Former Reddfugee, found a new home on feddit.de. Server errors made me switch to discuss.tchncs.de. Now finally @ home on feddit.org.
Likes music, tech, programming, board games and video games. Oh… and coffee, lots of coffee!
I � Unicode!
Does Trafik also allow DNS based challenges with additional certbot plugins, or does it only work by serving a challenge in /.well-known/?
I’ve set up my internal homelab with LE certificates, but if I could get rid of certbot and do this automagically, it’d be nice…
At that point it isn’t your ram anymore…
Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via alexa! I love the future!
Programmers / Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.
Security technicians: takes a deep swig of whiskey I wish I had been born in the neolithic.
At least we’re constantly told to be ready to act to reroll secrets, etc and try to automate the change/deployment of changed passwords and such.
Depending on the system you’re working with, this may still be a PITA, but at least we do have plans for even the “problematic” systems and we have probably done this a few times. Although maybe not at this scale, tbh.
So, imagining I were tasked to do that for $hyperscaler in “my” systems… I feel some dread, as even if everything is automated ä, there’s always something that doesn’t go as planned - but at least I know what can be done in which way and which timeframe is realistic (and which parts will be the most sensitive). If you do not have plans, well… Good luck. You’ll need it.
Ok, who of you guys is working with Oracle Cloud and has not yet rerolled all API/Access Keys, passwords and so on? And what company do you happen work for? ^Just asking for a friend^
Maybe I didn’t search right, but since I found podlet first, while looking for a tutorial, I was lazy and gave it a try. It’s result was enough to get me there. Maybe, had I completely read the podlet docs and checked all optional arguments, o could have gotten a perfect result. But that way, I learned better about quadlets.
I’m currently trying to migrate my stack on my VPS from docker to podman. Bonus points if I get it running rootless.
Somehow, podman compose just wouldn’t work with my existing docker compose file. I quickly found out that podman has many options, but quadlets are preferred. It took me a while to understand what they even are and their concept. I did get the idea and the concept from the docs, but everything else was demonstrating how to set up a very simple one (think a hello world container). Or I found some blog posts with ready made complex examples for some random stacks that were way over my head. But a simple tutorial on how to map the fields/parts of a docker compose to a .container, .network or .volume file for my stack consisting of several containers in a few networks with a reverse proxy in front of it? Nope.
I’m the end I found podlet and used that to convert a docker-compose. While the result wasn’t completely working (e.g. a problem with some environment vars that got passed and switched in a few “layers” that podlet understandably messed up), it was enough to understand all of it with the docs and complete the quadlet. Now I just need to experiment with the rootless part.
Currently, my first and foremost pet peeve is, that different distros use different approaches and utilities, but many blog posts or guides don’t tell you what distro they’re for. If you google the problem and find the fourth guide on how to solve it and realize halfway through, that it’s again e.g. for Debian based systems, while you’re running on SUSE or RedHat or Arch or… can be very frustrating.
I also got this survey and I had the same feeling. It felt more like a patron for their game preservation program with possible features like a members-only-community, interviews or documentation about the preserved games, their publishers/studios and the efforts to keep them running or some kind of loyalty rewards/discount coupons. Maybe even ‘special builds’ like ‘experience the OG version 1.0 of $game’.
There was one option, that I interpreted like ‘maybe we will put future compatibility updates after purchase (e.g. supporting Windows 12 or whatever) behind the membership’ - but that’s purely my interpretation of a single bullet point style line in that whole several page long survey
I’m currently experimenting if I can convert my stack to rootless podman.
I found in my notes, that
A user-mode networking tool for unprivileged network namespaces must be installed on the machine in order for Podman to run in a rootless environment.
Podman supports two rootless networking tools: pasta (provided by passt) and slirp4netns.
Could this be your problem?
Taken from https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not to the home network, so that an attacker has a harder time spreading into your home network (note: that’s only really meaningful, if it’s not a software firewall on that same server…)
Instead of thinking with layers, you should use think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.
So, the land where everything is trying to kill you is very anti violence?
…But will it run DOOM?
Exactly what I meant with
LAN != internet
Most routers allow you to set child safety settings for devices to block them from accessing the internet in specific timeframes or completely. You can still access the local network from the affected device or access that device from your local network
Why? Does the printer need to be connected to the internet at all, if not for firmware upgrades? (Note: LAN != internet)
Phones, etc? Just sync to the mentioned Nextcloud, PC downloads from there and everything gets then into the aforementioned backups.
Homeserver? See “PC” above. With the caveat that some VMs/containers are not in the backup cycle, as they do not store any valuable data besides temp files, etc. For these, only things like docker compose files, custom config, ansible playbooks,… are in my backup.
Somewhat, I read a German news article that explicitly warned that USB transfer will be blocked. I just searched for an English article to post here afterwards, but I didn’t read it. So… yeah, „lost in translation“
So I’d suggest, unless you really really need some obscure feature, Calibre+Kindle is nowadays perfectly fine, and maybe you shouldn’t risk bricking your device.
Uhm… Well about that… You will not be able to transfer books onto you kindle via USB in about a week. Amazon is going to remove that feature from all Kindles next week. The only way to do that may be through the method you described. But how long will they offer that, if they say they are removing the USB feature because of piracy? You cannot pirate books onto your kindle, when you cannot transfer books from outside of Amazon onto it. (Also this is a nice reason for them to block you from buying books anywhere else than on Amazon, of course)
https://www.theverge.com/news/612898/amazon-removing-kindle-book-download-transfer-usb
I already use certbot with my DNS provider, so it should generally be supported. And indeed, O found the docs, where all supported providers are listed.
https://doc.traefik.io/traefik/https/acme/#providers