rentar42

rentar42 , 28 days ago

I second that. This practice comes from a time where domain names were expensive, in many ways: SNI didn't exist/wasn't wide-spread, so each domain name on HTTPS needed a dedicated IP, Certificates weren't democratized yet via letsencrypt/acme and most hosts were big enough to run multiple services, because virtualization wasn't as widely available yet. So putting apps on sub-paths made sense.

Now all of those things are basically dealt with and putting each app on its own sub-domain just makes way more sense.

rentar42 , 29 days ago

He's already #blessed since 2020, by the catholic church. That's a precondition to becoming a saint.

rentar42 , 29 days ago

But is it any more bullshit than any other saint? I don't think it is.

rentar42 , 29 days ago

At a quick, manual count the roman catholic church has canonized about 40 new saints since 2000. Not all those other fuckers are in the distant past ;-)

I hear you, but I still think that the idea of the church and saints hasn't gotten any worse: it's "just" that the rest of the world has moved on when they haven't (which is basically their founding principle).

Or put differently: saints haven't gotten stupider, but our standards have changed.

Edit: I have to put my own point into relation: the only saints that actually lived in the 21st century from that list seem to be a pope and 21 IS beheading victims, so yeah, even among those recently canonized saints a huge chunk has bean dead for 100+ years.

rentar42 , 29 days ago

That's probably not a popular opinion here, but: parents do not have a right to their child. If the child was cool with this, then that is the important part (and from what I read I'd guess he would be).

Let's posit it the other way around: a deeply religious pair of parents raises a kid that ends up being strongly anti-religion and comes to some "fame" due to that. Would you describe those celebrating that kid as "cunts" as well? And if not: why?

And no, I'm not religious myself and think a lot of that stuff is stupid and much of it is dangerous, but "those parents deserve better" is an argument that's used in exactly the opposite way in other areas: to oppress kids that don't "submit to the norm" that their parents think are best.

rentar42 , 29 days ago

Do that two more times after you've died and you might have a shot!

rentar42 , 1 month ago

That's a huge part of the reason why it took so long to put out that official classification: They made sure that their classification would hold up in court. No one is served by getting it in a bit earlier, just for it to be thrown out at the first level of court, because someone got a bit lazy on collecting all the evidence and writing up a thorough report.

rentar42 , 1 month ago

I think the equivalent would be to let the fox guard the hen house.

And no, it's not about having a scapegoat, it's about putting exactly the wrong person with ... let's say "misaligned incentives" into some position (usually one of power).

rentar42 , 1 month ago

That's oversimplifying it. There's a difference between a politician being untruthful of what they promise or some corporation doing some bullshit PR about how much they love cause X and coordinated fake news campaigns to stoke anger and emotions to undermine functioning systems.

The former have to at least try to present with a straight face and can be called on their lies a few month down the line.

The later can make up all manner of bullshit and don't have to hold back, because they have no "public face" other than that piece of fake news. And they don't have to be able to stand up to any amount of journalistic scrutiny because as soon as enough people have read it, it's had its effect: it doesn't matter if it's all proven to be made up after the fact, because the emotions that the initial reaction raised are the whole point: they are not trying to convince anyone about any facts, all they want is to influence emotions and behaviors.

rentar42 , 1 month ago

I went with iDrive e2 https://www.idrive.com/s3-storage-e2/ 5 TB is 150$/year (50% off first year) for S3-compatible storage. My favorite part is that there are no per-request, ingress or egress costs. That cost is all there is.

rentar42 , 1 month ago

First: love that that's a thing, but I find the blog post hilarious:

We believe this choice must include the one to migrate your data to another cloud provider or on-premises. That’s why, starting today, we’re waiving data transfer out to the internet (DTO) charges when you want to move outside of AWS.

and later

We believe in customer choice, including the choice to move your data out of AWS. The waiver on data transfer out to the internet charges also follows the direction set by the European Data Act and is available to all AWS customers around the world and from any AWS Region.

But sure: it's out of their love for customer choice that they offer this now. The fact that it also fulfills the requirements by the EDA is purely coincidental, they would have done it for sure.

Remember folks: regulation works. Sometimes corporations need the state(s) to force their hand to do the right thing.

rentar42 , 1 month ago

without trusting anyone.

Well, except of course the entity that gave you the hardware. And the entity that preinstalled and/or gave you the OS image. And that that entity wasn't fooled into including malicious code in some roundabout way.

like it or not, there's currently no real way to use any significant amount of computing power without trusting someone. And usually several hundreds/thousands of someones.

The best you can hope for is to focus the trust into a small number of entities that have it in their own self interest to prove worthy of that trust.

rentar42 , 2 months ago (edited 2 months ago)

Like many other security mechanisms VLANs aren't really about enabling anything that can't be done without them.

Instead it's almost exclusively about FORBIDDING some kinds of interactions that are otherwise allowed by default.

So if your question is "do I need VLAN to enable any features", then the answer is no, you don't (almost certainly, I'm sure there are some weird corner cases and exceptions).

What VLANs can help you do is stop your PoE camera from talking to your KNX and your Chromecast from talking to your Switch. But why would you want that? They don't normally talk to each other anyway. Right. That "normally" is exactly the case: one major benefit of having VLANs is not just stopping "normal" phone-homes but to contain any security incidents to as small a scope as possible. Imagine if someone figured out a way to hack your switch (maybe even remotely while you're out!). That would be bad. What would be worse is if that attacker then suddenly has access to your pihole (which is password protected and the password never flies around your home network unencrypted, right?!) or your PC or your phone ...

So having separate VLANs where each one contains only devices that need to talk to each other can severely restrict the actual impact of a security issue with any of your devices.

rentar42 , 2 months ago

Without any text it's really hard to guess what you want and that's why you get so many different questions.

Do you want to

• host a copy of wikipedia for yourself locally? Then download the database from https://en.wikipedia.org/wiki/Wikipedia:Database_download (thanks zygo_histo_morpheus) and the sofware from https://www.mediawiki.org and get going. Both are freely available
• host a site that works like wikipedia but doesn't contain its content, but your own? Just use MediaWiki.
• host a wiki, but not necessarily the one that powers wikipedia? Then pick one from https://github.com/awesome-selfhosted/awesome-selfhosted?tab=readme-ov-file#wikis

Note that I suspect you actually want the third one, in which case I suggest you avoid MediaWiki. Not because it's bad, but because it's almost certainly overkill for your use-case and there's way simpler, easier-to-setup-and-maintain systems with fewer moving parts out there.

rentar42 , 2 months ago

I'm sorry that my attempt to find out what you want to be able to provide useful help annoyed you.

rentar42 , 2 months ago

Oh, I'm 100% there with you on syntax. But having multiple pieces of software that support the same syntax seems useful.

Personally I've turned into more markdown kind of person rather than the traditional wiki syntax. And at least that one gained some level of standardization over time ...

rentar42 , 2 months ago

Since most of those are run commercially and don't make their data easily accessible, that'll be a much different process, I assume. You'll basically have to scrape them like any other web site, except you'll specifically be targeting the edit/source view pages. Then find a wiki implementation that has as close a syntax as possible to the one they use (that could be tricky ...) and upload there. So unless you happen to find some code from someone who wanted to do the exact same thing, I'm afraid this would involve quite some programming/scripting.

rentar42 , 2 months ago

Increase the attack surface compared to what? If you don't allow/enable any access to services inside your network from outside, then by definition you have fewer attack surfaces than if you add a VPN to that empty list.

So trivially the answer is "yes, it adds an attack surface".

But what are the alternatives? If you directly expose each individual service on a dedicated port, for example, then you'd add many more (and usually less well hardened) attack surfaces instead.

So if the comparison is "expose 5 web-based services directly" vs. "expose one VPN like wireguard", then the second option is almost always the clear winner when it comes to security (and frequently also when it comes to ease of setup as well as comfort).

rentar42 , 2 months ago (edited 2 months ago)

I've not found a good solution for actual constant monitoring and I'll be following this thread, but I have a similar/related item: I use healthcheck.io (specifically a self-hosted instance) to verify all my cron jobs (backups, syncs, ...) are working correctly. Often even more involved monitoring solutions do not cover that area (and it can be quite terrible if it goes wrong), so I think it'll be a good addition to most of these.

rentar42 , 2 months ago

This isn't specific to just netdata, but I frequently find projects that have some feature provided via their cloud offering and then say "but you can also do it locally" and gesture vaguely at some half-written docs that don't really help.

It makes sense for them, since one of those is how they make money and the other is how they loose cloud customers, but it's still annoying.

Shoutout to healthcheck.io who seem to provide both nice cloud offerings and a fully-fledged server with good documentation.

rentar42 , 2 months ago

At a big enough LAN even just getting everyone to change that setting is probably harder than setting up a central cache. Don't underestimate the amount of people that listen to instructions, say sure and then just either not do it, or fail to do it correctly.

rentar42 , 2 months ago

USB SATA controllers are also very hit-and-miss. There's plenty of really, really bad ones out there. Either missing features, slow, getting hot or all of the above. If you found one that works well, good for you, but I'd avoid most noname brands, unless I had specific knowledge about the product or the very least the chipset they use.

rentar42 , 2 months ago

If the only thing I knew about a given law is that those three complained about it I would immediately and wholeheartedly support and endorse that law. It's probably awesome and badly needed.

rentar42 , 2 months ago

Don't you have it exactly the wrong way around?

Also, since the hate itself is already irrational, any additional "quirks" in that hate shouldn't be surprising anyone.

rentar42 , 2 months ago

The problem with your attitude is ...

No. That's your problem with my attitude.

"Free speech" absolutists don't convince me with their hypotheticals.

Believe it or not: absolute free speech is not the end goal and not as valuable as you all believe.

Forbidding some kind of speech can be okay.

Because not forbidding it creates an awful lot of very real and very current pain. Somehow the theoretical pain that a similar law could create is more important for your argument, than the real and avoidable pain thatthis law is attempting to prevent.

but e.g. American free speech would be nonexistent

And I say that the specific American flavor of free speech is not very valuable at all.

rentar42 , 2 months ago

Even if the state apparatus is bloated and needs to be improved, simply firing 10% of your workforce isn't going to magically improve things (especially when done so quickly). You basically can't know if you fire useful people or bloat. And for each "unnecessary" person you fire you also fire someone who was the only one in their department understanding their job and doing their actual work.

rentar42 , 2 months ago

I understand your argument and there's some truth to it. But on the other hand exactly these kinds of decisions (joining/leaving the EU/NATO/...) have an incredibly strong possible effect, so them being done only based on the decisions of some politicians that were elected on some promises possibly quite unrelated to that decision has its own set of problems.

rentar42 , 2 months ago

I've got the same setup! What I love about authentik is that I can even add a Google login as an authentication method. That severely increases the spouse-acceptance factor, as they don't have to "remember yet another password" or "carry around another thingie". Personally I use a YubiKey anyway, but for others who aren't into it "for fun" or for philosophical reasons reducing the friction as much as possible is paramount.

rentar42 , 2 months ago

That example makes sense to me, because it's an alternative to something like hosting a blog on some third party site: generate it statically and host the result somewhere.

rentar42 , 2 months ago

Now you make me feel old. In "the olden days" before streaming of media over the internet was as commonplace as it was now, that was the standard way that tech-savy people consumed media: Either on their PC or with some set-top box with built-in storage. I fondly remember my PopcornHour, which was basically a line of desktop-boxes that ranged from "basically a hard disk, video decoder and HDMI out" all the way to "can automatically rip your BlueRays".

rentar42 , 2 months ago

I suggest to avoid the temptation to get one of the many cheap Android boxen meant for media playback from Ali Express or the like, as they have a strong tendency to be heavily loaded with malware. Definitely not all of them, but it's really hard to tell which specific one you'll get.

rentar42 , 2 months ago

That's a great answer if one already has a NAS (which is not unlikely, given the name of the community). But if that's not already present (or desired for other reason) then a simple media-PC with some built-in storage is simpler to set up.

rentar42 , 3 months ago

A custom "source available" license that may not be as clear-cut as intended and depends on "we know it when we see it" by the authors of the license? You don't say!

rentar42 , 3 months ago

I've not tried that myself, but AFAIK VLC can be remote controlled in various ways, and since the API for that is open, multiple clients for it exist: https://wiki.videolan.org/Control_VLC_from_an_Android_Phone

There's also Clementine which offers a remote-control Android app.

rentar42 , 3 months ago

https://lemmy.world/post/12995686 was a recent question and most of the answers will basically be duplicates of that.

One slight addition I want to add: "Docker" is just one implementation of "OCI containers". It's the one that broke through initially in the hype, but you can just as easily use any other (podman being a popular one) and basically all of the benefits that people ascribe to "docker" can be applied to.

So you might (as I do) have some dislike for docker (the product) and still enjoy running containers.

rentar42 , 3 months ago

I personally prefer podman, due to its rootless mode being "more default" than in docker (rootless docker works, but it's basically an afterthought).

That being said: there's just so many tutorials, tools and other resources that assume docker by default that starting with docker is definitely the less cumbersome approach. It's not that podman is signficantly harder or has many big differences, but all the tutorials are basically written with docker as the first target in mind.

In my homelab the progression was docker -> rootless docker -> podman and the last step isn't fully done yet, so I'm currently running a mix of rootless docker and podman.

rentar42 , 3 months ago

Somewhere a monkey paw finger curls and you're moved to the timeline where the world is in a nuclear winter ...

rentar42 , 3 months ago

In the immortal words of Jake the Dog:

Dude, suckin’ at something is the first step to being sorta good at something.

We are or were all noobs once. Going away from the keyboard is often an undervalued step in the solution-finding process. Kudos!

rentar42 , 3 months ago

You've got a single, old HDD attached via USB. There's plenty of places that could be the bottleneck here, but that's among the first I'd check. Can you actually read from that HDD significantly faster than your network transfer speed? Check that locally first. No use in optimizing anything network-related when your underlying disk IO is slow.

rentar42 , 3 months ago

Given the very specific dependencies that Immich has wrt. the Postgres plugins it needs, I'm certain that it's not currently packaged as an RPM and I would even bet that it never will be (at least not as one of the officially supported packages put out by the developers).

rentar42 , 3 months ago

Can confirm the statistics: I recently consolidated about a dozen old hard disks of various ages and quite a few of them had a couple of back blocks and 2 actually failed. One disk was especially noteworthy in that it was still fast, error-less and without complaints. That one was a Seagate ST3000DM001. A model so notoriously bad that it's got its own Wikipedia entry: https://en.wikipedia.org/wiki/ST3000DM001
Other "better" HDDs were entirely unresponsive.

Statistics only really matter if you have many, many samples. Most people (even enthusiasts with a homelab) won't be buying hundreds of HDDs in their life.

rentar42 , 4 months ago

Was about to post this, this works well for me.

In my case I'm storing the DB on my Google Drive for now, but Keepass2Android supports many different systems, including "generic" things like WebDAV, so really anything should work.

While Keepass2Android is integrated with the syncing and will always check for conflicts (i.e. check for latest version before saving), the same isn't necessarily true for the desktop client. But since I rarely edit from both devices at the same time, anything that syncs to the Desktop in a somewhat realtime fashion should work just fine.

And for the few (long ago) cases where updates were overwritten, the "previous version" feature of Google Drive was god-sent! (And KeepassX can simply merge the old overwritten version into the current one and you'll get the correct merge).

rentar42 , 4 months ago

I think the difference is at what level:

• don't implement your own storage redundancy system at the kernel level with a small team in a closed-source fashion, because that's the kind of thing that needs many eyes, lots of experience and many millions of hours real-world usage to fully debug and make sure it work.
• do build your own system by combining pre-existing technologies that are built by experienced teams and tested/vetted by wide/popular usage.

I feel OPs critique has some truth to it. I personally would rather stay with raidz by zfs, exactly because of it's open nature (yes, they too have bugs, nothing is perfect).

rentar42 , 4 months ago

I honestly have no real opinion on this (yet), as I don't know if that would help or not.

But 90% of all policy proposals from the UK end up being terrible ideas, so I'll just assume this is stupid.

rentar42 , 4 months ago

I find that to be a tricky thought experiment.

Can you run a country in a way that peppers the general population with "all is well" propaganda thoroughly and still manages to capture all the necessary information to make properly informed decisions at some high level?

You'd need some "elite" layer of people who get to see unfiltered, honest information, but how would you even collect that information if even local, low-level government actors are subject to (and meant to believe) the propaganda?

Basically what I'm asking is: if I ignored moral concerns, is there a world where keeping the majority ignorant could actually lead to more efficiency than letting knowledge of the state of things spread?

rentar42 , 4 months ago

Do you have any devices on your local network where the firmware hasn't been updated in the last 12 month? The answer to that is surprisingly frequently yes, because "smart device" companies are laughably bad about device security. My intercom runs some ancient Linux kernel, my frigging washing machine could be connected to WiFi and the box that controls my roller shutters hasn't gotten an update sind 2018.

Not everyone has those and one could isolate those in VLANs and use other measures, but in this day and age "my local home network is 100% secure" is far from a safe assumption.

Heck, even your router might be vulnerable...

Adding HTTPS is just another layer in your defense in depth. How many layers you are willing to put up with is up to you, but it's definitely not overkill.

rentar42 , 4 months ago (edited 4 months ago)

They are in fact the same image, as you can verify by comparing their digest:

$ docker pull ghcr.io/linuxserver/plex
Using default tag: latest
latest: Pulling from linuxserver/plex
Digest: sha256:476c057d677ff239d6b0b5c8e7efb2d572a705f69f9860bbe4221d5bbfdf2144
Status: Image is up to date for ghcr.io/linuxserver/plex:latest
ghcr.io/linuxserver/plex:latest
$ docker pull lscr.io/linuxserver/plex
Using default tag: latest
latest: Pulling from linuxserver/plex
Digest: sha256:476c057d677ff239d6b0b5c8e7efb2d572a705f69f9860bbe4221d5bbfdf2144
Status: Image is up to date for lscr.io/linuxserver/plex:latest
lscr.io/linuxserver/plex:latest
$

See how both images have the digest sha256:476c057d677ff239d6b0b5c8e7efb2d572a705f69f9860bbe4221d5bbfdf2144. Since the digest uniquely identifies the exact content/image, that guarantees that those images are in fact byte-for-byte identical.

rentar42 , 4 months ago

As others have mentioned (and also explained in quite some detail) you're trying to bite off a lot at once. First, for Jellyfin locally you can ignore most of that.

And if you really want to learn the ins and outs of all that (and I can recommend it, it's useful), then I suggest you start with some simple web app. Something like note taking or maybe even something trivial like a whoami service, which basically just echos some information it was sent back to you. That's super useful because you know that it is unlikely to be broken, so you can focus on the networking/port forwarding issues. And once you've got that working and have a rough feeling how this all works you can go on to more complex setups that actually do something useful.