
tofubl

@tofubl@discuss.tchncs.de


tofubl ,

It's that, plus "notifications can disrupt your sleep."

“A much greater issue [than the blue light] is likely to be the content viewed,” says Peirson. “Reading work emails relating to impending deadlines is clearly going to cause anxiety, and anxiety is strongly related to insomnia.”

tofubl ,

Gimp might be able to perform that little logo-transformation favour for you libre of charge, but at least give it a call after for heaven's sake.

tofubl ,

Gimp believes in you and loves you in a non-clingy way.

tofubl ,

Storage box is self-serviced storage on a single server, as far as I'm aware. If you need replication, you need to rent storage at a second location and do it yourself.

tofubl ,

I have a Raspberry Pi 3 with a Hifiberry DAC running OSMC (nicely packaged Kodi on top of Debian) acting as my media center and recently installed Jellycon with the hopes of being able to use server side transcoding for a few formats my old TV doesn't support.

My verdict: Menu navigation is slow, but it's a native Kodi integration (supports widgets) and playback works great once you've made your way through the menus. You can selectively set transcoding options per file type, which is exactly what I needed.

Best solution I've seen so far, as it also does IR remote passthrough over HDMI if your TV supports it. The addon works in any Kodi setup of course. I think there might be a way to start playback from the Jellyfin web UI but haven't bothered with it. This would fully remedy the menu slowness, I think.

tofubl ,

Is that a way of saying you think he's wrong?

I thought the book had an interesting core idea, even if his grasp on technology seems rather loose and I really disliked the literary device he used to explain said idea.

What's your take on it?

tofubl ,

Hm, interesting. I didn't read it like that, but as an economist trying to make sense of what's going on and explain it to others. I didn't question whether the thoughts are original, neither do I know if there are holes in his concepts that I as a non-economist am blind to. My personal opinion, anyway, is that the message is important today (or better yet 15 years ago but nobody would have listened 😉), no matter whether he is primarily motivated by his ego or what.

Maybe this makes me part of the people he caters to, but that line of thinking doesn't lead anywhere meaningful anyway, I think.

I liked the end of the book: A call to action for us to come up with tools and technological solutions for "users" to stand together so we can create resistance against overly powerful corporations and demand our rights. I don't think it's hypocritical for him to ask for this either. We need people to point problems out and problem solvers, both.

Have you read more of what he wrote, or how did you come by that opinion on him? Technofeudalism and a number of interviews leading up to the book release were the first I was exposed to him.

tofubl ,

By god, lemmy is civilised. 😂 I love it.

I can see what you mean, too, but am still on the liking him side I guess. And anyway, l'art pour l'art and all that, right? 😅

tofubl ,

And I'm sure the fish he caught that one time really was YEA big. And boy the fight he gave him.

tofubl ,

I strongly disagree with this statement. Just because it's hard to do doesn't mean it isn't what you rationally decide you want to do. The reason for staying and the reason for leaving are orthogonal to one another or else there wouldn't be a conflict. Compare to substance addiction: You decide you want to stop, but you need.

tofubl ,

Have your parents and siblings changed their everything as well? That's how I would try to find someone I went to school with.

tofubl OP ,

One proxy with two NICs downstream? Does that solve the "single point of failure" risk or am I being overly cautious?

Plus, the internal and external services are running on the same box. Is that where my real problem lies?

tofubl OP ,

The services run on a separate box; yet to be decided on which VLAN I put it. I was not planning to have it in the DMZ but to create ingress firewall rules from the DMZ.

tofubl OP ,

Right, I could have been more precise. I'm talking about security risk, not resilience or uptime.

"It’ll probably be the most secure component in your stack." That is a fair point.

So, one port-forward to the proxy, and the proxy reaching into both VLANs as required, is what you're saying. Thanks for the help!

tofubl OP ,

Right, I agree with proxy exploit means compromised either way. Thanks for your reply.

I am trying to prevent the case where internal services that I don't otherwise have a need to lock down very thoroughly might get publicly exposed. I take it it's an odd question?

Re "bouncer": Expose some services publicly, not others, discriminated by host with public dns (service1.example.com) or internal dns (service2.home.example.com), is what I think I meant by it. Hence my question about one proxy for internal and one public, or one that does both.

tofubl OP , (edited )

This is exactly the type of answer I was looking for. Thanks a bunch.

So, in that way, having a proxy on the LAN that knows about internal services, and another proxy that is exposed publicly but is only aware of public services, does help by reducing firewall rule complexity. Would you say that statement is correct?

tofubl OP ,

I never specified, I think, and probably wasn't too clear on it myself. Thanks for your insights, I'll try to take them to my configuration now.

tofubl OP ,

This is a good hint, I'm going to take a look at that. Thank you!

tofubl OP ,

Haha, why do I even ask.

tofubl OP ,

The answer seems to always be "not segmented enough". ;)

tofubl ,

selfh.st

selfh.st is an independent publication created and curated by Ethan Sholly. [...] selfh.st draws inspiration from a number of sources including reddit's r/selfhosted subreddit, the Awesome-Selfhosted project on GitHub, and the / communities on Mastodon.

and also

This Week in Self-Hosted is sponsored by Tailscale, trusted by homelab hobbyists and 4,000+ companies. Check out how businesses use Tailscale to manage remote access to k8s and more.

awesome-selfhosted.net

This list is under the Creative Commons Attribution-ShareAlike 3.0 Unported License. Terms of the license are summarized here. The list of authors can be found in the AUTHORS file. Copyright © 2015-2024, the awesome-selfhosted community

tofubl ,

Here's the docker stats of my Nextcloud containers (5 users, ~200GB data and a bunch of apps installed):

https://discuss.tchncs.de/pictrs/image/bf157029-ddd1-4e77-b576-748e06cf9df4.png

No DB wiz by a long shot, but my guess is that most of that 125MB is actual data. Other Postgres containers for smaller apps run 30-40MB. Plus the container separation makes it so much easier to stick to a good backup strategy. Wouldn't want to do it differently.

Password Manager that supports multiple databases/syncing?

I currently use keePass, and use it on both my PC and my phone. I like it because I can keep a copy of my DB on my phone and export it through a few different means. But I can't seem to find an option to actually sync my local DB against a remote one. I've thought about switching to BitWarden but from what I can see it uses a...

tofubl ,

This is the setup I have (Nextcloud, Keepass Desktop, Keepass2android+webdav) and k2a handles file discrepancies very well. I always pick "merge" when it is informing me of a conflict on save. Have been using it like that for years without a problem.

Edit: added benefit, I have the Keepass extension installed in my Nextcloud, so as long as I can gain access to it, I have access to my passwords, no devices needed.

tofubl ,

Slow and unreliable with sqlite, but rock solid and amazing with postgres.

Today, every document I receive goes into my duplex ADF scanner to scan to a network share which is monitored by Paperless. Documents there are ingested and pre-tagged, waiting for me to review them in the inbox. Unlike other posters here, I find the tagging process extremely fast and easy. Granted, I didn't have to bring in thousands of documents to begin with but started from a clean slate.

What's more, development is incredibly fast-moving and really useful features are added all the time.

tofubl ,

You can do batch operations in a document view. Select multiple documents and change the attributes in the top menu. Which commands are you missing?

tofubl ,

Page loading times, general stability. Everything, really.

I set it up with sqlite initially to test if it was for me, and was surprised how flaky it felt given how highly people spoke about it. I'm really glad I tried with postgres instead of just tearing it down. But my experience is highly anecdotal, of course.

tofubl ,

You can easily host the community edition in Docker or otherwise. Odoo has a steep learning curve but it's very versatile. It can definitely do what you describe.

tofubl ,

No worries. It has a stripe integration, too, so it's easy to handle payments without having to hold customers' credit card info.

tofubl ,

Nextcloud doesn't like changes on disk in its own file structure, but you can mount "external storage" where Nextcloud is okay with changes and happily scans the location when you access it (a network share, or a local file path also works; SMB share will probably get you around the permissions problem though.)

Don't know about immich as I haven't used it, but you will probably have to decide on one of the two services to be "in charge" of the files, I think.

tofubl ,

That sounds reasonable. I would do the same.

tofubl ,

Incus looks cool. Have you virtualised a firewall on it? Is it as flexible as proxmox in terms of hardware passthrough options?

I find zero mentions online of opnsense on incus. 🤔

tofubl ,

Very informative, thank you.

I am generally very comfortable with Linux, but somehow this seems intimidating.

Although I guess I'm not using proxmox for anything other than managing VMs, network bridges and backups. Well, and for the feeling of using something that was set up by people who know what they're doing and not hacked together by me until it worked...

tofubl ,

With Incus only officially supported in Debian 13, and LXD on the way out, should I get going with LXD and migrate to Incus later? Or use the Zabbly repo and switch over to official Debian repos when they become available? What's the recommended trajectory, would you say?

tofubl ,

Absolutely. Great intel; thank you!

tofubl ,

Okay, I think I found a bit of a catch with Incus or LXD. I want a solution with a web UI, and while Incus has one, it seems to have access control either browser-certificate based or with a central auth server. Neither is a good solution for me - I would much prefer regular user auth with the option to use an auth server at some point (but I don't want to take all of this on all at once.)

I hope it's okay that I keep coming back to you with these questions. You seem to be a strong Incus-evangelist. :)

I guess I could only expose the web UI on localhost and create an SSH tunnel in order to use it...? Not so good on mobile though, which is the strongest reason for a webui.

tofubl , (edited )

Thanks for your patience. I appreciate it and I'm learning a lot. 🙏

There's a chance yet!

edit: That actually seems simple enough and should integrate nicely with the rest of my network. Cool!

tofubl ,

I have another question, if you don't mind: I have a debian/incus+opnsense setup now, created bridges for my NICs with systemd-networkd and attached the bridges to the VM like you described. I have the host configured with DHCP on the LAN bridge and ideally (correct me if I'm wrong, please), I'd like the host to not touch the WAN bridge at all (other than creating it and hooking it up to the NIC).

Here's the problem: if I don't configure the bridge on the host with either dhcp or a static IP, the opnsense VM also doesn't receive an IP on that interface. I have a br0.netdev to set up the bridge, a br0.network to connect the bridge to the NIC, and a wan.network to assign a static IP on br0, otherwise nothing works. (While I'm working on this, I have the WAN port connected to my old LAN, if it makes a difference.)

My question is: Is my expectation wrong or my setup? Am I mistaken that the host shouldn't be configured on the WAN interface? Can I solve this by passing the pci device to the VM, and what's the best practice here?

Thank you for taking a look! 😊

tofubl ,

My config was more or less identical to yours, and that removed some doubt and let me focus on the right part: Without a network config on br0, the host isn't bringing it up on boot. I thought it had something to do with the interface having an IP, but turns out the following works as well:

user@edge:/etc/systemd/network$ cat wan0.network
[Match]
Name=br0

[Network]
DHCP=no
LinkLocalAddressing=ipv4

[Link]
RequiredForOnline=no

Thank you once again!
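The three systemd-networkd units the comment above refers to (bridge definition, NIC enslavement, and the host-side file that brings br0 up on boot), written out as an added example rather than the commenter's own files. It assumes the physical WAN NIC is called enp2s0 (a placeholder), and it goes one step further than the comment's working config by setting LinkLocalAddressing=no, so the host holds no address of any kind on the WAN bridge and only the OPNsense VM is reachable there.

```ini
# /etc/systemd/network/br0.netdev
# Create the WAN bridge that the OPNsense VM will attach to.
[NetDev]
Name=br0
Kind=bridge

# /etc/systemd/network/br0.network
# Enslave the physical WAN NIC to the bridge (enp2s0 is a placeholder name).
[Match]
Name=enp2s0

[Network]
Bridge=br0

# /etc/systemd/network/wan0.network
# Bring br0 up on boot without giving the host any address on it.
# The comment above used LinkLocalAddressing=ipv4; "no" removes even the
# 169.254.x.x address, so the host itself is not addressable from the WAN side.
[Match]
Name=br0

[Network]
DHCP=no
LinkLocalAddressing=no
IPv6AcceptRA=no

[Link]
# Do not let systemd-networkd-wait-online block boot on a link that is
# deliberately left unconfigured on the host.
RequiredForOnline=no
```

Check the result with `networkctl status br0`: the link should show as "carrier" or "enslaved"-style operational state with no host addresses listed, while the VM attached to br0 receives its WAN lease as usual.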

tofubl ,

You know your stuff, man! It's exactly as you say. 🙏

tofubl ,

OSMC on a rpi3 with a hifiberry+ has served me well for many years. Most things just work, even passthrough TV remote over i2c if the TV supports it (brand name for the implementation varies by TV manufacturer I think).
My setup has been really slow in recent months, but I probably just need a new sd card...
Streaming service integration in kodi isn't perfect but e.g. Netflix works well enough.

It's a bit of tinkering to get it just the way you want it, but not too much and then it's great with a lot of flexibility. I have slapped an IR LED onto a GPIO, for example, and I have a service running that checks for audio output and turns my old hifi system on and off accordingly.

tofubl OP ,

I appreciate you taking a look. It does indeed have standard rules to drop private networks (192.168, 10.0 and so on), but I have them disabled.

The forward specifies range 8888-8888 and translates it to 8888.

tofubl OP , (edited )

I wrote it in reply to another comment, but the traffic reaches the service on 10.0.0.22:8888. The problem seems to be with the return path, i.e. Hairpin NAT, but I don't know what it is.

edit: scratch that, it's not hairpinning.

tofubl OP ,

And I'm happy to see what sticks!

Pointing DNS to 192.168.0.1 doesn't change anything, and I'm anyway able to talk out from behind the firewall to the 192.168 net, so that would mean that address resolution works in that direction, no?

I do agree, though, that it seems like the responses are not making their way back correctly, as I can see the requests coming in and replied to in the apache logs.

tofubl OP ,

Please take a look at my updated original post. I have added some information and a tcpdump.

tofubl OP , (edited )

Son of a gun!!! Thank you so much! I spent HOURS changing every setting except this one and actually came to the conclusion that it must be something to do with my ISP's modem or DNS or something.

The rule is the "associated filter rule" OPNsense automatically creates (interfaces are WAN and LAN) and it triggers as a "pass" just fine when I send a request. (I'm attaching another screenshot from the live log below.)

You don't happen to have a clue WHY this rule breaks everything?

Screenshot: Associated filter rule
Screenshot: Live log with associated filter rule active (leads to curl: (56) Recv failure: Connection reset by peer)