pcouy

@pcouy@lemmy.pierre-couy.fr

• Let's Encrypt is 10 years old today !letsencrypt.org ↗
  Submitted ⁨⁨2⁩ ⁨days⁩ ago⁩ to ⁨selfhosting@slrpnk.net⁩ | ⁨0⁩ ⁨comments⁩
• Let's Encrypt is 10 years old today !letsencrypt.org ↗
  Submitted ⁨⁨2⁩ ⁨days⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨7⁩ ⁨comments⁩
• Let's Encrypt is 10 years old today !letsencrypt.org ↗
  Submitted ⁨⁨2⁩ ⁨days⁩ ago⁩ to ⁨technology@lemmy.world⁩ | ⁨48⁩ ⁨comments⁩
• ⁨Comment⁩ on ⁨Open-source and self-hosted enterprise?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:

  I can recommend some stuff I’ve been using myself :

  • Dolibarr as an ERP + CRM : requires some work to configure initially. As most (if not all) features are disabled by default, it requires enabling them based on what you need. It also has a marketplace with a bunch of modules you can buy
  • Gitea to manage codebases for customer projects. It can also do CI but I’ve not looked into it yet
  • Prometheus and its ecosystem (mostly promtail and grafana) for monitoring and alerting
  • docker mail server : makes it quite easy to self host a full mail server. The guides in their doc made it painless for me to configure dmarc/SPF/other stuff that make e-mail notoriously hard to host
  • Cal.com as a self hostable alternative to calendly
  • Authentik for single sign-on and centralized permission management
  • plausible for lightweight analytics
  • a mix of wireguard, iptables and nginx to basically achieve the same as cloudflare proxying and tunnels

  I design, deploy and maintain such infrastructures for my own customers, so feel free to DM me with more details about your business if you need help with this

• Increase privacy by using nginx as a caching proxy in front of a map tile serverpierre-couy.dev ↗
  Submitted ⁨⁨2⁩ ⁨months⁩ ago⁩ to ⁨privacyguides@lemmy.one⁩ | ⁨0⁩ ⁨comments⁩
• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  They told me about hosting their own tile server earlier today. I’m really impressed by how fast they moved !

  A pull request for a privacy page during the onboarding is in the works, and I’ve been working with them to update the settings page and documentation (with the goal of providing an easy way to switch map providers). They are also working on a privacy policy, and want to ship all of this in a few weeks as part of a single release.

  Once again, I’m really impressed with how well they’re handling this

• ⁨Comment⁩ on ⁨Reddit blocking all major search engines, except Google⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  With all the botting going on on Reddit, this whole Google AI deal makes me think of the recent paper that demonstrates that, as common sens would suggest, deep learning models collapse when successive generations are trained on the previous generations’ output

• ⁨Comment⁩ on ⁨Lots of dead Lemmy/Kbin domains have CNAME records pointing to a domain parking company⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  never stopped POSTing, even though I configured nginx to always respond 403 to anything from them for about a year now.

  Lol, there are definitely some stubborn stuff out there. I’ve been serving 418 to a bunch of SEO crawlers - with fail2ban configured to drop all packets from their IPs/CIDR ranges after some attemps - for a few months now. They keep coming at the same rate as soon as they get unbanned. I guess they keep sending requests into the void for the whole ban duration.

  Using the 418 for undesirable requests instead of a more common status code (such as 403) lets me easily filter these blocks in fail2ban, which can help weed out a lot of noise in server logs.

• ⁨Comment⁩ on ⁨Lots of dead Lemmy/Kbin domains have CNAME records pointing to a domain parking company⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Your sensitive data and logins are tied to email addresses, which are tied to domains. Lose your domain, someone can access everything.

  I recently stumbled upon an article showing how bad this can be when the expiring domains are used for important stuff

• ⁨Comment⁩ on ⁨Lots of dead Lemmy/Kbin domains have CNAME records pointing to a domain parking company⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  I think they do get marked as dead after the Bodis subdomain does not act as a Lemmy instance. But I was wondering if a large number of instances “waking up from the dead” and acting maliciously could cause some trouble. Or would such “undead” instances pose no more threat to the fediverse than the same number of newly created malicious instances ? I’m mainly thinking about stuff like being in a privileged position to DoS most instances at once, or impersonation of accounts that used to actually exist on these “undead” instances

• Lots of dead Lemmy/Kbin domains have CNAME records pointing to a domain parking company
  Submitted ⁨⁨3⁩ ⁨months⁩ ago⁩ to ⁨fediverse@lemmy.world⁩ | ⁨7⁩ ⁨comments⁩
• ⁨Comment⁩ on ⁨[HELP NEEDED] Unable to figure out directory permissions⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Is named actually running as the bind user inside the container ? Maybe a USER bind line below the RUN lines will help.

• ⁨Comment⁩ on ⁨Why do so many people use NGINX?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  I’ll probably look into newer fancier options such as Caddy one day, but as far as I remember Nginx has never failed me : it’s stable, battle tested, and extremely mature. I can’t remember a single time when I’ve been affected by a breaking change (I could not even find one by searching changelogs) and the feature set makes it very versatile. Newer alternatives seem really interesting, but it seems to me they have quite frequent breaking changes and are not as feature rich.

  That being said, I’d love to see side-by-side comparison of Nginx and Caddy configs (if anyone wants to translate to Caddy the Nginx caching proxy for OSM I shared earlier this week, that would make a good ad useful example), as well as examples of features missing from Nginx. This may give me enough motivation to actually try Caddy :)

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  I don’t use nginx-proxy-manager, but if you want to share what you tried, I will try to help you figure what’s not working

• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  It’s the clients (web/android app, probably iOS too) that are making these requests.

  To the best of my knowledge, the Immich server inside the container is not making requests to the outside. It is merely sending a style.json to the client displaying a map, which then fetches tiles from the Cofractal URL inside this JSON.

• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Or you can quite easily configure nginx as your personal caching proxy with an arbitrarily long TTL/retention duration (you can check out my follow-up post for instructions on doing that)

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  I used to wonder what kind of nerd notices this kind of thing, now I’m one of them

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  I don’t use Traefik myself, but [this documentation page seems to suggest that Traefik only allows in-memory cache (which would eat RAM and not persist across reboots). You can probably run Nginx with this config inside a container for the caching, then use Traefik to handle requests to immich.your-domain.tld/map_proxy/* with the caching proxy container.

• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  What do you mean ? Can you give me the exact link that’s not working ?

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  At this point, I’ll just assume you are trolling and stop replying

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  How does an nginx config fit as a “diff” when the Immich repo and docker images do not include nginx (or any other reverse proxy) ?

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Blocking the DNS was the first thing I did. This is intended to restore the map feature without having to trust a random company I’ve never heard of.

  What do you mean by “a diff of a code fix” that would be simpler ?

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  You can, but you would not be able to display the map. Might as well disable the map server-wide

• ⁨Comment⁩ on ⁨Follow-up: Temporary fix for Immich's shady third-party API⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Not yet, but I will probably submit a PR to include this guide in the docs

• Follow-up: Temporary fix for Immich's shady third-party API
  Submitted ⁨⁨3⁩ ⁨months⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨27⁩ ⁨comments⁩
• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  I’ll try clarifying what I had in mind :

  I tried running maptiler to generate tiles from OSM’s data, which required an insane amount of time and resources (not doable for most self-hosters including myself, even for a single country) to process the data and store the results. I was wondering if there would be a way to ask maptiler (or another equivalent tool) to only generate tiles that contain points from a given set (in this case, photos) and maybe the tiles adjacent to them. What about doing this for every zoom level ? This would require generating at most zoom_levels * n_photos ( * 9 if we include adjacent) tiles, and a lot less for the typical person taking several photos at the same place.

• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Thanks for sharing your experience and for the links.

  Do you think it would be doable to make/host a tileserver that only generates the first few zoom levels for the whole planet by default, and is able to generate tiles for more detailed zoom levels only for specific locations ? I’m thinking of a feature where Immich asks the tile server to generate the appropriate tiles based on the locations of photos. Since we only ever zoom on locations where photos have been taken, and we often take several photos at the same locations, could this decrease the requirements enough for self-hosting ?

• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  No need to be rude…

• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Thanks for the detailed feedback. According to one Immich dev, they used to use OSM’s raster tile provider but switched away from it since they were causing too much load on OSM’s servers.

  There does not seem to be any non-commercial vector-tile provider at the moment (though OSM seems to be currently working on it), and it seems really overkill to try and self-host a tile provider (at least with the default level of details). Maybe the way is to find a balanced level of details that makes it reasonable to self host

• ⁨Comment⁩ on ⁨Immich relies on a third-party service that seems shady to me⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:

  Quoting one dev from the conversation I had on Discord :

  the one run by OSM is not intended for general purpose use because that results in way too much load on their system. We used to use theirs, but as Immich grew we decided that we should relieve them of that

  I guess you (and they) are talking about raster tiles, since OSM does not seem to provide vector tiles