non_burglar
@non_burglar@lemmy.world
- Comment on Sharing Jellyfin 13 hours ago:
Oof, a lot of vitriol in this thread.
In the end, security is less about tooling and config, and more about understanding the risks and acting accordingly.
I expose jellyfin to the internet, but only to a specific public IP. That reduced my risk considerably.
- Comment on I don't get the love for Nextcloud - alternative for just files? 1 day ago:
There are a number of ways to install nextcloud, and docker is only one of those.
Yes, NC isn’t ideal in many ways, but it shouldn’t be as painful as you’re describing to run it.
- Comment on Self-hosted PDF manager? 6 days ago:
Paperless-ngx is great, but it is particularly bad at handling PDF documents. Roughly half my documents just won’t import.
github.com/paperless-ngx/paperless-ngx/…/3933
- Comment on How do I best deal with lots of Errors and Warnings after setting up Turnkey-Nextcloud? 1 week ago:
Turnkey images are usually built on popsicle sticks and chewing gum; they use old packages, their configs are often really janky and they do not like being updated.
I’m not kidding you, you’d be better off building nextcloud in a generic debian container.
As for the errors, as others have mentioned these are more or less easily fixed one at a time.
- Comment on Ansible iptables best practices? 2 weeks ago:
There’s a bunch of posts about the iptables-save function of the built-in iptables module not working in many cases, so I figured it was a safer bet to suggest the playbook include an actual command invocation.
In my personal experience, the module doesn't actually save the persistent rule in about half the cases. I haven't looked into it much, but it seems to happen more on systems where systemd iptables-firewall is present. (Not trying to start a flame war)
- Comment on Ansible iptables best practices? 2 weeks ago:
Generally, you set up a rule + command playbook, where the command invokes the iptables-save command.
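A playbook of the "rule + command" shape described above, as an added example that is not from the original thread. It assumes a Debian/Ubuntu host with the iptables-persistent package (which loads /etc/iptables/rules.v4 at boot); the host group `servers` and the management network 192.0.2.0/24 are constructed values.

```yaml
---
# Added example, not code from the original thread.
# Assumes iptables-persistent on Debian/Ubuntu (reads /etc/iptables/rules.v4 at boot).
# "servers" and 192.0.2.0/24 are constructed placeholder values.
- name: Manage the IPv4 firewall with iptables and persist it explicitly
  hosts: servers
  become: true
  tasks:
    - name: Allow loopback traffic
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
      notify: Save iptables rules

    - name: Allow replies to connections the host opened
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
      notify: Save iptables rules

    - name: Allow SSH from the management network only
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "22"
        source: 192.0.2.0/24
        jump: ACCEPT
      notify: Save iptables rules

    - name: Default deny for everything else inbound
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP
      notify: Save iptables rules

  handlers:
    # The explicit command step: write the live ruleset to disk ourselves
    # instead of relying on the module to persist it.
    - name: Save iptables rules
      ansible.builtin.shell:
        cmd: iptables-save > /etc/iptables/rules.v4
```

The handler runs once at the end of the play if any rule task changed something, so the saved file always reflects the full live ruleset rather than a partial state.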
- Comment on How do I securely host Jellyfin? (Part 2) 2 weeks ago:
I read the old thread and now this one.
As I understand it, you want to create a connection between clients on your LAN, but you don't trust your LAN, so it's like having a Raspberry Pi server and some client both on the coffee shop network and you want them to communicate securely?
Tailscale is what you want. Easy setup, free, and allows exactly this to happen.
- Comment on How do I securely host Jellyfin? (Part 2) 2 weeks ago:
I was looking for this. OP seems to be obsessed with "zero trust", so creating a trusted area for this stuff would be an easy win.
- Comment on help with generating ssl for freedns in nginx 2 weeks ago:
Do you have port 80 to nginx open? Certbot dry run will give you some diagnostics, but that is the most common issue (port 80 being closed).
- Comment on Basic networking/subnetting question. 2 weeks ago:
The effect is similar to sticky ports, but sticky ports is just filtering based on MAC address, which can be spoofed.
802.1X allows traffic from a device only if it also has the correct EAP certificate.
- Comment on Basic networking/subnetting question. 2 weeks ago:
en.m.wikipedia.org/wiki/IEEE_802.1X
802.1X is a set of protocols that allow port access to be locked to specific devices, which would preclude your need for multiple subnets. You would likely need a few extra physical ports on your white box router, the unmanaged switch could later become overwhelmed passing traffic in a more complicated setup, and you would still need to keep trusted and untrusted traffic separate at the gateway subnet.
Your use case is exactly why VLANs were invented.
However, I suspect from your other answers that you are actually looking for an open source managed switch so your entire networking stack is auditable.
There are a few solutions like opx, but hardware supporting opx is prohibitively expensive and it is almost always cheaper to build a beige box and use Linux or get a 2nd hand supported device and use openwrt.
- Comment on Basic networking/subnetting question. 2 weeks ago:
For simple cases you might be able to use 802.1X authentication if "trust" is the issue. This doesn't scale well as a solution on a larger network though.
- Comment on Basic networking/subnetting question. 2 weeks ago:
OP specified they have a dumb switch.
- Comment on XCP-NG vs PROXMOX security hardening? 3 weeks ago:
Kind of a vague question, but I take it you mean OS-level hardening, which should be fine with CIS hardening.
In a virtualized environment, there are many security layers to take care of: network access, storage, API control, identity access, cluster config, backups, etc.
- Comment on Would there be any potential problem of hosting public and/or private (vpn) services in a school office? 3 weeks ago:
Don’t be flippant.
This is like going to a car enthusiast forum and asking “any potential problems with driving a car that may or may not be stolen?”
You have indicated that you're aware of the potential repercussions of running a personal project in a publicly-funded environment. You've already been told that this is unethical everywhere and illegal in many places.
- Comment on Would there be any potential problem of hosting public and/or private (vpn) services in a school office? 3 weeks ago:
If you are so sure of your indemnity because it’s “your device”, why are you asking on Lemmy?
- Comment on Selfhosting Sunday - What's up? 3 weeks ago:
It can manage KVM, so I don't see why not.
- Comment on Selfhosting Sunday - What's up? 3 weeks ago:
Side question, but where are you hearing this about incus?
I'm wrapping up 9 years of using Proxmox and I have very specific reasons for switching to Incus, but this is the third time I'm fielding questions in the last month about Incus.
- Comment on Selfhosting Sunday - What's up? 3 weeks ago:
I think so.
It is LXD + KVM, so way more and finer-grained control on LXC instances. It can run OCI images as well, so for Docker instances with only a few configs and no persistent storage, it is actually quite handy. For Docker instances that need pretty complicated compose files, I just run Docker inside an LXC for now, until I figure that out.
- Comment on Selfhosting Sunday - What's up? 4 weeks ago:
Bash variables are really, really fun.
- Comment on Selfhosting Sunday - What's up? 4 weeks ago:
More incus:
- mounting persistent storage into containers (cheating by exporting NFS from my Proxmox ZFS into the Incus host)
- wrote a pruning backup script for containers, runs daily
- passed through hardware (Quick Sync) into the Jellyfin container (it works!)
- launched an OCI container (Docker Home Assistant) natively in Incus (this is a game-changer!)
Next:
- build 2nd Incus node
- move all containers from Proxmox to Incus
- decom Proxmox
- set up Debian with NFS export
- Comment on lightweight blog ? 4 weeks ago:
I use Eleventy. Similar to other static site generators.
- Comment on Do I really need a firewall for my server? 4 weeks ago:
Because NAT acts as a firewall with a "default deny" policy for incoming packets, but no other rules. You cannot prevent a device on the private subnet side of a NAT from attempting to communicate with an "outside" IP with NAT alone; NAT doesn't understand the concepts of accept/deny/drop.
All NAT does is rewrite address headers.
The machines behind a NAT box are not directly addressable because they have private IP addresses. Machines out on the general Internet cannot send IP packets to them directly. Instead, any packets will be sent to the address of the NAT box, and the NAT box looks at its records to see which outgoing packet an incoming packet is in reply to, to decide which internal address the packet should be forwarded to. If the packet is not in reply to an outgoing packet, there’s no matching record, and the NAT box discards the packet.
It's a confused topic because for a lot of people, NAT does essentially everything they want. As soon as you get into more complex networking where a routing table needs to be updated, or bidirectional firewall rules, it becomes apparent why routing + firewall + NAT is the most common combo.
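A small simulation of the behaviour described in this comment, added here as an example (not code from the original thread): a source-NAT box keeps a translation table, forwards inbound packets only when they answer a recorded outbound one, and never refuses an outbound packet, which is exactly the gap a separate firewall policy fills. All IP addresses and ports are constructed sample values from the RFC 5737 documentation ranges.

```python
"""Connection-tracking NAT versus a firewall policy, as a simulation.

Added example, not code from the original thread. Addresses and ports are
constructed sample values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Source NAT with a translation table and no accept/deny/drop rules."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # translated source port -> (internal ip, internal port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source address of an outgoing packet and record the flow.

        Every internal host is translated unconditionally: NAT has no notion
        of a policy that could refuse this packet.
        """
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for port, recorded in self.table.items():
            if recorded == flow:                       # existing flow: reuse mapping
                return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)
        port = self.next_port                          # new flow: allocate a port
        self.next_port += 1
        self.table[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward an incoming packet only if it replies to a recorded flow."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                                # no record: discarded
        internal_ip, internal_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                                # not the peer we talked to: discarded
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)


class EgressFirewall:
    """The policy layer NAT lacks: deny outbound traffic to listed destination ports."""

    def __init__(self, denied_dst_ports: Set[int]) -> None:
        self.denied_dst_ports = denied_dst_ports

    def permits(self, pkt: Packet) -> bool:
        return pkt.dst_port not in self.denied_dst_ports


def demo() -> Dict[str, object]:
    """Run the scenarios from the comment and return their outcomes."""
    nat = Nat("203.0.113.10")
    fw = EgressFirewall(denied_dst_ports={23})      # e.g. no cleartext telnet out

    # 1. Internal host opens a connection; NAT records it and rewrites the source.
    outbound = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    # 2. The reply matches the record and is forwarded back inside.
    reply = nat.inbound(Packet("198.51.100.5", 443, "203.0.113.10", 40000))
    # 3. An unsolicited inbound packet has no record and is discarded.
    unsolicited = nat.inbound(Packet("198.51.100.77", 12345, "203.0.113.10", 40001))
    # 4. A packet to a mapped port from the wrong peer is also discarded.
    wrong_peer = nat.inbound(Packet("198.51.100.77", 443, "203.0.113.10", 40000))
    # 5. Outbound to a port the admin wants blocked: NAT passes it, firewall does not.
    telnet = Packet("192.168.1.21", 5000, "198.51.100.9", 23)
    return {
        "outbound": outbound,
        "reply": reply,
        "unsolicited": unsolicited,
        "wrong_peer": wrong_peer,
        "nat_passes_telnet": nat.outbound(telnet) is not None,
        "firewall_permits_telnet": fw.permits(telnet),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scenarios 3 and 4 are the "default deny for incoming" the comment talks about; scenario 5 is the part NAT cannot do on its own, since the translation step succeeds for any internal source regardless of where it is going.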
- Comment on How best to store a media library in proxmox? 4 weeks ago:
Yes, LXC, Docker, whatever cgroup2 isolation environment, but not VMs, true.
VMs can achieve the same thing through shares.
- Comment on Do I really need a firewall for my server? 4 weeks ago:
NAT simply maps IPs across subnet boundaries in such a way that upstream routing tables don't need updating.
If you use destination NAT forward rules to facilitate specific destination port access, you are using a firewall.
- Comment on How best to store a media library in proxmox? 4 weeks ago:
Each cgroup container mounts a host path. That’s it.
- Comment on Do I really need a firewall for my server? 4 weeks ago:
OP means, as they said, a firewall on the server itself.
> NAT is, effectively, a firewall.
No it isn't. Stop giving advice on edge security.
- Comment on How best to store a media library in proxmox? 4 weeks ago:
ZFS (and most modern filesystems) are fine with concurrency.
I mount the same data store into several instances, it works well. Just needs some planning for permissions.
- Comment on How best to store a media library in proxmox? 4 weeks ago:
Yes, of course. I forgot about the GUI, that's valid.
- Comment on How best to store a media library in proxmox? 4 weeks ago:
> If it's a private ZFS pool not on the network you're fucked.
Sorry, I didn't word that correctly. I understand why you might need a share, I just think a whole TrueNAS instance just for a few shares is way overkill. If I needed a Samba share, NFS export, or an iSCSI LUN I would just spin up a Debian container and be done with it.