Posts
29
Comments
572
Joined
3 yr. ago

  • If you use KDE, you can search for "profile manager", and it will show up, and can be launched from the app menu.

    At least works for me. Before this was added, the KDE search/app menu also lets you run commands directly, so I would just run firefox -p in there. No need for a terminal.

  • Database performance on btrfs is miserable compared to zfs, whereas bcachefs was doing much better.

    I say was because... see the other comment in the thread. :/

  • See this old but still relevant comment I made on another thread: https://programming.dev/post/11284326/8200514 . TLDR: There are plenty of ways to do it. But you have to do it yourself and it's not an all in one solution. Users are the easiest part though. Servers are second easiest. Clients are more difficult.

    Further solutions and quick notes since then:

    • Authentik is what I use for shared logins. It supports ldap as well as oidc.
    • Nubus by univention for user management. It's a wrapper around openldap and keycloak, so it comes with both those in one solution which looks nice
    • Himmelblau is authentication of local desktops via oidc. Maybe not needed but interesting regardless.
    • Firefox has policies: https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson which let you control and enforce certain settings like preinstalled extensions and default settings. You will probably need this for clients.
    • Linux's Realmd respects some group policies. Not all and it depends, but I've discovered it respects some, converting values to analogs. I'm assuming that Red Hat's freeIPA/389 directory server can serve group policies as well. I don't know how reliable this is for top down config though.

    I'm going to focus on clients because users and servers are basically solved although you will have to pick and implement a solution.

    If I was in an all linux environment... it depends on how much control I have over the current setup. The best would probably be to push configuration (but that also supports regular pull as well) from the top down to the users, via something like building immutable images or NixOS configs and then shipping them to clients. This would be an all in one solution that comprehensively covers every part of config.

    I do agree with the other user in the thread, that user config management is a bit more difficult. Firefox policies cover the biggest thing, the browser, but the rest is annoying. Nix user config, or home manager config could do it, but hmmm.

    And then the other thing is client security. When it comes to the specific kind of client security that IT environments want, Linux isn't as ahead. I would really want an alternative AppLocker, or something similar to restrict app execution. I can guess three possible ways to do this:

    • Mounting home directory noexec
    • SELinux
    • Apparmor

    But, I think you would want to restrict software installation and execution. Not just to prevent malware, but having users install proprietary licensed software in an enterprise environment without actually purchasing it could quickly turn into a nightmare for everybody.

    edit: ooh, check this out:

    https://talks.nixcon.org/nixcon-2024/talk/R8ZBWW/

    https://clan.lol/docs/25.11/getting-started/creating-your-first-clan

    https://github.com/nix-community/awesome-nix?tab=readme-ov-file#deployment-tools

    Edit2: also check out meshcentral.

  • hides as regular HTTPS traffic so it’s not blockable by Firewalls

    From OP's post, of course. If OP does not need to evade firewalls that are that aggressive, then they should have settled for a less stealthy VPN solution, as many of these HTTPS proxy solutions have performance and usability (can often only proxy TCP traffic) tradeoffs.

    Perhaps they have already tried the wireguard on port 443 solution, and it didn't work for them. My high school would auto detect and block wireguard to any port. Perhaps they are in a similar situation.

  • Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement, so it is not an unreasonable assumption.

    If you are evading less locked down firewalls, then you don't need as stealthy VPNs.

  • Yes because they are all designed to evade the great firewall of China, which automatically catches almost all other VPNs and proxies.

    Github is blocked in China. The fact that these repos are on Github and Chinese is proof of their effectiveness.

  • If you are not a Gitea customer, you are not being informed of security updates in a timely manner:

    Gitea repeatedly makes choices that leave Gitea admins exposed to known vulnerabilities during extended periods of time. For instance Gitea spent resources to undergo a SOC2 security audit for its SaaS offering while critical vulnerabilities demanded a new release. Advance notice of security releases is for customers only.

    https://forgejo.org/compare-to-gitea/#security

    Also, ForgeJo was promising federation which is still a WIP several years later.

    Oh no, it doesn't do the big feature™. I guess it's unusable now.

    I wish people would realize that software still works and is excellent even without the various flagship features. I use Kubernetes on a single node. I know there are people who use matrix without federation and e2ee because it's actually a really good chat app, it just struggles with the performance demands of federation, and the e2ee ux isn't quite there yet.

  • Surely everyone not using cloud hosting sticks some sort of router/firewall at the edge and runs the VPS inside with port forwarding?

    I would really like to see a setup guide for this. Because if you are throwing a VPS up, they usually just give you a public ip address. I don't really know how you would put a router/firewall in front.

  • I spun up a test, and it doesn't let you edit encrypted notes :(. It's so nice though, I might be willing to give up e2ee for less sensitive data.

  • Yes. But this is a lot. It may be easier to use Forgejo's built in migration tools, to copy over repositories along with their issues and other info. You would have to rebuild the admin parts of the site, like "organizations" and user privileges. (Well if you are using oauth and mapping users from oauth groups then you don't...). And I don't know if it's automated for many, many repos. But it's just a click click click in the gui.

    I remember there was a tool, I think it was related to forgefed, that could do batch repo migrations via the cli. I can't find it anymore though.

  • Mindustry (open source)

  • Also check out meshcentral. Important thing about meshcentral is that it lets you hijack the user's screen, so you can show them step by step through things. RDP doesn't do that, it kicks the other user out.

  • Linux @programming.dev

    Incus 6.22 has been released

    discuss.linuxcontainers.org /t/incus-6-22-has-been-released/26300
  • Programming @programming.dev

    Uiua — an extremely terse programming language

    www.uiua.org
  • Selfhosted @lemmy.world

    Selfhosted, multiplayer, browser based games

  • Linux @programming.dev

    Bluetooth streaming from phone randomly stops

  • KDE @lemmy.kde.social

    Bluetooth streaming from phone randomly stops

  • Selfhosted @lemmy.world

    GitHub - spacebarchat/spacebarchat: 📬 Spacebar is a free open source selfhostable discord compatible communication platform

    github.com /spacebarchat/spacebarchat
  • Ask Lemmy @lemmy.world

    What's the minimum number of food items you can survive on exclusively and what are they?

  • Selfhosted @lemmy.world

    What's the laziest way to create a website that looks really nice and is maintainable?

  • Firefox @lemmy.world

    Profiles (old) vs Profiles (new) vs Containers

  • Programmer Humor @programming.dev

    Terraform plugin for the Dominos Pizza provider

    github.com /MNThomson/terraform-provider-dominos/
  • Wikipedia @lemmy.world

    Core War - Wikipedia

    en.wikipedia.org /wiki/Core_War
  • Nix / NixOS @programming.dev

    home-manager now has a built in option to wrap packages with NixGL, for non-nixos systems

    home-manager.dev /manual/unstable/index.xhtml
  • Linux @lemmy.world

    Is there any way on KDE, I can "click through" a partially transparent window to interact with the window behind it instead?

  • Linux @lemmy.ml

    Is there any way on KDE, I can "click through" a partially transparent window to interact with the window behind it instead?

  • Linux @programming.dev

    Is there any way on KDE, I can "click through" a partially transparent window to interact with the window behind it instead?

  • Open Source @lemmy.ml

    GitHub - element-hq/ess-helm: Element Server Suite Community Edition

    github.com /element-hq/ess-helm/
  • Opensource @programming.dev

    GitHub - element-hq/ess-helm: Element Server Suite Community Edition

    github.com /element-hq/ess-helm/
  • Asklemmy @lemmy.ml

    Give me some of your hardest riddles? (with solutions in spoilers)

  • Linux @lemmy.ml

    There doesn't appear to be a limit to the maximum size the KDE cursor can get when you shake it.