TCB13 ,
@TCB13@lemmy.world avatar

Still no proper way to mirror the thing and have it working offline / on internal networks. Great job self-hosters and sovereign citizens ;)

TCB13 ,
@TCB13@lemmy.world avatar

Touché. Centralized and un-mirrorable.

TCB13 ,
@TCB13@lemmy.world avatar

Unmirrorable

Yes, unlike apt repositories, it wasn’t designed to be mirrored around, run isolated servers etc.

TCB13 ,
@TCB13@lemmy.world avatar

Thinking about it, I wonder if there are enough “core features” in ‘create-usb’ that it’s just a matter of scripting something together to intercept requests, auto-create-usb what’s being requested and then serve the package locally?

The issue is that… there aren’t enough “core features”. It doesn’t even handle different architectures and their dependencies correctly. It wasn’t made to be mirrored, nor decentralized.

Apt, for instance, was designed in a much better way: it becomes trivial to mirror the entire thing or parts of it, and for the end tool it doesn’t even matter if the source is a server on the internet, a local machine, a flash drive or a local folder; all work the same.

TCB13 ,
@TCB13@lemmy.world avatar

Yeah sure, just try to mirror Flathub into your repo.

TCB13 ,
@TCB13@lemmy.world avatar

Did you ever try doing that with public packages?

TCB13 ,
@TCB13@lemmy.world avatar

Since I already have a Mac for work I was wondering how suitable a Mac Mini M1/M2 would be for a homelab?

Suitable yes, if you want to do it… maybe or maybe not. Here’s a few pointers:

  • Debian can be installed on those machines, however I’m not sure whether power management works properly;
  • Installation isn’t as straightforward and easy as on other systems because Apple decided to keep pushing the usual ARM bullshit of not including a proper UEFI with the system;
  • Some stuff will be broken, but you most likely don’t need it for self-hosting;
  • If you keep macOS around you may have good luck virtualizing Debian using UTM or VMware. Debian’s arm64 images will run at optimal performance on that hardware.

If you’re about to spend money I would grab an HP Mini unit with a “T” CPU; those will downclock really hard and you can get an i5-10500T (on ebay) for around 250€… and everything will work fine out of the box. An i7-8500T model also sells for 150€ or something like that.

Have a look at those CPU benchmarks (last one is probably yours):

https://lemmy.world/pictrs/image/02065e37-3547-49bf-84d4-9f1aa337138c.png

If you’re looking for power efficiency the newer CPUs are always better. Those mini units will downclock and idle at around 9-12W depending on hardware configuration but Apple should be able to do better - at least assuming you’ve power management working.

cpubenchmark.net/…/Apple-M1-8-Core-3200-MHz-vs-Ap…

TCB13 ,
@TCB13@lemmy.world avatar

I’m using a C920 on Debian and I don’t have focus issues. I remember that once it was permanently stuck out of focus but unplugging and plugging again fixed the issue. Never had any other issues in years.

TCB13 ,
@TCB13@lemmy.world avatar

Well, Apple is, Apple.

Maybe a Logitech StreamCam will deliver better results for you? I don’t have complaints about my C920 but I don’t push it so far like you seem to do.

TCB13 ,
@TCB13@lemmy.world avatar

Now it’s on Windows XP that runs quite well but doesn’t support modern SSL certificates so it can’t browse the internet (idk how to fix it ok?).

Yes, there are modernized versions of Windows XP with updated certificates and whatnot.

The only thing I remember is that it’s not i686 so 99% of modern 32 bit distros don’t work on it (stuck right after grub).

Debian has images for i386: cdimage.debian.org/debian-cd/current/i386/

But… frankly the power consumption of that thing will be just crazy. Take this example, a more modern Pentium D vs a Pi:

https://lemmy.world/pictrs/image/59448465-4373-46f6-a58a-dec35fc8774f.png

browser.geekbench.com/v6/cpu/compare/6390478?base…

TCB13 ,
@TCB13@lemmy.world avatar

there is a very good reason why steam hasn’t been hit by the enshittification that otherwise permeates human existence in 2024.

Come again? Steam is enshittified af. From forcing CS:GO players to move to CS2 to adding DRM left and right, they do it all. They even release remasters of old games that are essentially always broken one way or another.

TCB13 ,
@TCB13@lemmy.world avatar

PineTab 2 works but no WiFi or Bluetooth driver for now

Are you sure those drivers will come at any point? I’m not.

TCB13 ,
@TCB13@lemmy.world avatar

A suggestion for you: Microsoft and Qualcomm are working on ARM based laptops with impressive numbers right now. I believe that a year after those are released you’ll see tablets using the same CPUs that will be way better at running Linux than the garbage we’ve available today.

The issue with most ARM / Android tablets right now is that, besides having locked bootloaders (so much bitching about Apple and then they do the same), they don’t have a UEFI, and that means the OS needs to be responsible for the low level shenanigans of booting the system, initializing the hardware etc., making it so you’ve to create a tweaked kernel for each device. It isn’t feasible to support so much hardware, thus there’s little to no Linux support on those devices.

Whatever is coming from Qualcomm right now will feature a UEFI and will be a more open platform, like a generic x86 computer, and we’ll get Linux support really fast.

TCB13 ,
@TCB13@lemmy.world avatar

github.com/philpagel/debian-headless

It is possible but I wouldn’t do it. Too much effort for too little result.

Just plug your main monitor / keyboard into the server, run the setup and don’t install a DE. Afterwards login, enable SSH, unplug the monitor and do whatever you need over SSH.

Let’s face it, you’ll have to do this procedure once every xyz years, there’s no point in complicating this stuff. Also, depending on your motherboard, you may or may not be able to boot into the installer without a screen / keyboard attached. Another option is to install the OS on another computer and then move the hard drive to the target server; this is all fine until you run into UEFI security or another detail and it doesn’t boot your OS.

TCB13 ,
@TCB13@lemmy.world avatar

Yeah at those price points it isn’t worth it at all to attempt a headless install.

TCB13 ,
@TCB13@lemmy.world avatar

Well I see your problem, but you’re going to have a bad time without a screen. Maybe you can get something second hand / cheap or even ask a friend to borrow one for a few days?

TCB13 ,
@TCB13@lemmy.world avatar

Oh well…

One day ReactOS will be able to run those just fine while Wine will still not deliver anything usable.

https://lemmy.world/pictrs/image/16c7e2fc-accd-4198-86cf-d7616d4d0252.png

TCB13 ,
@TCB13@lemmy.world avatar

Yeah, it seems impressive until you actually try to use it and find out that their “silver” is not even close to something you can work with.

With Adobe products, even when they say Silver, you’ll get artifacts when moving objects, resizing the window sometimes ends up in a full screen black square and whatnot.

Office 2016 kind of works, poor rendering but works; the thing is that if I only needed Office 2016 features I would survive mostly fine with LibreOffice. I indeed need features from 2019 that won’t run properly.

TCB13 ,
@TCB13@lemmy.world avatar

You know that ReactOS development has been speeding up lately, don’t you? Either way it’s kind of stuck in NT5 because they threw out the most competent people of the project.

However… it still runs a ton of stuff better than Wine :)

TCB13 ,
@TCB13@lemmy.world avatar

It’s probably easier to hack ReactOS/Windows XP to run Office 2021 than do the same in Wine.

TCB13 ,
@TCB13@lemmy.world avatar

I don’t disagree with you, but at the same time:

  • They threw Alex Ionescu out: the guy that actually wrote the majority of the only kernel that actually worked;
  • Martin Fuchs fired: the guy that made the explorer and a ton of GUI components. His code was later on bastardized by everyone else causing the issues you were told about;
  • … and many others.

They had competent people making the thing happen, then they decided to push them away and eventually replace their code with Wine backports and whatnot.

There are still a few pieces of software that require Windows and it would be nice to have the kernel portion combined with Wine.

To be fair, if Microsoft was able to create WSLv1 without a kernel and it ran just fine, why would Wine not be able to do the same? :) No drivers, yes, but the software (including GUI stuff) runs just fine and that’s not the case with Wine + the mainstream Windows software.

TCB13 ,
@TCB13@lemmy.world avatar

Actually you seem to have reinvented Syncthing’s versioning feature… or this.

Still great work.

TCB13 ,
@TCB13@lemmy.world avatar

The technology has “been there” for a while, it’s trivial to set up what you’re asking for; the issue is that games have anti cheat engines that will get triggered by the virtualization and ban you.

TCB13 ,
@TCB13@lemmy.world avatar

Most likely everything Steam + VAC or Denuvo. There’s a lot of discussion on that topic around the web.

TCB13 ,
@TCB13@lemmy.world avatar

If you’ve a large number of small files and you care about your data then use Syncthing. I personally sync all my data to an ARM SBC (like a Raspberry Pi) and have all my devices configured to sync to and from that device. Works flawlessly.

I also use iOS and for that I’ve WebDAV set up on the SBC, which provides me with seamless iOS integration. I also have FileBrowser running on the SBC pointed at the same data so I can have a nice WebUI to manage all files.

TCB13 , (edited )
@TCB13@lemmy.world avatar

@foremanguy92_ ,

Step 1: get a cheap VPS, or even a free one (www.oracle.com/cloud/free/)

Step 2: If you’ve a static IP at home, great; if you don’t, get a dynamic DNS from freedns.afraid.org or www.duckdns.org

Step 3: Install nginx on the VPS and configure it as reverse proxy to your home address. Something like this:


```nginx
server {
    listen 80;
    server_name example.org; # your real domain name you want people to use to access your website
    location / {
        proxy_pass http://home-dynamic-dns.freeprovider... # replace with your home server IP or Dynamic DNS.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
}
```

Step 4: Point your A record of example.org to your VPS.

Step 5: there’s a potential security issue with this option (nginx.org/en/docs/…/ngx_http_realip_module.html#s…) and to get around it you can do the following in the home server’s nginx config:


```nginx
http {
    (...)
    real_ip_header    X-Real-IP;
    set_real_ip_from  x.x.x.x; # Replace with the VPS IP address.
}
```

This will make sure only the VPS is allowed to override the real IP of the client.

Step 6: Once your setup works you may increase your security by using SSL / disabling plain HTTP: set up letsencrypt on both servers to get valid SSL certificates for the real domain and the dynamic DNS one.

Proceed to disable plain text / HTTP traffic. To do this simply remove the entire server { listen 80 section on both servers. You should replace them with server { listen 443 ssl; so it listens only for HTTPS traffic.

Step 7: set your home router to allow incoming traffic in port 443 and forward it into the home server;

Step 8: set the home server’s firewall to only accept traffic coming from outside the LAN subnet on port 443 and only if it comes from the VPS IP. Drop everything else.


Another alternative to this is to set up a WireGuard tunnel between your home server and the VPS and have the reverse proxy send the traffic through that tunnel (change proxy_pass to the IP of the home server inside the tunnel, like proxy_pass http://10.0.0.2). This has two advantages: 1) you don’t need to set up SSL at your home server as all the traffic will flow encrypted over the tunnel and 2) it will not require opening a local port for incoming traffic on the home network. However, it also has two drawbacks: 1) you’ll need a better VPS because WG requires extra processing power and 2) your home server will have to keep the tunnel connected and working, and it will fail occasionally. Frankly I wouldn’t bother setting up the tunnel as your home server will only accept traffic from the VPS IP, so you won’t gain much there in terms of security.

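The two decisions in the recipe above that are easy to get wrong are Step 5 and Step 8: the home server must only believe X-Real-IP when the connection really comes from the VPS, and must only accept port 443 from the VPS in the first place. The Python below models both decisions so they can be checked offline. It is an added example, not code from the post above and not nginx itself (nginx’s realip module implements the header logic natively). The VPS address 203.0.113.10, the home subnet 192.168.1.0/24 and the requests in the demo are constructed documentation-range values.

```python
"""Trusted-proxy client address resolution, as a model of nginx's realip module.

Added example; not code from the post above and not nginx itself. It shows
why Step 5 (set_real_ip_from) matters: a proxy header is only honoured when
the TCP peer is a trusted proxy, otherwise the header is attacker-controlled
and the socket address is used. firewall_verdict() is the Step 8 policy.
All addresses are constructed documentation-range values (RFC 5737).
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: the VPS reverse proxy lives at 203.0.113.10 (constructed).
TRUSTED_PROXIES = (ipaddress.ip_network("203.0.113.10/32"),)
# Assumption: the home LAN is 192.168.1.0/24 (constructed).
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Request:
    """What the home server sees: the TCP peer address plus request headers."""
    peer_addr: str
    headers: dict = field(default_factory=dict)


def is_trusted_proxy(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def real_client_ip(req: Request, header: str = "X-Real-IP",
                   trusted=TRUSTED_PROXIES, recursive: bool = False) -> str:
    """Address to treat as the client, following realip semantics.

    - Peer not trusted: ignore the header entirely (it can be forged).
    - Peer trusted, non-recursive: take the last address in the header
      (real_ip_recursive off).
    - Peer trusted, recursive: walk an X-Forwarded-For chain right to left
      and take the first hop that is not itself a trusted proxy.
    Malformed values fall back to the peer address rather than raising.
    """
    if not is_trusted_proxy(req.peer_addr, trusted):
        return req.peer_addr
    value = req.headers.get(header)
    if not value:
        return req.peer_addr
    hops = [h.strip() for h in value.split(",") if h.strip()]
    if not hops:
        return req.peer_addr
    try:
        if not recursive:
            return str(ipaddress.ip_address(hops[-1]))
        for hop in reversed(hops):
            if not is_trusted_proxy(hop, trusted):
                return str(ipaddress.ip_address(hop))
        return req.peer_addr          # every hop was a trusted proxy
    except ValueError:                # garbage in the header
        return req.peer_addr


def firewall_verdict(src: str, dport: int, lan=LAN, trusted=TRUSTED_PROXIES) -> str:
    """Step 8 policy: LAN is allowed; from outside, only port 443 from the VPS."""
    if ipaddress.ip_address(src) in lan:
        return "accept"
    if dport == 443 and is_trusted_proxy(src, trusted):
        return "accept"
    return "drop"


if __name__ == "__main__":
    via_vps = Request("203.0.113.10", {"X-Real-IP": "198.51.100.7"})
    direct = Request("192.0.2.99", {"X-Real-IP": "198.51.100.7"})
    print("via VPS ->", real_client_ip(via_vps))   # 198.51.100.7
    print("direct  ->", real_client_ip(direct))    # 192.0.2.99, header ignored
    print("fw direct 443 ->", firewall_verdict("192.0.2.99", 443))  # drop
```

The firewall predicate is the same rule Step 8 expresses in the host firewall: anything that is neither LAN nor the VPS on 443 is dropped, so a forged X-Real-IP on a direct connection never reaches the application at all, and the header check is the second line of defence for the case where that rule is missing.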
TCB13 ,
@TCB13@lemmy.world avatar

You aren’t wrong, but the things you’ve mentioned are always an issue, even if he was running the entire website on a VPS.

VPS happily tries to forward 1Gbits, fully saturating your home ISP line. Now you’re knocked offline.

Yeah, but at the same time any VPS provider worth it will have some kind of firewalling in place and block a DDoS like that one. People usually don’t ever notice this, but big providers actually have those measures in place and do block DDoS attacks without their customers ever noticing. If they didn’t, hackers would just overrun a few IPs, take all the bandwidth the provider has and take all their customers down that way.

I’m not saying anyone should actually rely only on the VPS provider ability to block such things but it’s still there.

The OP should obviously take a good read at nftables rate limiting options and fail2ban. This should be implemented both at the VPS and his home server to help mitigate potential DDoS attacks.

Say someone abuses a remote code execution bug from the application you’re hosting in order to create a reverse shell to get into your system, this complex stack introduced doesn’t protect that.

It doesn’t, and it was never supposed to mitigate that, as the OP only asked for a way to reverse proxy / hide his real IP.

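As an added illustration of the fail2ban-style mitigation mentioned above (example code, not from the post and not fail2ban itself): a sliding-window counter over nginx access-log lines that flags a client once it produces too many failed responses inside the window, which is the core of what a fail2ban jail does before it inserts a firewall rule. It assumes the home server’s log carries the real client address, which is exactly what the set_real_ip_from / real_ip_header config from the earlier comment gives you by rewriting $remote_addr; without it every line would show the VPS address and the ban would hit the VPS. The log lines are constructed, and the nft command it emits assumes an nftables set named banned in table inet filter that you create yourself.

```python
"""Sliding-window failure counter over nginx access-log lines.

Added example (not code from the post, not fail2ban): flags a client IP once
it produces `max_failures` failed responses within `window`. SAMPLE_LOG is
constructed; addresses are RFC 5737 documentation ranges. Lines are in the
default nginx "combined" format, with $remote_addr already rewritten to the
real client by the realip module on the home server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only the fields needed here are captured from the combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample: one client hammering /login, one normal browser with a
# few 404s spread over minutes, and a garbage line the parser must skip.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2024:13:55:01 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"
192.0.2.44 - - [10/Oct/2024:13:55:03 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:05 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"
198.51.100.7 - - [10/Oct/2024:13:55:09 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"
192.0.2.44 - - [10/Oct/2024:13:55:10 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:12 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"
198.51.100.7 - - [10/Oct/2024:13:55:20 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"
198.51.100.7 - - [10/Oct/2024:13:55:25 +0000] "POST /login HTTP/1.1" 401 52 "-" "curl/8.5.0"
192.0.2.44 - - [10/Oct/2024:14:01:30 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2024:14:07:00 +0000] "GET /older HTTP/1.1" 404 153 "-" "Mozilla/5.0"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return (client_ip, timestamp, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def find_offenders(lines, max_failures=5, window=timedelta(seconds=60),
                   fail_statuses=(401, 403, 404)):
    """Return {ip: time_of_ban} for clients exceeding the failure budget."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status not in fail_statuses or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned[ip] = ts
    return banned


def ban_commands(banned, table="inet filter", set_name="banned"):
    """nft commands to add offenders to a set. Assumption: the set exists and a
    rule like `ip saddr @banned drop` references it (not created here)."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in offenders.items():
        print(f"{ip} exceeded the failure budget at {when.isoformat()}")
    for cmd in ban_commands(offenders):
        print(cmd)
```

Run the same logic on the VPS and on the home server, as the comment suggests; on the VPS the log already shows the true peer address, while on the home server it only does so after Step 5 is in place.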
TCB13 ,
@TCB13@lemmy.world avatar

Digital Ocean ?

TCB13 ,
@TCB13@lemmy.world avatar

Can you share details into that?

TCB13 ,
@TCB13@lemmy.world avatar

Now that you say that, once I had Microsoft refusing to receive email sent from a DO IP, but I filled in some form and the block was lifted in a few hours.

TCB13 ,
@TCB13@lemmy.world avatar

HP EliteBook 840 G5 or other EliteBook models. Even on Debian everything works fine after a clean install (including special keys), they never die and have a pleasant design. You can get one second hand, modern i7 (8th gen +) CPU + 16 GB of RAM for around 500€.

TCB13 ,
@TCB13@lemmy.world avatar

Did you ever try an EliteBook? Even on Debian everything works fine after a clean install (including special keys), they never die and have a pleasant design.

TCB13 ,
@TCB13@lemmy.world avatar

HP EliteBook 840 G5 or another EliteBook model. Even on Debian everything works fine after a clean install (including special keys), they never die and have a pleasant design.

TCB13 ,
@TCB13@lemmy.world avatar

Maybe that’s a specific Ubuntu thing?

TCB13 ,
@TCB13@lemmy.world avatar

I’m just going to point out that besides containers, systemd can now manage virtual machines:

systemd version we added systemd-vmspawn. It’s a small wrapper around qemu, which has the point of making it as nice and simple to use qemu as it is to use nspawn.

The idea is that we provide a roughly command line equivalent interface to VMs as for containers, so that it really is as easy to invoke a VM as it already is to invoke a container, supporting both boot from DDIs and boot from directories.

TCB13 , (edited )
@TCB13@lemmy.world avatar

Yeah, meanwhile I’ll keep using LXD / Incus for both containers and VMs.

Incus has a few advantages: an image repository, a nicer container manager (cli tools) and sane security defaults. By default Incus assumes your containers should be isolated and secure environments while systemd-nspawn is more about quick and dirty containers useful to compile something or run some trusted task.

TCB13 ,
@TCB13@lemmy.world avatar

Yeah, I was typing from my phone while being distracted by other people. Fixed now.

TCB13 ,
@TCB13@lemmy.world avatar

Yes 😂 😂 😂

TCB13 , (edited )
@TCB13@lemmy.world avatar

Not “oh yeah”, that’s a major concern and the biggest issue with ARM adoption. SBCs and ARM tablets are a mess when it comes to Linux support and one of the biggest reasons for it is the lack of a UEFI. Long term support, as said, is another very big concern; if you take any x86 box, new or old, things will work predictably because the OS doesn’t need to know the details of the boot process / low level hardware control.

TCB13 ,
@TCB13@lemmy.world avatar

I don’t disagree with you, but maybe we can aim for UEFI right now on ALL ARM CPUs/boards from the vendors?
