
lemmyvore

@lemmyvore@feddit.nl


How do I setup my own FOSS shopping website for my business?

Hello, I don't have much experience in self-hosting, I'm buying a ProtonVPN subscription and would like to port forward. I have like no experience in self-hosting but a good amount in Linux. I'm planning on using Proxmox VE with a YunoHost VM. I already have a domain name from Njalla. I'm setting up a website for my computer...

lemmyvore ,

LOL, getting GPT to write code for the most unholy combination of the worst the blog and e-commerce have to offer, that should work well.

lemmyvore ,

The IBM-PC predates that campaign by almost two decades. PC was firmly associated with Microsoft Windows by the time the ad campaign ran in the late 2000s. I don't think the ads even mention Windows, they just say "PC".

lemmyvore ,

They're just desperate to curb botting. They've also started to reduce the amount of things you can do as a user who hasn't verified their phone number for this reason. (Also so they can cross-track you on Amazon but that's pure bonus.)

lemmyvore , (edited )

Install Tailscale on the remote server and leave it up. Whenever you need to connect to it launch Tailscale on another device that you have access to, and you'll be able to connect to the remote server at its Tailscale IP.

Tailscale consists of a config tool called tailscale and a daemon called tailscaled. The daemon needs to be up for connectivity, and it will raise a network interface called tailscale0 when it works. To connect/disconnect from the tailnet you say tailscale up or down. This is independent of whether the daemon runs or not – that's a separate issue that's usually dealt with by systemd or whatever service manager you use.

Tailscale doesn't need public IPs because all the clients connect outward to a pairing server, which uses STUN to negotiate direct connections between the nodes. The connection keys always stay with each client machine, the established connections cannot be snooped by Tailscale, and the clients are FOSS to make sure of that.

If by any chance the ISP of any node does aggressive UDP filtering, STUN may not work and result in connections being relayed through a network of so-called DERP servers maintained by Tailscale. These servers are reduced in number and locations so relayed connections will be bandwidth- and latency-limited. If STUN succeeds you'll only be limited by each node's internet connection.

Tailscale can provide DNS names for the enrolled nodes if you want, but you can also assign fixed IPs to each node in the range 100.64.0.0/10. I'm not a huge fan of the provided DNS because it's a bit invasive (works by replacing /etc/resolv.conf temporarily with a version that resolves via 100.100.100.100 on the tailnet, and integrating it with local DNS can be a chore as you can imagine). There's an option for tailscale nodes to not accept this DNS.

Make sure that services on the remote server that you want to access via Tailnet (also) bind to the Tailscale IP (or to 0.0.0.0).

Should you mess up, so long as the Tailscale client is still up on the remote server and it has an internet connection you can still reach it by enabling the Tailscale "fake" ssh service, which works through the tailscale client rather than a real ssh daemon. But please read up on what it involves to have this fake ssh access available (you don't want to have to issue a command on the remote server to enable it).

lemmyvore ,

You can't reach a Tailscale device from the internet the way you're trying because their IPs are from private ranges reserved for CGNAT use. They're not routable on public internet.

What you want is called Tailscale Funnel but it uses their domain (.ts.net) not yours.

You can also try using a Cloudflare Tunnel but they force you to host your DNS server with them.

Both Tailscale and Cloudflare will be decrypting and re-encrypting your HTTPS traffic so please note that.

lemmyvore ,

Subnets seem to work for me with 1.62.0 docker image. In what way were they broken?

lemmyvore ,

An administration that was really looking to liberate itself of proprietary software and develop a sustainable policy would analyze its needs and look for software that matches them, not shape its needs around the proprietary software it's already using.

If you start by thinking "what software does things exactly the same as this one I'm using" of course you'll never move on. Microsoft obfuscates their software on purpose so you can never find 100% compatible stuff.

lemmyvore ,

Unfortunately the ISO certification process for office document formats was subverted by Microsoft to require their OOXML formats instead of the ODF (Open Document Format) that was being prepared for this role. And then they continued by not implementing the certified format correctly in Office anyway.

As a result it's virtually impossible for any law-abiding, taxpayer-answering government to argue for adopting ODF over OOXML.

It's also impossible to find any other software that supports existing documents, because Microsoft introduces differences from the spec on purpose and any software that tries to stick to the official OOXML format can't process them 100% correctly.

Any government that wants to wean itself off Microsoft documents would have to first conduct an investigation, explain why ODF is the better format, demonstrate that Microsoft doesn't follow their own spec, then accept the fact they're gonna partially lose their existing documents if they move away, and only then they'd be able to start the process of looking for ODF-supporting software and companies, and convert their docs and processes.

lemmyvore ,

Have a look at "pattern rewrites" too if you use lots of aliases. It's sort of like catch-all aliases with wildcards.

lemmyvore ,

Manjaro offers a stable branch, pamac, upgrade snapshots, package manager, kernel manager, driver manager, and is optimized for LTS kernels. It takes a lot of the edge off Arch.

If that's not something you need that's fine. Some of us do.

lemmyvore ,

They avoid releasing packages with outstanding bugs. So at least there's that.

As for AUR... it's really not a standard for stability in any shape or form. Heck, if AUR packages really didn't work on Manjaro that would definitely improve its stability. 😄

But that's really not proven (that they don't work). All the ones I tried worked fine. YMMV. A third of AUR packages are abandoned or have never been updated after being added. There is no quality bar beyond "some random person decided to add a package". I really don't think we should use the AUR as proof of anything.

lemmyvore ,

When Verge tested the EQS in September these turquoise lights weren't road-legal yet. It's been proposed as a standard by the SAE but each jurisdiction will have to approve it individually.

lemmyvore ,

40 mph top speed on approved roads in 2 states only if a car is in front of you in the daytime is entirely useless.

It's specifically designed to navigate traffic congestion, which happens under 30 mph. It can keep up with the lane, deal with lane changes, honk if someone backs into you, let ambulances through, things like that. Not sure why the article presents it as generic driving.

lemmyvore ,

You should never be expected to edit anything in /usr, /opt or /var. That's highly unusual. For which software did you have to do this?

lemmyvore ,

Hardware decoding is the whole point. Hardware support is notorious for lagging greatly behind software. Desktop support is not great either right now. It makes you wonder what Google's reason is, they have to be aware that most people won't be able to use it properly.

lemmyvore ,

Let me save you some time, it doesn't. I have no idea what Google is thinking, very few phones have it right now.

lemmyvore ,

...massively better for whom? I mean I understand if they start using it and offering it to devices that support it. But if they push something that needs software decoding when there are other formats that have hardware support it's going to be a shit fest.

Right now AVC (H264) has hardware 4k support and HEVC (H265) has hardware 2k, while AV1 only has 1080p software. What's the point of offering AV1 4k?

lemmyvore ,

They've delivered the VLC software decoder over-the-air to all devices with Android 12 which enables them to do 720p. Some Android 11 devices may have come with an older software decoder and may be able to do 1080p. Either way, software-decoding AV1 is gonna suck even with the new decoder.

Hardware support is present starting with Exynos 2xxx, Snapdragon 8 gen 2, and Dimensity 1xxx, 8xxx and 9xxx.

Here's a gsmarena filter, you can further refine it to restrict to recent years, by brand etc.:

https://gsmarena.com/search.php3?sAvailabilities=1&sChipset=125,116,118,84,126,117,108,128,129,112,130,131,110,113,98,99,121,69

lemmyvore ,

None of that is going to benefit you if your phone barfs its guts trying to decode it. Until you get a phone with hardware support it's going to be purely theoretical. And if Google forces you to decode 720p AV1 in software when you have a perfectly good AVC and HEVC hardware decoder just sitting there, it is going to be downright stupid.

lemmyvore ,

There's a core tenet in EU consumer protection law that if clauses aren't clear enough to understand by laymen, they can be challenged.

lemmyvore ,

Well yeah but you guys are already used to paying data collection agencies for protection just so you can have some basic quality of privacy (like not getting sales calls or having your identity stolen).

I imagine that paying a tech giant for it is just the logical next step.

If Apple came out with a paid service that said "I'll make sure those other companies don't have your data" it would sell like hotcakes and nobody would think twice about the irony.

lemmyvore ,

By this same logic I take it you'd be ok with the day care saying "you can pay with your money or we can use your kid for manual labor"?

lemmyvore ,

Lol, from an Ars comment:

Discord finally has working search

lemmyvore ,

Can Immich show external libraries separately or does it mix all the photos together?

lemmyvore ,

Uff that's a bit of a deal breaker.

I've tried Immich before and it's fine for uploaded photos because it detects it's the same photo even if you rename it. But as long as it doesn't do that for photos from external libraries I can't trust to put anything into its albums. And if I can't use its albums to organize and everything is dumped into one big pile it's a show stopper.

The only workaround I can think of would be to make multiple users and load different external libraries to different users, but it's not a great solution. The mobile app doesn't support multiple users anyway, I'd have to logout and login all the time.

lemmyvore ,

Thanks anyway but until Immich can deduplicate photos from libraries it's a no-go for me. If I move or rename photos on folders I would lose album association as it is now.

lemmyvore ,

Over here we use bar codes and QR codes exclusively and they deliver them through whatever method you want — PDF or image in email, text message, download PDF, you can even take a screenshot of the web page after you're done paying if you want.

Which I've done many times (the screenshot thing) esp for things like movie tickets where I don't bother with creating an account because I don't go that often. I look up the movie or event, pick the seats, pay, take a screenshot of the QR code, send it to whoever's going on Whatsapp, done.

I'm not sure I understand what the problem is. The venue already got their money. Either someone will show up to redeem the seat or they won't, they don't care either way. And it's trivial to make sure the codes can't be faked and that only the first scanned code gets in.

The fact there's no way to check you're not getting scammed has actually led to an almost total disappearance of scalping. The only resales happen only through friends or friend of a friend sort of thing.

Every once in a while there's some organizer who thinks they're smart and issues paper tickets, and those are pretty much the only times you see tickets scalped online or outside the venue the night of the concert.

lemmyvore ,

I'm using scalping with the obvious definition of gouging profit.

I'm saying scalping is enabled by making tickets hard to counterfeit. You can't criminalize the act of reselling itself but you can deter it by making it inherently untrustworthy. Reselling should be possible, but it needs to stop short of getting out of hand.

When you create a trustworthy ticket resell market you're basically creating a hotbed of scalping. If people can reliably find clients for ever-increasing ticket prices, then ticket prices will keep going up. That's exactly what Ticket Nation & friends have done, and they profit by taking a fat percentage.

lemmyvore ,

circular dependency

What's in /etc/resolv.conf inside the dns container?

What's the upstream dns for the dns servers in the dns container?

lemmyvore ,

OK yeah, that might be a problem. You want to set the dns in the dnsmasq so it can resolve stuff upstream (probably with DoT or DoH), and the dns in pihole to the IP of dnsmasq. Look into the "dns", "dns_search" and "dns_opt" compose directives.

You may also want to consider simplifying your stack by using only dnsmasq or only pihole. Both of them can do pretty much the same things if you add some plugins.

I'm using dnsmasq as lan dns server with DoH upstream as well as dhcp server. The dnsmasq is advertising itself as dns to all the dhcp clients. Also it runs on the router which allows it to hijack port 53 so any client attempting to do clear dns elsewhere ends up going through dnsmasq anyway. It also has an adblock plugin.

lemmyvore ,

CalenGoo? It doesn't look amazing out of the box but it's very customizable. It can do events and tasks (aka todo or reminders).

lemmyvore ,

Not necessarily, there are lots of completely passive beacon technologies. I seem to remember reading a few years ago about beacons powered by Wifi signals.

Obviously you also need other phones to be able to pick up those signals so it might take until phones with Android 15 become commonplace which might take a while. But it's definitely doable.

lemmyvore ,

Thieves simply use tinfoil to block all signals. They have pockets and bags lined with tinfoil, they don't bother turning anything off.

Could still work against opportunity theft.

lemmyvore ,

If you control the software stack at both ends you may want to consider Chisel which is a HTTP tunnel for TCP and UDP.

The connections would go SSH client > Chisel client > HTTP reverse proxy > Chisel server > SSH server. The Chisel elements speak HTTP to each other so that segment between them can be routed by domain.

Chisel can also do its own encryption so you can use HTTP and avoid the HTTPS-specific issues about extracting the domain name from the HTTPS connection.

what will be my next server operating system (Fedora Server, Fedora CoreOS, NixOS), your experience and opinion

I want to reset my server soon and I'm toying with the idea of using a different operating system. I am currently using Ubuntu Server LTS. However, I have been toying with the idea of using Fedora Server (I use Fedora on my laptop and made good experiences with it) or even Fedora CoreOS. I also recently installed NixOS on my...

lemmyvore ,

Just that compiling packages on a server is not ideal.

lemmyvore ,

Are all those packages available in binary format? Not familiar with Nix but that's certainly not the case for Arch. Arch has 85k packages in the AUR as source recipes but not as binaries.

I still think Debian makes a better use case for a server since it provides everything as binaries.

If you're going to use binaries what's the point of using Nix anyway? The declarative aspect is nice in an abstract sort of way but you can achieve a system deploy or restore just as fast by installing a vanilla system and a few config files.

lemmyvore ,

If the proxy gets compromised it will have access to the services whether it's in a DMZ or VLAN or whatever. I'm unclear on what scenario you are trying to prevent or mitigate.

If the proxy has a remote exploit and it's publicly exposed you're screwed anyway.

Put it behind an encrypted authenticated tunnel if you're worried about this i.e. not publicly exposed. Or expose it and keep up with the security fixes.

Also not sure what you mean when you say your current proxy is a "bouncer" and that it "could" expose your services if something goes wrong. Isn't that its job, to expose them? Is it doing any authentication right now?

lemmyvore ,

It's not an odd question, actually it's a very good question.

Many people don't realize that "internal" services are just as exposed as "external" ones. That's because a reverse proxy doesn't care about domain name resolution, it receives the domain name as an HTTP header and anybody can put anything in there. So as long as an attacker can guess your "private" naming scheme and put a correct domain name in their request, they can use your port forward to reach "private" services. All it takes is for that domain name to be defined in your reverse proxy.

In order to be safe you should be adding allow/deny rules to each proxy host to only allow LAN IPs to access the private hosts (and also exclude the internal IP of the router that's doing the forward, if your router isn't doing masquerading to show up as the remote IP of the visitor).

Whether the proxies are one or two doesn't help in any way, they just forward anything that's given to them. If you want security you have to add IP allow/deny rules or some actual authentication.
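An added illustration of the point made in this comment (not code from the thread or from any particular proxy): a minimal Host-header router in Python, first routing on the Host value alone and then with the per-host LAN allow rule described above. The vhost table, backend addresses, the 192.168.1.0/24 LAN, the router address 192.168.1.1 and the sample request are all constructed for the example.

```python
# Added example: why Host-based routing alone does not protect "private"
# vhosts, and the source-IP allow/deny rule that does.
import ipaddress

# Constructed vhost table: one public site, one service assumed to be
# reachable only from the LAN because its name is never published.
VHOSTS = {
    "blog.example.com": {"backend": "10.0.0.10:8080", "private": False},
    "nas.home.example.com": {"backend": "10.0.0.20:5000", "private": True},
}

LAN = ipaddress.ip_network("192.168.1.0/24")
# If the router masquerades forwarded traffic, every internet visitor shows
# up with the router's LAN address, so that address must be denied on its own.
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")


def host_header(raw_request):
    """Return the Host header (lowercased, port stripped) of a raw HTTP/1.1
    request, or None when the header is absent. Header names are matched
    case-insensitively, as a real proxy would."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None


def route_weak(host, client_ip):
    """Route on the Host value only: whoever guesses the name reaches the
    backend, regardless of where the connection came from."""
    entry = VHOSTS.get(host)
    return entry["backend"] if entry else None


def route_hardened(host, client_ip):
    """Same lookup, but private vhosts additionally require a LAN source
    address and reject the router's own address (masquerading case)."""
    entry = VHOSTS.get(host)
    if entry is None:
        return None
    if entry["private"]:
        ip = ipaddress.ip_address(client_ip)
        if ip not in LAN or ip == ROUTER_LAN_IP:
            return None  # a real proxy would answer 403 here
    return entry["backend"]


# Constructed request arriving through the port forward from an internet
# address (203.0.113.7) but carrying the private name in its Host header.
FORGED = (b"GET /admin HTTP/1.1\r\n"
          b"Host: nas.home.example.com\r\n"
          b"User-Agent: curl/8.0\r\n\r\n")
```

Run the weak router on FORGED with the internet source address and it hands back the NAS backend; the hardened router returns None for the same request and only serves it to a 192.168.1.x client other than the router.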

lemmyvore ,

Oh yes, if they're completely separate and the internal proxy can't be reached from port forward that's fine.

I was stuck thinking about two chained proxies for some reason.

lemmyvore ,

maybe some browsers interpret a bare hostname without protocol specifier as an http address, and some as an https address.

And if you have a browser that does the former I would suggest finding a better one soon. The internet is moving away from unencrypted HTTP, a browser that doesn't default to HTTPS nowadays is pretty strange.

lemmyvore ,

It redirects me to the https site too, but https://txdmv.gov shows a different site than https://www.txdmv.gov? Lol, what is going on.

Looking for the Perfect USB Flash Drive

I've been using some cheap flash drives for things like installing OSs and the like, but now I've picked up a Dell Wyse 3040 system to play with which only has 8gb of storage. So I'm installing the OS onto a flash drive permanently (don't worry, just for messing with, nothing of value will be lost if/when the drive craps out)....

lemmyvore ,

Check the chipset maker. If it's JMicro that's the problem, they suck. Look for something with Realtek or Asmedia chipset.

lemmyvore ,

The enclosure chipset.

lemmyvore ,

Tailscale [...] install the client, have the users sign in, and then add them to your tailnet

You can just have them pass you the device enrollment links and add their devices to your tailnet. That way nobody else has to make an account.

lemmyvore ,

I hope that your router has a good amount of storage if it's an embedded router because the Tailscale binaries are rather large. Last time I tried I had to run the tailscaled binary through a compactor, and I ran the tailscale client only for the setup and then deleted it (the daemon doesn't need it in order to run).
