Just some Internet guy

He/him/them 🏳️‍🌈

  • 0 Posts
  • 163 Comments
Joined 1 year ago
Cake day: June 25th, 2023



  • I believe you, but I also very much believe that there are security vendors out there demonizing LE and free stuff in general. The “more expensive equals better, more serious” thinking is unfortunately still quite present, especially in big corps. Big corps also seem to like the concept of having to prove yourself with a high price of entry, they just can’t believe a tiny company could possibly have a better product.

    That doesn’t make it any less ridiculous, but I believe it. I’ve definitely heard my share of “we must use $sketchyVendor because $dubiousReason”. I’ve had to install ClamAV on readonly diskless VMs at work because otherwise customers refuse to sign because “we have no security systems”. Everything has to be TLS encrypted, even if it goes to localhost. Box checkers vs common sense.



  • Neither does Google Trust Services or DigiCert. They’re all HTTP validation on Cloudflare and we have Fortune 100 companies served with LetsEncrypt certs.

    I haven’t seen an EV cert in years, browsers stopped caring ages ago. It’s all been domain validated.

    LetsEncrypt publicly logs which IP requested a certificate, that’s a lot more than what regular CAs do.

    I guess one more to the pile of why everyone hates Zscaler.


  • Capture it interlaced, preferably as losslessly as possible, then use deinterlacing software where you can fine-tune the settings if you need to.

    And keep the original interlaced versions too! You never know, in the future you may want to use a newer deinterlacer that works better. Or a new codec that can preserve more details in smaller files.

    I’d keep the tapes too, you never know when the community will come up with better VCRs like how it’s happening in the retro computer world where we have things like the GreaseMonkey that can store the raw magnetic transitions on the platters and floppies.



  • IMO the biggest attack vector there would be a Minecraft exploit like log4j, so the most important part to me would be to make sure the game server is properly sandboxed just in case. Start from a point of view of, the attacker breached Minecraft and has shell access to that user. What can they do from there? Ideally, nothing useful other than maybe running a crypto miner. Don’t reuse passwords obviously.

    With systemd, I’d use the various Protect* directives like ProtectHome, ProtectSystem=full, or failing that, a container (Docker, Podman, LXC, manually, there’s options). Just a bare Alpine container with Java would be pretty ideal, as you can’t exploit sudo or some other SUID binaries if they don’t exist in the first place.

    That said the WireGuard solution is ideal because it limits potential attackers to people you handed a key, so at least you’d know who breached you.

    I’ve forgotten Minecraft servers online and really nothing happened whatsoever.
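    As an added illustration of the systemd approach from the comment above (my own example, not the commenter’s code): a function that renders a unit with the Protect* directives, and an audit function that checks an existing unit for them. The user name “minecraft” and the path /srv/minecraft are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's own code: render a systemd unit for a Minecraft
# server with the Protect* directives the comment mentions, and audit an existing
# unit for them. User "minecraft" and /srv/minecraft are placeholder assumptions.

# Directives the audit insists on. MemoryDenyWriteExecute is deliberately absent:
# the JVM's JIT needs writable+executable memory and the service would not start.
REQUIRED_DIRECTIVES="NoNewPrivileges=yes ProtectHome=yes ProtectSystem=full PrivateTmp=yes PrivateDevices=yes ProtectKernelTunables=yes ProtectControlGroups=yes RestrictSUIDSGID=yes"

render_minecraft_unit() {
  user=$1 dir=$2
  cat <<EOF
[Unit]
Description=Minecraft server (sandboxed)
After=network.target

[Service]
User=$user
Group=$user
WorkingDirectory=$dir
ExecStart=/usr/bin/java -Xmx2G -jar server.jar nogui
Restart=on-failure
$(printf '%s\n' $REQUIRED_DIRECTIVES)
# Only the world directory stays writable if you later raise ProtectSystem to strict
ReadWritePaths=$dir
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
EOF
}

# Returns 0 when every required directive is present as a whole line in the unit
# file, 1 otherwise; missing ones are printed so this works as a config audit.
check_hardening() {
  file=$1 missing=0
  for d in $REQUIRED_DIRECTIVES; do
    grep -qx "$d" "$file" || { echo "missing: $d"; missing=1; }
  done
  return $missing
}
```

    Once the unit is installed, `systemd-analyze security minecraft.service` scores the remaining exposure and lists which directives are still unset.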


  • Lemmy’s format just kind of sucks for discussions and visibility. If you comment on a post from a year ago, you can expect that to not be seen by anyone ever.

    Lemmy is primarily a link aggregator, just like Reddit. It also happens to somewhat work for Q&A and help forums, but fundamentally Lemmy is more oriented towards new content.

    The more classic forum format is better for discussions because replies bump the thread up to bring new attention to it.

    Also a lot of people just don’t give a shit about random people’s random thoughts, that’s why I’m not on Mastodon and never really used Twitter either. I don’t know why people feel the need to dump all their thoughts on the Internet, like I care that a celebrity is on a plane or enjoying a nice meal.

    Lemmy is about topics, not people, that’s what I like about it. I don’t care about people.


  • The trick for this one is mount -t zfs -o zfsutil internal /mnt/some/path

    Assuming the root dataset is mountable. If you have a -o canmount=off on the dataset it will refuse to mount.

    If it’s -o mountpoint=legacy then you don’t need -o zfsutil, but still need to provide both the source and destination paths. Otherwise you’ll get the fstab error because mount can’t figure out what to mount or where to mount it.
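    The three cases from the comment above, written out as a small decision function (an added example of mine, not the commenter’s code). The dataset name “internal” and /mnt/some/path come from the comment; the function names and the zfs property lookups are my own.

```shell
#!/bin/sh
# Added example, not the commenter's code: choose the right mount invocation for a
# ZFS dataset from its canmount/mountpoint properties, as described in the comment.

# Pure decision logic, so it can be exercised without a pool present.
# Prints the mount command on stdout; returns 1 (with the reason on stderr) when
# the dataset cannot be mounted this way at all.
zfs_mount_cmd_for() {
  ds=$1 target=$2 canmount=$3 mountpoint=$4
  if [ "$canmount" = off ]; then
    echo "refusing: $ds has canmount=off; run 'zfs set canmount=on $ds' first" >&2
    return 1
  fi
  if [ "$mountpoint" = legacy ]; then
    # Legacy datasets mount like any other filesystem: no zfsutil flag, but mount
    # still needs both source and target, otherwise you get the fstab error.
    echo "mount -t zfs $ds $target"
  else
    # zfsutil tells mount.zfs to apply the dataset's own mount options.
    echo "mount -t zfs -o zfsutil $ds $target"
  fi
}

# Same decision against a live system: reads the two properties with zfs get.
zfs_mount_cmd() {
  ds=$1 target=$2
  canmount=$(zfs get -H -o value canmount "$ds") || return 1
  mountpoint=$(zfs get -H -o value mountpoint "$ds") || return 1
  zfs_mount_cmd_for "$ds" "$target" "$canmount" "$mountpoint"
}
```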


  • Yep there’s a reason I reached directly for that configuration. WireGuard uses UDP, that’s one of the first things that gets blocked.

    Turns out that’s also the kind of protocol corporate VPNs use, reusing port 443 over TCP. They call those “SSL VPN”. They get to weed out all commercial VPNs used to bypass their firewalls as well as most torrent/game activity while still mostly catering to their business guests.


  • Best bet is probably going to be using something like OpenVPN on port 443 in TCP mode, which basically looks like regular HTTPS. It’s a hotel, I doubt they’re going to be doing deep analysis to detect signs it’s OpenVPN. It’s detectable easily but they wouldn’t spend the money on that advanced of a firewall.

    My guess is they went for an allowed list of ports rather than blocked, so it lets DNS (53), HTTP (80), HTTPS (443), probably also POP/IMAP/SMTP (110, 995, 143, 993, 465).


  • The problem with that is, can you really trust most instances out there? If you’re a sketchy admin, it’s not that hard to convince a handful of people to use your instance and have a couple dozen anonymous votes at your disposal to influence certain topics. There’s no way to detect it, not even the other users.

    That would then mean that small instances would have to prove themselves before being accepted in the wider network of instances and just end up centralizing the fediverse.

    With the votes being public, while you can create as many accounts as you want, you still have to publicly use a bunch of bot accounts which makes it more easily detectable. And of course, there’s no way your instance can get away with impersonating you, because you could see it sneaking votes or comments.

    I wish it could be more private, but I can’t think of a way you can prevent vote manipulation without revealing who actually voted for what or rely on trust. Another way to look at it would be, what if Lemmy didn’t use instances but instead some sort of decentralized system where each user is its own entity. How would we obfuscate the votes then? Anyone can publish a message to the network, so you need to tie it to some identity, and you circle right back to the problem.

    For privacy, there’s always alt accounts and recycling accounts often. Or treat the votes as if you were commenting “+1” or “-1”.

    Unless someone comes up with some crypto scheme to somehow anonymously prove that a user has voted, and has voted only once, and the user has credible history being a real person.

    Personally, it’s a tradeoff I chose as the price of entry for being able to participate in this while being fully independent of some benevolent person/organization/company/private equity firm. Nobody can take away my API or my apps or shove me ads. I can post entire 4K HDR clips if I want. I can have an offline copy of it if I want to read on a plane trip. I can index Lemmy, I can search Lemmy.



  • I wish Jitsi was actually good. It’s a pain in the ass to setup and I’ve yet to get anything more than maybe 480p on it across both Firefox and Chrome as well as the mobile apps on iOS and Android. It even reports poor internet connection when the server is literally 5ms away over the Internet, so even if it has to fall back to routed traffic I’ve still got a full gigabit of connectivity between me and my server in a datacenter which is way more than enough. None of the open instances I tried were any different either.

    It feels like a ridiculously overcomplicated WebRTC demo app, the end performance is essentially identical.


  • I’ve not seen any, but I’m also not subscribed to the kind of communities that would be prone to it. I did still manage to get some transphobia directed at me, which is wild because I’m cis.

    That’s the thing with the fediverse, every instance has a slightly different view of the thing as a whole. That’s why picking an instance that aligns with your values matters. You’re not going to see much of that on blahaj or beehaw because those users get banned quickly, and problematic instances are defederated as a whole. The matching opposite instances exist too, some are made to be safe havens for the extreme right, with all the *ism and *phobias going on there.

    I recommend people of color to pick instances that support them, which in turn means they have admins watching their back and shutting down racism quick.

    The fediverse will have every problem that plagues other social media, and it will be worse because unlike Reddit/Twitter, there isn’t a centralized authority to say no, that’s enough. The only way to deal with it is most big instances saying no and defederating those, but it’ll never go away fully, just hidden away.

  • Separate components that do one thing and only that thing and do it well are good. Extra containers are basically free.

    • The exporters provide the metrics. They can be standalone executables like the node exporter, or can be included in apps themselves easily since it’s just HTTP. It’s trivial to add metrics to just about anything without needing extra ports. Its protocol is also easier and more efficient than SNMP.
    • Prometheus scrapes those metrics and stores them into its database. In other apps that’d be the role things like PostgreSQL have: you don’t really use it directly, but it’s no less important.
    • Grafana is the frontend you slap in front of Prometheus to actually display your metrics.
    • Alertmanager looks at the metrics and sends alerts. It’s separate because if your Prometheus box goes down, how are you gonna be alerted of that?

    All 4 of those can be swapped with something else equivalent and it all still works. Don’t like the UI? Replace Grafana. Don’t like Prometheus? There’s VictoriaMetrics and InfluxDB.

    It looks silly on a small scale, but it scales up very well. Couple hundred VMs per Prometheus install, node exporters on every VM and a single Grafana cluster to visualize the data for the whole infrastructure at once.

    That makes it all well liked in enterprise which means there are exporters for damn near anything (even the Lemmy server has a built-in exporter I can scrape with Prometheus), which in turn makes it the easy solution for self-hosters too, and here we are.

    I feel like it’s easier to set up than some of the all in one solutions I’ve used previously, despite being several components. They’re all components that basically just work out of the box.
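    To show what “it’s just HTTP” means in practice, here is an added example of mine (not code from the comment, Prometheus, or any exporter project) that produces the text exposition format an exporter or app serves on its /metrics endpoint, including the label-value escaping the format requires. Metric names and values are constructed.

```shell
#!/bin/sh
# Added example, not from the comment or any of the projects named: emit metrics in
# the Prometheus text exposition format that exporters serve over HTTP, including
# the label-value escaping the format requires. Metric names/values are constructed.

# Escape a label value: backslash -> \\, double quote -> \", newline -> \n
prom_escape() {
  printf '%s' "$1" | sed -e ':a' -e '$!N' -e '$!ba' \
    -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e 's/\n/\\n/g'
}

# prom_gauge NAME HELP VALUE [label=value ...]: HELP/TYPE header plus one sample
prom_gauge() {
  name=$1 help=$2 value=$3
  shift 3
  labels=""
  for kv in "$@"; do
    k=${kv%%=*} v=${kv#*=}
    labels="${labels:+$labels,}$k=\"$(prom_escape "$v")\""
  done
  printf '# HELP %s %s\n# TYPE %s gauge\n' "$name" "$help" "$name"
  if [ -n "$labels" ]; then
    printf '%s{%s} %s\n' "$name" "$labels" "$value"
  else
    printf '%s %s\n' "$name" "$value"
  fi
}

# What a tiny app-side /metrics handler would return (constructed sample values);
# Prometheus scrapes this, Grafana charts it, Alertmanager fires on rules over it.
render_metrics() {
  prom_gauge app_up "Whether the app answered its last self-check" 1
  prom_gauge app_disk_free_bytes "Free space per data path" 73400320 'path=C:\data'
  prom_gauge app_players_online "Players currently connected" 3 'world=a "quoted" name'
}
```

    Piping `render_metrics` into `promtool check metrics` validates the output the same way Prometheus will parse it.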