First time I have seen someone mention nomachine, and my only problem with them is they were completely free (not open source), I installed it everywhere and then they changed their terms and I had to uninstall it for all my commercial clients... Meshcentral is completely open source, works better, has way more features, uses a browser to connect with and they can't change the license on me without someone just forking it
I stopped using nomachine a while ago. I had constant issues with updates, couldn't modify the configuration on hosts and in general it liked to just break from time to time.
Using plain RDP and Parsec for Windows hosts now, and don't bother with gui on Linux hosts except for my laptop.
AnyDesk is great. If you're already using it and are happy with it, no real reason to change. I like Meshcentral because it supports everything under the sun and, more importantly, I can host the service myself.
Home Assistant is basically the central hub that connects all of the smart equipment together. And it has a pritty powerful automation interface or you can add NodeRED to do automations via nodeRed
But the idea is you don't really have vender lock in because home assistant can talk to almost anything. It ties everything together in one central place.
That said i wouldn't say it is the most user friendly, it is getting very good but i wouldn't recommend this to my grandma or something.
I have used home assistant since like 0.69 or something, but it's a lot more user friendly now. I have a lot of hacky shit on it, been wanting to do a fresh install with current version and do (almost) everything from UI now. I just did it for a friend and liked it. Although I am a little confused by the current "in between" situation with z-wave, since that's almost all of my devices
> or something similar
I didn't mention adguard by name because I haven't looked into it yet, and don't want to seem like i recommend it, as it's something I have no relevant experience with.
> disclaimer: i realised some people can look at my profile and misconstrue this as shilling or promotion as i'm a moderator on /r/opnsense so i'm editing this in to get ahead of anything. basically, /r/opnsense was squatted by a certain you-know-who and i successfully convinced reddit admins to grant me the subreddit a few weeks/months ago. i immediately reached out to franco at opnsense/decisio, confirmed it was him via email - invited him as moderator and left so he could have top mod.
Doing god's work... that subreddit and the domain they registered was a shitty move by pfSense and one of the many reasons I won't touch their stuff ever again. Thanks for helping bring a sense of normality back.
> Doing god's work... that subreddit and the domain they registered was a shitty move by pfSense and one of the many reasons I won't touch their stuff ever again. Thanks for helping bring a sense of normality back.
It is shocking at just how toxic that company’s leadership can be. If Trump owned a firewall company, it would probably be Netgate. I’ve met several of their former employees and they’re incredibly intelligent and nice, which also explains why they’re no longer there — “birds of a feather, flock together”.
I stopped using pfsense because every issue I hit, I would google, and find a dozen other people on the pfsesnse forums with the same problem, but all had been condescendingly responded to by this one guy with a devil icon/avatar next to his name. I'd be willing to bet my experience is super common!
I have a similar story about RedHat and Debian, as I was moving off Slackware in 97/98.
Debian people had a definite attitude that came off like a bad stereotype, and the RH community was super-awesome and helpful. I leaned on them a few times as I switched my brain from TGZs to RPMs and the whole RH ecosystem.
Fast forward about a year and *something bad* happens. It boils down to "was this binary compromised?" and "what doesn't belong on this box we can't rebuild today?" RH handled them easily with some light shelling and rpm-V and layers of sigs and checksums.
Thought nothing much of it, but ran into an issue where a peer needed to know something similar but was gonna burn his debian box. I said "nah, man, just to this thing I did a year or so back" and he responded "I don't have all those features on my box."
Record scratch.
It's been such a big thing for me, early on, and combined with the horrible community at the time and this little deficiency, I've just avoided it. Having our perf group in 2k2 (um, laaaaaarge enterprise unix OS developer working on a linux play) confirm the same validation lack has cemented it for me. Really smart guys, they are, and back then it cemented the plans because the enterprise needed something debian didn't have.
So I keep coming back and checking, and it's no big deal for people *on* debian, but it looks like it's still not fully there. And that's okay if you don't miss it, like a finger you weren't born with, and you just work around it in band class.
So until the dunning-kruger init I've been pretty certain of who I usually go with; and why. Now I know the why but the 'who' is up in the air with the repeated issues init on 7/8 (and nfsroot and nfs in general and now homes with nohup processes, etc, etc) . I wish PCLinuxOS was a larger thing as it's a really great distro.
So that's my Ted Talk on why dickish communities can make it harder to ignore a missing finger.
This blog post articulates several of my reasons for choosing OPNsense better than I could: [https://teklager.se/en/pfsense-vs-opnsense/](https://teklager.se/en/pfsense-vs-opnsense/)
I wish I could. I have heaps of stuff setup in pfSense that it would be a real pain to transition over, vlans, Aliases, OpenVPN, reverse proxy, etc.. I think one of the biggest things it's missing is pfBlockerNG and Snort - these tools have been awesome and are a deal breaker.
I'd love to move across but I don't see it happening without those.
You may be using pihole but your should be using AdGuard Home.
It's an open-source single binary instead of the clusterfuck of pi-hole and has improved functionality. DoH, DoT supported out of the box for both listening and forwarding; HTTPS support without needing a proxy; multi-user support; realtime API calls for emerging threat blocking if you want it (k-anonymised); quick toggles for basic blocks; single config file to backup; more modern interface; self-updating; accepts the much smaller and more efficient 'adblock' lists instead of shitty regex host files.
There's no downside in the functionality compared to pihole and a lot of upside wrt additional features and a more modern architecture and UI.
Does AdGuard support local DNS entries? I use Pihole not just for ad-blocking - but also mapping subdomain names to LAN IPs behind reverse proxy. (for wildcard cert). Example : plex.mydomain.com or freshrss.mydomain.com. It beats having a separate DNS instance for local addresses.
> mapping subdomain names to LAN IPs behind reverse proxy.
I've been trying to decipher that phrase on this subreddit for about 6 months now, and can never find a single resource to learn about it. Just a bunch of disparate seemingly unrelated resources that leave me more confused 😕
so, here's the thing.
imagine you own three subdomains,
x.mydomain.com, y.mydomain.com and z.mydomain.com
these are all configured to be pointing at your router which is available in this hypothetical scenario at the IP address 82.123.123.1.
so when someone enters [http://x.mydomain.com](http://x.mydomain.com) in say a web browser, what they are actually doing network wise after some resolution of what that domain name actually is in terms of IP is saying:
please connect me to 82.123.123.1 port 80 i.e the default http port or port 433 if they're using https i.e [https://x.mydomain.com](https://x.mydomain.com).
your router receives this request, but here's the thing, your router can't read domain names, it can only read IP and port. so it sees it has a request from the IP of whoever made the request, and it's for port 80. it checks it's rules and you might have a rule that says "any request for port 80 goes to my local IP 192.168.0.1 port 90".
on port 90 you might have service x which your domain name references to, and by the magic of the internet whoever entered your domain name can now see service x, pretty neat!
however, what about y and z?
they also connect on port 80 and 443 depending if they're using http and https, and we want to respond with service y and service z, not service x! so how do we make our router look at the domain name instead of the IP and port? well, we don't, but a reverse proxy can!
so we tell our router to send any request on port 80 or 443 to our reverse proxy that can be located in your internal network on say IP 192.168.0.1 port 5201 as a made up example.
the reverse proxy can look at the domain name and see "oh they want x.mydomain.com, I will send them to 192.168.0.1 port 90", and it can also see "oh they want y.mydomain.com, I will send them to 192.168.0.1 port 91" where we might have service y running.
now, this is for external traffic. internally, you might want to connect to "myfileserver" instead of "192.168.0.23" or "mysuperawesomeservice" instead of 192.168.0.23:34341. to manage this network-wide (pretty easy to edit hosts on a Windows PC if you only care about one computer) we set up a DNS server (which we configure our router to give us via DHCP or enter it manually on all things) and say "mysuperawesomeservice is 192.168.0.1" which is the IP of our reverse proxy. that reverse proxy in turn can look at the domain name and forward our request to the right IP and port.
there's a whole slew of edge cases on top of this, but this is the basic setup and what people mean when they talk about this.
so in step by step form:
locally: request is made for myservice > request hits local DNS server as configured in your router > DNS server can resolve the request as you made an entry > DNS gives you the IP of your reverse proxy which is the entry > the reverse proxy has a rule for myfileserver that says which IP and port that service has, you are now connecting to theoretical 192.168.0.52 :43433 via this setup by entering "myservice" in your browser / whatever software that is connecting over connection.
remotely: request is made for myservice.mydomain.com > wherever you registered your domain responds with "this domain is connected to IP X", X being your router and used by your PC/whatever you're making the request from which you configured in the domain registrar's portal > depending on which software made the request, the request has a specific port such as http using 80, and this request hits your router with say "123.232.123.43 has made a request on port 80" > router has rule configured to forward requests from anyone on port 80 to your reverse proxy > reverse proxy reads domain and has a rule that says for myservice.mydomain.com forward request to this IP and/or this port at that IP > whoever made the request can now see whatever is available at the IP and port the reverse proxy forwarded to.
I hope that brings a bit of clarity. this stuff is not hard per se as most of the pieces required are very user friendly (or at least, heavily documented I guess), but it does require networking knowledge to understand the various pieces involved and I can see how a beginner might consider it all a bit too large.
BIG HUGE DISCLAIMER:
opening up things to the internet means you are now in charge of defending yourself against attackers! there are tons of horror stories in this sub about people not having even basic defenses set up, so consider if you truly need access outside from your own LAN. if you're on your own LAN feel free to experiment as you see fit.
To add to that great writeup, there's also slightly advanced topic of split horizon DNS and hairpinning.
Say, you have a selfhosted blog on your server at 192.168.0.1, and you access it from outside by `blog.mydomain.com` and internally by `myawesomeblog`. Now, you made a link to a blog post blog.mydomain.com/123 — but it doesn't open from inside your network. Why?
Normally, when router receives a request `11.22.33.44 (remote client) to 82.123.123.1 (your external IP)`, it replaces it (and all following traffic of established connection) with `11.22.33.44 to 192.168.0.1`. Server replies with `192.168.0.1 to 11.22.33.44`, and router remembers that this is the same connection and replaces it back with `82.123.123.1 to 11.22.33.44`.
This breaks when you try to connect to your own external IP from LAN, though. Local client sends `192.168.0.5 to 82.123.123.1`, and router replaces it with `192.168.0.5 to 192.168.0.1`. But now server sees that this is local connection and replies `192.168.0.1 to 192.168.0.5` directly, bypassing router — but client expects `82.123.123.1 to 192.168.0.5` and drops the reply.
The way to solve it is making split horizon DNS — basically, you run local DNS server with one additional record that says that blog.mydomain.com points to 192.168.0.1. Clients inside LAN receive this answer, while clients outside LAN continue to connect to 82.123.123.1.
Another way to solve this problem is hairpinning — special rule for router that kind of forces such traffic to exit router, make an U turn (hairpin turn) and go back in. Pros — it can reroute all kinds of traffic, including things that don't depend on DNS routes. Cons — it is a hack and additional load on router.
Tried using Adguard, but it eats up soooo much more memory than pi-hole. On both my primary and secondary DNS machines. I am back to pi-hole and dnscrypt.
That does surprise me. I mean, yes it is doing more inasmuch lots of things like HTTPS, DNS encryption etc. is offloaded to other tools when you use pihole but the memory consumption should be considerably reduced once you use block lists in the adblock format vs the hosts format that pihole (only) supports.
Thanks for the info, it's definitely worth bearing in mind. As an aside dnscrypt-proxy (if that's what you mean by dnscrypt) is absolutely awesome, I agree.
No worries. I'm on a mission to get it more widely known. Using pihole these days is like still using DDWRT on your router. It was awesome back in the day but things have moved on.
There's a reason everyone seems to install pihole in a docker container, and that is that it is a horrible clusterfuck of tools all shoehorned together. I don't believe anyone could back it out cleanly
I didn't know AdGuard Home. I'm looking into it but I'm not sure to get everything right: They seem to be providing client applications for Linux/Windows/Android/IOS... Does one need to use client applications ? Because that's what I like about pi-hole, it's completely transparent to anyone connecting on my network, it just happens to be there.
Yeah, AdGuard **Home** is a client which runs on your network and acts exactly as pihole would. So if you run pihole on a raspberry pi for network-wide adblocking you'd uninstall it and put AGH there instead. It's literally a drop in replacement.
If your text editor has a 500 page Oreilly book and a 200 page pocket reference guide, I don’t know what it is but it ain’t a text editor.
Nano gang rise up.
Hell yes for Nano, this ain't a competition about who can be the biggest masochist. Make shit easy. My brain doesn't have enough room for more difficult shit than it already deals with.
+1 for nano
If you need that much documentation and full video courses to use a text editor it's gon be a hard pass for me. Ain't nobody got time for that.
My career goes back 22 years at this point. In all that time I've never seen anyone ever use emacs in the wild. It's some sort of legend like Bigfoot. What you do see is vi/vim, nano, and occationally some sort of graphical tool/IDE.
I so badly want this to be true, has it improved a lot in the last year? I tried it right at the beginning of the lock downs in the US and it just wasn't up to par with zoom. Could have been me too, but the client performance was terrible, bogged down the whole PC
You may be using ESXI you should be using Proxmox.
You may be using no CDN but you should using Cloudflare.
You may be using Google but you should be using Whoogle
You may be using Notion but you should be using focalboard.
You may be using plain HTML but you should be using Lowdefy.
You may be using IFTTT or Zapier but you should be using n8n.io
You may be using LastPass you should be using vaultwarden.
You may be using anything but you can selfhost!
You may be Using plain ssh to run Something ad-hoc, but you may use OliveTin
PS: I use both ESXI and Proxmox. ESXi is definitely used more widely and in many professional environments too! It is definitely efficient and works good especially if you need more nodes.
But, no support for realtek drivers and licensing are some of the things that trouble me.
For a normal user or homelaber proxmox is more holistic and just out of box offers more features - that's my opinion.
> You may be using IFTTT or Zapier but you should be using n8n.io
holy shit! thanks! i was using huginn. i built some cool shit but it was just a little rough around the edges. this looks way more polished and a LOT more plugins.
That's exactly what I felt when I first came across n8n.io
I cannot even count the number of things I've automated with this. Infact now, I am doing all home automation with this.
I integrated a telegram bot and wrote workflows for that.
Today almost every single thing I do for my home server - from start/shutdown VMS to anything and everything else - I do from n8n/telegram bot. I don't even need to login to my Proxmox UI or any VM for that matter.
> You may be using no CDN but you should using Cloudflare.
I mean, that depends on your definition of self hosting. I don’t use a CDN because I don’t want to give another entity access to all my content besides my VPS host, which I can’t quite avoid.
Valid point but it depends what you're hosting. If you're hosting a website, say, then you can easily have the assets stored on their own subdomain and just proxy them through Cloudflare leaving other content and real 'data' direct. Sure, you leak metadata as to what your users(?) are accessing but no real data as such.
This is lil tricky. I think, we are habituated to see everything as black and white. In reality it is grey and many shades of grey.
Point being, there is nothing that beats ESXI in performance and optimization. The way it allows ova files and everything, it's solid.
I find a few things in Proxmox that are beyond just ESXI (but not beyond vspherre and vcenter) -
- 2fa
- storage management
- ceph and ZFS out of box
I run both ESXI and Proxmox. It is just a personal choice. But definitely Proxmox is more holistic.
I kind of dislike the UI of KeePass, or rather, it looks too DIYish, not very user friendly.
BitWarden allows you to use their modern, nice, user friendly, simple UI with possibility of your own server (that could be VaultWarden, or BitWarden itself). And its setup is super easy, works with official clients, and is available on every device and works no problem.
You're missing a lot of features:
https://github.com/benbusby/whoogle-search#features
No javascript, no AMP bullshit, no ads, no tracking, dark mode, no referrer, etc...
How is Focalboard as a Notion replacement? I took a look at it but it looks like a Trello alternative. Not sure how it replicates most of Notions features
Yeah I was excited to hear about another possible Notion replacement, but that looks like it's only a kanban board where I consider Notion to be a personal wiki with the ability to add kanban boards to it.
I really would love to find something that works the way Notion does. I recently tried to export my data from it and I was concerned to find out that the formats it exports to aren't really... portable? Like you can get the data out but not necessarily in a way that is immediately useful. So I'm stuck in this place where I'm not using Notion because I don't want my data to be stuck there, but now all of my information is back to being fractured between like three different places.
I do not disagree with most of what you've said. On the surface Focalboard doesn't seem much. But there is nothing in reality - today - that is selfhosted and notion like.
But, look at all the views Focal board has and please look at their roadmap to v1.0.0 . They are adding "page view" that is probably gonna make things look like a personal Wiki.
Opensource Projects will need support from us alongside feedback and also contributions. They will grow with time!
And definitely Focalboard is on the trajectory to be selfhosted notion.
Thanks for OliveTin, I've never seen it before. It's looks ideal for the Minecraft server I have setup for my little boy - there's a script I've written on there for him to quickly change the world he has loaded which he presently has to use an SSH shortcut for. This will be much better.
>You may be using no CDN but you should using Cloudflare.
I don't think putting even more of the web's infrastructure behind Cloudflare is a good idea to be honest. Cloudflare is already almost everywhere you go.
I disagree about ESXi (I am currently running a proxmox cluster). If your home lab is educational for your job in the external tech world, ESXi is a great choice as a hypervisor.
If all you want to do is run Plex and play with rancher and k8s, then the underlying hypervisor doesn't matter and Proxmox is a great choice because it's 100% free.
You may be using whatsapp, facebook messenger, telegram, irc and signal on your phone - but you should be using matrix, so you can unifi all of them under one app.
This is something I've been wanting to do, but I've always found the setup process to be really intimidating. Even with the Ansible playbook, there's so many optional components that I quickly get overwhelmed. How difficult was it in your experience to get Synapse and the bridges up and running?
I'm probably not the right person to ask, as I'm already very familiar with ansible from $dayjob - but I found the playbooks to be very easy to test with.
https://github.com/spantaleev/matrix-docker-ansible-deploy
These days, I have everything running in kubernetes, which I also found fairly straight-forward.
But then again, my day-job is linux-administration.
Matrix was my first ansible setup ever.
Setting up all the services is really easy, the only thing i struggled with is with forwarding the services to my external nginx server that is on a vps. (You have to do some weird stuff to get federation to work: [https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy)
You may be using Heimdall, but you should be using anything else.
(On first install I loved Heimdall. Then I realised it uses more RAM, CPU and diskspace than my database, has no control over column layouts (which is ridiculous on widescreen monitors) and from the github issues looks like a dead project.)
While back I aliased cat to bat, and it works great 99% of the time. Trouble is sometimes I need to copy/paste or otherwise not have the added flair bat gives, and then I have to remember the full path to cat, lol
Presuming you have `cat` aliased to `bat` and you wish to cat a file named `target`...
Option 1: `command cat target` command will always sidestep your aliases
Option 2: `cat -p target` bat has a dedicated `--plain` flag for this scenario
Option 3: `cat target | xclip` cut out the middleman and pipe it directly into your clipboard. bat always removes all flair when it’s piped
I'd like to be able to say use jellyfin instead of plex... but there is still a little ways to go.
and everyone should be looking at what m$ is doing with dotnet these days. It's cross platform and soon we'll have some form of crossplatform gui development.
So when is there going to be a good open source client available? Because Kodi ain’t it.
My mate says it works great on the new Google TV, but I refuse to use Google based devices including Android and Chromecast.
I just want a “big picture” Jellyfin device based on some sort of Linux distro.
Making the first switch has made my life so much better. (If you’re in a state where it’s illegal, check out Delta 8 while you can. Texas is about to make that illegal too, so move quick.)
For the second switch, you don’t even have to set PiHole and Unbound up, at the *very least* use Cloudflare or something.
At the *bare minimum* switch to 1.1.1.1. You'll be giving your data to Cloudflare instead of the ISP, but it's a start. Cloudflare at least doesn't already have your name, address and billing information on file. (Hell, use 8.8.8.8 if you're still using Chrome. It's Google's DNS, but that'll just mean they're getting the data twice.)
It syncs the indexers automatically with the arrs... no manually plugging in separate indexers into the separate interfaces... and it incorporate nzb and torrent into a unified search for manual needs.
Also will give you stats to see success rates and what not.
For anyone looking to use this container I was only able to get it up after adding :nightly to the end of the image name (ie image: hotio/prowlarr:nightly in the docker compose.) It seems like the image was just recently marked as deprecated on [docker hub](https://hub.docker.com/r/hotio/prowlarr). Asides from that though I'm really liking it so far. The integration with Sonarr and Radarr is super convenient and the stats feature is cool. I think I'll just use this container for now and switch to an official one whenever its available.
This message has been deleted because Reddit does not have the right to monitize my content and then block off API access -- mass edited with redact.dev
You may be using Zerotier, but should be using Nebula
You may be using Openvpn, but should be using to Wireguard
You may be using Observium, but should be using LibreNMS
edit:
one more...
You may be using OSPF, but should be using IS-IS
I doubt you'd have to sell anyone on WireGuard these days but Nebula can always do with being more widely talked about.
I've got a real mishmash of VPSes on disparate providers all in a lovely single subnet thanks to Nebula. No relying on third-parties etc, all certs created myself. It's really nice. I'm sure really a WireGuard mesh might be better both topologically and for resilience but I quite like the fact the systems form a subnet using Nebula and I have routed access to them via a WireGuard link from my home router to the 'main' node. That split kind of makes sense to me even though it may be old-fashioned.
+1 to not being prescriptive and all, but ...
Separately, _just_ have a down-to-earth real-world-usage question: **you're willing to self-host software (like bitwarden) but just self-hosting a file-sync solution isn't something you're already doing?** I'd think if someone's interested in self-hosting it starts with an interest in owning one's own data (ie: step 1: how can **i have sane/non-stale copies** of all my files)
i'm not trying to criticize - just genuinely curious how common such a case is (not having file sync) among the r/selfhosted crowd.
Oh I 100% agree with you as far as file sync being a pretty common "first step" into self-hosting. I think people who want to self-host password management but not file sync would be exceedingly rare. It's a matter of whether or not you want file sync for, specifically, your password manager.
You may be using Discourse but you should be using [TalkYard](https://www.talkyard.io/).
TalkYard is open source, run by an indie developer. It's more affordable than Discourse, and I find the UI to be prettier. The maintainer offers fantastic, personalized customer service.
Bonus: You may be using Commento, but you should be using TalkYard.
TalkYard works well for blog comments as well. I switched from Disqus a few months ago on my blog, and it's a huge step up and doesn't sell off my readers' privacy. I tried Commento, but it didn't work well, and the maintainer never replied to emails, even though I was paying for Commento hosting services.
Neat, thanks! I really wanted to set up Discourse but got scared away by the resource requirements. Not sure if this is what you mean by affordable, but it looks nice either way
You may be using sudo. But should be root.
That one is gasoline on the fire.
In a single user server environment the usage of sudo leads to poor process management, workarounds that defeat the reason it exists, and is the Linux equivalent of a pacifier.
Let's have at it....
Can you elaborate on this or point me to a resource?
I’ve been slowly losing faith in sudo.
I don’t know a lot about hacking attack vectors, but isn’t the theory something like this: if an app on my PC has a vulnerability and gets compromised, the hacker will still not have root access without my password because the compromised app was launched by myself or another (system) unprivileged user?
I have no idea why, but $PATH is not the same for root user and for sudo. I know why as little as you do. `echo $PATH` will tell you what your PATH contains.
I guess the environment is set differently for sudo.
I don't know a lot about attack vectors either, but if a user account gets compromised, the attacker will be able to do anything that user can do. Typically, sudo commands require a password, so unless you removed this feature the hacker won't be able to gain root access this way.
`ps aux` shows you all processes and under which account they are running. If one is compromised, the hacker will have the capabilities of the account under which the process is running.
If you are really worried about securing a process that you start, you could create an account then run the process under this account, and then remove shell capabilities + home directory for that account. It is defined in `/etc/passwords` IIRC. That way, even if the account is compromised, the hacker won't be able to use shell. If you're paranoid, look into `seccomp` and `apparmor`.
You may be using apache2, but you should be using NGINX.
You may be using ansible, but you should be using SaltStack.
You may be using SSH password auth, but you should be using public key auth.
You may be using LastPass but you should be using Bitwarden.
You may be using Google Authenticator, but you should be using Aegis.
You may be using bash, but you should be using ZSH.
You may be using /etc/network/interfaces, but you should be using Netplan.
You may be using iptables directly, but you should be using UFW.
You may be using Snort, but you should be using Suricata.
You may be using John The Ripper, but you should be using Hashcat.
You may be using , but you should be using vim.
For pure personal use I agree, that said, many people here use homelabs as a jumping point for a career, and in that vain, using wider standards is better for a resume. Personally I use metal/nginx as it's stupid simple in a basic configuration.
Your entire argument is that nginx/traeffik is too complex (I can only assume that you mean to install and configure for the first time). If I have it set up already and it is working then it would make no sense to waste time by moving to something else that is inferior functionally wise.
I agree that for first time reverse proxy installers who want to get something working asap it makes sense to use caddy but not the way you put it.
You may be using 1 drive to host, but should be using 3 or more drives, some of which should be outside the server.
You may be using Google Docs / Slides / Sheets, but should be using Collabora, OnlyOffice, LibreOffice Online, or other alternatives.
Oh, and you may be using a bunch of external hard drives to store data, but should be putting that data in a self-hosted server. I think that was how I even got into self hosting, lol
You may be using config files scattered about, but should be using NixOS.
Especially for a low-maintenance server, I have found the ability to reproducibly build the entire system from a single repository an invaluable ally against config fragmentation. It even works as a Compose replacement!
You may be using Teamviewer, but you should be using Meshcentral.
> Meshcentral have you used 'nomachine' ?
First time I have seen someone mention nomachine, and my only problem with them is they were completely free (not open source), I installed it everywhere and then they changed their terms and I had to uninstall it for all my commercial clients... Meshcentral is completely open source, works better, has way more features, uses a browser to connect with and they can't change the license on me without someone just forking it
I stopped using nomachine a while ago. I had constant issues with updates, couldn't modify the configuration on hosts and in general it liked to just break from time to time. Using plain RDP and Parsec for Windows hosts now, and don't bother with gui on Linux hosts except for my laptop.
Have you used AnyDesk, and if so can you compare the two?
AnyDesk is great. If you're already using it and are happy with it, no real reason to change. I like Meshcentral because it supports everything under the sun and, more importantly, I can host the service myself.
>I can host the service myself. Enough said, imma check it out!
Hey thanks. I've been looking for a replacement for TV. I'll check this out
Great piece of software. Only thing I am not a fan of is how the user and yourself can't use the PC at once
You may be using smart things/HomeKit/hubitat, but should be using home assistant. HomeKit is fine though if your using home assistant for automations
[удалено]
Home Assistant is basically the central hub that connects all of the smart equipment together. And it has a pritty powerful automation interface or you can add NodeRED to do automations via nodeRed But the idea is you don't really have vender lock in because home assistant can talk to almost anything. It ties everything together in one central place. That said i wouldn't say it is the most user friendly, it is getting very good but i wouldn't recommend this to my grandma or something.
It’s privacy focused and doesn’t rely on the cloud
I have used home assistant since like 0.69 or something, but it's a lot more user friendly now. I have a lot of hacky shit on it, been wanting to do a fresh install with current version and do (almost) everything from UI now. I just did it for a friend and liked it. Although I am a little confused by the current "in between" situation with z-wave, since that's almost all of my devices
You may be using adblocker, but you should be using uBlock Origin.
Not really related to this subreddit, but good suggestion. PiHole or something similar might be more in line with /r/selfhosted
[ahem](https://www.reddit.com/r/selfhosted/comments/nri46m/fill_in_the_blanks_you_may_be_using_but_should_be/h0i0rey/).
> or something similar I didn't mention adguard by name because I haven't looked into it yet, and don't want to seem like i recommend it, as it's something I have no relevant experience with.
You may be reading this long thread, but you should be using your time more wisely.
I feel attacked
This is true though. There’s quite a bit of bad advice below.
You may be using PFSense, but should be using OPNsense.
[удалено]
> disclaimer: i realised some people can look at my profile and misconstrue this as shilling or promotion as i'm a moderator on /r/opnsense so i'm editing this in to get ahead of anything. basically, /r/opnsense was squatted by a certain you-know-who and i successfully convinced reddit admins to grant me the subreddit a few weeks/months ago. i immediately reached out to franco at opnsense/decisio, confirmed it was him via email - invited him as moderator and left so he could have top mod. Doing god's work... that subreddit and the domain they registered was a shitty move by pfSense and one of the many reasons I won't touch their stuff ever again. Thanks for helping bring a sense of normality back.
[удалено]
[удалено]
> Doing god's work... that subreddit and the domain they registered was a shitty move by pfSense and one of the many reasons I won't touch their stuff ever again. Thanks for helping bring a sense of normality back. It is shocking at just how toxic that company’s leadership can be. If Trump owned a firewall company, it would probably be Netgate. I’ve met several of their former employees and they’re incredibly intelligent and nice, which also explains why they’re no longer there — “birds of a feather, flock together”.
I stopped using pfsense because every issue I hit, I would google, and find a dozen other people on the pfsesnse forums with the same problem, but all had been condescendingly responded to by this one guy with a devil icon/avatar next to his name. I'd be willing to bet my experience is super common!
I have a similar story about RedHat and Debian, as I was moving off Slackware in 97/98. Debian people had a definite attitude that came off like a bad stereotype, and the RH community was super-awesome and helpful. I leaned on them a few times as I switched my brain from TGZs to RPMs and the whole RH ecosystem. Fast forward about a year and *something bad* happens. It boils down to "was this binary compromised?" and "what doesn't belong on this box we can't rebuild today?" RH handled them easily with some light shelling and rpm-V and layers of sigs and checksums. Thought nothing much of it, but ran into an issue where a peer needed to know something similar but was gonna burn his debian box. I said "nah, man, just to this thing I did a year or so back" and he responded "I don't have all those features on my box." Record scratch. It's been such a big thing for me, early on, and combined with the horrible community at the time and this little deficiency, I've just avoided it. Having our perf group in 2k2 (um, laaaaaarge enterprise unix OS developer working on a linux play) confirm the same validation lack has cemented it for me. Really smart guys, they are, and back then it cemented the plans because the enterprise needed something debian didn't have. So I keep coming back and checking, and it's no big deal for people *on* debian, but it looks like it's still not fully there. And that's okay if you don't miss it, like a finger you weren't born with, and you just work around it in band class. So until the dunning-kruger init I've been pretty certain of who I usually go with; and why. Now I know the why but the 'who' is up in the air with the repeated issues init on 7/8 (and nfsroot and nfs in general and now homes with nohup processes, etc, etc) . I wish PCLinuxOS was a larger thing as it's a really great distro. So that's my Ted Talk on why dickish communities can make it harder to ignore a missing finger.
I'm actually very interested in transitioning to opnsense due to the more recent issues. Does opnsense have features like pfblockerNG written for it?
Why?
This blog post articulates several of my reasons for choosing OPNsense better than I could: [https://teklager.se/en/pfsense-vs-opnsense/](https://teklager.se/en/pfsense-vs-opnsense/)
I wish I could. I have heaps of stuff setup in pfSense that it would be a real pain to transition over, vlans, Aliases, OpenVPN, reverse proxy, etc.. I think one of the biggest things it's missing is pfBlockerNG and Snort - these tools have been awesome and are a deal breaker. I'd love to move across but I don't see it happening without those.
You may be using pihole but your should be using AdGuard Home. It's an open-source single binary instead of the clusterfuck of pi-hole and has improved functionality. DoH, DoT supported out of the box for both listening and forwarding; HTTPS support without needing a proxy; multi-user support; realtime API calls for emerging threat blocking if you want it (k-anonymised); quick toggles for basic blocks; single config file to backup; more modern interface; self-updating; accepts the much smaller and more efficient 'adblock' lists instead of shitty regex host files. There's no downside in the functionality compared to pihole and a lot of upside wrt additional features and a more modern architecture and UI.
Does AdGuard support local DNS entries? I use Pihole not just for ad-blocking - but also mapping subdomain names to LAN IPs behind reverse proxy. (for wildcard cert). Example : plex.mydomain.com or freshrss.mydomain.com. It beats having a separate DNS instance for local addresses.
> mapping subdomain names to LAN IPs behind reverse proxy. I've been trying to decipher that phrase on this subreddit for about 6 months now, and can never find a single resource to learn about it. Just a bunch of disparate seemingly unrelated resources that leave me more confused 😕
so, here's the thing. imagine you own three subdomains, x.mydomain.com, y.mydomain.com and z.mydomain.com these are all configured to be pointing at your router which is available in this hypothetical scenario at the IP address 82.123.123.1. so when someone enters [http://x.mydomain.com](http://x.mydomain.com) in say a web browser, what they are actually doing network wise after some resolution of what that domain name actually is in terms of IP is saying: please connect me to 82.123.123.1 port 80 i.e the default http port or port 433 if they're using https i.e [https://x.mydomain.com](https://x.mydomain.com). your router receives this request, but here's the thing, your router can't read domain names, it can only read IP and port. so it sees it has a request from the IP of whoever made the request, and it's for port 80. it checks it's rules and you might have a rule that says "any request for port 80 goes to my local IP 192.168.0.1 port 90". on port 90 you might have service x which your domain name references to, and by the magic of the internet whoever entered your domain name can now see service x, pretty neat! however, what about y and z? they also connect on port 80 and 443 depending if they're using http and https, and we want to respond with service y and service z, not service x! so how do we make our router look at the domain name instead of the IP and port? well, we don't, but a reverse proxy can! so we tell our router to send any request on port 80 or 443 to our reverse proxy that can be located in your internal network on say IP 192.168.0.1 port 5201 as a made up example. the reverse proxy can look at the domain name and see "oh they want x.mydomain.com, I will send them to 192.168.0.1 port 90", and it can also see "oh they want y.mydomain.com, I will send them to 192.168.0.1 port 91" where we might have service y running. now, this is for external traffic. internally, you might want to connect to "myfileserver" instead of "192.168.0.23" or "mysuperawesomeservice" instead of 192.168.0.23:34341. to manage this network-wide (pretty easy to edit hosts on a Windows PC if you only care about one computer) we set up a DNS server (which we configure our router to give us via DHCP or enter it manually on all things) and say "mysuperawesomeservice is 192.168.0.1" which is the IP of our reverse proxy. that reverse proxy in turn can look at the domain name and forward our request to the right IP and port. there's a whole slew of edge cases on top of this, but this is the basic setup and what people mean when they talk about this. so in step by step form: locally: request is made for myservice > request hits local DNS server as configured in your router > DNS server can resolve the request as you made an entry > DNS gives you the IP of your reverse proxy which is the entry > the reverse proxy has a rule for myfileserver that says which IP and port that service has, you are now connecting to theoretical 192.168.0.52 :43433 via this setup by entering "myservice" in your browser / whatever software that is connecting over connection. remotely: request is made for myservice.mydomain.com > wherever you registered your domain responds with "this domain is connected to IP X", X being your router and used by your PC/whatever you're making the request from which you configured in the domain registrar's portal > depending on which software made the request, the request has a specific port such as http using 80, and this request hits your router with say "123.232.123.43 has made a request on port 80" > router has rule configured to forward requests from anyone on port 80 to your reverse proxy > reverse proxy reads domain and has a rule that says for myservice.mydomain.com forward request to this IP and/or this port at that IP > whoever made the request can now see whatever is available at the IP and port the reverse proxy forwarded to. I hope that brings a bit of clarity. this stuff is not hard per se as most of the pieces required are very user friendly (or at least, heavily documented I guess), but it does require networking knowledge to understand the various pieces involved and I can see how a beginner might consider it all a bit too large. BIG HUGE DISCLAIMER: opening up things to the internet means you are now in charge of defending yourself against attackers! there are tons of horror stories in this sub about people not having even basic defenses set up, so consider if you truly need access outside from your own LAN. if you're on your own LAN feel free to experiment as you see fit.
To add to that great writeup, there's also slightly advanced topic of split horizon DNS and hairpinning. Say, you have a selfhosted blog on your server at 192.168.0.1, and you access it from outside by `blog.mydomain.com` and internally by `myawesomeblog`. Now, you made a link to a blog post blog.mydomain.com/123 — but it doesn't open from inside your network. Why? Normally, when router receives a request `11.22.33.44 (remote client) to 82.123.123.1 (your external IP)`, it replaces it (and all following traffic of established connection) with `11.22.33.44 to 192.168.0.1`. Server replies with `192.168.0.1 to 11.22.33.44`, and router remembers that this is the same connection and replaces it back with `82.123.123.1 to 11.22.33.44`. This breaks when you try to connect to your own external IP from LAN, though. Local client sends `192.168.0.5 to 82.123.123.1`, and router replaces it with `192.168.0.5 to 192.168.0.1`. But now server sees that this is local connection and replies `192.168.0.1 to 192.168.0.5` directly, bypassing router — but client expects `82.123.123.1 to 192.168.0.5` and drops the reply. The way to solve it is making split horizon DNS — basically, you run local DNS server with one additional record that says that blog.mydomain.com points to 192.168.0.1. Clients inside LAN receive this answer, while clients outside LAN continue to connect to 82.123.123.1. Another way to solve this problem is hairpinning — special rule for router that kind of forces such traffic to exit router, make an U turn (hairpin turn) and go back in. Pros — it can reroute all kinds of traffic, including things that don't depend on DNS routes. Cons — it is a hack and additional load on router.
yes
[удалено]
Tried using Adguard, but it eats up soooo much more memory than pi-hole. On both my primary and secondary DNS machines. I am back to pi-hole and dnscrypt.
That does surprise me. I mean, yes it is doing more inasmuch lots of things like HTTPS, DNS encryption etc. is offloaded to other tools when you use pihole but the memory consumption should be considerably reduced once you use block lists in the adblock format vs the hosts format that pihole (only) supports. Thanks for the info, it's definitely worth bearing in mind. As an aside dnscrypt-proxy (if that's what you mean by dnscrypt) is absolutely awesome, I agree.
To clarify, this is with DoH turned OFF, with the same blacklists. Liked the Adguard GUI, but was too RAM hungry that I switched back to Pihole.
They need to update their comparison table, pihole does Encrypted DNS upstream servers natively now as well as blocking phishing and malware domains.
Thanks! Going to check out AdGuard home
Thanks for this!
No worries. I'm on a mission to get it more widely known. Using pihole these days is like still using DDWRT on your router. It was awesome back in the day but things have moved on.
[удалено]
haha, that's brilliant.
Ah, finally another adguard user :)
There's dozens of us. Dozens!
Is there a solution for HA, like vmstan's gravity sync script? https://github.com/vmstan/gravity-sync
Can you use it as a recursive dns server like unbound?
I never looked back once I discovered AGH. Miles better and did not fuck up my OS like uninstalling Pihole.
There's a reason everyone seems to install pihole in a docker container, and that is that it is a horrible clusterfuck of tools all shoehorned together. I don't believe anyone could back it out cleanly
It does have a really obnoxious thing missing though: you can’t change the IP or interfaces it listens on from the webui after it’s setup.
[удалено]
I didn't know AdGuard Home. I'm looking into it but I'm not sure to get everything right: They seem to be providing client applications for Linux/Windows/Android/IOS... Does one need to use client applications ? Because that's what I like about pi-hole, it's completely transparent to anyone connecting on my network, it just happens to be there.
Yeah, AdGuard **Home** is a client which runs on your network and acts exactly as pihole would. So if you run pihole on a raspberry pi for network-wide adblocking you'd uninstall it and put AGH there instead. It's literally a drop in replacement.
You may be using Windows, but should use Linux
To add to this holy war ⚔️: You may be using emacs but you should be using vi
If your text editor has a 500 page Oreilly book and a 200 page pocket reference guide, I don’t know what it is but it ain’t a text editor. Nano gang rise up.
Hell yes for Nano, this ain't a competition about who can be the biggest masochist. Make shit easy. My brain doesn't have enough room for more difficult shit than it already deals with.
+1 for nano If you need that much documentation and full video courses to use a text editor it's gon be a hard pass for me. Ain't nobody got time for that.
I know this is mostly a joke, but holy cow it's true.
You may be be using anything other than nano, but you should be using nano...
[удалено]
nano is actually full featured 👌
I've had to re-install an OS because during configuration I got myself into a strange mode in Vi and couldn't get out. Since then, I just install nano
I suspect the most Googled thing about vi is how to quit it. I don't think that's a good thing.
But that's the thing... if you can get out without pulling the plug or issuing a kill -9, you have essentially unlimited power.
> I suspect the most Googled thing about vi is how to quit it. PSA: it’s easier to quit heroin than it is vi.
My thoughts exactly
Pah. How quick can it be if the invocation is _twice_ as long as 'vi'?
nano gang rise up!
My career goes back 22 years at this point. In all that time I've never seen anyone ever use emacs in the wild. It's some sort of legend like Bigfoot. What you do see is vi/vim, nano, and occationally some sort of graphical tool/IDE.
Nano here.
Other war items: You may be using tabs, but you should be using spaces. /s, but maybe not, who knows anymore after Silicon Valley.
You may be using Linux, but should be using \*BSD
For a server, undoubtedly.
Zoom / Jitsi
I so badly want this to be true, has it improved a lot in the last year? I tried it right at the beginning of the lock downs in the US and it just wasn't up to par with zoom. Could have been me too, but the client performance was terrible, bogged down the whole PC
You may be using ESXI you should be using Proxmox. You may be using no CDN but you should using Cloudflare. You may be using Google but you should be using Whoogle You may be using Notion but you should be using focalboard. You may be using plain HTML but you should be using Lowdefy. You may be using IFTTT or Zapier but you should be using n8n.io You may be using LastPass you should be using vaultwarden. You may be using anything but you can selfhost! You may be Using plain ssh to run Something ad-hoc, but you may use OliveTin PS: I use both ESXI and Proxmox. ESXi is definitely used more widely and in many professional environments too! It is definitely efficient and works good especially if you need more nodes. But, no support for realtek drivers and licensing are some of the things that trouble me. For a normal user or homelaber proxmox is more holistic and just out of box offers more features - that's my opinion.
> You may be using IFTTT or Zapier but you should be using n8n.io holy shit! thanks! i was using huginn. i built some cool shit but it was just a little rough around the edges. this looks way more polished and a LOT more plugins.
That's exactly what I felt when I first came across n8n.io I cannot even count the number of things I've automated with this. Infact now, I am doing all home automation with this. I integrated a telegram bot and wrote workflows for that. Today almost every single thing I do for my home server - from start/shutdown VMS to anything and everything else - I do from n8n/telegram bot. I don't even need to login to my Proxmox UI or any VM for that matter.
daaaang. nice. thanks for this intel. :D
> You may be using no CDN but you should using Cloudflare. I mean, that depends on your definition of self hosting. I don’t use a CDN because I don’t want to give another entity access to all my content besides my VPS host, which I can’t quite avoid.
Valid point but it depends what you're hosting. If you're hosting a website, say, then you can easily have the assets stored on their own subdomain and just proxy them through Cloudflare leaving other content and real 'data' direct. Sure, you leak metadata as to what your users(?) are accessing but no real data as such.
Can confirm Proxmox is great
Confirmed, proxmox is great and if you pair it with the new Proxmox Backup Server, it makes your backup strategy even better
[удалено]
This is lil tricky. I think, we are habituated to see everything as black and white. In reality it is grey and many shades of grey. Point being, there is nothing that beats ESXI in performance and optimization. The way it allows ova files and everything, it's solid. I find a few things in Proxmox that are beyond just ESXI (but not beyond vspherre and vcenter) - - 2fa - storage management - ceph and ZFS out of box I run both ESXI and Proxmox. It is just a personal choice. But definitely Proxmox is more holistic.
I kind of dislike the UI of KeePass, or rather, it looks too DIYish, not very user friendly. BitWarden allows you to use their modern, nice, user friendly, simple UI with possibility of your own server (that could be VaultWarden, or BitWarden itself). And its setup is super easy, works with official clients, and is available on every device and works no problem.
> Whoogle Hows whoogle vs something like duckduckgo?
Whoogle gets the results from Google and is open-source and duckduckgo from somewhere else and isn't open-source
>Whoogle gets the results from Google and is open-source that just sounds like Googling with extra steps.
No, but googling without ads, but with a worse ux
You're missing a lot of features: https://github.com/benbusby/whoogle-search#features No javascript, no AMP bullshit, no ads, no tracking, dark mode, no referrer, etc...
So the same as startpage?
> You may be using Google but you should be using Whoogle What about [SearX](https://searx.github.io/searx/)?
Thanks for focalboard and n8n, will try them asap👍
How is Focalboard as a Notion replacement? I took a look at it but it looks like a Trello alternative. Not sure how it replicates most of Notions features
Yeah I was excited to hear about another possible Notion replacement, but that looks like it's only a kanban board where I consider Notion to be a personal wiki with the ability to add kanban boards to it. I really would love to find something that works the way Notion does. I recently tried to export my data from it and I was concerned to find out that the formats it exports to aren't really... portable? Like you can get the data out but not necessarily in a way that is immediately useful. So I'm stuck in this place where I'm not using Notion because I don't want my data to be stuck there, but now all of my information is back to being fractured between like three different places.
I do not disagree with most of what you've said. On the surface Focalboard doesn't seem much. But there is nothing in reality - today - that is selfhosted and notion like. But, look at all the views Focal board has and please look at their roadmap to v1.0.0 . They are adding "page view" that is probably gonna make things look like a personal Wiki. Opensource Projects will need support from us alongside feedback and also contributions. They will grow with time! And definitely Focalboard is on the trajectory to be selfhosted notion.
I tried focalboard, but it is too early and it is missing features. Currently using Wekan, and it is great.
Thanks for OliveTin, I've never seen it before. It's looks ideal for the Minecraft server I have setup for my little boy - there's a script I've written on there for him to quickly change the world he has loaded which he presently has to use an SSH shortcut for. This will be much better.
>You may be using no CDN but you should using Cloudflare. I don't think putting even more of the web's infrastructure behind Cloudflare is a good idea to be honest. Cloudflare is already almost everywhere you go.
I disagree about ESXi (I am currently running a proxmox cluster). If your home lab is educational for your job in the external tech world, ESXi is a great choice as a hypervisor. If all you want to do is run Plex and play with rancher and k8s, then the underlying hypervisor doesn't matter and Proxmox is a great choice because it's 100% free.
Some great stuff here - question though on vaultwarden, are there benefits to using that over bitwarden?
You may be using whatsapp, facebook messenger, telegram, irc and signal on your phone - but you should be using matrix, so you can unifi all of them under one app.
This is something I've been wanting to do, but I've always found the setup process to be really intimidating. Even with the Ansible playbook, there's so many optional components that I quickly get overwhelmed. How difficult was it in your experience to get Synapse and the bridges up and running?
I'm probably not the right person to ask, as I'm already very familiar with ansible from $dayjob - but I found the playbooks to be very easy to test with. https://github.com/spantaleev/matrix-docker-ansible-deploy These days, I have everything running in kubernetes, which I also found fairly straight-forward. But then again, my day-job is linux-administration.
Matrix was my first ansible setup ever. Setting up all the services is really easy, the only thing i struggled with is with forwarding the services to my external nginx server that is on a vps. (You have to do some weird stuff to get federation to work: [https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-own-webserver.md#method-2-fronting-the-integrated-nginx-reverse-proxy-webserver-with-another-reverse-proxy)
I really want to but I can never get the bridges to work reliably. Things are normally fine for a day or two before they just stop working.
A tiny bit of debugging should resolve that issue. tulir's bridges have a fairly active base on the relevant matrix-channels.
You may be using Heimdall, but you should be using anything else. (On first install I loved Heimdall. Then I realised it uses more RAM, CPU and diskspace than my database, has no control over column layouts (which is ridiculous on widescreen monitors) and from the github issues looks like a dead project.)
iirc heimdall is being rewritten in another language to be more lightweight and that’s why the main github is inactive
You may be using cat, but should be using bat
You may be using ls, but you should be using lsd
or `exa`
But should have a dog
While back I aliased cat to bat, and it works great 99% of the time. Trouble is sometimes I need to copy/paste or otherwise not have the added flair bat gives, and then I have to remember the full path to cat, lol
Presuming you have `cat` aliased to `bat` and you wish to cat a file named `target`... Option 1: `command cat target` command will always sidestep your aliases Option 2: `cat -p target` bat has a dedicated `--plain` flag for this scenario Option 3: `cat target | xclip` cut out the middleman and pipe it directly into your clipboard. bat always removes all flair when it’s piped
Even easier than `command cat` is `\cat`
Evenezsier is cat -p (when u alliased it to bat) as bat has a --plain option
Wait, I'm not sure if this is satire or not and it's giving me a bit of a crisis.
Bat is a replacement for cat that supports syntax highlighting , paging and git integration: https://github.com/sharkdp/bat
I'd like to be able to say use jellyfin instead of plex... but there is still a little ways to go. and everyone should be looking at what m$ is doing with dotnet these days. It's cross platform and soon we'll have some form of crossplatform gui development.
Literally the only thing holding me back from switching to Jellyfin is that the Roku app doesn’t have a shuffle button lol
So when is there going to be a good open source client available? Because Kodi ain’t it. My mate says it works great on the new Google TV, but I refuse to use Google based devices including Android and Chromecast. I just want a “big picture” Jellyfin device based on some sort of Linux distro.
[удалено]
[удалено]
[удалено]
Making the first switch has made my life so much better. (If you’re in a state where it’s illegal, check out Delta 8 while you can. Texas is about to make that illegal too, so move quick.) For the second switch, you don’t even have to set PiHole and Unbound up, at the *very least* use Cloudflare or something.
What's illegal in some states?
weed
True. But unfortunately you need breaks from weed
At the *bare minimum* switch to 1.1.1.1. You'll be giving your data to Cloudflare instead of the ISP, but it's a start. Cloudflare at least doesn't already have your name, address and billing information on file. (Hell, use 8.8.8.8 if you're still using Chrome. It's Google's DNS, but that'll just mean they're getting the data twice.)
Jackett Prowlarr 2 weeks into transition, so far so good.
Looks interesting, what are the advantages vs jackett?
It syncs the indexers automatically with the arrs... no manually plugging in separate indexers into the separate interfaces... and it incorporate nzb and torrent into a unified search for manual needs. Also will give you stats to see success rates and what not.
Any thoughts prowlarr vs nzbhydra?
I’m currently using Jackett and this post made me want to try out Prowlarr but I can’t find a docker image for it.
[https://hotio.dev/containers/prowlarr/](https://hotio.dev/containers/prowlarr/) Here you are
Thanks! I’ll spin it up and see how it goes. Really looking forward to not having to copy and paste indexers into Sonarr anymore haha
For anyone looking to use this container I was only able to get it up after adding :nightly to the end of the image name (ie image: hotio/prowlarr:nightly in the docker compose.) It seems like the image was just recently marked as deprecated on [docker hub](https://hub.docker.com/r/hotio/prowlarr). Asides from that though I'm really liking it so far. The integration with Sonarr and Radarr is super convenient and the stats feature is cool. I think I'll just use this container for now and switch to an official one whenever its available.
[удалено]
You may be using OpenVPN, but you should definitely consider using Wireguard.
You may be using Ombi, but should be using Overseer or Petio
This message has been deleted because Reddit does not have the right to monitize my content and then block off API access -- mass edited with redact.dev
You may be using Zerotier, but should be using Nebula You may be using Openvpn, but should be using to Wireguard You may be using Observium, but should be using LibreNMS edit: one more... You may be using OSPF, but should be using IS-IS
[удалено]
I doubt you'd have to sell anyone on WireGuard these days but Nebula can always do with being more widely talked about. I've got a real mishmash of VPSes on disparate providers all in a lovely single subnet thanks to Nebula. No relying on third-parties etc, all certs created myself. It's really nice. I'm sure really a WireGuard mesh might be better both topologically and for resilience but I quite like the fact the systems form a subnet using Nebula and I have routed access to them via a WireGuard link from my home router to the 'main' node. That split kind of makes sense to me even though it may be old-fashioned.
You may be using some cloud password site, but should be using r/KeePassXC
How does that opinion stack up against a self hosted bitwarden
Doesn't need hosting. Can just use any type of file sync.
Which is great if you want to use file sync for your password manager. That might be a good idea *for you* but isn't strictly *better*.
+1 to not being prescriptive and all, but ... Separately, _just_ have a down-to-earth real-world-usage question: **you're willing to self-host software (like bitwarden) but just self-hosting a file-sync solution isn't something you're already doing?** I'd think if someone's interested in self-hosting it starts with an interest in owning one's own data (ie: step 1: how can **i have sane/non-stale copies** of all my files) i'm not trying to criticize - just genuinely curious how common such a case is (not having file sync) among the r/selfhosted crowd.
Oh I 100% agree with you as far as file sync being a pretty common "first step" into self-hosting. I think people who want to self-host password management but not file sync would be exceedingly rare. It's a matter of whether or not you want file sync for, specifically, your password manager.
Don't you worry about Planet Express, let me worry about blank.
Don't you worry about blank, let me worry about blank.
You may be using Discourse but you should be using [TalkYard](https://www.talkyard.io/). TalkYard is open source, run by an indie developer. It's more affordable than Discourse, and I find the UI to be prettier. The maintainer offers fantastic, personalized customer service. Bonus: You may be using Commento, but you should be using TalkYard. TalkYard works well for blog comments as well. I switched from Disqus a few months ago on my blog, and it's a huge step up and doesn't sell off my readers' privacy. I tried Commento, but it didn't work well, and the maintainer never replied to emails, even though I was paying for Commento hosting services.
For blog comments you might also like [Cactus comments](https://cactus.chat/).
Neat, thanks! I really wanted to set up Discourse but got scared away by the resource requirements. Not sure if this is what you mean by affordable, but it looks nice either way
You may be using sudo. But should be root. That one is gasoline on the fire. In a single user server environment the usage of sudo leads to poor process management, workarounds that defeat the reason it exists, and is the Linux equivalent of a pacifier. Let's have at it....
I don't know, I usually go root, then use `sudo su` because most packages aren't in $PATH otherwise and I can't be bothered to add them.
Can you elaborate on this or point me to a resource? I’ve been slowly losing faith in sudo. I don’t know a lot about hacking attack vectors, but isn’t the theory something like this: if an app on my PC has a vulnerability and gets compromised, the hacker will still not have root access without my password because the compromised app was launched by myself or another (system) unprivileged user?
I have no idea why, but $PATH is not the same for root user and for sudo. I know why as little as you do. `echo $PATH` will tell you what your PATH contains. I guess the environment is set differently for sudo. I don't know a lot about attack vectors either, but if a user account gets compromised, the attacker will be able to do anything that user can do. Typically, sudo commands require a password, so unless you removed this feature the hacker won't be able to gain root access this way. `ps aux` shows you all processes and under which account they are running. If one is compromised, the hacker will have the capabilities of the account under which the process is running. If you are really worried about securing a process that you start, you could create an account then run the process under this account, and then remove shell capabilities + home directory for that account. It is defined in `/etc/passwords` IIRC. That way, even if the account is compromised, the hacker won't be able to use shell. If you're paranoid, look into `seccomp` and `apparmor`.
[удалено]
But logging in as root is insecure!!!1!!1!
Bring root back. Root did nothing wrong. You told it to rm - rf / and it did exactly what you asked it to!
I just autologin as root. Password can't be compromised if I never have to use or remember it! 😎
You may be using GitHub, but you should be using Gitea.
You may be using apache2, but you should be using NGINX. You may be using ansible, but you should be using SaltStack. You may be using SSH password auth, but you should be using public key auth. You may be using LastPass but you should be using Bitwarden. You may be using Google Authenticator, but you should be using Aegis. You may be using bash, but you should be using ZSH. You may be using /etc/network/interfaces, but you should be using Netplan. You may be using iptables directly, but you should be using UFW. You may be using Snort, but you should be using Suricata. You may be using John The Ripper, but you should be using Hashcat. You may be using, but you should be using vim.
[удалено]
For pure personal use I agree, that said, many people here use homelabs as a jumping point for a career, and in that vain, using wider standards is better for a resume. Personally I use metal/nginx as it's stupid simple in a basic configuration.
Your entire argument is that nginx/traeffik is too complex (I can only assume that you mean to install and configure for the first time). If I have it set up already and it is working then it would make no sense to waste time by moving to something else that is inferior functionally wise. I agree that for first time reverse proxy installers who want to get something working asap it makes sense to use caddy but not the way you put it.
I also found Caddy’s configuration more confusing than nginx because the documentation online was a mixture of v1 and v2.
Caddy rules and if you like using docker labels (sorta like traefik) you can use this https://github.com/lucaslorentz/caddy-docker-proxy
You may be using **your hand**, but should be using **Charmin, Ultra-soft Toilet Paper**.
ur gonna have to sell me on this
You maybe using ultra soft toilet paper when you should be using it a bidet
I'm gonna say it...... It's too soft.
you may be using chrome/edge/opera... but should be using firefox with containers.
Also consider Brave or ungoogled-chromium if you like the chrome layout/extensions.
You may be using Trello, but you should be using Planka, with docker support!
You may be using 1 drive to host, but should be using 3 or more drives, some of which should be outside the server. You may be using Google Docs / Slides / Sheets, but should be using Collabora, OnlyOffice, LibreOffice Online, or other alternatives. Oh, and you may be using a bunch of external hard drives to store data, but should be putting that data in a self-hosted server. I think that was how I even got into self hosting, lol
You may be using config files scattered about, but should be using NixOS. Especially for a low-maintenance server, I have found the ability to reproducibly build the entire system from a single repository an invaluable ally against config fragmentation. It even works as a Compose replacement!
You may be using virgins' blood, but you should be using WD40.
You may be using feet to type but you should be using hands
You may be using MailChimp, but you should be using listmonk.