
DeltaTangoLima

@DeltaTangoLima@reddrefuge.com

Just an Aussie tech guy - home automation, ESP gadgets, networking. Also love my camping and 4WDing.

Be a good motherfucker. Peace.


Best Local Smart Lock for Privacy/Security

I’m solidly leaning towards a Schlage Connect Lock due to its local only Zwave capabilities (which has the benefit of also extending battery life). I was strongly considering the Aqara U100 for its many features, but based on what I’ve seen I can foresee it being a nightmare to get working locally with home assistant and the...

DeltaTangoLima (edited)

General rule of thumb for me is, if LPL can't open it in 30 seconds or less, I'm probably safe from most of the fuckwits that live in my area.

DeltaTangoLima

Mullvad is great for outbound VPN, but inbound is a PITA without port forwarding (as you've said). I just host a Wireguard container for inbound connectivity now, and it works flawlessly.

DeltaTangoLima

Yeah, this is why I jumped ship to Immich last year. I was donating to PP, with the understanding that donating users would get access to multi-user features when they happened.

Then they put them behind a paid recurring subscription. For self-hosted users. That move broke all the trust with me.

DeltaTangoLima

This may take us down a bit of a rabbit hole but, generally speaking, it comes down to how you route traffic.

My firewall has an always-on VPN connected to Mullvad. When certain servers (that I specify) connect to the outside, I use routing rules to ensure those connections go via the VPN tunnel. Those routes are only for connectivity to outside (non-LAN) addresses.

At the same time, I host a server inside that accepts incoming Wireguard client VPN connections. Once I'm connected (with my phone) to that server, my phone appears as an internal client. So the routing rules for Mullvad don't apply - the servers are simply responding back to a LAN address.

I hope that explains it a bit better - I'm not aware of your level of networking knowledge, so I'm trying not to over-complicate just yet.

DeltaTangoLima

You do need to be able to reach your public IP to be able to VPN back in. I have a static IP, so no real concerns there. But, even if I didn't, I have a Python script that updates a Route53 DNS record for me in my own domain - a self-hosted dynamic DNS really.

You certainly can run Wireguard server in a docker container - the good folks over at Linuxserver have just the repo for you.

DeltaTangoLima

Yep - they introduced paid subscription tiers and put multi-user support into those:
https://www.photoprism.app/editions#compare

DeltaTangoLima

Don't be a dick, mate. Engage just a little bit of critical thinking before calling people names like that.

By law where I am, our kids aren't allowed to have their phones at school. My daughter's school's policy, then, is that phones are left at the school office.

We want to give our soon-to-be 10yo daughter her first phone later this year (timed with a planned family trip, so it can be her new camera as well). But if she takes it to school and has to leave it at the office, I can guarantee she'll absolutely forget on more than one occasion to pick it up before coming home.

So, her phone will have to stay home. But we're also getting to the point where she can be trusted to let herself in and wait for one of us to get home (like OP, maybe an hour or so). So a presence detection option can't be based on whether the phone has moved into the geo zone in HA.

This is a legitimate question for modern parents. Denigrating OP without knowing or understanding all the facts certainly does shine a light on ignorance at play here. Just not OP's ignorance.

DeltaTangoLima

I've been thinking about exactly the same problem.

We want to give our near-10yo daughter her first phone, but she's not allowed to have it at school. She's also getting to the point where she can be trusted at home for an hour or so before one of us gets home from work, so I also need a presence detection method that doesn't use a mobile phone.

My best theoretical solutions are like those already suggested here: an ESP32 BT proxy detecting a homebrew BLE beacon in her school bag, or detect activity on her iPad/the TV. But neither of those are reliable for all scenarios - she obviously doesn't take her school bag to her friend's house, and doesn't always use her iPad or the TV.

The only other thing I'm pondering is if I could set up facial recognition using our video doorbell. I use Frigate with a Coral TPU, so hoping there's a project out there that could possibly do that.

DeltaTangoLima

I use an ESP32 board as a wifi-based proxy for the BT temp sensors on my barbecue. Works a treat! It's doable in esphome, so easily plugs into HA.

Details here:
https://esphome.io/components/sensor/inkbird_ibsth1_mini.html

‘My whole library is wiped out’: what it means to own movies and TV in the age of streaming services (www.theguardian.com)

What rights do you have to the digital movies, TV shows and music you buy online? That question was on the minds of Telstra TV Box Office customers this month after the company announced it would shut down the service in June. Customers were told that unless they moved over to another service, Fetch, they would no longer be...

DeltaTangoLima

increasingly uncomfortable with paying forever

And paying more and more as time goes on. The thing that shits me the most is the increased prices but decreased range/quality of content. That's clearly not a business model aimed at customer satisfaction.

DeltaTangoLima

Please use a personal email. My email is ‘mail’ @ ‘my actual name’. It does not get more personal than that

It's a legit rule they're enforcing, IMO. Generic email addresses are usually unmonitored mailboxes that don't bounce. Easy to use if you're spamming contact forms and stuff like that.

Instead they advised me (3 times) to create a personal email on a service like Yahoo, Outlook, Gmail, Orange, etc

I think this is more a boilerplate suggestion, to lower the barrier to entry for people. Gotta remember, those of us that host our own email and/or use our own personal domains are definitely in the minority.

DeltaTangoLima

Not really. Here in Australia, our supermarket duopoly does the same thing, offering discounts per litre. At the time it all started, the supermarket chains started buying into/acquiring petrol stations and rebranding them. This has been going on for over 20 years.

Recently, both supermarkets sold off their petrol station chains, but the sales included long-standing agreements to continue to offer discounts and loyalty program points for those that shop at the associated supermarket brand.

DeltaTangoLima

For my wife, I have a separate library folder, mapped to just her account in Plex. It doesn't appear in my library at all, so I don't really care. Even better, I've spun up an Overseerr instance for her, so she can just search and auto-add anything she wants for herself.

DeltaTangoLima

  • Phone: yoda
  • Desktop: bb8
  • Firewall: c3po
  • Switch: macewindu
  • NASes:
    • anakin
    • r2d2
  • Wireless APs:
    • biggs
    • garven
    • poe
    • typho
    • thane
    • wedge (virtual controller)
  • Proxmox nodes:
    • chewy
    • hansolo
    • obiwan
  • Raspberry PIs:
    • bobafett
    • lando
    • jangofett
    • quigon
    • rey
    • finn
DeltaTangoLima (edited)

Not heaps, although I should probably do more than I do. Generally speaking, on Saturday mornings:

  • Between 2am-4am, Watchtower on all my docker hosts pulls updated images for my containers, and notifies me via Slack then, over coffee when I get up:
    • For containers I don't care about, Watchtower auto-updates them as well, at which point I simply check the service is running and purge the old images
    • For mission-critical containers (Pi-hole, Home Assistant, etc), I manually update the containers and verify functionality, before purging old images
  • I then check for updates on my OPNsense firewall, and do a controlled update if required (needs me to jump onto a specific wireless SSID to be able to do so)
  • Finally, my two internet-facing hosts (Nginx reverse proxy and Wireguard VPN server) auto-update their OS and packages using unattended-upgrades, so I test inbound functionality on those

What I still want to do is develop some Ansible playbooks to deploy unattended-upgrades across my fleet (~40ish Debian/docker LXCs). I fear I have some tech debt growing on those hosts, but have fallen into the convenient trap of knowing my internet-facing gear is always up to date, and I can be lazy about the rest.
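As an added example (not the poster's own code), here is the shape such a playbook could take: it installs unattended-upgrades on a group of Debian hosts, limits it to the Debian security origins, disables automatic reboots so containers stay up, and finishes with a dry run so the rollout can be verified. The inventory group name `debian_lxcs` and the Debian 11/12 origin patterns are assumptions.

```yaml
# Added example, not from the original post.
# Assumptions: inventory group "debian_lxcs" of Debian 11/12 hosts reachable over
# SSH with sudo; security-only patching; no automatic reboots (docker hosts).
- name: Deploy unattended-upgrades across Debian LXCs
  hosts: debian_lxcs
  become: true

  tasks:
    - name: Install unattended-upgrades and apt-listchanges
      ansible.builtin.apt:
        name:
          - unattended-upgrades
          - apt-listchanges
        state: present
        update_cache: true
        cache_valid_time: 3600

    - name: Enable the daily package-list refresh and unattended upgrade run
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        owner: root
        group: root
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
          APT::Periodic::AutocleanInterval "7";

    - name: Restrict unattended-upgrades to Debian security origins
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        owner: root
        group: root
        mode: "0644"
        content: |
          // Security updates only; feature upgrades stay a manual, tested step.
          Unattended-Upgrade::Origins-Pattern {
              "origin=Debian,codename=${distro_codename},label=Debian-Security";
              "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
          };
          // Never reboot on its own: containers restart only in a planned window.
          Unattended-Upgrade::Automatic-Reboot "false";
          Unattended-Upgrade::Remove-Unused-Dependencies "true";

    - name: Make sure the apt systemd timers are enabled and running
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: true
        state: started
      loop:
        - apt-daily.timer
        - apt-daily-upgrade.timer

    - name: Dry-run so the configuration can be checked without changing packages
      ansible.builtin.command: unattended-upgrade --dry-run --debug
      register: uu_dry_run
      changed_when: false

    - name: Report what the next real run would upgrade on each host
      ansible.builtin.debug:
        msg: "{{ uu_dry_run.stdout_lines | select('search', 'upgraded') | list }}"
```

Running it with `--check --diff` first shows the config files that would change on each host without touching them.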

DeltaTangoLima

It's not just about data hoarding, though. It's also about a social media company having considerable influence over the messaging seen by a very large part of the voting population.

Yes, it's no different to other social media companies, but with one exception: the company in question is subject to the whims of the Chinese government. Something the US government is clearly fearful of.

DeltaTangoLima

Yep, agreed, but at least the government of the day can try and rein them in with legislation and regulation. Not saying they are (or will), but they'd have the option, if they had the balls to do it.

DeltaTangoLima

It all comes down to what you trust each type of device to do and how you want to handle their traffic.

I have seven VLANs, with each one's traffic being treated very specifically. The subnets for each VLAN route to specific interfaces on a virtualised OPNsense firewall, which is where my traffic handling and policy enforcement takes place.

Also remember VLANs are just plain useful for segregating traffic, particularly broadcast traffic, without having to invest in separate switching/routing for each subnet. Having a single managed switch that limits the broadcast domains for you is a really efficient way to (physically) set up your network.

DeltaTangoLima

Yeah, 100% agree on the client devices. One of my VLANs is for the kids' devices. I don't trust their schools' admins or their shitty BYOD policies, so I just let them access Plex (via Nginx reverse proxy); Pi-hole; and the internet.

DeltaTangoLima

Believe it or not, a Netgear. Specifically this one. I don't have any fibre connected gear (yet!) and 180W of PoE+ was more than enough for my few PoE cameras and WAPs.

DeltaTangoLima

Anything Fry does is just pure gold. I loved his 7 Deadly Sins podcast series.

DeltaTangoLima (edited)

Aaargh! Audible did this to the Stephen King Dark Tower series. Don't get me wrong - Frank Muller did OK in the books he read, but George Guidall (books 1, 5, 6 & 7) has an almost Johnny Cash quality to his voice, that just made his reading really fantastic to listen to.

The free Delta game emulator for iPhones is live on Apple’s App Store (www.theverge.com)

Caveat: It isn't available in the app store in the EU, and is instead only available via the developer's marketplace, AltStore¹. As far as I can tell, this genuinely isn't because of greed, but because of a little detail in Apple's EU rules (possibly wrong):...

DeltaTangoLima

After 10 years on Android, I just switched back. Because I admire Apple's commitment to privacy, and simply don't trust Google any more.

DeltaTangoLima (edited)

I need to use my phone for work, which means I can’t use custom ROMs due to our BYOD policies.

For me, iOS is still by far the better option, especially as I use privacy-respecting apps and services (Firefox, self-hosted Immich, etc).

DeltaTangoLima

I have an always-on Wireguard VPN, and use my Piholes at home. So far, so good!

DeltaTangoLima

Yep - not sure what point you're making, though?

A commercial use is one primarily intended for commercial advantage or monetary compensation

My phone isn't used "primarily for commercial advantage or monetary compensation". It's my own phone that my company reimburses me some of the monthly cost of running, for being able to use it to contact me.

DeltaTangoLima

Yep. I get all that, but that’s not an option with my employer.

I’m comfortable with the separation I have, and iOS is key to part of that satisfaction.

DeltaTangoLima

Jesus - I thought COVID wiped all these twits out already.

DeltaTangoLima

fknlol - like people WFH are working from their bed. I can't think of a more uncomfortable location for me to do my job from. Except the office five days a week of course...

DeltaTangoLima

Adjacent question: is there a compelling reason to run HAOS? I run my HA setup in docker on a Proxmox CT, using Portainer/Watchtower to manage, so genuinely wondering if there would be benefits I'm missing out on.

DeltaTangoLima

Sorry - not sure what you mean? I use HACS in my setup. Are there extra features in HACS when running HAOS?

DeltaTangoLima

Ah, gotcha. Thanks for that.

DeltaTangoLima

Interesting about the backups bit. The functionality's there in the UI to create backups, so kinda weird you can't restore them. Like most docker containers, my HA config sits on a bind mount, and I just back that up nightly.

When you say add-ons, are there specific ones I'm missing out on? I have HACS, and frequently install all manner of integrations and front-end Lovelace add-ons.

DeltaTangoLima

Ah, got it. Thanks - this makes a lot of sense now. Looks like it's so the HAOS Supervisor container can manage all the things that, in theory, I already handle myself with external tools.

Cheers!

DeltaTangoLima

Interesting (kinda) coincidence. I've just switched from Android back to iPhone, after about 10 years away from the platform.

But I use an always-on Wireguard VPN back to my home network, with my DNS set to my Pi-hole servers and my firewall rules blocking access to all external DNS servers, except from my Pi-holes for upstream resolution.

I'm yet to do some p-caps to see what I'm missing in this setup - while I'm confident it did a great job of protecting me from a lot of Google's data-harvesting shenanigans, I'm yet to investigate what I need to do to achieve a similar outcome for my iPhone.

DeltaTangoLima

if you disable “Allow Apps to Request to Track”, it prevents non-Apple apps from tracking entirely cross-site/apps.

Thanks for that - great tip for new players.

DeltaTangoLima (edited)

Are you able to share any additional details about your setup? How are you running HA?

Scratch that - I just realised that you mentioned the Supervisor container, so that kinda tells me how you're running it. I suspect the problem is that both Portainer and the Supervisor container want to maintain a lock of some sort on docker.sock.

But I run HA in its own container, so I don't have any experience with the Supervisor container myself. I do run everything with Portainer though, and I've seen other things that wanted to use docker.sock have problems with it.

DeltaTangoLima

I edited my reply above. Could it be that both want to lock docker.sock?

Looking for a reverse proxy to put any service behind a login for external access.

I host a few docker containers and use nginx proxy manager to access them externally since I like to have access away from home. Most of them have some sort of login system but there are a few examples where there isn't so I currently don't publicly expose them. I would ideally like to be able to use totp for this as well.

DeltaTangoLima

I use Nginx Proxy Manager and Authelia for just this. Authelia supports a wide range of identity and MFA providers.

Edit: although Authelia has an article on how to set it up, I found it still missed some key info. This article was the one that helped me most in getting it to work.

Are you reusing one postgres instance for all services?

I have many services running on my server and about half of them use postgres. As long as I installed them manually I would always create a new database and reuse the same postgres instance for each service, which seems to me quite logical. The least amount of overhead, fast boot, etc....

DeltaTangoLima

I run Proxmox with a few nodes, and each of my services are (usually) dockerized, each running in a Proxmox Linux container.

As I like to keep things segregated as much as possible, I really only have one shared Postgres, for the stuff I don't really care about (i.e. if it goes down, I honestly don't care about the services it takes with it, or the time it'll take me to get them back).

My main Postgres instances are below - there's probably others, but these are the ones I back up religiously, and test the backups frequently.

  1. RADIUS database: for wireless auth
  2. paperless-ngx: document management indexing & data
  3. Immich: because Immich has a very specific set of Postgres requirements
  4. Shared: 2 x Sonarr, 3 x Radarr, 1 x Lidarr, a few others
DeltaTangoLima

I believe they used the middle finger on their right hand, and depressed it on the second (right) button of their mouse.

They could possibly be using their mouse in left-handed mode, which might've meant using the index finger on their left hand to achieve the same action.

Then again, it's possible that they're using their mouse in mirrored, left-handed mode, and they could've used the middle finger on their left hand to depress the primary (left) button of their mouse.

Of course, this only covers hand use of a traditional mouse. I can't speak as to whether OP is using an upright, ergonomic mouse of some sort, or even a stylus and tablet. There's just so many possibilities!

DeltaTangoLima

I think I remember some kids' rhyme about an old lady who swallowed a fly..?

Edit: this one

DeltaTangoLima

If you're starved for RAM, there's nothing wrong with a shared instance, as long as you're aware of the risk of that single instance bringing down multiple services.

I run a three node Proxmox cluster, and two nodes have 80GB RAM each, so my situation is very different to yours. So, I have four Postgres instances:

  1. Mission critical: pretty much my RADIUS database, for wireless auth and not much else (yet)
  2. Important: paperless-ngx, and other similarly important services
  3. Immich: because Immich has a very specific set of Postgres requirements
  4. Meh: 2 x Sonarr, 3 x Radarr, 1 x Lidarr (not fussed if this instance goes down and takes all of those services with it)
DeltaTangoLima

Lol - Immich is one of those stacks that I let Watchtower auto-upgrade. I don't consider it mission critical if it breaks and it takes me a day or so to notice it (all my photos and videos are also backed up using Syncthing).

I've gotten used to just going to the repo if the error message for the container doesn't immediately lead me to the fix.

DeltaTangoLima

Each to their own. Immich devs themselves strongly recommend not relying on Immich as a backup solution.

I don't, therefore I don't consider it critical enough to worry about.

DeltaTangoLima

Hmmm - maybe I should be using "fewer" less times than I should be using "less" fewer times...

¯\_(ツ)_/¯

What is your preferred method for backing up several TB of data?

What storage software could I run to have an archive of my personal files (a couple TB of photos) that doesn't require I keep a full local copy of all the data? I like the idea of a simple and focused tool like Syncthing, but they seem to be angling towards replication....

DeltaTangoLima

Backblaze don't have a POP in my country, unfortunately.
