dgdft

@dgdft@lemmy.world

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Is this mail something I should be concerned about?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
What kind of vulnerabilities are you worried about from such a sudo call?
⁨Comment⁩ on ⁨Is this mail something I should be concerned about?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
That’s how it already works — Caddy doesn’t require elevated privileges in general. You can toss a binary + config + certs anywhere in the homedir and it’ll go fine if you bind to a non-privileged port.

But users want software to do stuff like help set up certs and serve on ports 80 & 443, so what better option is there than to limit scope of execution by doing pinhole actions with sudo?
⁨Comment⁩ on ⁨Is this mail something I should be concerned about?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
What would be the correct way for caddy to run actions like this that require elevated permissions, in your view?
⁨Comment⁩ on ⁨Round Two: Can I manage to set up Jellyfin correctly this time?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
Rt, my bad for the personal attack; I was trying to be saucy with that opener and missed the mark.

That being said, your opinion is still utter hot garbage. It’s not hard at all to host dynamic services publicly with minimal risk if you know what you’re doing, and Jellyfin is pretty damn low risk.

The argument you’re making is comparable to going on a car forum and saying no one should ever drive on a public road because you might crash, and there are drivers doing things you can’t control. It’s factually true that you mitigate all risk by doing so, but misses the fact the people can and do drive on public roads all the time without much hurrah.
⁨Comment⁩ on ⁨Round Two: Can I manage to set up Jellyfin correctly this time?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
Sorry, I assumed you were intelligent and sanewashed your comment.

I assumed you were talking about the fact that internal web servers that services like Jellyfin run are often DoSable without a proxy.

Jellyfin is quite literally a web app and perfectly safe to host on the web. Wanna prove me wrong? I’ll happily spin up an instance and throw a $500 bounty on there for you.
⁨Comment⁩ on ⁨Round Two: Can I manage to set up Jellyfin correctly this time?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
Did you read the thread body? Op is using Caddy to reverse proxy.

The smoothbrain top comment is claiming that Jellyfin “wasn’t designed to be exposed to the internet” AT ALL, reverse proxy or not. You’re poking at a strawman here, and putting words in my mouth that I didn’t say.
⁨Comment⁩ on ⁨Round Two: Can I manage to set up Jellyfin correctly this time?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
Yeah, you’ll probably want to give your Pi a static internal IP too, but the details for that will depend on the specifics of your router and network.
⁨Comment⁩ on ⁨Round Two: Can I manage to set up Jellyfin correctly this time?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
Yeah, fair point — I was only talking RCE.

That’s a real risk if you get hit by a lazy stuffing script, and I personally SSH tunnel my self-hosted to a public VPS to avoid that sorta thing.

@Op, if you do notice slowdowns for your whole network & suspicious noise in your Jellyfin logs, the easy move is to configure fail2ban and ask your ISP to rotate your router’s IP for you.
⁨Comment⁩ on ⁨Round Two: Can I manage to set up Jellyfin correctly this time?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
Assuming you’ve forwarded ports 80 & 443 on your router, that’ll do just fine.

Speaking as a hacker and SWE, the cringelords telling you that exposing Jellyfin is some major liability are LARPers who don’t know what they’re talking about.
⁨Comment⁩ on ⁨Tool to move watched files from on Plex lib to another⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Just a thought, but you might be able to do this easier by looking at atime and mtime rather than fiddling with the API.
⁨Comment⁩ on ⁨Leaving GitHub. Music server alternatives?⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Lemmy is optional, and the project is hosted on Github.

github.com/LemmyNet/lemmy
⁨Comment⁩ on ⁨Automating Restic backups⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Seconding this answer. The error message and description scream envvar issue.

This is my first time using systemd, so I’m not sure if I am overlooking an obvious step or what.

@gedaliyah@lemmy.world Did you run a systemctl daemon-reload after making the PassEnvironment change to your service file?
⁨Comment⁩ on ⁨My first post ever – life in a tent⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
Welcome to Lemmy! Sincerely hope you can find some reprieve from your physical circumstances here.

As a friendly heads up, you posted this thread to a tech-related board. Your post may be removed for that reason, but you should consider reposting on a more general comm such as !casualconversation@piefed.social.
⁨Comment⁩ on ⁨How to enhance Caddy's basic_auth?⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
Yeah, you don’t need to extend Caddy at all for that.

Add a properly-formatted Authorization header to any requests you make to the server and it’ll work. See Wikipedia page for header string format:

en.wikipedia.org/…/Basic_access_authentication
⁨Comment⁩ on ⁨How to enhance Caddy's basic_auth?⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
How does programmatic access tie into the desire for a login form?

Either way, you can do a login form -> basic auth forwarding page by rigging up some simple JS, or access programmatically in a direct way by simply setting a manual Authorization header.
⁨Comment⁩ on ⁨Hackers Are Finding New Ways to Hide Malware in DNS Records⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
Not to detract from the article, but this has actually been a long time coming and known as a vector for decades.

DNS backed website PoC from a few years ago: news.ycombinator.com/item?id=27598164
⁨Comment⁩ on ⁨Immich Flatpak⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
It’s extra work to maintain and test another release format — and the core developers want to focus on making software.

No one is stopping you from rolling your own flatpak.
⁨Comment⁩ on ⁨Medieval medicine was smarter than you think—and weirdly similar to TikTok trends⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
No personal disrespect to you OP, but gotta call a spade a spade: this article is dogwater clickbait and an awful fit for this comm.
⁨Comment⁩ on ⁨Tape drive backups⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:

tape drives seem to be the best

Tape drives are the keytars of the tech world. They seem cool and a pro can really jam with them… but they’re not the most practical and you should really get a guitar or a keyboard until you know what you’re doing.

Yeet your shit onto rsync.net or anything else simple and call it a day, unless you’re in it for the meme.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I respect the spirit you’re going for, but FYI, Libby and Overdrive are private-equity owned and just as exploitative (if not more so) than the major publishers were.

They do not give libraries an unlimited license for digital books, but rather make them pay what they would for a physical book, and allow them to loan out the digital copy a relatively small number of times (usually around ~4-5 IIRC) under the guise that a physical book would have been irreparably degraded after having been lent out that many times. There’s a stream of billions of dollars being moved from non-consenting taxpayers going right to a monopolistic gatekeeper.

If we’re talking physical books, libraries are definitely still great for that, but I find that the vast majority of the time I look to check if they have a specific book I’m after, there are zero physical copies anywhere in the system, and all the digital “copies” are already “checked out”. E.g., I went looking for a copy of PKD’s Valis last week, and my options were: library audiobook (vomit), wait two weeks for a “checked out” digital copy from the library (vomit), buy from Amazon (vomit), or sail the seas.

So no, that’s a shitty substitute – and your moral high-ground has a sinkhole beneath it.
⁨Comment⁩ on ⁨Got my first script kiddy⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Absolutely not — the issue here is OP knowingly submitting false abuse reports.

Port scans of public hosts are not considered abuse per the CFAA or Amazon’s AUP without other accompanying signs of malicious intent.

aws.amazon.com/aup/

Amazon may take action against egregious mass-scanning offenders per the “…to violate the security, integrity, or availability of any user, network…” verbiage, especially if they’re fingerprinting services or engaging in more sophisticated recon, but OP’s complaints are nowhere near meeting that threshold.
⁨Comment⁩ on ⁨WhisperX — Automated Transcripts w/ Timestamps and Speaker Tagging⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
You should be able to get decent results from that if you pipe your tracks through demucs first to isolate the vocals.

github.com/adefossez/demucs
⁨Comment⁩ on ⁨WhisperX — Automated Transcripts w/ Timestamps and Speaker Tagging⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:

Are you self hosting the long context llm, of do what are you using?

I did a lot of my exploration back when GPT4 128K over API was the only long-context game in town.

I imagine the options are much better these days between Llama 3/4, Deepseek, and Gemini, and Qwen — but haven’t tried them locally myself.
WhisperX — Automated Transcripts w/ Timestamps and Speaker Tagginggithub.com ↗
Submitted ⁨⁨1⁩ ⁨month⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨28⁩ ⁨comments⁩
⁨Comment⁩ on ⁨Keeping track of different targets in terminal⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
You’ll get used to it eventually, but you can e.g. tweak your PS1 to an all-caps hostname, or use a custom tmux layout with dedicated panes for each box you connect to.
⁨Comment⁩ on ⁨Hardware Suggestions For A Beginner?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
If you really want something upgradeable, used enterprise SFF is the way to go: discountelectronics.com

However, the hardware market is in a weird spot right now; you’ll get far more bang for your buck with an Intel N150. You can find a 16GB DDR5 w/ 1 TB SSD around the $200 mark, and that’s what I’d roll with in your shoes, assuming you don’t mind living without a spinning disk. Your Jellyfin and Immich instances will run far smoother.

Obligatory reminder that you’ll be missing out on most of the commonly-cited benefits of a VPN by self-hosting at home.
⁨Comment⁩ on ⁨Cow eggs⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Bovines are ungulates, and thus have hooves. These eggs do not have hooves, and therefore are not bovine eggs.

QED
⁨Comment⁩ on ⁨Archaeology dig helps Tonkawa Tribe rediscover Texas roots⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
I got back yesterday from working on this dig, and had a great time. It was my first field school experience — but despite the fuckery that is tent-camping in central Texas midsummer, I can safely say I’ll be back every chance I get.

The project was a beautiful reminder that even in rural Texas, there are plenty of unsung heroes out in the wild who dedicate their entire lives to building community and looking out for others.
Archaeology dig helps Tonkawa Tribe rediscover Texas rootswww.fox7austin.com ↗
Submitted ⁨⁨2⁩ ⁨months⁩ ago⁩ to ⁨archaeology@mander.xyz⁩ | ⁨1⁩ ⁨comment⁩
⁨Comment⁩ on ⁨Got any security advice for setting up a locally hosted website/external service?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:

Please tell me more, which firewall would you recommend that plays nice with Docker?

Firewalld

No NAT?

Another user in this thread suggested DMZing, so combine your advice with theirs and boom. It’s not uncommon. Most people don’t knowingly choose to use a firewall that they don’t intend to work, like you would.

why would you copy paste a docker compose without reading it?

There’s more than one way to use docker. Spinning up an official mysql image using the official docker run OR docker compose call suggested by the docs would start up a server wide open to the entire internet if DMZ’d.