I really wish there was a self hosted option for discord that was as fully featured. If we could even use the discord client (desktop & mobile app) with a self hosted server, that would be amazing, but I know it's impossible and would never happen. It's great that so many gamers use it, but it's annoying how expensive the premium features are to allow larger file sizes of attachments, and higher quality for streaming things. We don't use the streaming enough to justify boosting the discord server, it's more for the quick "hey check this out for a couple minutes" type of things when we're all on there already, or using some other file sharing thing for larger file sizes. Oh how I wish it was just some XMPP type thing where we had more flexibility with what client & server to use.
# ? Apr 26, 2022 21:28 |
fletcher posted: I really wish there was a self hosted option for discord that was as fully featured. If we could even use the discord client (desktop & mobile app) with a self hosted server, that would be amazing, but I know it's impossible and would never happen. It's great that so many gamers use it, but it's annoying how expensive the premium features are to allow larger file sizes of attachments, and higher quality for streaming things. We don't use the streaming enough to justify boosting the discord server, it's more for the quick "hey check this out for a couple minutes" type of things when we're all on there already, or using some other file sharing thing for larger file sizes. Oh how I wish it was just some XMPP type thing where we had more flexibility with what client & server to use.

What about a Matrix server: https://github.com/AVENTER-UG/docker-matrix https://matrix.org/ and Element client: https://element.io/
# ? Apr 26, 2022 21:58 |
fletcher posted: Oh how I wish it was just some XMPP type thing where we had more flexibility with what client & server to use.

Gotta have the shittest possible proprietary solution that's held together with string of woven cloth and wet tape where the front-end is designed to be the least-efficient and most exploitable to encourage the users to build their own clients using undocumented APIs, so that you can ban them.

Nitrousoxide posted: What about a Matrix server:

This is Microsoft Chat levels of bullshit, and they managed to get themselves banned from every network for behaving that way, so why the gently caress do Matrix developers think it's a good idea?
# ? Apr 26, 2022 22:26 |
Nothing out there right now is going to provide discord levels of features but whatever ircd of your choice plus https://thelounge.chat will give you a decent self-hosted community chat solution that won't poo poo the bed or do whatever the gently caress matrix is doing. I'm sure there are similar webui solutions out there for XMPP but to be honest I've never gone looking.

BlankSystemDaemon posted: so why the gently caress does Matrix developers think it's a good idea?

I was going to say because "recreate basic internet protocols but worse using activitypub is the hot new trend right now" but it turns out matrix is its own terrible bodge on top of http.

corgski fucked around with this message at 01:40 on Apr 27, 2022
# ? Apr 27, 2022 01:35 |
BlankSystemDaemon posted: Matrix somehow manages to be even worse, because it does an impossibly poor job of interoperating with IRC by completely making GBS threads all over the existing protocol, implementing threaded conversations by doing partial inline quoting which makes conversations harder to follow if you're using a regular client, and on top of all that if you so much as dare type one character above the max length of any message on IRC, Matrix unilaterally decides to parse the entire sentence through a httpd and instead put part of the message plus an URI into the IRC channel.

I don't really see how Matrix is worse than Discord because of poor IRC interoperability, considering neither of the services connect to IRC. I guess you're talking about this appservice bridge, which lets you configure how many lines to output before linking a document instead: https://matrix-org.github.io/matrix-appservice-irc/latest/usage#matrix---irc-formatting Looking briefly at the sample config the reply formatting is completely configurable as well. Allow posting lots of lines at once and your service will get banned for spamming, or link long posts Twitter style and you get banned for being annoying, there's no winning with the IRC crowd.
# ? Apr 27, 2022 01:43 |
BlankSystemDaemon posted: Matrix somehow manages to be even worse, because it does an impossibly poor job of interoperating with IRC by completely making GBS threads all over the existing protocol, implementing threaded conversations by doing partial inline quoting which makes conversations harder to follow if you're using a regular client, and on top of all that if you so much as dare type one character above the max length of any message on IRC, Matrix unilaterally decides to parse the entire sentence through a httpd and instead put part of the message plus an URI into the IRC channel.

Is Matrix running over IRC? Looking at their docs, it looks like the standard setup just talks to other Matrix servers directly. Why would anyone care if it doesn't play nice with IRC?
# ? Apr 27, 2022 02:06 |
Thanks for last page’s big exploration of security and video codecs and transcoding and stuff. Things I’ve always tried to read up on but didn’t know the terminology before.
# ? Apr 27, 2022 02:56 |
This conversation about Matrix-IRC bridging reminds me a lot of the people who insist on top-posting and doing rich text MIME in mailing lists without the client at least including a plaintext alternative.

Keito posted: I don't really see how Matrix is worse than Discord because of poor IRC interoperability, considering neither of the services connect to IRC.

When connecting Matrix to IRC, it shouldn't be offering them as a solution since it makes for an absolutely terrible experience for everyone but the Matrix user. There's something called the robustness principle, which arguably has led to a lot of security issues over the years so might not be the best if left on its own, but still has something that I think people can stand to learn: Be conservative in what you send, be liberal in what you receive. A modern rewrite would probably add to discard early for things which don't fit what you expect to receive, but phrased better.

Nitrousoxide posted: Is Matrix running over IRC? Looking at their docs, it looks like the standard setup just talks to other Matrix servers directly. Why would anyone care if it doesn't play nice with IRC?

Meanwhile, real IRC clients will break up sentences that exceed the maximum number of characters into multiple messages, and that's generally accepted since the maximum length of any message is defined by the RFC. If you end up typing more than ~1000 characters per sentence (which is enough to require three full messages, since the maximum length is 510 characters), you could probably express yourself more concisely. Besides, you risk getting hit by flood protection if you do insist on behaving badly, which can result in you getting K-lined or G-lined in quick succession.

tuyop posted: Thanks for last page’s big exploration of security and video codecs and transcoding and stuff. Things I’ve always tried to read up on but didn’t know the terminology before.

BlankSystemDaemon fucked around with this message at 09:16 on Apr 27, 2022
# ? Apr 27, 2022 08:56 |
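The 510-character figure above comes from the RFC line limit: 512 bytes per line including the trailing CRLF. A client that splits long messages itself also has to remember that the server relays a PRIVMSG with ":nick!user@host " prepended, so the recipient-side line is what has to fit. The following is an added example, not code from the thread or from any IRC client or the Matrix bridge; the nick, user, host and channel used in it are made up.

```python
# Added example (not from the thread): splitting a message into IRC-sized
# chunks. RFC 1459 / RFC 2812 cap a line at 512 bytes including CRLF, so a
# client gets 510 bytes of content, and when the server relays a PRIVMSG it
# prepends ":nick!user@host ", which eats further into the space the recipient sees.
from typing import List

IRC_MAX_LINE = 512  # bytes, including the trailing CRLF


def privmsg_payload_budget(nick: str, user: str, host: str, target: str) -> int:
    """Bytes of message text that fit once the server-added prefix is counted."""
    relayed_prefix = f":{nick}!{user}@{host} PRIVMSG {target} :"
    budget = IRC_MAX_LINE - 2 - len(relayed_prefix.encode("utf-8"))
    if budget < 1:
        raise ValueError("nick/user/host/target leave no room for text")
    return budget


def split_for_irc(text: str, budget: int) -> List[str]:
    """Greedy word wrap by UTF-8 byte length.

    A single word longer than the budget is hard-split at character
    boundaries, so a multibyte UTF-8 sequence is never cut in half.
    """
    if budget < 1:
        raise ValueError("budget must be positive")
    chunks: List[str] = []
    current = ""
    for word in text.split(" "):
        candidate = word if not current else f"{current} {word}"
        if len(candidate.encode("utf-8")) <= budget:
            current = candidate
            continue
        if current:
            chunks.append(current)
            current = ""
        while len(word.encode("utf-8")) > budget:
            piece = ""
            for ch in word:
                if len((piece + ch).encode("utf-8")) > budget:
                    break
                piece += ch
            if not piece:
                raise ValueError("budget smaller than one character")
            chunks.append(piece)
            word = word[len(piece):]
        current = word
    if current:
        chunks.append(current)
    return chunks


def to_wire_lines(nick: str, user: str, host: str, target: str, text: str) -> List[str]:
    """Client->server PRIVMSG lines (with CRLF) for one message, each checked to
    still fit in 512 bytes after the server adds its prefix."""
    budget = privmsg_payload_budget(nick, user, host, target)
    lines: List[str] = []
    for chunk in split_for_irc(text, budget):
        line = f"PRIVMSG {target} :{chunk}\r\n"
        relayed = f":{nick}!{user}@{host} {line}"
        assert len(relayed.encode("utf-8")) <= IRC_MAX_LINE
        lines.append(line)
    return lines


if __name__ == "__main__":
    # constructed identity and channel; ~1000 characters needs three messages
    for wire in to_wire_lines("alice", "~alice", "example.invalid", "#chan", "x" * 1000):
        print(len(wire.encode("utf-8")), wire[:40] + "...")
```

The number of chunks this returns is also the number of lines a flood limiter will see arrive at once, which is the practical reason to keep the count small rather than to argue about where the bridge draws its line.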
BlankSystemDaemon posted: This conversation about Matrix-IRC bridging reminds me a lot of the people who insist on top-posting and doing rich text MIME in mailing lists without the client at least inclining a plaintext alternative.

Yeah, that's a good comparison of the "problem" I would say.

BlankSystemDaemon posted: Be conservative in what you send, be liberal in what you receive.

BlankSystemDaemon posted: A quick glance at /who #libera suggests that out of ~2000 users it's maybe 5-10% - but since it's apparently something people have to go out of their way to setup, and it's looking like they deliberately ship without a sample config, it seems to me that they could do a bit more, since it's set to 3 by default, despite the fact that they acknowledge that it pisses off people who use IRC.

Au contraire, the sample config sits right in the root of that repository. In the case of libera.chat, I think your grievances should be with them rather than Matrix users: https://libera.chat/guides/faq#can-i-connect-with-matrix If the bridge interface they've got EMS running for them is configured in a way that pisses off users of their own network, they should do something about that.
# ? Apr 27, 2022 09:28 |
Look, if we're running IRC then it's Microsoft Comic Chat or nothing
# ? Apr 27, 2022 12:03 |
Scruff McGruff posted:Look, if we're ruining IRC then it's Microsoft Comic Chat or nothing
# ? Apr 27, 2022 13:31 |
Scruff McGruff posted: Look, if we're running IRC then it's Microsoft Comic Chat or nothing

Thanks to this I discovered that Jerkcity is still running.
# ? Apr 27, 2022 17:47 |
Not sure if this is the right thread for it but I've been thinking about finally ditching Google. My plan would be:
Anything else I'm not thinking of? Is there anything that I'm going to really miss after this switch?
# ? May 11, 2022 06:55 |
fletcher posted: Anything else I'm not thinking of? Is there anything that I'm going to really miss after this switch?

It is possible to use a single sign on front end with nextcloud, but photoprism is not multiuser and only supports link sharing. The SSO stuff is hard for me to comprehend, but I did get e: I take that back it was "Authentik"

CopperHound fucked around with this message at 02:50 on May 12, 2022
# ? May 11, 2022 15:36 |
fletcher posted: Not sure if this is the right thread for it but I've been thinking about finally ditching Google.

Google docs, drive and photos can be replaced with Nextcloud. You can either self host a collabora server separately (I do this) or use the built-in code server available to modern installs of Nextcloud to spin it up (as I understand this is technically less robust, but will be fine for a few users and isn't as complicated because you don't need to deal with the SSL certs and pointing to the correct servers). Either way it's free. This is what a document would look like being edited online. Nextcloud can happily back up photos from your phone automatically and can be used to share them with other folks. I do this for my family when I share hiking photos. It's a bit more clunky than Google Photos though, and you're not going to get all that neat AI stuff for identifying people and things. If you want those features then some other self-hosted open source photo apps can do them, though they can be pretty processor heavy because your server is doing all the AI identification itself.

Nitrousoxide fucked around with this message at 17:51 on May 11, 2022
# ? May 11, 2022 15:54 |
fletcher posted: Not sure if this is the right thread for it but I've been thinking about finally ditching Google.

I'd never keep important photos and files exclusively on my server - all it takes is a house fire and everything is toast. I appreciate the self hosted ethos, but you're just asking for trouble if you're not doing some sort of cloud-based redundant backup of some sort - I have rclone doing monthly encrypted backups of my Unraid config, appdata backups, docker backups, and photos and files to a Google Business Standard account.
# ? May 11, 2022 16:18 |
Thanks for the feedback and some things to investigate further!

Gay Retard posted: I'd never keep important photos and files exclusively on my server - all it takes is a house fire and everything is toast. I appreciate the self hosted ethos, but you're just asking for trouble if you're not doing some sort of cloud-based redudant backup of some sort - I have rclone doing monthly encrypted backups of my Unraid config, appdata backups, docker backups, and photos and files to a Google Business Standard account.

This is good advice, that's why I mentioned the NAS is being backed up to b2. I am very paranoid about backups! I do like that my truly irreplaceable stuff currently exists in 4 places: desktop, NAS, backblaze, and Google drive. I also regularly verify my backups by testing the full restore process.
# ? May 11, 2022 18:45 |
I'd just like to acknowledge how everyone who says Docker and containers are easy, and how in real life it's worse than using Linux in 2004.
# ? May 13, 2022 03:37 |
Billy Ray Blowjob posted: I'd just like to acknowledge how everyone who says Docker and containers are easy, and how in real life its worse than using Linux in 2004.

My first real experience with docker was with unRAID and the community apps plugin. It made docker nearly as simple as an app store. As for compose or command line, many docker hub pages tell you exactly how to start them with compose or the command line. If there isn't an official image, I usually go for something from linuxserver.io for the sake of consistency.

E: one problem I occasionally have is with file permissions on mapped directories. I usually manage to fix it but it seems super inconsistent.

CopperHound fucked around with this message at 05:19 on May 13, 2022
# ? May 13, 2022 05:13 |
The popularity of docker is largely people treating it as a cross-distribution app store. It's not very good at that, but that's why it's so prevalent. I'm an old grump and run services grouped in VMs based on logical boundaries rather than putting everything in individual docker containers and dealing with all the configuration headaches and security issues that stem from that.
# ? May 13, 2022 06:58 |
Docker didn't invent the idea of individual containers. FreeBSD folks have been doing service jails (ie. one jail for every service) since FreeBSD 5.0 if memory serves, which was around 2003.
# ? May 13, 2022 09:10 |
Billy Ray Blowjob posted: I'd just like to acknowledge how everyone who says Docker and containers are easy, and how in real life its worse than using Linux in 2004.

The technology is excellent, but very complex. Most people are absolutely awful at writing/orchestrating Linux containers. As corgski wrote most of the self-hosting crowd seems to treat it as a universal app store which is less than ideal; poor understanding of the underlying tech/tooling and (I assume in most cases) no auditing of images they download onto their systems is pretty much bound to lead to security issues.
# ? May 13, 2022 09:50 |
CopperHound posted: If there isn't an official image, I usually go for something from linuxserver.io for the sake of consistency.

I have avoided official & community images. I found it pretty straightforward to just write my own Dockerfile using debian:bullseye-slim as the base and use whatever "generic linux install" steps the documentation of the app I want to use has. I like the consistency this brings to all my images. Maybe part of this is rooted in getting annoyed with trying to keep up with all the breaking changes Chef community cookbooks & Ansible community playbooks would have. Perhaps official/community docker images don't suffer from this as much. It's also nice having total control over what is installed on the thing though, from a security perspective.
# ? May 13, 2022 09:56 |
I recently moved from unraid+appstore to just a plain debian install and podman and it's been a fairly easy adjustment but I have been a computer janitor in a past life. I think if you don't do this poo poo at work (I don't) then documenting what you're doing is the missing step in terms of managing everything moving forward, there's plenty of guides to get something set up quickly but precious few on ongoing management. I had a few abortive attempts at cockpit and portainer and gave up on them to manage my deployment but I would never say it's a breeze for any random person.
# ? May 13, 2022 10:30 |
In short, if you can't explain it back to yourself as a bare minimum you're not going to have a good time long term.
# ? May 13, 2022 10:31 |
My boot SSD died last week for the first time since I switched to using docker for my services. The rebuild experience was so much smoother and better thanks to docker. I set all my containers to write their app data to /opt/config/$service and then I rdiff-backup /opt/config to a backup disk nightly, I do the same with my fstab. Getting back online was a case of installing ubuntu server, then mounting my backup disk. Then I copied the media disks and parity disk lines from the fstab backup to the new fstab, and rdiff-backup restored the config directories. Then I ran docker-compose up -d on my backed up docker-compose file and all my services were back online as if they'd not been gone. I can never go back to losing a weekend on configuring all my services and putting config files back into /etc/ all over the place.
# ? May 13, 2022 13:42 |
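The restore described above has one step that is easy to get wrong by hand: copying the media and parity disk lines out of the backed-up fstab without also carrying over the old root or boot entries, which now point at the dead SSD. The following is an added example, not the poster's script or anything from rdiff-backup or docker-compose; the UUIDs, mount points and the two fstab files are constructed placeholders, and it only produces the merged text rather than writing /etc/fstab.

```python
# Added example (not from the thread): pulling chosen mount entries out of a
# backed-up fstab and merging them into a fresh install's fstab. All UUIDs,
# device names and mount points below are constructed placeholders.
import re
from typing import Dict, List, Set

# fstab escapes whitespace inside a field as a 3-digit octal code, e.g. \040
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

BACKUP_FSTAB = """\
# constructed sample of the backed-up fstab; UUIDs are placeholders
UUID=OLD-ROOT-0000  /                    ext4 defaults        0 1
UUID=MEDIA-1111     /mnt/media           ext4 defaults,nofail 0 2
UUID=PARITY-2222    /mnt/parity          ext4 defaults,nofail 0 2
UUID=SCRATCH-3333   /mnt/old\\040scratch ext4 defaults,nofail 0 2
"""

NEW_FSTAB = """\
# constructed sample of the fresh install's fstab
UUID=NEW-ROOT-9999 / ext4 defaults 0 1
"""


def decode_fstab_field(field: str) -> str:
    """Turn '\\040'-style escapes back into the literal characters."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_fstab(text: str) -> List[Dict[str, str]]:
    """One dict per data line: spec, decoded mount point, fs type and the raw line."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:  # spec, mount point, type and options are mandatory
            continue
        entries.append({
            "spec": fields[0],
            "mountpoint": decode_fstab_field(fields[1]),
            "fstype": fields[2],
            "raw": raw,
        })
    return entries


def select_entries(fstab_text: str, wanted: Set[str]) -> List[str]:
    """Raw lines for exactly the mount points we want to carry over."""
    return [e["raw"] for e in parse_fstab(fstab_text) if e["mountpoint"] in wanted]


def merge_fstab(current_text: str, lines_to_add: List[str]) -> str:
    """Append lines whose mount point is not already present; running it twice
    yields the same result, so it is safe to re-run during a restore."""
    present = {e["mountpoint"] for e in parse_fstab(current_text)}
    out = current_text.rstrip("\n").splitlines()
    for line in lines_to_add:
        parsed = parse_fstab(line)
        if not parsed or parsed[0]["mountpoint"] in present:
            continue
        out.append(line)
        present.add(parsed[0]["mountpoint"])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    wanted = {"/mnt/media", "/mnt/parity"}
    print(merge_fstab(NEW_FSTAB, select_entries(BACKUP_FSTAB, wanted)))
```

Selecting by mount point rather than by device name is deliberate: the fresh install's root entry stays untouched, and the data disks come over with their own options (the nofail here is constructed, but it is the option that keeps a missing disk from blocking boot).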
BlankSystemDaemon posted: Docker didn't invent the idea of individual containers.

I suppose I could have phrased it better. I use chroot jails liberally, especially for things like postfix, but also don't have, eg, postfix, dovecot, and rspamd running on the same VM as mariadb or plex. If I switched to using docker I'd do what fletcher does and build my own images and enjoy the better isolation docker provides over chroot jails but also eh, if something on my mailserver gets compromised the entire VM is getting restored from a snapshot regardless of what sandbox technology I'm using.
# ? May 13, 2022 18:37 |
corgski posted: I suppose I could have phrased it better. I use chroot jails liberally, especially for things like postfix, but also don't have, eg, postfix, dovecot, and rspamd running on the same VM as mariadb or plex.

As the jails paper linked below mentions, nobody really knows why chroot was originally implemented - it first got added to BSD around 1981 in order to build BSD cleanly - ie. to avoid build environment pollution, which FreeBSD uses jails for nowadays with poudriere(8), and which is necessary for things like reproducible builds in general. Docker isn't made for it either, with both Google and Red Hat pointing out that container solutions by themselves don't provide isolation. Other places will point out that you need a Mandatory Access Control solution like SELinux or alternative forms of sandboxing to enforce isolation, although that way leads to its own fun since you'll run into interoperability issues with specific filesystems that don't support the proper labeling. Still other places will talk about capabilities, but that's its own can of worms.

EDIT: And sooner or later you'll find other helpful advice.

EDIT2: In general, it can probably be argued that if something wasn't built from the ground-up with isolation in mind, like FreeBSD Jails, then it's probably going to be very very difficult to retrofit that functionality on top of it.

BlankSystemDaemon fucked around with this message at 19:36 on May 13, 2022
# ? May 13, 2022 19:22 |
Non-rootful Podman is supposed to be more secure than Docker though if you need to do any fancy networking stuff with it I don't think that works unless you go rootful. Unfortunately the documentation and how-to's for Podman are really lacking compared to docker. Sometimes you can just follow the docker instructions, but since those generally assume rootful docker installs it's not at all uncommon for them to just fail to work and you have to untangle how you have to do things differently in Podman (or if it's even possible, as with the aforementioned networking)
# ? May 13, 2022 19:30 |
Nitrousoxide posted: Non-rootful Podman is supposed to be more secure than Docker though if you need to do any fancy networking stuff with it I don't think that works unless you go rootful.

That can also be done via su, sudo, doas, daemon(8) on FreeBSD, and many daemons implement their own privilege dropping via daemon(3) or some home-grown code to achieve the same. I think it got implemented first in OpenBSD, but I'm not 100% sure about that.

BlankSystemDaemon fucked around with this message at 19:37 on May 13, 2022
# ? May 13, 2022 19:35 |
Billy Ray Blowjob posted: I'd just like to acknowledge how everyone who says Docker and containers are easy, and how in real life its worse than using Linux in 2004.

I went from VMs, to containers and have recently gone back to VMs for everything. The cost is that I consume more memory and compute per service, but they are substantially easier to manage, and substantially easier to expand. And I get to keep my sanity.... I think there are still situations where I'd do the whole k8s thing again, but the scale would have to be extremely huge, or the service would have to require crazy flexibility to spin up and spin down
# ? May 13, 2022 19:40 |
BlankSystemDaemon posted: It's the same privilege separation as running something as root then dropping privileges.

Not at all. You're talking about switching user inside of a container. What Nitrousoxide referred to was rootless containers which Podman (as well as Docker) supports, although no one in the selfhosting crowd seems to grok/know about it. In your previous post you linked these:

BlankSystemDaemon posted: Docker isn't made for it either, with both Google and Red Hat pointing out that container solutions by themselves don't provide isolation.

A 4 year old article from Google, and an 8 year old article from Red Hat, respectively. This is not where we're at with Linux containers at this point in time; Linux user namespaces are used to allow unprivileged users to run containers.
# ? May 13, 2022 19:55 |
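The distinction drawn in the two posts above (a daemon dropping privileges inside a container versus a rootless container built on a user namespace) can be checked from inside the container rather than argued about: `id` reports uid 0 in both a rootful and a rootless container, but /proc/self/uid_map shows which host uid that 0 actually is. The following is an added example, not from the thread, Podman or Docker; the three sample maps are constructed, and the classifier is a quick check of what kind of root a process has, not a statement that rootless mode makes a runtime isolation-complete.

```python
# Added example (not from the thread): reading the user-namespace id map to
# tell "uid 0 on the host" apart from "uid 0 that is really an unprivileged
# host user". Each /proc/<pid>/uid_map line is
#     <first id inside the namespace> <first id outside> <count>
# The three maps below are constructed samples.
from typing import List, Optional, Tuple

# identity map: this is the initial namespace (or one that maps 0 -> 0)
UID_MAP_HOST_ROOT = "         0          0 4294967295\n"

# rootless-style map: in-container uid 0 is host uid 1000, and in-container
# uids 1..65536 come from a subordinate range starting at host uid 100000
UID_MAP_ROOTLESS = (
    "         0       1000          1\n"
    "         1     100000      65536\n"
)

# a namespace where uid 0 is not mapped to anything on the host at all
UID_MAP_UNMAPPED_ROOT = "      1000       1000          1\n"

IdMap = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> IdMap:
    """Parse uid_map/gid_map text into (inside_start, outside_start, count) tuples."""
    entries: IdMap = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def map_to_host(inside_id: int, entries: IdMap) -> Optional[int]:
    """Host-side id for an in-namespace id, or None if it is unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def classify_root(uid_map_text: str) -> str:
    """'host-root' if in-namespace uid 0 is host uid 0, 'rootless' if it is
    some other host uid, 'unmapped-root' if uid 0 has no host identity."""
    host_uid = map_to_host(0, parse_id_map(uid_map_text))
    if host_uid is None:
        return "unmapped-root"
    if host_uid == 0:
        return "host-root"
    return "rootless"


def classify_self(path: str = "/proc/self/uid_map") -> str:
    """Classify the calling process using its own uid_map (Linux only)."""
    with open(path, encoding="ascii") as f:
        return classify_root(f.read())


if __name__ == "__main__":
    for name, sample in (("host-root sample", UID_MAP_HOST_ROOT),
                         ("rootless sample", UID_MAP_ROOTLESS),
                         ("unmapped sample", UID_MAP_UNMAPPED_ROOT)):
        print(f"{name}: {classify_root(sample)}")
    try:
        print(f"this process: {classify_self()}")
    except OSError:
        print("no /proc/self/uid_map here (not Linux)")
```

A process that merely called setuid to an unprivileged user inside a rootful container still sits in a namespace whose map reads like the first sample, which is why the uid alone says nothing about what a container breakout would land on; the map is the part the host kernel enforces.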
Keito posted: Not at all. You're talking about switching user inside of a container. What Nitrousoxide referred to was rootless containers which Podman (as well as Docker) supports, although no one in the selfhosting crowd seems to grok/know about it. In your previous post you linked these:

Have you had a look at your favorite search engine for "docker escape"?
# ? May 13, 2022 20:31 |
BlankSystemDaemon posted: Welp.

I don't think Podman is susceptible to a docker escape in rootless mode, at least as far as I know.
# ? May 13, 2022 20:34 |
BlankSystemDaemon posted: Welp.

Did you read any of what I wrote/linked? Probably not.
# ? May 13, 2022 20:38 |
Nitrousoxide posted: I don't think Podman is susceptible to a docker escape in rootless mode, at least as far as I know.

I've seen this before, though; Someone suggests a tool to use, a bunch of code execution and/or privilege escalation and other exploits are found, and someone else suggests the newest tool that this time will work for sure, despite also not having been designed for isolation.

Keito posted: Did you read any of what I wrote/linked? Probably not.

Threat actors nowadays don't assume they can get by with a single exploit; they chain stuff. Even if your container runs as root, all they need is a privilege escalation for something outside of the container, and they've got root on the host - that's not exactly a big leap. Was docker completely rewritten with isolation in mind? No? Then it's probably not any better than it was, irrespective of how long it's been. Jails have existed since 1998 (and were made public in 1999), and there's so far been a very very short list of escapes, despite the creator asking people to find them.

BlankSystemDaemon fucked around with this message at 20:45 on May 13, 2022
# ? May 13, 2022 20:40 |
None of this poo poo should be directly internet facing anyway. If you're self hosting and need something exposed without VPN you should be using cloudflared and a good reverse proxy.
# ? May 13, 2022 21:20 |
I don't disagree with you at all that filesystem sandboxing through chroot or even anything more involved like docker is still an imperfect solution, but do you have to be such a dick about it?
# ? May 13, 2022 21:55 |
Matt Zerella posted: None of this poo poo should be directly internet facing anyway. If you're self hosting and need something exposed without VPN you should be using cloudflared and a good reverse proxy.

I wish there was an alternative to cloudflare; it sucks that when you've done a whole lot of work to set up self-hosting, you're still dependent on a single point of failure - and doubly so if you're European.

corgski posted: I don't disagree with you at all that filesystem sandboxing through chroot or even anything more involved like docker is still an imperfect solution, but do you have to be such a dick about it?

BlankSystemDaemon fucked around with this message at 23:30 on May 13, 2022
# ? May 13, 2022 23:27 |
You’re a BSD fan, we know you can’t help it.

In terms of reverse proxies, is there any reason to swap from Synology’s solution if I’m getting what I need out of it? Iirc the only thing I have external facing is Plex and 99% of my use case is “I hate IP addresses and/or ports in my address bar.”
# ? May 13, 2022 23:45 |