i_am_not_a_robot
@i_am_not_a_robot@discuss.tchncs.de
- Comment on Element/Matrix Official Docker Install Method? 6 days ago:
Kubernetes is much more complicated and powerful than Docker, and Docker Compose is more similar to the way you work directly with Kubernetes than it is to Helm, which adds in a templating system. Basically, from a Docker perspective, Helm allows you to configure your compose file, but not just by substituting variables. Helm can make structural changes such as completely adding or removing sections based on the variables used when loading the chart. The output of Helm is YAML, sort of like a compose file.
Kubernetes has a much more complicated system for describing workloads and their resources than Docker Compose, and it is extensible. For example, if you are running on AWS you can have Kubernetes attach EBS volumes to your pods, or if you’re on bare metal you might use LVM, and it’s not limited to things that Kubernetes natively understands like storage volumes: Cert Manager is a common piece of software that is deployed into Kubernetes that takes care of issuing and renewing TLS certificates for other software in Kubernetes.
I used to run Kubernetes at home with ArgoCD, but I’ve moved on to NixOS instead. NixOS is less powerful because it doesn’t have dynamic workload scheduling, but I don’t actually need dynamic workload scheduling or all the configuration necessary to facilitate dynamic workload scheduling in my house, and Nix is much nicer to work with than Helm’s gotmpl templating. Unless you like this kind of stuff or want to get into Kubernetes, you probably want to avoid it for running a few things on one host.
- Comment on Element/Matrix Official Docker Install Method? 6 days ago:
Helm is what is used for real world software deployments. It has its problems but it’s better than Docker Compose.
- Comment on Is H9me Assistant recommended? 1 week ago:
Just be careful with SD cards if you’re using SBCs. Home Assistant does a lot of writing and if your SD card can’t handle repeated writes you may suddenly lose everything. Keep backups to another device and have a replacement SD card ready if extended downtime is going to be a problem for you.
- Comment on $69 in 2026 Gets You a Tool to Rejuvenate Old Computers 2 weeks ago:
In old computers, CD audio worked by physically connecting an audio cable between the optical drive and the sound card. PC emulators can emulate this, but it’s more complicated for CD emulators running on a real computer.
- Comment on How many containers are you all running? 2 weeks ago:
I have 1 podman container on NixOS because some obscure software has a packaging problem with ffmpeg and the NixOS maintainers removed it.
docker: command not found
- Comment on What's the laziest way to create a website that looks really nice and is maintainable? 3 weeks ago:
Quarto and Docusaurus are for documentation. You may be looking for a more general static site generator like 11ty.
- Comment on Immich face recognition is peak 3 weeks ago:
- Comment on Where are you running your wireguard endpoint? 1 month ago:
Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you’re running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn’t Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.
- Comment on Offline TTS in 2026? 1 month ago:
Check the README for piper. It moved to github.com/OHF-Voice/piper1-gpl
- Comment on Nextcloud logs me out whenever I leave and rejoin my local network 2 months ago:
Nextcloud shouldn’t be seeing your MAC address. However, my guess is that Nextcloud has been configured to invalidate the session if the client IP changes, and randomizing the MAC address is one way that can happen.
- Comment on Are there any VPNs that support dedicated IPv6 addresses? 2 months ago:
Are you looking for a VPN or are you looking for an IPv6 tunnel broker like Hurricane Electric?
- Comment on How to propperly Ansible and selfhost without burning out? 2 months ago:
An immutable distro… like NixOS? Or do you mean your root filesystem is immutable? NixOS can do that too. You could normally mount your nix store as readonly and remount rw during updates if you really care about filesystem immutability, or use some snapshot system if you’re paranoid about adding new files to the store corrupting other files already in the store during an update.
The nixpkgs VM creation module, which I’ve never seen documentation for, has a mode where it generates a kernel, initrd, kernel command line, and erofs image containing a prepopulated /nix directory and that’s enough to boot the VM.
Ansible is disappointing as an IAC tool. It’s good for doing things, but it’s not good for converging systems to a desired state. Too often you end up with playbooks that are not idempotent or rely on something that was done during a previous execution of the playbook or just don’t do something that was done by a previous version, and then unless you are constantly recreating your systems you won’t notice until it’s a problem and you can’t get your system back.
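The standard way to catch the non-idempotent playbooks described above is to run the same playbook twice and require that the second run reports no changes. The script below is an added example, not part of the comment or of Ansible itself: it parses the output of Ansible's `json` stdout callback (`ANSIBLE_STDOUT_CALLBACK=json ansible-playbook site.yml > run2.json`) and lists every task that still changed something on the second pass. The embedded run output is constructed, with a typical offender (a `shell: echo ... >> /etc/motd` task that appends on every run) alongside a properly converging task.

```python
"""Idempotency check for Ansible playbooks.

Run the playbook twice; on the second run every task should report
changed=false. This parses the JSON produced by Ansible's `json` stdout
callback plugin (ANSIBLE_STDOUT_CALLBACK=json) and flags tasks that still
reported a change. The sample output below is constructed for illustration,
not captured from a real run.
"""
import json
import sys

# Constructed: second run of a playbook where one task is not idempotent.
SECOND_RUN_JSON = json.dumps({
    "plays": [{
        "play": {"name": "baseline", "id": "p1"},
        "tasks": [
            # package module: already installed, so no change on rerun
            {"task": {"name": "Install nginx", "id": "t1"},
             "hosts": {"web1": {"changed": False, "failed": False}}},
            # shell: echo banner >> /etc/motd appends again every run
            {"task": {"name": "Append banner to motd", "id": "t2"},
             "hosts": {"web1": {"changed": True, "failed": False}}},
        ],
    }],
    "stats": {"web1": {"ok": 2, "changed": 1, "failures": 0,
                       "unreachable": 0, "skipped": 0}},
})


def nonidempotent_tasks(run_json: str):
    """Return (play, task, host) for each task that reported a change.

    Fed the output of a *second* run of a converging playbook, this list
    should be empty; anything in it either does not check state before
    acting or depends on side effects of an earlier run.
    """
    data = json.loads(run_json)
    hits = []
    for play in data.get("plays", []):
        pname = play.get("play", {}).get("name", "?")
        for task in play.get("tasks", []):
            tname = task.get("task", {}).get("name", "?")
            for host, result in task.get("hosts", {}).items():
                if result.get("changed"):
                    hits.append((pname, tname, host))
    return hits


def is_idempotent(run_json: str) -> bool:
    """True when the per-host stats show zero changes and zero failures
    and no individual task reported a change."""
    data = json.loads(run_json)
    stats = data.get("stats", {})
    stats_clean = all(s.get("changed", 0) == 0 and s.get("failures", 0) == 0
                      for s in stats.values())
    return stats_clean and not nonidempotent_tasks(run_json)


if __name__ == "__main__":
    # Usage: ANSIBLE_STDOUT_CALLBACK=json ansible-playbook site.yml | python3 idem.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SECOND_RUN_JSON
    for p, t, h in nonidempotent_tasks(raw):
        print(f"non-idempotent: play={p!r} task={t!r} host={h}")
    print("idempotent:", is_idempotent(raw))
```

Wiring this into CI (apply, then apply again and fail the job if the second pass lists anything) catches the "works until you rebuild the host" playbooks before they are relied on.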
- Comment on Family Email w/ Custom Domain 2 months ago:
You can host a Proton mail bridge to use different apps running on different machines, including phones.
Self hosting e-mail, particularly SMTP, will likely require a static IP from a reputable provider. Mail servers may reject incoming mail based on the reputation of the sending server. You can avoid this by relaying through another SMTP server and configuring your DNS rules to allow that server to send mail on your behalf, but that’s not really self hosting anymore.
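The "DNS rules to allow that server to send mail on your behalf" are, in the first place, the domain's SPF TXT record. Before publishing one it is worth checking that the relay's address actually matches it, because the mechanisms are evaluated left to right and the first match wins. The function below is an added example (not from the comment or any mail software) that evaluates the `ip4:`/`ip6:`/`all` mechanisms of an SPF record against a sending IP. Mechanisms that need DNS (`include:`, `a`, `mx`, `redirect=`) are reported as unresolved rather than guessed. The records and addresses are constructed, using documentation ranges.

```python
"""Local sanity check of an SPF record against a relay address.

Evaluates only ip4:, ip6: and all, with the +, -, ~ and ? qualifiers
(RFC 7208 semantics for those terms: first matching mechanism wins).
Anything that requires DNS lookups (include:, a, mx, exists, ptr,
redirect=) returns 'unresolved'. Sample records/addresses are constructed
from RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}

# Constructed: the record you would publish for example.org when relaying
# through a provider at 203.0.113.10 (IPv4) and 2001:db8::/32 (IPv6).
RELAY_SPF = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all"


def spf_check(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral for sender_ip under the record,
    'unresolved' if a DNS-dependent term is reached first, or 'none' if
    nothing matched and there is no 'all' term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        lower = term.lower()
        # modifiers use name=value; redirect= needs DNS, others (exp=) are ignored
        if "=" in lower.split(":", 1)[0]:
            if lower.startswith("redirect="):
                return "unresolved"
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed term; a real evaluator returns permerror
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif mech in DNS_MECHANISMS:
            return "unresolved"
    return "none"


if __name__ == "__main__":
    for addr in ("203.0.113.10", "198.51.100.7", "2001:db8:1::5"):
        print(addr, "->", spf_check(RELAY_SPF, addr))
```

Two caveats the check makes visible: an `ip4:` term placed after `-all` is never reached, and a record that ends in `~all` instead of `-all` only softfails forged senders. For the relaying setup in the comment you still need the provider's own `include:` (resolved by the receiving server, not by this script) and matching DKIM/DMARC records; this only tells you the text you are about to publish says what you think it says.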
- Comment on Every single time I think of restructuring my homelab storage. What do you use for storage engines and how does it benefit you? 3 months ago:
You can use OpenEBS to provision and manage LVM volumes. Host path requires you to manually manage the host paths.
- Comment on Autograding tool 3 months ago:
That sounds like build automation. You can use some Git forge software.
- Comment on Do bots/scrapers check uncommon ports? 4 months ago:
Some attackers check services that have already cataloged the services you are running, even on uncommon ports. You won’t hear from them unless you are running a potentially vulnerable service.
- Comment on How to make a Tailscale-like mesh VPN work without the internet? 5 months ago:
If you’re self hosting Headscale you can configure your network such that Headscale is reachable on your network with or without internet access and available from the internet.
- Comment on State of federation in git forges 5 months ago:
Don’t expect Gitea to make progress on federation. Forgejo is a fork of Gitea and anybody that cares about federation is probably on the Forgejo side of the fork.
- Comment on Best Practice Ideas 5 months ago:
If you’re running Kubernetes, what is the point of LXC or Proxmox in this setup? Kubernetes will give better scaling and utilization.
- Comment on Microsoft breaks Windows reset and recovery 5 months ago:
Nix isn’t just for reproduction. It has immutability so if you break your system configuration you can revert to a previous profile, and the way installations are managed allows you to install software that uses incompatible versions of the same dependencies at the same time.
- Comment on Exposing docker socket to a container 5 months ago:
Giving a container access to the docker socket allows container escapes, but if you’re doing it on purpose with a service designed for that purpose there is no problem. Either you trust Watchtower to manage the other containers on your system or you don’t. Whether it’s managing the containers through a mounted docker socket or with direct socket access doesn’t make a difference in security.
I don’t know if anybody seriously uses Watchtower, but I wouldn’t be surprised. I know that companies use tools like Argo CD, which has a larger attack surface and a similar level of system access via its Kubernetes service user.
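Since the decision above comes down to knowing which containers on a host hold root-equivalent access, the following is a quick audit over `docker inspect` output. It is an added example, not code from the comment, Watchtower or Docker: it flags containers with a bind mount of the Docker (or Podman) API socket, `--privileged`, `pid=host`, or a bind of the host root filesystem. The inspect data below is constructed; the socket path list and the set of "interesting" capabilities are my choices, not anything Docker defines.

```python
"""Audit `docker inspect` output for containers with host-level access.

A container that can talk to the Docker API socket can start a privileged
container with the host root mounted, so socket access is host root
regardless of what the container was meant to do. Input shape is that of
`docker inspect $(docker ps -q)`; the sample below is constructed, not
captured from a real host.
"""
import json
import sys

# Assumed socket locations (Docker and Podman defaults); adjust for your host.
API_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock", "/run/podman/podman.sock"}
# Capabilities treated as escape-capable for this audit; not an exhaustive list.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

# Constructed: an updater with the socket, a web app without, and a
# metrics exporter that binds the host root and shares the host PID space.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/watchtower",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}],
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None}},
    {"Name": "/nextcloud",
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/nc/_data",
                 "Destination": "/var/www/html", "RW": True}],
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None}},
    {"Name": "/node-exporter",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": False}],
     "HostConfig": {"Privileged": False, "PidMode": "host", "CapAdd": ["SYS_PTRACE"]}},
])


def host_equivalent_containers(inspect_json: str) -> dict:
    """Map container name -> list of reasons it should be treated as host root."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        reasons = []
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":
                continue
            src = m.get("Source", "")
            if src in API_SOCKETS:
                # Reported as rw/ro for information only: a read-only mount of
                # the socket does not restrict what the API will do.
                reasons.append(f"API socket {src} mounted "
                               f"{'rw' if m.get('RW') else 'ro'} at {m.get('Destination')}")
            elif src == "/":
                reasons.append(f"host root bound at {m.get('Destination')}")
        hc = c.get("HostConfig", {})
        if hc.get("Privileged"):
            reasons.append("--privileged")
        if hc.get("PidMode") == "host":
            reasons.append("pid=host")
        for cap in hc.get("CapAdd") or []:
            if cap.upper().removeprefix("CAP_") in RISKY_CAPS:
                reasons.append(f"cap_add {cap}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, reasons in host_equivalent_containers(raw).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The point of the list is not that every hit is wrong (Watchtower needs the socket to do its job, exactly as the comment says) but that each one is a service you are trusting with the host, so it deserves the same update and image-provenance scrutiny as the host itself.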
- Comment on Exposing docker socket to a container 5 months ago:
Mounting the docker socket into Watchtower is fine from a security perspective, but automatic updates can definitely cause problems. I used to use Renovate and it would open a pull request to update the version.
- Comment on Recommendations for a version control system 6 months ago:
Git does have a server component. When git connects to an ssh remote it executes an ssh command that needs to be present.
- Comment on Recommendations for a version control system 6 months ago:
You’re missing GitLab. I’d be looking at GitLab or Forgejo.
But you might not need this. When you access a private Git repository, you’re normally connecting over SSH and authenticating using SSH keys. By default, if you have Git installed on a server you can SSH to and you have a Git repository on that server in a location you can access, you can use that server as a Git remote. You only really want one these services if you want the CI pipelines or collaboration tools.
- Comment on Changes to Bitnami Catalog on August 28th 6 months ago:
The issue says at the bottom that SealedSecrets is unaffected.
- Comment on Home server advice 7 months ago:
At least in the past, if you had a fixed amount of work to complete, underclocking would increase overall power consumption.
- Comment on Got my first script kiddy 7 months ago:
Port scanning isn’t abuse but automatically filing frivolous abuse reports is.
- Comment on PSA: If the first Smart Search in Immich takes a while 7 months ago:
It’s not normal for `- model-cache:/cache` to be deleted on restart or even upgrade. You shouldn’t need to do this.
- Comment on [deleted] 7 months ago:
The server responds with a 404 error. If you’re using a reverse proxy, make sure the reverse proxy rules are right. Does it work when you connect directly?
- Comment on Cloudflare blocking AI crawlers 7 months ago:
It’s relatively easy for Cloudflare to profile clients as being web scrapers. A concerning amount of internet traffic goes through their servers in plain text.