irotsoma

Really the first issue is your IP address. How does your ISP hand out IP addresses IPv4 and/or IPv6?

If you have an ISP that gives a static block of IPv6 addresses that simplifies things immensely. But also consider that many legacy, monopoly ISPs have not implemented IPv6 for their customers, especially in the US, and so domains without an IPv4 address aren’t accessible from people’s homes that use those ISPs. But it means you could assign static IPv6 addresses to each service if you wanted to and add subdomains for each. Then you just need to deal with security on that system.

Otherwise you’ll likely need to deal with dynamic DNS. If your router and your domain registrar’s DNS can work together for DDNS that’s ideal. For example, my OpnSense router updates my cloudflare registered domain directly when my ISP changes my IPv4 address (I have one of those ISPs that doesn’t assign IPv6 still but I don’t have any choice if I want > 5-10Mbps upload speeds).

Then you need to deal with routing. The best way is with a reverse proxy like Caddy or I actually like Traefik a lot because it works well with my complex setup with docker and kubernetes among other things. Basically your router needs to route all the inbound traffic on the appropriate inbound ports to the reverse proxy to it to then route to the appropriate service based on the subdomain and/or port of the request.

Once you route the subdomain to the appropriate service you need to deal with security. Once a service is exposed, it’s going to eventually start getting hit by bots trying to access it. Best to implement something like fail2ban to stop them from wasting your processing power with failed logins and 404 errors and such.

I set up separate VLANs for devices that do or don’t get filtering with different DNS servers assigned. And I have two different wifi SIDs on my access point for the different VLANs as well as having ports on my primary switch aligned to one or the other VLAN. I did end up having one other switch that has devices from both VLANs in a different area and had to set up one port on the primary switch with a couple of MAC-based filters for assigning the VLAN for just devices on that remote switch, but those are static devices, so that wasn’t an issue. I don’t attach any other devices to that.

My servers that have been around for a while get thousands of scans per day. In fact I am going to move away from crowdsec because I exceed the free limits on log entries within the first day of the month usually, sometimes just an hour or so. I mean it still works and blocks stuff, but the web portal is basically useless for any research into what I need to give attention to. That and the fact that you can no longer delete decisions on the web portal with the free account.

If she has an Android, you can use the DNS blocker in ReThink to do something similar to pihole outside of your LAN. That’s what I use. There are others, but ReThink is pretty good and has lots of other stuff it can do as well, or just use the DNS option.

I’ve used java Scanner objects to do this extremely efficiently with minimal memory required even with multiple parallel searches. Indexing is only necessary if you want to search for information many times and don’t know what exactly the search will be. For one time searches, it’s not going to be useful. Grep honestly is going to be faster and more efficient for most one time searches.

The initial indexing or searching of the files will be bottlenecked by the speed of the disk the files are on, no matter what you do. It only helps to index because you can move future searches to faster memory.

So it greatly depends on what and how often you need to search and the tradeoff is memory usage, but only for multiple searches of data you choose to index from the files in the first pass.

Yeah, companies have abused that to release buggy, incomplete products faster and only make the software stable and feature complete if they make a good profit.

Yeah one thing I find these kinds of tools good for is warranty tracking I’d something breaks and insurance claims if there’s a fire or robbery or something.

Personally, I find Traefik much simpler than Nginx, especially with Kubernetes, but even with pure docker, but it’s definitely not as performant. That’s balanced by the fact that it does a lot of automatic detection and has dynamic config loading so I don’t have to break other services when changing configurations.

Yeah, video streaming is not a good thing to put on a limited bandwidth server either directly or as a VPN or proxy passing data.

Best bet would be if you can set up a reverse proxy on your router and have that accept all inbound requests and direct to the correct internal server and port.

Mobilizon works well for me. I only wish more organizers used it so I could get events from local communities without having to enter it myself.

There’s a plugin for compose, but podman itself does have some differences here and there. I’m starting to migrate my own stuff as Docker is getting more money hungry. Womder if they’ll try to IPO in a few years. Seems like that’s what these kinds of companies do after they start to decline from alienating users. Just wish that portainer and docker hadn’t killed all the GUIs for docker and swarm was better supported.

The company i work for has also required us to migrate from Docker as the hub and desktop app are no longer totally free. I expect more and more limitations will show up on the free versions as usually is the case with companies like this.

If the meter is plugged into the UPS, then the UPS has nothing to do with the power flowing into the meter. Power is “pulled” not “pushed” to devices in that a device supplying power can limit the amount of power provided, but can’t increase it beyond what the devices request.

Just like with plumbing. The water company can’t force your faucets to open and use more water. Now they could increase pressure and break pipes, similarly the UPS could provide the wrong voltage and short or burn out wires or devices causing them to draw more, but that is unlikely to be the issue here. As long as voltage is constant, amperage (the other component in wattage) is pulled, not pushed.

What you’re seeing in the input load, if it matches what is flowing out of the meter, is some device requesting more power and thus more power flowing into the UPS to be passed to those devices, not the UPS forcing something to use power which isn’t possible as explained above, or the UPS itself using power because the meter has no connection to what power is being used by the UPS, only things plugged into the meter.

So, there must be something else using the power. Likely the devices, even if they aren’t really doing anything you consider significant, are doing something. Probably maintenance, checking for updates, the monitoring proceses requesting information from the devices since the TrueNAS server is on that end, etc. You’d need to put a meter on each device to determine what is drawing the power specifically.

Also, does the power meter only display power used by devices plugged into it, or does it also display it’s own power usage? Could be that the plug itself is using WiFi or something to communicate with external services to log that data. But that would be quick bursts.

Also, without putting a meter on each device, this is probably cumulative. For example, if the NAS is requesing info for monitoring the network, that would spin up the processors on the RPi an cause the switch to draw more power as it transmits that information across the network. Again, this should only be small bursts, but it’s also possible the devices are not sleeping properly after whatever process wakes them so they continue to run their processors at higher amperage for some time. Tweaking power profiles can help with something like tuned on Linux or similar to make things sleep more agressively. With the drawback that they take some amount of time to spin back up when needed.

It you’re talking about TOTP exclusively, that only needs the secret and the correct time on the device. The secret is cached along with the passwords on the device.

LLMs are perfectly fine, and cool tech. Problem is they’re billed as being actual intelligence or things that can replace humans. Sure they mimic humans well enough, but it would take a lot more than just absorbing content to be good enough at it to replace a human, rather than just aiding them. Either the content needs to be manually processed to add social context, or new tech needs to be made that includes models for how to interpret content in every culture represented by every piece of content, including dead cultures who’s work is available to the model. Otherwise, “hallucinations” (e.g. misinterpretation and thus miscategorization of data) will make them totally unreliable without human filtering.

That being said, there many more targeted uses of the tech that are quite good, but always with the need for a human to verify.

There’s not a need to have vaultwarden up all of the time unless you use new devices often or create and modify entries really often. The data is cached on the device and kept encrypted by the app locally. So a little downtime shouldn’t be a big issue in the large majority of cases.

A desktop environment is a waste of resources on a system where you’ll only use it to install and occasionally upgrade a few server applications. The RAM, CPU power, and electricity used to run the desktop environment could be instead powering another couple of small applications.

Selfhosting is already inefficient with computing resources just like everyone building their own separate infrastructure in a city is less efficient. Problem is infrastructure is shared ownership whereas most online services are not owned by the users so selfhosting makes sense, but requires extra efficiencies.

How do you connect? Is there a domain? Is that domain used for email or any other way that it might circulate?

Also, depends on if the IP address was used for something in the past that was useful to target or not. And finally do you use that IP address outbound a lot, like do you connect to a lot of other services, websites, etc. And finally, does your ISP have geolocation blocks or other filters in place?

It’s rare for a process to just scan through all possible IP addresses to find a vulnerable service, there are billions and that would take a very long time. Usually, they use lists of known targets or scan through the addresses owned by certain ISPs. So if you don’t have a domain, or that domain is not used for anything else, and you IP address has never gotten on a list in the past, then it’s less likely you’ll get targeted. But that’s no reason to lower your guard. Security through obscurity is only a contributory strategy. Once that obscurity is broken, you’re a prime target if anything is vulnerable. New targets get the most attention as they often fix their vulnerabilities once discovered so it has to be used fast, but tend to be the easiest to get lots of goodies out of. Like the person who lives on a side street during trick-or-treat that gives out handfuls of candy to get rid of it fast enough. Once the kids find out, they swarm. Lol

At work we have 6 environments other than production. At home just one. I created a way to ease deployment of the environment from scratch using a k0sctl config and argocd and the data gets backed up regularly if I need to restore that, too.

Note that often it’s more efficient to move infrequently accessed memory for background tasks to swap rather than having to move that out to swap when something requires the memory causing a delay in loading the application trying to get the RAM, especially on a system with lower total RAM. This is the typical behavior.

However, if you need background tasks to have more priority than foreground tasks, or it truly is a specific application that shouldn’t be using swap and should be quickly accessible at all times, or if you need the disk space, then you might benefit from reducing the swap usage. Otherwise, let it swap out and keep memory available.

This. Get in writing the specific legally binding policies for personal use of their network resources. Not just the personal opinion of the IT people. They don’t write the legally binding policy that you are responsible for following.