their app development
- Comment on Calendar app 1 month ago:
Vivaldi has a CalDav Calendar built in.
If you’re open to that possibility, I’ve been using it on both Windows and Linux laptops and works well with my radicale server.
- Comment on The Way Ubuntu Boots on Raspberry Pi is Changing 1 month ago:
Ansible is an automation tool to setup systems to a known desirable end state.
TBH, for a single device, it’s overkill, but you seem like someone who keeps good notes and has some custom files to copy across… you could convert your setup note into an Ansible file, and it will also copy over your custom config files.
For Ansible you define the desired outcome and it does “all” (kinda) the work for you… so… say you want Apache, MariaDB and PHP, it doesn’t matter if half are installed already, or not, or their dependencies - you just say:
- Do an update
- Install packages: A B C
- Copy my config files over
- Start the services
- Relax
Yep, it’ll take 10 times as long to get it working up front, but the day you want to duplicate it / start on a fresh Pi / VM, it’s all there for you.
I use it to set up all my Pi Zeros the same way (they’re doing BLE presence detection) and for their regular updates
I’ve also got some VMs set up that way
But… I tried it on a laptop and as it’s a single device I just ended up setting it up manually and now the ansible script is woefully out of date… just some balanced feedback.
- Comment on The Way Ubuntu Boots on Raspberry Pi is Changing 1 month ago:
Thanks. No need for the setup notes (but thanks for the kind offer), it was more about the experience, but I think you’ve already answered my question with less surface area (I do have 1 Pi that’s internet facing for Radicale)
Have you looked at Ansible? That might also cover what you’re trying to do.
- Comment on The Way Ubuntu Boots on Raspberry Pi is Changing 1 month ago:
I went with Arch Linux on ARM for a minimal approach - did you try that?
Genuinely interested in your experience of Alpine Linux as I’d not considered it on a Pi (only VMs so far…)
- Comment on What else should I self-host? 1 month ago:
If you’re just looking for something to chew up CPU cycles and don’t know what to host, consider something like BOINC where you’re “self-hosting” (extremely loose term) scientific research, like cancer, new drugs, etc.
- Comment on Photo management - storing friends' photos 1 month ago:
If they’re sharing it with me, then sure, I’ll add it to the folder for that party, holiday, event
Immich would scan it and faces are taken care of and if there’s metadata in there, great, if not, dunno if I could be bothered to edit it… maybe date stamp if that was wildly off.
- Comment on Photo management - storing friends' photos 1 month ago:
I commented elsewhere here, but E2E encryption is just between the server and the end user (ie a VPN)
You’re thinking about encryption at rest, on the storage.
Immich would have to setup a whole new design to be able to store all the metadata on a per-user basis… but… you could have multiple Immich instances if you were to host it for your friends, but I think we’re drifting into “why bother” now…
- Comment on Photo management - storing friends' photos 1 month ago:
Well… E2E is still feasible, that’s your VPN for example.
Encryption at rest is where de-dupe, search, etc, can break.
- Comment on You Should Run a Certificate Transparency Log 1 month ago:
I guess this is mainly targeted at Universities and organisations that mirror repos?
They’re the kinda place (I presume) that would be able to support this…
- Comment on Let’s Encrypt Begins Supporting IP Address Certificates 1 month ago:
Is that the same i as the square root of -1?
- Comment on How to combat large amounts of Ai scrapers 1 month ago:
If you’re able to, use GeoIP ranges to only allow access from the countries you want.
That immediately limits a lot of everything
Then - again if you’re able to - use a block list that covers known scrapers in case they’re in your country.
I use pfBlockerNG on my pfSense firewall for exactly this.
- Comment on Just a small question. 2 months ago:
Take a backup and go for it.
Personally, I ditched OMV for standard Arch Linux and just added the packages I wanted…