I don’t think anubis can proxy webdav. So that breaks.

Instead of putting anubus at 443, put it at the port 80 block. Or at the 5555 block.

What you probably need to do is make it so that webdav traffic isn’t proxied through anubis.

I know this issue, I had a similer issue trying to get the client for krunker.io working with my nvidia gpu. I might have the solution saved somewhere, this comment is so I can remind myself to check.

Yes, but there is something important to remember.

By default, most Linux installs put there kernels in /boot, which is not on the btrfs partition. This is not an issue on distros that keep multiple kernel versions, but it can cause issues on distros that only provide one kernel version (Arch and Arch based distros).

Because the kernels are not stored on the btrfs partition, they are not restored by btrfs snapshots. And if the rest of the system, including kernel modules, are a mismatched version due to restoration, then it means your system is unbootable.

A simpler fix is to install ArchLinux’s linux-tls package, which is the stable version of Linux that doesn’t update constantly.

But what I do to get around this, I put /boot on the btrfs partition, and /boot/efi is the seperate efi partition where grub is installed. Then, kernels are restored when I restore a snapshot.

https://training.play-with-docker.com/

This is an interactive, guided docker course in your browser.

Of course, docker is easy to install and use on a Linux system.

Do you have any examples of rustic having bugs that eat data? I couldn’t find any precedent when I searched, which is part of why I used rustic.

restic is in go, rustic is in rust, both are memory safe typed languages.

Not a stupid question.

Cachyos to cachyos.

This matters. Firefox will refuse to do anything with a profile directory from a newer version of firefox. So if I switched to opensuse leap, or another linux distro that has an older version of firefox, then I might encounter issues with just directly copying the profiles.

Okay, I hath returned. Here is what I am doing with FLuxCD and it’s method of installing helm charts:

https://github.com/moonpiedumplings/flux-config/blob/fe71453facc4f5eaf70738430ca7f38f098171b2/apps/apps/authentik/helmrelease.yaml

Okay, I’m cheating. :/ . I’m using Flux’s method where you can have a secret that has values, and then I’m just including those.

But yeah, using an ENV var that pulls from a secret is probably better.

I would say the big thing that might give you trouble is not the init system, but NetworkManager. NetworkManager is the… network management software (wow who woulda guessed?) used on desktop linux distros.

People have many criticisms of it, that are similar to criticisms applied to systemd (it’s also Red Hat software), so I see my friends switching to iwd, wpa_supplicant, or other alternatives when trying something other than systemd as well.

It gives them a lot of pain. None of the other alternatives are as reliable as NetworkManager when it comes to connecting to Wifi. Switching away from Systemd shouldn’t be too hard, but NetworkManager is much tougher to give up. Thankfully, you can run NetworkManager on non-systemd setups.

This is a message to remind myself to share my config later.

I will state that I a, using cloudnativepg for postgres.

The way forgejo actions works, is that it is not a universal thing for every repo. Each repo, can have it’s own forgejo actions instance connected to it, running stuff.

The big benefit of that, is that you can make users bring their own actions servers, and not bother to deploy your own.

It has newer packages than Debian.

This is not quite true. They have overlapping release cycles. A new Debian release will ship frozen versions of the latest packages, causing it to have newer packages than most ubuntu releases. Then the new ubuntu release comes out, with and it has newer packages. Ubuntu doesn’t universally newer packages than debian. The difference is that Debian ONLY does security updates, and doesn’t do feature updates or even bugfixes over it’s lifespan. Ubuntu, on the other hand, does ship feature updates and bug fixes, incrementing the package version as they go over the lifespan of an Ubuntu release.

Comparing the bash versions of the latest ubuntu stable version versus the current debian stable, and you’ll notice that Debian has a newer bash:

[moonpie@osiris moonpiedumplings.github.io]$ podman run -it --rm debian
root@980ac170ddb4:/# bash --version
GNU bash, version 5.2.37(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
root@980ac170ddb4:/# exit
exit
[moonpie@osiris moonpiedumplings.github.io]$ podman run -it --rm ubuntu
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/00-shortnames.conf)
Trying to pull docker.io/library/ubuntu:latest...
Getting image source signatures
Copying blob 817807f3c64e done   | 
Copying config f794f40ddf done   | 
Writing manifest to image destination
root@1486a1c38699:/# bash --version
GNU bash, version 5.2.21(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

This is Ubuntu 24, the current stable release. 25/questing, the rolling version does have newer/same package versions of debian. But people don’t base distros off of the rolling version of ubuntu, only the stable releases.

No, they’re dual licensed. Canonical has users contributing signing a Contributor License agreement, in which they agree to allow Canonical to distribute alternatively licesed, or proprietary versions.

This change was somewhat controversial, and partially why Incus was forked from LXD.

Companies at onferences give 4/8gb out sometimes. They buy branded ones in bulk.

• oauth, and control sign ups via there. Don’t let people sign up via forgejo itself.
• anubis, yeah. Or similar.
• forgejo actions is an optional component… and forgejo users can bring their own actions server. Of course, it’s a risk to them since the server owner could execute code in actions. But yeah.

Void auth, or kanidm look like easier alternatives.

I have installed an OS onto just the btrfs root subvolume, leaving the home directory intact. This is how I originally swapped from Manjaro to Arch. The arch manual install instructions helped.

But this should be a feature of the graphical installers imo.

Transparent fileystem compression and deduplication (btrfs feature not in ext4) compresses data while still having it be accessible normally. This leads to big space savings.

You can use the tool compsize to check it out.

Journalists communicating with sources in censored regions

Whistleblowers sharing information securely

You and your peer agree on an encryption key (any string).

This is unacceptably unsecure for the usecases you mention. There is a reason why the most secure messaging apps don’t use symetric encryption, don’t use passphrases, and they also possess forward secrecy.

It’s pointless to push this as a censhorship circumvention method when many other methods exist that already do so 10x better, in a secure way, over decentralized, hidden and unblockable infrastructure. (Tor’s meek-azure bridges use microsoft’s infrastructure, which nobody is able to block because everybody depends on it, even China).

I appreciate the project, and I am always happy to see people learning, progressing, and publishing their results, but you need to be honest about the weaknesses of your software compared to established solutions. It’s not impossible for you to one day produce a secure messaging app, but today is not the day. Right now, using this is just a fast way to get killed.

somewhat relevant: https://en.wikipedia.org/wiki/Shadow_IT

Also try wireguard over port 53. Often (udp) traffic to port 53 is unblocked because it’s needed for DNS.

What is special about this setup is that it can sometimes get around captive portal wifi.