Skip Navigation
Playboy image from 1972 gets ban from IEEE computer journals
  • It does not seem like you heard the arguments presented in the article. It isn't about being offended by any left or right wing politics, but because women engineers and scientists were uncomfortable about it for a variety of reasons. In a field which struggles to attract and keep female talent, this is a pretty big thing. The model herself spoke out and asked to be "retired from tech".

  • What are you working on this week? (Mar. 2, 2024)
  • I'm working on a music collection manager with a TUI for myself. I prefer to buy and own music instead of just streaming and I have a selhosted server with ZFS and backups where I keep the music and from which I can stream or download to my devices. There are websites which help you keep track of what you own and have wishlists, but they don't really satisfy my needs so I decided to create my own. Its main feature is to have an easier overview of what albums I own and don't own for the artists I'm interested in and to maintain a wishlist based on this for my next purchases. I'm doing it in Rust, because it's a hobby project and I want to get better at Rust. However, it has paid off in other ways. The type system has allowed me to create a UI that is very safe to add features to without worrying about crashes. Sometimes I actually have to think why it didn't crash only to find that Rust forced me to correctly handle an optional outcome before even getting to an undefined situation.

  • Paying people to work on open source is good actually
  • Many open source projects are not developed by unpaid volunteers. The Linux kernel, for example, is primarily developed by professionals on paid time. I'm not convinced the Linux kernel development would continue without business contribution. I'm not convinced all open source projects could just continue without any payment.

  • Is weird that I like and use both Fedora and Debian?
  • I do the same. Fedora on my laptop because I want a balance of stability and having the newest features. Servers run Debian, because I don't have time to fix and update things.

  • What are the most paranoid network/OS security measures you've implemented in your homelab?
  • Logcheck. It took ages to make sure innocent logs are ignored, but now I get an email as soon as anything non-routine happens on my servers. I get emails with logs from every update, every time I log in, etc. This has given me the most confidence that nothing unexpected is happening on my servers. Of course, one needs to make sure that the firewall is configured well, and that you use ssh keys etc., but logcheck is how I know I'm doing enough.

  • How often do you back up?
  • How do you upload a snapshot?

    Basically, as you said. Mount the data somewhere and back up its contents.

    I back up snapshots rather than current data, because I don't want to stop the running containers that read and write from that data. I'd rather avoid the situation where the container is writing data while it's being backed up. The back up happens shortly after the daily snapshot is made so the difference between current and snapshot data is small.

  • How often do you back up?
  • As others have said, with an incremental filesystem level mechanism, the backup process won't be too taxing for the CPU. I have ZFS set up which makes this easy and I make hourly snapshots using sanoid which also get sent to another mirrored pair of connected drives using syncoid. Then, once a day, I upload encrypted daily snapshots to a bucket in the cloud using restic. Sounds complicated, but actually sanoid/syncoid and restic do all the heavy lifting. All I did is automate their schedules using systemd timers and some scripts to backup the right directories.

  • Moving away from Kindle
  • It's worth noting that you don't even need to still have the Kindle device physically with you. I had to throw mine out (I still had the original first ever model), but it's still registered and the token is valid for Calibre's DeDRM.

  • Document Management System for Linux?
  • Looks perfect! Exactly what I was looking for. Thanks!

  • Document Management System for Linux?

    I'm looking to organise my paper mail with the help of a scanner and some document management system for Linux.

    Does anybody have any suggestions?

    The paperless-ngx project is sort of what I'm looking for, but I don't really want or need to run it in a selfhosted manner. I have a selfhosted server on which I could easily add it, but since I don't really need or want this to be available online in any way (even on my local home network) I don't really want that overhead.

    I would prefer an application in the manner of what Calibre is for ebooks. That is, it operates on a locally stored library and that's it. No web server.

    7
    GameVault Update - What's happened 4 months after initial release
  • Very interesting project! However, I can't help shake the feeling that whilst you pitch it as a platform for sharing DRM-free games, it will get used for sharing games against the licenses and wishes of publishers. I don't really care about the publishers, but do you not think there is a great risk that once your app gets enough attention, it will draw their ire and force you to shut down? Perhaps not directly, but e.g., removing you from the windows store etc.

  • Looking for Advice with networking between VPS, Homelab and Cloudflare
  • For caching, are you sure you're generating enough traffic to benefit from it? Plus, CDN caching's strength only really comes into play when the users are geographically distributed which isn't really the case for most self hosters.

    For DDoS check if your VPS host does DDoS protection. Some do and include it for free. I've been monitoring my server traffic lately. Since I've ditched Cloudflare, I haven't needed DDoS protection.

    You can still use Cloudflare DNS without redirecting traffic via their CDN. I do that.

    The point about not revealing the IP address is a personal one it seems. I think it indeed does matter if that IP address is if your home, but not so much of it's of a VPS in some data center. But anyway, this point seems personal.

    However, everything is a trade off and everybody has a personal take on which trade off they want to take. When I was in a similar situation, I ditched CDN proxying via Cloudflare though I still kept them for DNS.

  • You just finished setting up all your services and it works fine - how do you now prepare for eventual drive failure?
  • My configuration and deployment is managed entirely via an Ansible playbook repository. In case of absolute disaster, I just have to redeploy the playbook. I do run all my stuff on top of mirrored drives so a single failure isn't disastrous if I replace the drive quickly enough.

    For when that's not enough, the data itself is backed up hourly (via ZFS snapshots) to a spare pair of drives and nightly to S3 buckets in the cloud (via restic). Everything automated with systemd timers and some scripts. The configuration for these backups is part of the playbooks of course. I test the backups every 6 months by trying to reproduce all the services in a test VM. This has identified issues with my restoration procedure (mostly due to potential UID mismatches).

    And yes, I have once been forced to reinstall from scratch and I managed to do that rather quickly through a combination of playbooks and well tested backups.

  • Looking for Advice with networking between VPS, Homelab and Cloudflare
  • What benefit do you get from running a Cloudflare proxy if you're directing it to a VPS? I used to run with a Cloudflare proxy when my reverse proxy was hosted at home. Since then, I've moved it to a VPS and I no longer use the Cloudflare proxy, because I only expose the IP address of the VPS which is fine. Arguably Cloudflare provides you with DDoS protection, but that's so far never been a problem for me.

  • Dutch residents will have to ditch their cars for sustainable transport system
  • I wish :( The city centers are very walkable and there's plenty of safe bicycle infrastructure, but cars are still very clearly the dominant mode of transport. Every weekend there's queues to the parking garages in every part of the city.

  • Dutch residents will have to ditch their cars for sustainable transport system
    nltimes.nl Dutch residents will have to ditch their cars for sustainable transport system

    To build a fully climate-neutral transport system in the Netherlands, many citizens will have to give up their cars, Jan Willem Eirsman, the government’s new chief climate adviser as chairman of the Scientific Climate Council, told the AD.

    Dutch residents will have to ditch their cars for sustainable transport system

    To build a fully climate-neutral transport system in the Netherlands, many citizens will have to give up their cars, Jan Willem Eirsman, the government’s new chief climate adviser as chairman of the Scientific Climate Council, told the AD.

    47
    What's the best way to prevent IPv6 from leaking when using Wireguard?
  • Wireguard easily supports dual stack configuration on a single interface, but the VPN server must also have IPv6 enabled. I use AirVPN and I get both IPv6 and IPv4 with a single wireguard tunnel. In addition to the ::/0 route you also need a static IPv6 address for the wireguard interface. This address must be provided to you by ProtonVPN.

    If that's not possible, the only solution is to entirely disable IPv6.

  • A ’90% chance of theft’ causes insurer to cancel plans for one type of e-bike
  • The Netherlands recently passed a law requiring helmets on mopeds. This makes mopeds less interesting leading to fat bikes being more attractive, because a helmet is not required on a fat bike.

  • How are you keeping on top of fleet updates?
  • Correct. And getting the right configuration is pretty easy. Debian has good defaults. The only changes I make are configuring it to send emails to me when updates are installed. These emails will also then tell you if you need to reboot in subject line which is very convenient. As I said I also blacklist kernel updates on the server that uses ZFS as recompiling the modules causes inconsistencies between kernel and user space until a reboot. If you set up emails, you will also know when these updates are ready to be installed because you'll be notified that they're being held van.

    So yea, I strongly recommend unattended-upgrades with email configured.

    Edit: you can also make it reboot itself if you want to. Might be worth it on devices that don't run anything very important and that can handle downtime.

  • How are you keeping on top of fleet updates?
  • A few simple rules make it quite simple for me:

    • Firstly, I do not run anything critical myself. I cannot guarantee that I will have time to resolve issues as they come up. Therefore, I tolerate a moderate risk of a borked update.
    • All servers run the same be OS. Therefore, I don't have to resolve different issues for different machines. There is then the risk that one update will take them all out, but see my first point.
    • That OS is stable, in my case Debian so updates are rare and generally safe to apply without much thought.
    • Run as little as possible on bare metal and avoid third party repos or downloading individual binaries unless absolutely necessary. Complex services should run in containers and update by updating the container image.
    • Run unattended-upgrades on all of them. I deploy the configuration via Ansible. Since they all run the same OS, I only need to figure out the right configuration once and then it's just a matter of using Ansible to deploy it everywhere. I do blacklist kernel updates on my main server, because it has ZFS through DKMS on it so it's too risky to blindly apply.
    • Have postfix set up so that unattended-upgrades can email me when a reboot is required. I reboot only when I know I'll have some time to fix anything that breaks. For the blacklisted packages I will get an email that they've been held back so I know that I need to update manually.

    This has been working great for me for the past several months.

    For containers, I rely on Podman auto update and systemd. Actually my own script that imitates its behavior because I had issues with Podman pulling images which were not new, but which nevertheless triggered restarts of the containers. However, I lock the major version number manually and check and update major versions manually. Major version updates stung me too much in the past when I'd update them after a long break.

  • How do you facilitate remote access?
  • I expose my services to the web via my own VPS proxy :) I simply run only very few of them, use 2FA when supported, keep them up to date, run each service as rootless podman, and have a very verbose logcheck set up in case the container environment gets compromised, and allow only ports 80 and 443, and, very importantly, truly sensitive data (documents and such) is encrypted at rest so that even if my services are compromised that data remains secure.

    For ssh, I have set up a separate raspberry pi as a wireguard server into my home network. Therefore, for any ssh management I first connect via this wireguard connection.

  • Using systemd-networkd vs ifupdown on Debian

    Does anybody have experience with both systems enough to compare them?

    I'm currently using ifupdown on my Debian server as that's the default, but it seems that the modern way of managing the local network is via systemd-networkd so I'm contemplating putting the effort in to migrate.

    Would those of you who have experience with it, recommend it?

    In my short investigation, I have made the following observations:

    • using networkd means you can use networkctl to manually control the interfaces which is quite convenient
    • networkd aims to be fully declarative
    • networkd separates the creation of virtual interfaces (netdev files) from their configuration (network files)
    • networkd doesn't support all networking features (e.g. namespaces)
    • networkd is systemd, but surprisingly I can't find information on how to create other unit files that depend on the individual network files going up or down, other than networkd-dispatcher. I don't like dispatcher because just like ifupdown it triggers all the scripts and you need if tests to exclude all interfaces you don't need to be affected. I'd like to write unit files that can be targeted to activate and deactivate when a particular interface goes up or down.
    • networkd, other than via dispatcher, does not seem to support adding arbitrary commands to run like ifupdown supports via e.g. pre-down, post-up, etc.
    14
    Trying to understand the different selfhosted monitoring solutions

    Note: It seems my original post from last week didn't get posted on lemmy.world from kbin (I can't seem to find it) so I'm reposting it. Apologies to those who may have already seen this.

    I'm looking to deploy some form of monitoring across my selhosted servers and I'm a bit confused about the different options.

    I have a small network of three machines that I would like to monitor. I am not looking for a solution that lets me monitor tens, hundreds, or thousands of nodes. Furthermore, I am more interested in being able to observe metrics for each node individually rather than in aggregate. Each of these machines performs a different task so aggregate metrics from these machines are not particularly meaningful. However, collecting all the metrics centrally so that I can have a single dashboard to view them all in one convenient place is definitely something I would like.

    With that said, I have been trying to understand the different (popular) options that are available and I would like to hear what the community's experience is with these options and if anybody has any advice on any of these in light of my requirements above.

    Prometheus seems like the default go-to for monitoring. This would require deploying a node\_exporter on each node, a prometheus service, and a grafana dashboard. That's all fine, I can do that. However, from all that I'm reading it doesn't seem like Prometheus is optimised for my use case of monitoring each node individually. I'm sure it's possible, but I'm concerned that because this is not what it's meant for, it would take me ages to set it up such that I'm happy with it.

    Netdata seems like a comprehensive single-device monitoring solution. It also appears that it is possible to run your own registry to help with distributed monitoring. Not gonna lie, the netdata dashboard looks slick. An important additional advantage is that it comes packaged on Debian (all my machines run Debian). However, it looks like it does not store the metrics for very long. To solve that I could also set up InfluxDB and Grafana for long-term metrics. I could use Prometheus instead of InfluxDB in this arrangement, but I'm more likely to deploy a bunch of IoT devices than I am to deploy servers needing monitoring which means InfluxDB is a bit more future-proof for me as it could be reused for IoT data.

    Cockpit is another single-device solution which additionally provides direct control of the system. The direct control is probably not so much of a plus as then I would never let Cockpit be accessible from outside my home network whereas I wouldn't mind that so much for dashboards with read-only data (still behind some authentication of course). It's also probably not built for monitoring specifically, but I included this in the list in case somebody has something interesting to say about it.

    What's everybody's experience with the above solutions and does anybody have advice specific to my situation? I'm currently leaning to netdata with my own registry at first and later add InfluxDB and Grafana for long-term metrics.

    29
    Is it possible to completely hide all reverse proxy traffic from a VPS provider?

    I run a self-hosted server at home on which I have run a bunch of personal stuff (like nextcloud etc.). To prevent pointing DNS servers at my home router, I run a reverse proxy on a VPS that I rent (from Scaleway FWIW).

    Today I was trying to figure to what extent that exposes my data to my VPS provider and whether I can do something about it. Disclaimer: this is just a hobby exercise. I'm not paranoid, I just want to learn for my own self how to improve security of my setup.

    My reverse proxy terminates the SSL connection and then proxies the connection over a wireguard connection to my home server. This means that (a) data is decrypted in the RAM of the VPS and (b) the certificates live unencrypted in the storage of the VPS. This means that the VPS provider, if they want to, can read all the traffic unencrypted to and from my home server.

    I was thinking that I can solve both problems by using Nginx's SSL pass-through feature. This would allow me to not terminate SSL on the VPS solving (a) and to move the certificates to my home server solving (b).

    But just as I was playing around with it, I realised that SSL pass-through would not solve the problem of trying to protect my data from the VPS provider. As long as my DNS records point at the VPS provider's servers, the VPS provider can always get their own certificates for my domains and do a MitM attack. Therefore, I might as well keep the certificates on the VPS since I still have to trust them not to make their own behind my back.

    In the end I concluded that as long as I use a VPS provider to route my traffic to my home server, there is no fool-proof way to secure my data from them. Intuitively it makes sense, the data crosses their hardware physically and thus they will have access to it. The only way to stop it would be to update the DNS records to point directly at my home server which I don't want to do.

    Is this correct thinking or is there some way to prevent the VPS provider from seeing my data?

    Again, I'm trying to solve this problem as a hobby exercise. The most sensitive data that I have is stored encrypted at the filesystem level and I only decrypt it locally on my own machine to work on it. Therefore, the actually sensitive data that would be cost me a lot if compromised is never available unencrypted on the VPS. Due to the overhead of this encryption and other complications, I don't do this for all my files.

    40
    dr_robot dr_robot @kbin.social
    Posts 5
    Comments 43