smiletolerantly

joined 1 year ago
[–] [email protected] 7 points 2 weeks ago

Managing 30+ machines with NixOS in a single unified config, currently sitting at a total of around 17k lines of nix code.

In other words, I have put a lot of time into this. It was a very steep learning curve, but it's paid for itself multiple times over by now.

For "newcomers", my observations can be boiled down to this: if you only manage one machine, it's not worth it. Maaaaaybe give home-manager a try and see if you like it.

Situation is probably different with things like Silverblue (IMO throwing those kinds of distros in with Guix and NixOS is a bit misleading - very different philosophy and user experience), but I can only talk about Nix here.

With Nix, the real benefit comes once you handle multiple machines. Identical or similar configurations get combined or parametrized. Config values set for Host A can be reused and decisions be made automatically based on it in Host B, for example:

  • all hosts know my SSH pub keys from first boot, without ever having to configure anything in any of them
  • my NAS IP is set once, all hosts requiring NAS access just reuse it implicitly
  • creating new proxmox VMs just means adding, on average, 10 lines of nix config (saying: your ID will be this, you will run that service) and a single command, because the heavy lifting and configuring has already been done, once -...
[–] [email protected] 1 points 2 weeks ago

Chat, is this AI-generated ads on Lemmy?

[–] [email protected] 8 points 3 weeks ago (1 children)

Are we talking permanent background tracking? Or sending a message "hey, I'm here"?

[–] [email protected] 10 points 1 month ago (3 children)
[–] [email protected] 8 points 1 month ago* (last edited 1 month ago) (6 children)

Sure! As long as it's nixpkgs.

[–] [email protected] 3 points 1 month ago

I still find it hilarious that since dd-wrt and OpenWrt are just… Linux, you could install Super Mario Bros on there. I checked, nobody seems to have tried.

Oh, definitely, but there are varying degrees of difficulty, esp. with what kinds of packages / package management you have available :D

Ah, that make sense. Is Wireguard P2P?

Yes, in the sense that each node/device is a peer. But the way I'd suggest you configure it in your case is more akin to a client/server setup - your devices forward all traffic to the "server", but it never takes initiative to talk "back" to them, and they do not attempt to communicate with each other. Unless you have a separate usecase for that, of course.

You both are perfect for each other, so don’t screw it up!

❤️

Closing in on 8 years

[–] [email protected] 3 points 1 month ago (2 children)

I’m actually surprised nobody suggested simply using the Pi with OpenWrt as my own router. Though, that would make it hard to host Jellyfin.

A brief internet search shows that surprisingly, hosting Jellyfin on OpenWRT should work.... No idea how well though. Come to think of it, having OpenWRT on the pi might make it a lot easier to configure, with graphical settings available and so on.

Could you explain Wireguard vs. Tailscale in this scenario?

I've never used tailscale, I'm afraid. Normally I would say: just use whatever seems easier to set up on your device/network; however, note that tailscale needs a "coordinate server". No actual traffic ever goes through it, it just facilitates key exchanges and the like (from what I understand), but regardless, it's a server outside your control which is involved in some way. You can selfhost this server, but that is additional work, of course...

Thank you all so much for your help! This is likely the solution I will go with, combined with another one, so again thank you so much!

Glad I could help, after being so unhelpful yesterday :)

P.S. I don’t care if you wrap an ethernet cord around her finger, get going!

Eh... Marriage is not really common in either of our families. We agreed to go sign the papers if there ever is a tax reason, lol. Sorry if that's a bit unromantic :D Nice rings though ^^

[–] [email protected] 3 points 1 month ago* (last edited 1 month ago) (1 children)

I am actually considering getting an EV for transporting my Cello :/

It's unfortunately not possible to reliably transport it by bike (strong winds, icy conditions on my rather hilly ride to the city). Makes me miss out on re-joining an orchestra.

Everything else (groceries, work,...) would still be by bike, just... That.

[–] [email protected] 1 points 1 month ago

That's great. Hope other states follow suite.

[–] [email protected] 12 points 1 month ago* (last edited 1 month ago) (5 children)

Hi again.

How about the following idea:

Set up ProtonVPN on the raspberry pi.

On all other devices (or at least those you want to use Jellyfin on), switch from using Proton to using Wireguard. Unlike your phone, the raspberry pi has no trouble running multiple VPNs. I think the ProtonVPN limitations in regard to not allowing split tunneling don't apply here, since all outgoing traffic will still go via Proton.

Essentially, the Pi would function as a proxy for all of your traffic, "and also" host Jellyfin. You would still connect to http://192.168.20.10:8096/ (or whatever) on your devices, but that address would only resolve to anything when you are connected to the pi via Wireguard. No HTTPs, but "HTTP over Wireguard", if you will.

Nots that this requires you trusting the pi to the same degree that you trust your phone.

For your static devices (PC, TV) this should solve the problem. Devices which you take with you, like your phone, unfortunately will loose internet connectivity when you leave your home until you switch off Wireguard, and switch on Proton, and not be able to connect to Jellyfin when you return home, until you switch them back.

Essentially, you would have a "home" VPN and a "on the go" VPN, though you never need to connect to both. There might be ways to automate this based on WiFi SSID on Android, but I have not looked into it.

The Pros:

  • this should meet all your requirements. No additional expenses, no domain, no dynDNS; no selfsigned certificate or custom CA; traffic is never unencrypted; works on all common devices.
  • Wireguard is sufficiently lightweight to not bog down the pi, normally
  • this is actually well within the intended use-cases for Wireguard, so no "black magic" required in configuring it
  • if you ever do decide to get a domain, you can configure everything to always be connected to your pi via Wireguard, even on the go! Not required though.

The Cons:

  • when you are new to selfhosting, Wireguard is a bit daunting to set up. It is not the easiest to debug (don't worry, it's easy to tell IF it is working, but not always WHY it isn't working). Some manual route handling is probably also required on the pi. It should definitely be doable though, but might turn this Jellyfin thing from a weekend project to a 2 week project...
  • I have no experience with how well the pi runs Jellyfin. If the answer is "barely", then adding multiple concurrent Wireguard sessions might be a bad experience. Though in this case, you could only switch Proton to Wireguard whenever you want to watch Jellyfin.
  • the manual switching might be annoying, but that is the price to pay here, so to speak

Edit: someone else already mentioned setting up your own trusted network with a second router. IMO that is the better, more hassle-free option IF you are willing to shell out the money. My suggestion is the "free" version of that, essentially 😄

[–] [email protected] 7 points 1 month ago

Hi again. Sorry for being so rude yesterday. Your new post actually clears the situation up a lot.

We might have an idea for you, will comment on the new post.

[–] [email protected] 44 points 1 month ago* (last edited 1 month ago) (3 children)

Hi. I am a software engineer with a background in IT security. My girlfriend is a literal network security engineer.

I showed her this thread and she said: don't bother, just use http on your local network.

Anyways, I am going to disengage from this thread now. Skepticism against things one doesn't fully understand can be healthy, but this is an insane mix of paranoia and naïveté.

You are not a target; the things you are afraid of will never happen; and if they did, they would not have the consequences you think they would.

Your router will NOT magically expose your traffic to the internet (what would that even mean?? Like, if it spontaneously started port forwarding to your Jellyfin server (how? By just randomly guessing the port and IP???), someone would still need to actively request that traffic, AND know your login credentials, AND CARE).

Your ISP does not give a shit about you owning or streaming copyrighted material over your local network. It has no stake in that.

Graphene is not an ultimate arbiter of IT security, but the reason it "distrusts networks" is because you take your phone with you, constantly moving into actual untrusted networks (i.e. ones you do not own).

Hosting Jellyfin on Graphene will not make it more secure, whatsoever.

If every device is assumed compromised, and compromising devices with knowledge that you watch media is a threat in your model, then even putting an SD card with media in your phone and clicking play is dangerous. Which is stupid.

If you actually assume your router is malicious, then please assume that when you initially downloaded your VPN client, it was also compromised and your VPN is not trustworthy.

The way I see it, you have two options:

  1. educate yourself on network security to the point of being able to trust your network setup; or
  2. forget about hosting anything
 

Five years ago, I bought a Supernote A5. It was (and mostly still is) a great device for reading and writing on an eInk display, and it runs plain old linux.

The deciding reason I went for this device instead of the competition is that I was "under the impression" that they were about to enable full SSH access to the device! Awesome!

"Why were you under that impression?", I hear the skeptics ask. Well, their spokesperson has stated that they would do so. Via mail, and on reddit, publicly, multiple times. I was still torn, so sent them a DM, asking if this was ineed factual. "Yes", they said, "the next quarterly update will enable SSH access!".

Great!

Well, it's been 5 years. They did not follow through. A couple updates were published, none contained the promised functionality, the spokesperson stopped answering questions about SSH. The last software update I received is from 2.5yrs ago. Mentions of the original Supernote A5 have largely been scrubbed from their website.

Let me be clear, the device still functions perfectly. But it is in danger of becoming e-waste because it is so needlessly complicated to get stuff on the device. I'm currently in need of an ebook reader with (ideally) OPDS capability, and I am pretty confident I'd be able to get something like koreader running on this, or at least just run a script to sync files over SSH. Also, I frankly feel wounded in my pride having a Linux device in my possession which refuses to do my bidding (I'm joking of course, but also I am 100% serious).

Here's all I know:

  • plugging it in via USB, the device reads as an MTP device, with access only to the documents/books/... stored on it
  • you can place an update.zip file (obtained from the SN website) into the root of that MTP directory, and upon reboot, the device will update. To me, this appears to be the most promising route of gaining access.
  • unfortunately, the zip file is encrypted. The decryption key clearly has to be known to the device, but since I have no access to it,...

I'm a software engineer, but I have zero knowledge of the "dark arts", so to speak. If anyone could help me (or point me into the right direction!), I would really be grateful. I don't want this (generally nice) product to turn into a paperweight instead of a paper replacement :(

 

Basically, the title. After years of inactivty, I'll be taking music (cello) lessons again, with my teacher of yesteryear, from whom I've moved half a country away.

She has suggested Zoom but is open to alternatives. I don't particularly like Zoom, plus I have a feeling better quality can be had through a custom solution - but I'm at a bit of a loss as to what exactly would be a good fit for this project.

Maybe Jitsi? Does someone here have experience with it and could tell me if it's possible to set something like a "target" audio quality?

For hardware, I basically have two options. Both are already in use, for different things, and have sufficient processing capabilities - albeit no GPU:

  • host everything at home. Plus: lowest possible latency from me to the server. Not sure how much that is worth though.
  • root server in the Hetzner cloud: much faster network speed. Again though, not sure how beneficial that is, the ultimate bottleneck will always be my upload speed (40Mbit)

OK, I realize that this post is a but of a random assortment of thoughts. I'd be really happy about suggestions and / or hearing about other's experiences with similar use-cases!

28
submitted 10 months ago* (last edited 10 months ago) by [email protected] to c/[email protected]
 

Hi,

not sure where else to post this. For a while now, I've unsuccessfully been trying to get WireGuard to work with Crunchyroll.

Setup is as follows:

  • dedicated server hosts a wg-quick instance in [neighboring country]
  • OPNSense acts as peer on a single IP
  • I have a rule for routing the entire traffic of some source device via that IP

This works just fine. Handshake successful, traffic is routed via the server. traceroute shows the server as the hop immediately after my device's local gateway. The connection is stable, and fast.

...except for Crunchyroll. The site / app itself is fine, but I can not, for the life of me, get a video to play. It just keeps loading forever.

I don't think this is an issue with CR recognizing that I'm not where I say I am - looking online, it seems pretty easy to use CR with a VPN. I've also tried from multiple other devices, all with the same symptom.

If anyone has suggestions, I'd love to hear them 😅

EDIT: ~~It was MTU. Had to manually set it to 1500 on both devices.~~

Nope, still the same issues. I was using the fallback interface there briefly.

EDIT: It WAS MTU related, I had to enable MSS clamping on the OPNSense.

view more: next ›