• 0 Posts
  • 39 Comments
Joined 3 years ago
cake
Cake day: July 29th, 2023

help-circle



  • mlg@lemmy.worldtoSelfhosted@lemmy.worldRecommended mini pc for a homelab?
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    8 days ago

    If you want something that fits the SFF cube shape so you can throw it next to a TV or desk for video output, you can probably go for the SYS-A22GA-NBRT.

    Easy to upgrade CPU & RAM later down the line if you start doing more stuff with it, plus space for dedicated GPU if you ever want to do heavy media server stuff.

    Would avoid pi due to the underperformance for the price. Plus best bang for buck usable storage will always be HDDs. SD cards are nice but you have to disable journaling to keep the writes low as to not wear down usable blocks.




    • Anything that you can shove hardware into (CPU, RAM, HDDs, maybe a PCI slot), so any used workstation is a great start, and don’t bother splurging initially, just follow the quality tool rule and only buy when something becomes inadequate. If you want to jump straight into loud and noisy severs, you can pick up used servers for cheap like R730s which there’s a ton of out there. Just avoid 2.5" drive bays because 3.5" HDDS are way cheaper per Gb.

    • Would recommend podman over docker as its matured to the point where it has a lot of better features like rootless, quadlets, etc that you might want to take advantage of in the future. OS is whatever linux you prefer, but I recommend you stay away from Ubuntu. If you want something RedHat but not as cutting edge as Fedora, I’ve heard OpenSUSE is pretty nice.

    For apps, If you want to do HTTPS via GUI then npmplus is nice option, Otherwise caddy can do the same with text config. Rest is whatever you want to try out :)

    EDIT: If you start making an *arr stack, I would recommend recyclarr to handle the quite expansive content filter settings for sonarr and radarr.


  • I hate to break the news but the issue with Bitwarden is that the client sucks total ass, and there are no drop in 3rd party replacements for the browser plugin.

    Been running Vaultwarden for a while now and even though the sync implementation is nice and clean, it’s just not worth the end user experience.

    This is really dumb when compared to literally every other password manager, open source and enterprise which does a much better job of actually being a password manager and not a glorified encrypted text file.

    I’m eventually going to switch back to KeePassXC and just suggest setting a master password with Firefox’s builtin password manager for everyone else who just wants a painless user experience and not have to deal with syncing vaults.


  • Wireguard.

    Dunno if Cloudflare does effective auth for the tunnel or if you have to set that up yourself, but I don’t bother trying to expose services to the internet in any way because some of this stuff was just never designed for proper web security (cough Jellyfin).

    It’s still worth setting up a wildcard cert with ACME so you get nice https and a real domain.


  • I’ve been trialing Vaultwarden for a while and while I do like the server sync setup and clean web access, the Bitwarden browser plugin is just okay despite being an “enterprise” solution. It misses probably about 20% of websites when creating a new account, forcing you to grab the password from the generator history and make a new entry manually.

    KeepassXC is much better in that regard, and it’s almost as good as the default credential handler of Firefox, and it lets you set up a bunch of custom stuff to extend the functionality if you want. Plus it has some neat kbdx options aside from AES256.

    Only downside is syncing, which I’m debating how I’ll deal with something better than syncthing on android (protocol is great, android makes it a PITA to have a background process if its not Google spyware).


  • (I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis.

    Wireguard on 443 or OpenVPN + Stunnel on 443

    Wireguard is easier to setup because there’s no OpenVPN app that packages stunnel (afaik), so you have to run 2 apps on your phone to make it work.

    A server like caddy can also accept HTTPS traffic for some regular websites next to the VPN server.

    Wireguard uses UDP, so just run whatever you want on 443 TCP with caddy (unless you want QUIC for some reason?)

    Anything beyond that and you’d be looking at using a proper obfuscation solution like Shadowsocks or obfs4, in which case you should look into Amnezia or Tor bridges.


  • Use our easy bash oneliner to install our software!

    Looks inside script

    if [ $(command -v apt-get) ]; then apt-get install app; else echo “Unsupported OS”

    Still less annoying than trying to build something from source in which the dev claims has like 3 dependencies but in reality requires 500mb of random packages you’ve never even heard of, all while their build system doesn’t do any pre comp checking so the build fails after a solid hours of compilation.




  • mlg@lemmy.worldtoSelfhosted@lemmy.worldDocker security
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    1
    ·
    7 months ago

    How I sleep knowing Fedora + podman actually uses safe firewalld zones out of box instead of expecting the user to hack around with the clown show that is ufw.

    I could be wrong here but I feel like the answer is in the docs itself:

    If you are running Docker with the iptables or ip6tables options set to true, and firewalld is enabled on your system, in addition to its usual iptables or nftables rules, Docker creates a firewalld zone called docker, with target ACCEPT.

    All bridge network interfaces created by Docker (for example, docker0) are inserted into the docker zone.

    Docker also creates a forwarding policy called docker-forwarding that allows forwarding from ANY zone to the docker zone.

    Modify the zone to your security needs? Or does Docker reset the zone rules ever startup? If this is the same as podman, the docker zone should actually accept traffic from your public zone which has your physical NIC, which would mean you don’t have to do anything since public default is to DROP.




  • Ubuntu and Docker.

    Really? Netplan alone disqualifies Ubuntu as a “friendly stable starter distro”, and I can guarantee you that your guide will somehow become outdated with a single new Ubuntu release, or some poor soul who accidentally selected an LTS release.

    Docker doesn’t matter as much, but there’s a reason beyond just FOSS licensing why podman exists.

    Would highly recommend Debian instead.

    I started on Ubuntu similar to this many years ago and both the server and desktop experience was not fun at all.