That’s a good point, and I don’t really have enough insights to properly respond to that. I did think about Peertube, and I believe that a site like TikTok is different, because it relies on the ability to broadcast a large number of short videos, specifically with lots of skips.

Streaming one video for several minutes, and skipping between numerous videos every couple of seconds, is orders of magnitude more expensive. Video compression works on the idea that you store entire pictures rarely, and then just encode the difference between each frame. When you constantly need the start of videos, you constantly need the full picture of the first frame. This induces a much higher bandwidth requirement than with video that streams for several minutes continuously. Also consider the response time that is required to make the TikTok experience work. Then also consider that you need to attract enough content contributors to make this work. You can’t just upload some ancient archive of 45 minute videos. You need to drive the machine.

So, to produce a TikTok experience, you also need to design for an attractive ingress of free content.

This is just not replicable in a free environment.

Nobody pays for that much bandwidth without the ability to manipulate you through profiling and impressions. You are the product. The product is not sharing videos. There is no fediverse platform that makes you its whore. If you were to make a video sharing platform, it would never work, because that is not the product, it’s only a feature of what makes up the dopamine machine.

Lemmy will also never outgrow commercial platforms, because the commercial platforms also never were about content.

I’ve been maintaining multiple release channels for most of my projects. I always have a nightly build and a dev build that I run manually or on every push. Actually versioned releases either happen directly after completing a milestone or when the release schedule calls for it.

Reddit is free. Other people paying for your free service is a very weak argument to bring up. If Lemmy dies today, nobody but hobbyists and amateurs will care. Just like with LE.

I’ve been there. Not every CA is equal. Those kind of CAs were shit. LE is convenient. There are more options though.

I actually agree. For the majority of sites and/or use cases, it probably is sufficient.

Explaining properly why LE is generally problematic, takes considerable depth of information, that I’m just not able to relay easily right now. But consider this:

LE is mostly a convenience. They save an operator $1 per month per certificate. For everyone with hosting costs beyond $1000, this is laughable savings. People who take TLS seriously often have more demands than “padlock in the browser UI”. If a free service decides they no longer want to use OCSP, that’s an annoying disruption that was entirely not worth the $1 https://www.abetterinternet.org/post/replacing-ocsp-with-crls/

LE has no SLA. You have no guarantee to be able to ever renew your certificate again. A risk not anyone should take.

Who is paying for LE? If you’re not paying, how can you rely on the service to exist tomorrow?

It’s not too long ago that people said “only some sites need HTTPS, HTTP is fine for most”. It never was, and people should not build anything relevant on “free” security today either.

People who have actually relevant use cases with the need for a reliable partner would never use LE. It’s a gimmick for hobbyists and people who suck at their job.

If you have never revoked a certificate, you don’t really know what you’re doing. If you have never run into rate-limiting issues with LE that block a rollout, you don’t know what you’re doing.

LE works until it doesn’t, and then it’s like every other free service on the internet: no guarantees If your setup relies on the goodwill of a single entity handing out shit for free, it’s not a robust setup. If you rely on that entity to keep an OCSP responder alive for free so all your consumers can verify the validity of your certificate, that’s not great. And people do this to save their company $1 a month for the real thing? Even running the shitty certbot in compute has a larger cost. People are so blindly in love with this “free” garbage. The fanboys will never die off

Can’t disagree with any of that. But I still like doing it

Bro, I’m an AWS Cloud Solution Architect and I seriously don’t know what you’re talking about. And, no, when I waste time on Lemmy, then there is literally nothing better to do.

AWS made S3. People built software to integrate S3 as a storage backend. Other people didn’t want to do AWS, and built single-node imitations of the S3 service. Now you use those services and think that is S3, while it is only a crude replica of what S3 really is. At this point the S3 API is redundant and you could just as well store your assets close to your application. You have no real, global S3 delivery service anyway. What’s the point?

Most people misuse AWS S3. Using stuff like minio is even more misguided.

I don’t follow. S3 is an AWS service that these tools emulate locally by providing the same API. But I’m happy to accept that there’s just some misunderstanding 😃

Buy a different domain. Let them pay for this one until the end of time.

Fuck that. People like to act like running an SMTP server or a CA is some major shit, while everyone is fucking up on these subjects every single day.

S3 goes beyond the scope you describe. You disqualify yourself with such statements

I disagree. Local files access is always superior. If you disagree, your target solution is likely poor to begin with

So it compares to existing products, but it’s less mature? Why should anyone care?

S3 storage is simpler than local files? I think you need to elaborate

I roll out Step CA to my workstation with an Ansible role. All other clients on the lab trust this CA and are allowed to request certificates for themselves through ACME, like LetsEncrypt.

All my services on all clients on the network are exposed through traefik, which also handles the ACME process.

When it comes to Jellyfin, this is entirely counter-productive. Your media server needs to be accessible to be useful. Jellyfin should be run with host networking to enable DLNA, which will never pass through TLS. Additionally, not all clients support custom CAs. Chromecast or the OS on a TV are prime candidates to break once you move your Jellyfin entirely behind a proxy with custom CA certificates. You can waste a lot of time on this and achieve very little. If you only use the web UI for Jellyfin, then you might not care, but I prefer to keep this service out of the fancy HTTPS setup.

I prefer having a convenient pull mechanism that I can trigger from a workstation in the lab network. I maintain the setup with Ansible

PathPrefix no longer being regex stood out

Sharing the network space with another container is the way to go IMHO. I use podman and just run the main application in one container, and then another VPN-enabling container in the same pod, which is essentially what you’re achieving with with the network_mode: container:foo directive.

Ideally, exposing ports on the host node is not part of your design, so don’t have any --port directives at all. Your host should allow routing to the hosted containers and, thus, their exposed ports. If you run your workloads in a dedicated network, like 10.0.1.0/24, then those addresses assigned to your containers need to be addressable. Then you just reach all of their exposed ports directly. Ultimately, you then want to control port exposure through services like firewalld, but that can usually be delayed. Just remember that port forwarding is not a security mechanism, it’s a convenience mechanism.

If you want DLNA, forget about running that workload in a “proper” container. For DLNA, you need the ability to open random UDP ports for communication with consuming devices on the LAN. This will always require host networking.

Your DLNA-enabled workloads, like Plex, or Jellyfin, need a host networking container. Your services that require internet privacy, like qBittorrent, need their own, dedicated pod, on a dedicated network, with another container that controls their networking plane to redirect communication to the VPN. Ideally, all your manual configuration then ends up with a directive in the Wireguard config like:

PostUp = ip route add 192.168.1.0/24 via 192.168.19.1 dev eth0

Wireguard will likely, by default, route all traffic through the wg0 device. You just then tell it that the LAN CIDR is reachable through eth0 directly. This enables your communication path to the VPN-secured container after the VPN is up.