i_am_not_a_robot

@i_am_not_a_robot@discuss.tchncs.de

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨How many containers are you all running?⁩ ⁨⁨7⁩ ⁨hours⁩ ago⁩:
I have 1 podman container on NixOS because some obscure software has a packaging problem with ffmpeg and the NixOS maintainers removed it. docker: command not found
⁨Comment⁩ on ⁨What's the laziest way to create a website that looks really nice and is maintainable?⁩ ⁨⁨1⁩ ⁨day⁩ ago⁩:
Quarto and Docusaurus are for documentation. You may be looking for a more general static site generator like 11ty.
⁨Comment⁩ on ⁨Immich face recognition is peak⁩ ⁨⁨4⁩ ⁨days⁩ ago⁩:
Image
⁨Comment⁩ on ⁨Where are you running your wireguard endpoint?⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you’re running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn’t Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.
⁨Comment⁩ on ⁨Offline TTS in 2026?⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
Check the README for piper. It moved to github.com/OHF-Voice/piper1-gpl
⁨Comment⁩ on ⁨Nextcloud logs me out whenever I leave and rejoin my local network⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Nextcloud shouldn’t be seeing your MAC address. However, my guess is that Nextcloud has been configured to invalidate the session if the client IP changes, and randomizing the MAC address is one way that can happen.
⁨Comment⁩ on ⁨Are there any VPNs that support dedicated IPv6 addresses?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Are you looking for a VPN or are you looking for an IPv6 tunnel broker like Hurricane Electric?
⁨Comment⁩ on ⁨How to propperly Ansible and selfhost without burning out?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
An immutable distro… like NixOS? Or do you mean your root filesystem is immutable? NixOS can do that too. You could normally mount your nix store as readonly and remount rw during updates if you really care about filesystem immutability, or use some snapshot system if you’re paranoid about adding new files to the store corrupting other files already in the store during an update.

The nixpkgs VM creation module, which I’ve never seen documentation for, has a mode where it generates a kernel, initrd, kernel command line, and erofs image containing a prepopulated /nix directory and that’s enough to boot the VM.

Ansible is disappointing as an IAC tool. It’s good for doing things, but it’s not good for converging systems to a desired state. Too often you end up with playbooks that are not idempotent or rely on something that was done during a previous execution of the playbook or just don’t do something that was done by a previous version, and then unless you are constantly recreating your systems you won’t notice until it’s a problem and you can’t get your system back.
⁨Comment⁩ on ⁨Family Email w/ Custom Domain⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
You can host a Proton mail bridge to use different apps running on different machines, including phones.

Self hosting e-mail, particularly SMTP, will likely require a static IP from a reputable provider. Mail servers may reject incoming mail based on the reputation of the sending server. You can avoid this by relaying through another SMTP server and configuring your DNS rules to allow that server to send mail on your behalf, but that’s not really self hosting anymore.
⁨Comment⁩ on ⁨Every single time I think of restructuring my homelab storage. What do you use for storage engines and how does it benefit you?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
You can use OpenEBS to provision and manage LVM volumes. Host path requires you to manually manage the host paths.
⁨Comment⁩ on ⁨Autograding tool⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
That sounds like build automation. You can use some Git forge software.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Some attackers check services that have already cataloged the services you are running, even on uncommon ports. You won’t hear from them unless you are running a potentially vulnerable service.
⁨Comment⁩ on ⁨How to make a Tailscale-like mesh VPN work without the internet?⁩ ⁨⁨4⁩ ⁨months⁩ ago⁩:
If you’re self hosting Headscale you can configure your network such that Headscale is reachable on your network with or without internet access and available from the internet.
⁨Comment⁩ on ⁨State of federation in git forges⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
Don’t expect Gitea to make progress on federation. Forgejo is a fork of Gitea and anybody that cares about federation is probably on the Forgejo side of the fork.
⁨Comment⁩ on ⁨Best Practice Ideas⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
If you’re running Kubernetes, what is the point of LXC or Proxmox in this setup? Kubernetes will give better scaling and utilization.
⁨Comment⁩ on ⁨Microsoft breaks Windows reset and recovery⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
Nix isn’t just for reproduction. It has immutability so if you break your system configuration you can revert to a previous profile, and the way installations are managed allows you to install software that uses incompatible versions of the same dependencies at the same time.
⁨Comment⁩ on ⁨Exposing docker socket to a container⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
Giving a container access to the docker socket allows container escapes, but if you’re doing it on purpose with a service designed for that purpose there is no problem. Either you trust Watchtower to manage the other containers on your system or you don’t. Whether it’s managing the containers through a mounted docker socket or with direct socket access doesn’t make a difference in security.

I don’t know if anybody seriously uses Watchtower, but I wouldn’t be surprised. I know that companies use tools like Argo CD, which has a larger attack surface and a similar level of system access via its Kubernetes service user.
⁨Comment⁩ on ⁨Exposing docker socket to a container⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
Mounting the docker socket into Watchtower is fine from a security perspective, but automatic updates can definitely cause problems. I used to use Rennovate and it would open a pull request to update the version.
⁨Comment⁩ on ⁨Recommendations for a version control system⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
Git does have a server component. When git connects to an ssh remote it executes an ssh command that needs to be present.
⁨Comment⁩ on ⁨Recommendations for a version control system⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
You’re missing GitLab. I’d be looking at GitLab or Forgejo.

But you might not need this. When you access a private Git repository, you’re normally connecting over SSH and authenticating using SSH keys. By default, if you have Git installed on a server you can SSH to and you have a Git repository on that server in a location you can access, you can use that server as a Git remote. You only really want one these services if you want the CI pipelines or collaboration tools.
⁨Comment⁩ on ⁨Changes to Bitnami Catalog on August 28th⁩ ⁨⁨5⁩ ⁨months⁩ ago⁩:
The issue says at the bottom that SealedSecrets is unaffected.
⁨Comment⁩ on ⁨Home server advice⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
At least in the past, if you had a fixed amount of work to complete, underclocking would increase overall power consumption.
⁨Comment⁩ on ⁨Got my first script kiddy⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
Port scanning isn’t abuse but automatically filing frivilous abuse reports is.
⁨Comment⁩ on ⁨PSA: If the first Smart Search in Immich takes a while⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
It’s not normal for - model-cache:/cache to be deleted on restart or even upgrade. You shouldn’t need to do this.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
The server responds with a 404 error. If you’re using a reverse proxy, make sure the reverse proxy rules are right. Does it work when you connect directly?
⁨Comment⁩ on ⁨Cloudflare blocking AI crawlers⁩ ⁨⁨6⁩ ⁨months⁩ ago⁩:
It’s relatively easy for Cloudflare to profile clients as being web scrapers. A concerning amount of internet traffic goes through their servers in plain text.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨8⁩ ⁨months⁩ ago⁩:
Is this a lost karma bot?
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨8⁩ ⁨months⁩ ago⁩:
A less intrusive solution would be to just put your sensitive data in LUKS and configure services that use that data to depend on the partition being mounted. That doesn’t require modifying the normal system startup process. You’re less likely to mess up your startup process at the expense of needing to be more mindful about where you’re putting your files.
⁨Comment⁩ on ⁨[deleted]⁩ ⁨⁨8⁩ ⁨months⁩ ago⁩:
Tang and Clevis have already been mentioned as a way for one server to boot using another server.

You can also create an environment where the server boots into a phase 1 where it obtains network connectivity and then waits for you to provide it the key to continue booting. The first phase is unencrypted, so don’t put sensitive data in there.
⁨Comment⁩ on ⁨Someone Experimented With a 1997 Processor and Showed That Only 128 MB of Ram Were Needed to Run a Modern AI⁩ ⁨⁨8⁩ ⁨months⁩ ago⁩:
In the 2020s we have new active USB to PS2 dongles like HIDman.