stratself

joined 10 months ago
[–] stratself 2 points 13 hours ago

I don't think geoblocking would be a great fit for Matrix, since you'd be contacted by servers from all over the world. It's more suitable for something like a static website

[–] stratself 9 points 13 hours ago* (last edited 13 hours ago) (1 children)

There are various technical alternatives (ActivityPub-based stuff like PixelFed/Loops/Mastodon/GotoSocial/Sharkey/Akkoma/something else on the Fediverse)

But would you take the plunge of self-discovering different content, which might as well be none of your topics of interests? Would you be acquainted of vastly different UI/UX such as the lack of recommendations, a million client frontends, and the technicality of federation? And lastly, will you find it a place with communities to socialize and content to enjoy from in the long run?

I think trying out on a public instance would be a good way to answer those questions. PixelFed most closely resembles Insta, but the other ones can do too. Then you can consider selfhosting your own

[–] stratself 3 points 2 days ago

How on earth do you have 54 release candidates, each of them adding significant feature, and not bumping your versions? Wouldn't it be nicer to just put them on the main branch and cut a semver release every now and then? At least that'll save on the frequency of posts here

[–] stratself 3 points 2 days ago

When you say "on each device" you mean this configuration would refer to the services running on that device right? Not that every client device needs to have this set up?

The device that runs multiple services will set that up, yes. Not the client.

All my web services use apache or lighttd. Do I use caddy just for this or do I have to figure out how to move each of them to use this web server?

Apache and lighttpd can both do the same thing that Caddy does (multiplex many services via subdomain names on port 80). Caddy is just simpler and hence recommended.

You can move all services to use Caddy, takes some learning but overall better. Alternatively, if you already set up apache/lighttpd for each of your services, you can put Caddy in front and do something like

http://service1.devicename.lan/ {
    tls off
    reverse_proxy localhost:<port-that-apache-listens-on>
}

Also does it work for non-web services, like ssh or samba? (Which wasn't in my original question, I only thought of it now.)

No. Also, those should be running on their dedicated ports anyways

[–] stratself 13 points 2 days ago (5 children)

Use Caddy on each device, with tls turned off. Basically

http://service1.devicename.lan/ {
    tls off
    reverse_proxy localhost:8000
}
http://service2.devicename.lan/ {
    tls off
    reverse_proxy localhost:8096
}
[–] stratself 1 points 4 days ago

What kind of network are you on? If you use public wifi/corporate network, then some of them might block XMPP ports (namely :5222/tcp and :5223/tcp) and has other very restrictive firewalls

[–] stratself 1 points 2 weeks ago (1 children)

You will need to create the address (or alias) using your newmatrix.org account. Check the space's settings and see if that could be done

[–] stratself 2 points 2 weeks ago (2 children)

You're probably interested in creating a firewall on openwrt that blocks all traffic from/to certain IPs

[–] stratself 3 points 2 weeks ago* (last edited 2 weeks ago)

I use my own "solution" to host a WireGuard node inside a tailnet: https://github.com/stratself/tswg

You can also try https://github.com/juhovh/tailguard

Gluetun + Tailscale also kind of worked, but quite slow

[–] stratself 2 points 2 weeks ago

Run tailscale ping if it's using a DERP relay that means you'd get abysmal speed and bandwidth. Usually this is because the NAT can't be punched through. Try opening proper ports and/or configure a peer relay

[–] stratself 3 points 2 weeks ago* (last edited 2 weeks ago)

I custom-build the Caddy container since it is easy to do with xcaddy. It is automated to run every week via Forgejo Actions on a Forgejo repo, and one can pull the latest images from there using Portainer or whatever docker updater software there is.

You can also use any other CI/CD solutions you like as long as it churn out a regularly updated image. Github Actions is another good one if you don't wanna set up Forgejo.

The caddy-cloudflare image is probably also enough for your use case, assuming they're regularly updated. But if you like control, CI is one way to go.

[–] stratself 2 points 3 weeks ago

i'm not sure what you mean? you configure it as your default ntfy server, then delete the previous topic. Then Element X should be able to recreate a new topic again and you can test if notifications are working.

If your server is a continuwuity then there are some little push problems. But if you're on matrix.org or any other Synapse server it should be fine.

 

Technitium DNS Server v15.1.0 has been released with support for OIDC! Now you can use your preferred identity provider to log in to user accounts, and manage your DHCP/DNS deployments with approriately granular permissions controls.

I've played around with it, and safe to say that the SSO integration works well. I've written a guide to set it up against Kanidm here. There were some OIDC/clustering bugs in prior v15 releases, and with v15.1.0 they have been squashed and solved.

The major release of version 15 also include various important changes, such as the following highlights:

  • A new API call for Prometheus metrics
  • Query Logs apps can now follow live updates
  • Codebase updated to .NET 10 runtime
  • HTTP tokens are now accepted via the Authorization: Bearer <token> header
  • Many other bugfixes, secfixes, and improvements...

Technitium is pretty great. Hope everyone enjoy the release :)

 

There is a recently discovered critical vulnerability that affects all Matrix homeservers of the Conduit lineage. If you're using a Rust-based Matrix server (which are basically Conduit and forks), please urgently upgrade to the following versions:

If you're not able to upgrade right now, you should urgently implement this workaround in your reverse proxy.

Attackers exploiting this flaw can arbitrarily kick any user out of a room, join rooms unauthorized on the same server, and can also ban same-server users. They effectively constitute a severe denial of service from an unauthenticated party, and it has been exploited in the wild.

 

Technitium DNS Server (TDNS) has gotten a new release with many awesome features: TOTP authentication, an upgraded .NET library, and many security and performance fixes.

But most important of all, it now supports clustering. A long-awaited feature, this allows Technitium to sync DNS zones and configurations across multiple nodes, without needing an external orchestrator like Kubernetes, or an out-of-band method to replicate underlying data. For selfhosters, this would enable resilience for many use cases, such as internal homelab adblocks or even selfhosting your public domains.

From a discussion with the developer and his sneak peek on Reddit, it is now known that the cluster is set up as a single-primary/multiple-secondary topology. They communicate via good-old REST API calls, and transported via HTTPS for on-the-wire encryption.

To sync DNS zones (i.e. domains), the primary server provisions the "catalog" of domains, for secondary ones to dynamically update records in a method known as Zone Transfers. This feature, standardized as Catalog Zones (RFC9432), were actually supported since the previous v13 release as groundwork for the current implementation.

As an interesting result, nodes can sync to a cluster's catalog zone, as well as define their own zones and even employs other catalog zones from outside the cluster. This would allow setups where, for example, some domains are shared between all nodes, and some others only between a subset of servers.

To sync the rest of the data such as blocklists, allowlists, and installed apps, the software simply sends over incremental backups to secondaries. The admin UI panel is also revamped to improve multi-node management: it now allows logging in to other cluster nodes, as well as collating some aggregated statistics for the central Dashboard. Lastly, a secondary node can be promoted to primary in case of failures, with signing keys also managed within for a seamless transition of DNSSEC signed zones.

More details about configuring clusters is to be provided in a blogpost in the upcoming days. It is important to note that this feature only supports DNS stuff, and not DHCP just yet (Technitium is also a DHCP server). This, along with DHCPv6 and auto-promotion rules for secondaries, is planned for the upcoming major release(s) later on.

As a single-person copyleft project, the growth of this absolute gem of a software has been tremendous, and can only get better from here. I personally can't wait to try it out soon

Disclaimer: I'm just a user, not the maintainer of the project. Information here may be updated for correctness and you can repost this to whatever

66
submitted 8 months ago* (last edited 8 months ago) by stratself to c/selfhosted@lemmy.world
 

Hi all, I made a simple container to forward tailscale traffic towards a WireGuard interface, so that you can use your commercial VPN as an exit node. It's called tswg

https://github.com/stratself/tswg

Previously I also tried Gluetun + Tailscale like some guides suggested, but found it to be slow and the firewall too strict for direct connections. Tswg doesn't do much firewalling aside from wg-quick rules, and uses kernelspace networking which should improve performance. This enables direct connections to other Tailscale nodes too, so you can hook up with DNS apps like Pi-hole/AdguardHome.

I've shilled for this previously, but now I wanna promote with an actual post. Having tested on podman, I'd like to know if it also works on machines behind NATs and/or within Docker. Do be warned though that I'm a noob w.r.t. networking, and can't guarantee against IP leaks or other VPN-related problems. But I'd like to improve.

Let me know your thoughts and any issues encountered, and thank you all for reading

 

Hi all. Per the title, I'm looking for something that:

  • Can run as an unprivileged user inside a container

  • Allows OpenID Connect authentication for a multiuser setup

  • Doesn't take hostage of my CPU

Homarr and Dashy are featureful solutions, but they can't run unprivileged in docker. Dashy closed this issue, but in fact it's not resolved. Meanwhile Homarr does work with UID/GID env vars, but starting as root and dropping capabilities is not the same as defining user: 1234:1234 from the get-go. Furthermore, they are really heavy node apps, which kinda deter me from deploying.

I neither wanna use my reverse proxy with forward auth or having an extra oauth2-proxy container, so Organizr (using forwarded auth headers) or Homer/Homepage/bunch of static pages behind a reverse proxy is out of scope.

Feature-wise I'm just looking for a beautified link keeper, preferably with multiple dashboard mapped to different user groups (ideally it could be done via custom OAuth metadata/claims). Fancy plugins like RSS and weather are not needed, but appreciated.

With all that said (and sorry if I'm too choosy), is there a current solution that fits the bills above? My IDP's UI is quite rudimentary, but I can resort to using it as a "homepage". I wanna thank in advance for any guidance

P/S: Seems like most dashboards fall into two categories - bloated fancy apps, or dead simple frontpages. It'd be nice to have something inbetween.

view more: next ›