
Molecular0079

@Molecular0079@lemmy.world


Molecular0079 (edited)

LOL, same. I did a docker-compose pull and restarted, came here to look at the release notes, and almost started panicking whether I omitted some important upgrade steps. Turns out everything upgraded smoothly automatically though.

Molecular0079 ,

No port forwarding though :(

I used to use Mullvad but after they disabled port forwarding I switched over to Proton.

Molecular0079 ,

I love Nextcloud Talk, but my biggest annoyance with it is that text chats don't properly scroll to the bottom when new messages come in.

Molecular0079 ,

I think there were some bad vibes when they got bought by a less than reputable company a while back. I know a lot of people, myself included, switched to Mullvad. I am on Proton now though for the port forwarding.

How do you guys handle reverse proxies in rootless containers?

I've been trying to migrate my services over to rootless Podman containers for a while now and I keep running into weird issues that always make me go back to rootful. This past weekend I almost had it all working until I realized that my reverse proxy (Nginx Proxy Manager) wasn't passing the real source IP of client requests...

Molecular0079 OP ,

Pasta is the default, so I am already using it. It seems like for bridge networks, rootlesskit is always used alongside pasta and that's the source of the problem.

Molecular0079 OP ,

Yeah, I thought about exposing ports on localhost for all my services just to get around this issue as well, but I lose the network separation, which I find incredibly useful. Thanks for chiming in though!

Molecular0079 OP ,

I see! So I am assuming you had to configure Nginx specifically to support this? Problem is I love using Nginx Proxy Manager and I am not sure how to change that to use socket activation. Thanks for the info though!

Man, I often wonder whether I should ditch docker-compose. Problem is there's just so many compose files out there and it's super convenient to use those instead of converting them into systemd unit files every time.

Molecular0079 OP ,

I am guessing you're not running Caddy itself in a container? Otherwise you'll run into the same real IP issue.

Molecular0079 OP ,

I see. And the rest of your services are all exposed on localhost? Hmm, darn, it really looks like there's no way to use user-defined networks.

Molecular0079 OP ,

Interesting solution! Thanks for the info. Seems like Nginx Proxy Manager doesn't support Proxy Protocol. Lmao, the world seems to be constantly pushing me towards Traefik all the time 🤣
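Since the reply above turns on whether the proxy supports Proxy Protocol, here is what the receiving side of that protocol actually does with the header, as an added example that is not code from the thread, from Nginx Proxy Manager or from any of the proxies mentioned. It parses a PROXY protocol v1 line, recovers the real client address from it, and only honours the header when the TCP peer is a trusted upstream, because anyone who can reach the listener directly could otherwise spoof their source address by prepending a PROXY line themselves. The sample request bytes are constructed, and the 10.89.0.0/24 "trusted proxy" range is an assumed Podman bridge subnet, not taken from the thread.

```python
"""PROXY protocol v1 receiver: recover the real client address from a header.

Added example, not code from the thread or from Nginx Proxy Manager. The sample
header is constructed; 10.89.0.0/24 is an assumed Podman bridge subnet.
"""
import ipaddress

MAX_V1_HEADER = 107  # longest valid v1 line including CRLF (HAProxy spec)


class ProxyProtocolError(ValueError):
    """Raised when the header is absent or malformed."""


def parse_proxy_v1(data: bytes):
    """Split a v1 header off the start of `data`.

    Returns (info, payload): info carries proto/src/dst/src_port/dst_port
    (or only proto == "UNKNOWN"), payload is everything after the CRLF.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyProtocolError("no PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ProxyProtocolError("header not CRLF-terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":          # proxy could not determine addresses
        return {"proto": "UNKNOWN"}, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError("malformed header: %r" % data[:end])
    _, proto, src, dst, sport, dport = fields
    addr_cls = ipaddress.IPv4Address if proto == "TCP4" else ipaddress.IPv6Address
    if not (sport.isdigit() and dport.isdigit()):
        raise ProxyProtocolError("ports must be unsigned decimal")
    try:
        src_ip, dst_ip = addr_cls(src), addr_cls(dst)
    except ValueError as exc:
        raise ProxyProtocolError("bad %s address: %s" % (proto, exc)) from None
    src_port, dst_port = int(sport), int(dport)
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyProtocolError("port out of range")
    return {"proto": proto, "src": src_ip, "dst": dst_ip,
            "src_port": src_port, "dst_port": dst_port}, payload


def client_address(peer_ip: str, data: bytes, trusted_proxies):
    """Decide which address to log / rate-limit / allowlist on.

    Only a connection from a trusted proxy may assert a client address via the
    header. From anyone else the socket peer address is kept, so a direct
    client cannot spoof its source by sending a PROXY line itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return peer_ip, data              # any PROXY line here is just bad input
    info, payload = parse_proxy_v1(data)  # a trusted upstream MUST send one
    if info["proto"] == "UNKNOWN":
        return peer_ip, payload           # e.g. a health check from the proxy
    return str(info["src"]), payload


# Constructed sample: what a proxy-protocol-capable reverse proxy sends ahead
# of the client's HTTP request.
SAMPLE = (b"PROXY TCP4 203.0.113.7 198.51.100.20 51234 443\r\n"
          b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
TRUSTED = ["10.89.0.0/24"]  # assumed Podman bridge subnet the proxy lives on

if __name__ == "__main__":
    ip, body = client_address("10.89.0.5", SAMPLE, TRUSTED)
    print("client:", ip, "request:", body.split(b"\r\n", 1)[0].decode())
```

The trust check is the part that matters in a container setup: the backend should list only the proxy's bridge address (or the loopback address, if the proxy publishes on localhost) as a trusted proxy, never the whole world, and a backend that has Proxy Protocol enabled should refuse plain connections from the trusted side rather than silently falling back to the peer address.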

    Molecular0079 ,

    How is this relevant? If an OS performs better on old hardware, it's still an indication that it is more optimized.

    Molecular0079 ,

    All of this is still irrelevant. If given the same hardware, one OS performs better than another, then one OS is obviously more optimized...

    You're saying a lot of words but it all just boils down to "throw more hardware at the problem".

    Molecular0079 ,

    My biggest issue with Syncthing is that it becomes unusable for large amounts of data due to the lack of selective sync (ignore lists are cumbersome as hell) and lack of virtual file system support. I have about 8TB of data on my NAS that I want to access remotely and it is not feasible to have duplicate copies of that much data on all of my devices.

    Molecular0079 ,

    The preloaded spyware OS

    Nowhere in that video did it say this. I am all for DIY NAS and I have an Arch-based one at home, but saying this while implying that that's what the source video you linked said is a bit disingenuous.

    To be honest, nothing about this UGREEN is any different from any of the other off-the-shelf NAS solutions out there like QNAP, Synology, etc. If you don't trust the UGREEN pre-installed OS, you shouldn't trust any of the other ones either. I am not saying you should, but my point is that this is pretty par for the course as far as pre-built NASes go.

    Most companies do not provide support if you install a custom OS. That isn't a sign of vendor lock-in, just a matter of keeping support feasible in the long-term, especially since they're relatively new at this. If you want a custom OS, it is far easier and cheaper to just build your own.

    Molecular0079 ,

    You shouldn't trust ANY brand's pre-installed OS when it comes to your personal data to be honest.

    Molecular0079 ,

    I have zero trust in QNAP. QNAP knowingly sold several NASes with a known clock-drift defect in their Intel J1900 CPUs and then refused to provide any support. A bunch of community members had to figure out how to solder a resistor to temporarily revive their bricked NASes in order to retrieve their data. https://forum.qnap.com/viewtopic.php?t=135089

    I had a TS-453 Pro and my friend had a TS-451. Both mine and his exhibited this issue and refused to boot. After this debacle and the extreme apathy from their support, I vowed to never buy a pre-built NAS.

    Molecular0079 ,

    Man, I have GOT to try TrueNAS Scale one of these days. I see it recommended so often, but I was just too used to a standard Linux ecosystem to bother learning something new. I am assuming it gets you closer to the feel of a pre-built NAS during administration tasks compared to Cockpit and an SSH session lmao.

    I think I am just always afraid of being locked into a specific way of doing things by a vendor. I feel like I would get annoyed if something that I could do easily on standard Linux was harder to do on Truenas Scale.

    Molecular0079 ,

    What are good places to store your encryption keys? I am trying to find solutions that aren't just storing a piece of paper in some safe deposit box.

    Molecular0079 ,

    encrypted file stored on a free tier data storage (many are free for the first year)

    I am confused, aren't you just pushing the problem further up the chain? Now you need to worry about storing the key that decrypts the file storing the key you wanted to protect in the first place.

    Same goes with tarsnap, now you need to worry about where to store the tarsnap keys.

    Molecular0079 ,

    I use podman with the podman-docker compatibility layer and native docker-compose. Podman + podman-docker is a drop-in replacement for actual docker. You can run all the regular docker commands and it will work. If you run it as rootful, it behaves in exactly the same way. Docker-compose will work right on top of it.

    I prefer this over native Docker because I get the best of both worlds. All the tutorials and guides for Docker work just fine, but at the same time I can explore Podman's rootless containers. Plus I enjoy its integration with Cockpit.

    Molecular0079 ,

    I mean, I don't think I would mind forced updates if they didn't take so damned long and fail half the time. And then, just when you think you've finished installing all updates, you reboot and there's more updates! Why can't they just install it all at once?

    Plus, after each major update, Microsoft wastes your time by advertising to you about Edge, Office 365, and OneDrive before they even let you get back into the desktop.

    Forced security updates are addressing a symptom but not addressing the root cause, which is that the Windows update process is just painful for a myriad of reasons. In Linux, I run one command, wait 5 minutes, reboot, and I am back to work.

    Molecular0079 ,

    There is occasional weirdness if you don't powercycle though. In particular, certain KDE updates will make the desktop misbehave until you reboot. I get where you're coming from though. Quick updates and the ability to decide when you want to restart means that I have no qualms about updating frequently.

    I am on Arch too and pacman -Syu is usually a snack I have with my morning tea.

    Molecular0079 ,

    I legitimately haven’t had a windows update take more than 5 minutes during the reboot phase for years.

    I wasn't just talking about the reboot phase...

    Downloading gigabytes worth of updates, waiting for them to install, rebooting, seeing more updates, rebooting again takes WAY more than 5 minutes.

    Molecular0079 ,

    Problem with this is that it's really hard to figure out whether some update to some minor library is going to affect an application. Sometimes you don't even know which applications are using that library.

    Molecular0079 ,

    The longest update I’ve had took about 15 minutes.

    Asking someone to take 15 minutes out of their work time to do updates is exactly why people DON'T want to update. Even 15 minutes is insane. That's a whole standup meeting, that's a whole presentation, that's work disruption for a bunch of people.

    Linux updates in a minute. That's the kind of performance we SHOULD be expecting in the modern age and that Microsoft refuses to deliver.

    Molecular0079 ,

    I am guessing you run your computer all the time instead of putting it to sleep, because it's never a process that completes transparently in the background for me. It will always build up and then I have to go in and manually trigger it. Or I have to restart because I installed a new application that requires it and then it decides to do them all at once and takes forever.

    Molecular0079 ,

    Most updates on my system are handled overnight, outside the active hours I’ve set in the settings.

    Not everyone leaves their computer on draining power. I always put it to sleep when I am not using it. If your argument is that, yeah updates aren't a problem, you just let your computer run and chew on it for a long time, that's still a problem...

    Molecular0079 ,

    is a YOU problem.

    Wtf is this crap? How is it MY problem when other OSes do a much better job with the update process? You talk about 15 minutes or leaving updates running overnight as if that's decent. I can do a Linux update within 2 minutes and get my system back up by minute 3. That's the kind of performance I am expecting and I don't even need a super fast NVMe drive to do it.

    The fact that you're okay with putting up with Windows' comparatively slow update speed and then have to make excuses for it by saying that the USER needs to constantly baby it or waste power by leaving it on overnight is honestly hilarious. To be quite frank, you just don't know how updates could be better because you're just used to what Windows has always offered you.

    Don't put the blame on users for a problem that Microsoft can definitely solve but never does.

    Molecular0079 ,

    I turn off modern standby. I don't want my computer turning on when I am not around or when I am asleep. For laptops, modern standby is famous for turning them on while they're in your laptop bag, causing overheating and battery drainage.

    I think if an update process is annoying enough to require something like Modern Standby in order to be "seamless", it needs to be improved.

    Molecular0079 ,

    Settings and internet are fine. I dunno what to tell you. Very frequently Windows Update shows its head, like I'll randomly want to restart my computer because I installed a piece of software that required it, and then it kicks off a long round of updates when I just want to use my computer.

    I still think having to leave it on and let it run in the background is still just addressing the symptoms. An update process should be way faster than that so that such a thing isn't needed.

    Molecular0079 ,

    Not true. Cumulative updates also take a while, so do the .NET runtimes. Maybe you have a system with a super fast NVMe drive and a new CPU so you don't realize it, but other OSes can do much more with much less powerful hardware.

    PSA: Docker nukes your firewall rules and replaces them with its own.

    I use nftables to set my firewall rules. I typically manually configure the rules myself. Recently, I just happened to dump the ruleset, and, much to my surprise, my config was gone, and it was replaced with an enormous amount of extremely cryptic firewall rules. After a quick examination of the rules, I found that it was...

    Molecular0079 ,

    If you use firewalld, both docker and podman apply rules in a special zone separate from your main one.

    That being said, podman is great. Podman in rootful mode, along with podman-docker and docker-compose, is basically a drop-in replacement for Docker.

    Molecular0079 ,

    podman-compose is different from docker-compose. It runs your containers in rootless mode. This may break certain containers if configured incorrectly. This is why I suggested podman-docker, which allows podman to emulate docker, and the native docker-compose tool. Then you use sudo docker-compose to run your compose files in rootful mode.

    Molecular0079 ,

    It isn't that much better. I use it as drop-in docker replacement. It's better integrated with things like cockpit though and the idea is that it's easier to eventually migrate to rootless if you're already in the podman ecosystem.

    Molecular0079 ,

    I am using it as a migration tool tbh. I am trying to get to rootless, but some of the stuff I host just doesn't work well in rootless yet, so I use rootful for those containers. Meanwhile, I am using rootless for dev purposes or when testing out new services that I am unsure about.

    Podman also has good integration into Cockpit, which is nice for monitoring purposes.

    Molecular0079 ,

    Your containers show up in Cockpit under the "Podman containers" section and you can view logs, type commands into their consoles, etc. You can even start up containers, manage images, etc.

    Are there any tutorials on how to do this from Cockpit?

    I have not done this personally, but I would assume you need to create a bridge device in Network Manager or via Cockpit and then tell your VM to use that. Keep in mind, bridge devices only work over Ethernet.

    Molecular0079 ,

    Cockpit definitely has the ability to create bridge devices. I haven't found a tutorial specifically for cockpit, but you can follow something like this and apply the same principles to the "Add Bridge" dialog in Cockpit's network settings.

    Molecular0079 ,

    God, it's like they don't want RCS to succeed.

    Molecular0079 ,

    Not OP, but I've been looking into Cloudflare tunnels on my end as well and ended up not going with them because you're forced to use their own certs so they can decrypt and see the data. I mean most likely they aren't doing anything untoward, but it's still a consideration with regards to data privacy.

    Molecular0079 ,

    I was thinking the same thing regarding VPS and Wireguard. I use Wireguard personally to VPN into my home network for remote management, but I still haven't looked up how to make a VPS as a proxy using it. I know they can join the same network and talk with each other but what's the best way to route port 80 and 443 on the VPS to my server at home? Iptables?

    Molecular0079 ,

    Thanks! Yeah, I am already using an nginx reverse proxy in a docker container to expose my other docker containers, so I was thinking two reverse proxies in a row might be too inefficient. Will definitely look into nftables. nftables rules are temporary though, right? What's the correct way to automate running these rules on boot?
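One way to do the VPS-side forwarding the comment above asks about, as an added example that is not from the thread: an nftables ruleset that DNATs ports 80 and 443 arriving on the VPS's public interface to the home server's WireGuard address, and the persistence mechanism for it. The interface names (eth0, wg0) and tunnel addresses (10.0.0.1 for the VPS, 10.0.0.2 for the home server) are assumptions; substitute your own. It needs IP forwarding enabled on the VPS (net.ipv4.ip_forward = 1, e.g. in a file under /etc/sysctl.d/).

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): forward 80/443 from a VPS to a home
# server over WireGuard. Assumed names: WAN interface eth0, tunnel interface
# wg0, VPS tunnel address 10.0.0.1, home server tunnel address 10.0.0.2.

define WAN    = eth0
define WG     = wg0
define VPS_WG = 10.0.0.1
define HOME   = 10.0.0.2
define PORTS  = { 80, 443 }

# Create, then flush, only this table. A bare "flush ruleset" would also wipe
# whatever Docker/Podman installed (the PSA elsewhere on this page), and they
# would not put it back until restarted.
table ip wgproxy
flush table ip wgproxy

table ip wgproxy {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN tcp dport $PORTS dnat to $HOME
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Rewrite the source so the home server's replies come back through
        # the tunnel even though its default route is not the VPS. The cost is
        # the thread's recurring problem: the home side now sees $VPS_WG
        # instead of the real client address.
        oifname $WG ip daddr $HOME tcp dport $PORTS snat to $VPS_WG
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $WAN oifname $WG ip daddr $HOME tcp dport $PORTS ct state new accept
    }
}
```

On persistence: rules loaded with `nft -f` are indeed gone after a reboot. Both Arch and Debian ship an `nftables.service` with the nftables package that loads `/etc/nftables.conf` at boot, so save the file there and run `systemctl enable --now nftables`. Two caveats: the forward chain's drop policy applies to everything the VPS forwards, so if it also routes between other WireGuard peers, add explicit accept rules for that traffic; and if keeping the real client IP matters, either drop the `snat` rule and add a policy route on the home server that sends replies for these connections back via wg0, or terminate TLS on the VPS and pass the address along with Proxy Protocol or X-Forwarded-For.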

    Molecular0079 ,

    And also Firefox on mobile is kind of a hot mess. Videos regularly are unable to play and dark mode is wonky until you restart the app.

    Molecular0079 ,

    I have auto dark mode during night time. In the morning, my phone will switch to light mode, but parts of the Firefox UI do not. It will be half in and out of dark mode. Bottom toolbar will be dark, but the top bar (notifications, battery, etc.) will be white text against white background. In the mornings, YouTube videos frequently won't play until I restart the app.

    Molecular0079 ,

    It does have a bottom toolbar and was configured like that by default before. They must have changed the default some time ago.

    System UI is just standard Google Pixel UI and it reacts to apps signaling to it what color theme it's in. Firefox just isn't signaling it correctly. It also should be reacting normally to dark mode toggle but it doesn't because the main Fx toolbar doesn't change to light mode in the mornings. No other app has this issue.

    Molecular0079 ,

    The reader itself leaves a lot to be desired though. There's literally no UI besides the arrow keys and no way to configure font rendering etc. It's cool that the functionality is there, but it needs work.

    Molecular0079 ,

    My DIY NAS runs Arch

    • LTS kernel
    • BTRFS snapshots on root fs
    • 4 drive NVMe array using ZFS raidz1
    • podman for my docker containers

    It's been working fantastically so far.

    Molecular0079 ,

    I run Nextcloud and two Jellyfin instances behind Nginx Proxy Manager. I also run a Palworld server. All of them are running under podman. I do use cockpit for checking container status, logs, and viewing the console for each container. I also use docker-compose to create all of my containers (using podman-docker of course). Unfortunately, all of them are running rootful instead of rootless, mostly because most proxies require root and setting things up for rootless like enabling low ports for regular users and allowing processes to run after logout are a pain in the ass.
