irotsoma
@irotsoma@piefed.blahaj.zone
- Comment on swapping out the router maybe? 2 weeks ago:
If configured properly, it can usually bypass the router altogether. In my setup I have several VLANs for different traffic, so for me it’s important to have a Layer 3 switch that can handle the routing between VLANs. But if you don’t use VLANs, a Layer 2 switch will build a MAC address table and bypass the router once it knows where the traffic is going. That way only your DNS queries and similar get sent to the router for internal traffic on the LAN. Then the issue is just traffic going to the internet.
For the internet side you just need to configure the firewall to drop packets on ports (not reject, just drop/ignore) you don’t use and use something like fail2ban or crowdsec to make your router outright drop malicious and LLM bot kinds of traffic to ports you do use that otherwise have to be processed. That generally will reduce processing load unless you have self-hosted services that really generate a ton of traffic in which case you can move those to VPSs outside of your network.
Those are my general strategies at a very high level.
- Comment on swapping out the router maybe? 2 weeks ago:
Wow, I run OPNsense in Proxmox along with a Pi-hole and a couple of other small services and never hit 100% CPU on an Intel N100. My miniPC box has 4 2.5 gigabit network ports, though I only use 2 of them, one for LAN and one to the modem. I do also have a managed switch, though, that has a couple of 10 gigabit ports, a couple of 2.5, and the rest 1. Likely the switch is taking some of the load off of the router, I suppose. Might try getting a low-end managed switch. If you’re in the US, do it quick, though, as a lot of networking equipment is about to spike in price since the administration banned all new foreign-made equipment and none is made in the US.
- Comment on [deleted] 2 weeks ago:
I use OPNsense on a miniPC with an N100 processor. I got a decent one from HUNSN and added memory. I installed Proxmox and OPNsense runs in that along with a Pi-hole instance and a few other services, and it is really fast compared to any router I’ve had in the past.
I also use a RAM disk for OPNsense caching and logs, and anything I want to keep gets copied out to my NAS for permanent storage. That helps a lot with performance and SSD drive wear, but with memory so expensive from the LLM bubble, it might be more expensive now than a few years ago when I got mine.
- Comment on Single Sign in for Home Assistant now possible with OpenID 3 weeks ago:
Problem is that the user has to be presented that webpage and the results have to make their way back to each component. If you have a bunch of microservices that aren’t user facing (whether internet or private network), then how do those services get the user data to do their things? Monolithic server applications are bad practice outside of extremely simple web apps if you want something scalable. So you still need a database of local users that the services can share privately. That means a built-in user database that is just linked to the SSO user by the service that is user facing. Otherwise, all microservices have to authenticate separately with the user once every time the token expires. Which means lots of browser sessions somehow getting from a microservice with no web front end to the user.
Anyway, just an example, but when a local user database is required anyway, then SSO is always additional development work and exerts possibly significant limitations on the application architecture. This is why it’s not commonly implemented at first. There need to be better protocols that are open source and well tested. OIDC is my current favorite in many cases, but it has limitations, like logging out or switching between users on the same browser is a pain. Most proprietary apps use proprietary solutions because of the limitations, and they feel (often incorrectly) like it’s obfuscated enough to not be susceptible to attacks despite the simplicity. Doing SSO right is hard, so having to implement something from scratch isn’t feasible and, when done, is usually vulnerable.
- Comment on SSL certificates for things inside the lab 3 weeks ago:
My router has Caddy to reverse proxy all HTTP sites, which uses a certificate it gets from Let’s Encrypt.
- Comment on Single Sign in for Home Assistant now possible with OpenID 3 weeks ago:
Problem is requiring a browser if it’s not primarily a web interface. Even if initial setup is web-based, a lot of times background processes exist that don’t traverse the internet, especially in higher-security situations, so exposing those components to the internet just to get external credentials is not worth it, so then an additional proxying component is required. Anyway, the idea is that it can add a significant amount of complexity if it’s something more complex than a simple, single-component web application.
- Comment on New ntfy.sh v2.18.0 was written by AI 4 weeks ago:
Yeah, it could easily have added a couple of lines of code that send everything to North Korean hackers because it found that in a bunch of repositories, or just logging passwords to public logs or other things an experienced developer would never do. “AI” only replicates what it sees most often, and as more spam and junk repos are added to its training data because “AI” companies are too concerned with profit to teach it properly, it could do tons of random stuff. It’s like training a developer by giving them random examples from the internet rather than specific ones. Of course they pick up bad habits. Even if it “works”, it is almost never efficient or secure.
- Comment on Keycloak or alternative? 4 weeks ago:
Keycloak has some learning curve, but it’s the best OpenID Connect client and the most configurable and feature-rich open source SSO system with the fewest major issues that I’ve used. And I use Traefik for a reverse proxy, so for things that don’t support SSO directly, thomseddon/traefik-forward-auth works flawlessly with Keycloak to provide an auth layer to those apps.
- Comment on Using VPS for remote access of my server - some questions 5 weeks ago:
Fail2ban, crowdsec, or similar is still nice to have on the VPS side to reduce the load on your internet connection from abusive bots and LLM scrapers and such.
Personally, I’ve been having good luck with Pangolin, but I have several services that I expose via different subdomains.
- Comment on Self-hosted voice assistant with mobile app 1 month ago:
You have to run an LLM of your own and link it if you want quality even close to approaching Google, but Home Assistant with the Nabu Casa “Home Assistant Voice Preview Edition” speakers is working well enough for me. I don’t use it for much beyond controlling my home automation components, though. But it’s still very early tech and it doesn’t understand all that much unless you add a lot of your own configurations. I eventually plan to add an LLM, but even just running on the Home Assistant Yellow hardware with a Raspberry Pi Compute Module 5 works ok for the basics, though there is a slight delay.
I haven’t tried it, but Nabu Casa also offers a subscription service for the voice processing if you want something more robust and can’t host your own LLM, but that means sending your data out, even if they have good privacy policies, which I’m not interested in, because while I somewhat trust Nabu Casa’s current business model and policies, being hosted in the US means it’s susceptible to the current regime’s police-state policies. I’m waiting for hardware costs to recover from the AI bubble to self-host an LLM, personally.
- Comment on You NEED To Selfhost 1 month ago:
Yeah, the issue is that it drove up the price to justify price-gouging even though it’s likely these won’t actually get purchased. They shouldn’t reserve nearly all of their product for pending transactions. They should fulfill actual demand before theoretical demand. This is clearly only possible because of the industry consolidation into essentially a monopoly. If they still had real competitors, they’d have to actually sell for a fair price, and they’d be concerned that they likely won’t get paid for these “reservations”.
- Comment on You NEED To Selfhost 1 month ago:
Yep, Western Digital said they were sold out of drives for all of 2026. Since 2026 is just starting, they haven’t actually produced those drives or gotten actual money for them.
Hopefully the bubble pops soon, though I hate that Americans’ 401Ks and IRAs will take the brunt of the “losses” when it does.
- Comment on SSH Client for Linux Desktop and Android - Alternative to Termius 1 month ago:
The primary issue is I don’t always access devices from only those 3 systems. If I’m traveling, or I wipe my device or get a new one, I would have to add the new key to many servers as authorized keys, and I’d need to have password access enabled in order to add the keys in the first place. Also, I want a key backed up in case of disaster, since all of my devices are in my home most of the time. A few people use these systems, but only I maintain them.