Just some Internet guy

He/him/them 🏳️‍🌈

  • 0 Posts
  • 98 Comments
Joined 1 year ago
Cake day: June 25th, 2023

  • I believe you, but I also very much believe that there are security vendors out there demonizing LE and free stuff in general. The “more expensive equals better, more serious” thinking is unfortunately still quite present, especially in big corps. Big corps also seem to like the concept of having to prove yourself with a high price of entry, they just can’t believe a tiny company could possibly have a better product.

    That doesn’t make it any less ridiculous, but I believe it. I’ve definitely heard my share of “we must use $sketchyVendor because $dubiousReason”. I’ve had to install ClamAV on readonly diskless VMs at work because otherwise customers refuse to sign because “we have no security systems”. Everything has to be TLS encrypted, even if it goes to localhost. Box checkers vs common sense.



  • Neither does Google Trust Services or DigiCert. They’re all HTTP validation on Cloudflare and we have Fortune 100 companies served with LetsEncrypt certs.

    I haven’t seen an EV cert in years, browsers stopped caring ages ago. It’s all been domain validated.

    LetsEncrypt publicly logs which IP requested a certificate, that’s a lot more than what regular CAs do.

    I guess one more to the pile of why everyone hates Zscaler.


  • That’s more of a general DevOps/server admin steep learning curve than Vaultwarden’s, to be fair.

    It looks a bit complicated at first as Docker isn’t a trivial abstraction, but it’s well worth it once it’s all set up and going. Each container is always the same, and always independent. Vaultwarden per se isn’t too bad to run without a container, but the same Docker setup can be used for say, Jitsi which is an absolute mess of components to install and make work, some Java stuff, and all. But with Docker? Just docker compose up -d, wait a minute or two and it’s good to go, just need to point your reverse proxy to it.

    Why do you need a reverse proxy? Because it’s a centralized location where everything comes in, and instead of having 10 different apps with their own certificates and ports, you have one proxy, one port, and a handful of certificates all managed together so you don’t have to figure out how to make all those apps play together nicely. Caddy is fine, you don’t need NGINX if you use Caddy. There’s also Traefik which lands in between Caddy and NGINX in ease of use. There’s also HAproxy. They all do the same fundamental thing: traffic comes in as HTTPS, it gets the Host header from the request and sends it to the right container as plain HTTP. Well it doesn’t have to work that way specifically but that’s the most common use case in self hosted.

    As for your backups, if you used a Docker compose file, the volume data should be in the same directory. But it’s probably using some sort of database so you might want to look into how to do periodic data exports instead, as databases don’t like to be backed up live since the file is always being updated so you can’t really get a proper snapshot of it in one go.

    But yeah, try to think of it as an infrastructure investment that makes deploying more apps in the future a breeze. Want to add a NextCloud? Add another docker compose file and start it, Caddy picks it up automagically and boom, it’s live and good to go!

    Moving services to a new server is also pretty easy as well. Copy over your configs and composes, and volumes if applicable. Start them all, and they should all get back exactly in the same state as they were on the other box. No services to install and configure, no repos to add, no distro to maintain. All built into the container by someone else so you don’t have to worry about any of it. Each update of the app will bring with it the whole matching updated OS with the right packages in the right versions.

    As a DevOps engineer I love the whole thing because I can have a Kubernetes cluster running on a whole rack and be like “here’s the apps I want you to run” and it just figures itself out, automatically balances the load, and if a server goes down the containers respawn on another one and keep going as if nothing happened. We don’t have to manually log into any of those servers to install services to run an app. More upfront work for minimal work afterwards.
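The backup caveat in the comment above (a live database file cannot simply be copied and still be expected to open cleanly) is what the following script addresses. It is an added example, not code from the comment’s author or from the Vaultwarden project. It assumes the default Vaultwarden backend, SQLite, whose online backup command (`.backup`) produces a consistent snapshot while the service keeps running; the data directory, backup directory and retention count are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not code from the comment above or from the Vaultwarden project.
# Consistent export of a live SQLite database (Vaultwarden's default backend)
# plus rotation of old exports. Paths below are assumptions for a typical
# docker compose setup with a bind-mounted data directory.
set -eu

DATA_DIR="${DATA_DIR:-./vw-data}"        # bind-mounted volume (assumption)
BACKUP_DIR="${BACKUP_DIR:-./backups}"    # where exports are written (assumption)
KEEP="${KEEP:-14}"                       # number of exports to retain

# Take a consistent snapshot with SQLite's online backup command instead of
# cp on a file that is being written to. Prints the path of the new export,
# or removes it and fails if the copy does not pass an integrity check.
export_db() {
    db="$1"; dir="$2"
    mkdir -p "$dir"
    out="$dir/db-$(date -u +%Y%m%dT%H%M%SZ).sqlite3"
    sqlite3 "$db" ".backup '$out'"
    if [ "$(sqlite3 "$out" 'PRAGMA integrity_check;')" != "ok" ]; then
        rm -f -- "$out"
        return 1
    fi
    printf '%s\n' "$out"
}

# Keep only the newest $2 exports in directory $1. File names embed a UTC
# timestamp, so reverse lexicographic order is newest-first.
rotate() {
    dir="$1"; keep="$2"
    ls -1 "$dir"/db-*.sqlite3 2>/dev/null | sort -r | tail -n "+$((keep + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
}

# Usage: RUN_BACKUP=1 sh backup.sh   (guarded so sourcing the file has no side effects)
if [ "${RUN_BACKUP:-0}" = 1 ]; then
    export_db "$DATA_DIR/db.sqlite3" "$BACKUP_DIR"
    rotate "$BACKUP_DIR" "$KEEP"
fi
```

Run it from cron or a systemd timer and ship the export directory off the box; the export is a plain SQLite file, so restoring is copying it back into the data directory while the container is stopped. For a MySQL or PostgreSQL backend the same structure applies with `mysqldump` or `pg_dump` in place of `.backup`.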




  • IMO the biggest attack vector there would be a Minecraft exploit like log4j, so the most important part to me would be making sure the game server is properly sandboxed just in case. Start from the point of view of: the attacker breached Minecraft and has shell access as that user. What can they do from there? Ideally, nothing useful other than maybe running a crypto miner. Don’t reuse passwords obviously.

    With systemd, I’d use the various Protect* directives like ProtectHome, ProtectSystem=full, or failing that, a container (Docker, Podman, LXC, manually, there’s options). Just a bare Alpine container with Java would be pretty ideal, as you can’t exploit sudo or some other SUID binaries if they don’t exist in the first place.

    That said the WireGuard solution is ideal because it limits potential attackers to people you handed a key, so at least you’d know who breached you.

    I’ve forgotten Minecraft servers online and really nothing happened whatsoever.
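The systemd approach in the comment above, as an added example that is not the commenter’s own unit file: a script that writes a sandboxed service unit and then asks systemd to score it. It goes one step further than the ProtectSystem=full mentioned above by using ProtectSystem=strict with an explicit ReadWritePaths for the world directory, so a compromised Java process can write nowhere else. The service user, install path and JVM flags are assumptions; the syscall filter is a starting point and should be checked against the server’s own behaviour with systemd-analyze and the journal.

```shell
#!/bin/sh
# Added example, not from the comment above: a hardened systemd unit for a
# Minecraft server, written by a function so it can be reviewed, installed
# and scored in one step. User, paths and JVM flags are assumptions.
set -eu

# Write the unit file to $1. The Protect*/Restrict* directives limit what a
# compromised Java process can reach; each is documented in systemd.exec(5).
write_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Minecraft server (sandboxed)
After=network-online.target
Wants=network-online.target

[Service]
User=minecraft
Group=minecraft
WorkingDirectory=/srv/minecraft
ExecStart=/usr/bin/java -Xms2G -Xmx4G -jar server.jar nogui
Restart=on-failure

# Filesystem: the whole OS is read-only except the world directory.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/srv/minecraft
PrivateTmp=yes
PrivateDevices=yes

# No privilege gain even if a SUID binary is reachable.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes

# Kernel and namespace surface.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Left off on purpose: the JVM's JIT needs writable+executable pages.
MemoryDenyWriteExecute=no

[Install]
WantedBy=multi-user.target
EOF
}

# Returns 0 when the unit at $1 sets every directive named in $2 (space separated),
# which makes it easy to assert that a hardening baseline was not dropped by an edit.
has_directives() {
    for d in $2; do
        grep -q "^$d=" "$1" || return 1
    done
}

# Usage: INSTALL_UNIT=1 sh minecraft-unit.sh   (guarded so sourcing has no side effects)
if [ "${INSTALL_UNIT:-0}" = 1 ]; then
    write_unit /etc/systemd/system/minecraft.service
    systemctl daemon-reload
    # Prints an exposure score for the unit; lower is better. Re-run after each change.
    systemd-analyze security minecraft.service
fi
```

After installing, `journalctl -u minecraft.service` will show any syscall or path the filters blocked, which is the signal to widen ReadWritePaths or the SystemCallFilter rather than to loosen the whole unit.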



  • You can’t, because normies don’t care about tech other than how it benefits them directly in some way. They care about the experience they get and doing the same thing everyone does because normies are like sheep.

    Normies barely even get how emails work and it’s been like over 40 years. They know if they sign up for Gmail it’s free, they get a ton of space and an @gmail.com address. That’s it.

    And even then, people looked at me weird back in 2007 when I made my Gmail account because “everyone uses Hotmail, why wouldn’t you use Hotmail, everyone uses it so it must be the best”. Heck just yesterday, the teller at the mechanic shop looked at me weird because I used $storename@max-p.me to place the online order, they were utterly confused. They thought I made a Gmail or Outlook for all of those aliases. People don’t think about using emails, they think about using Gmail or Hotmail/Outlook.

    Same with Reddit, it didn’t become popular until normies felt like they were missing out by not being on Reddit, and arguably that was Reddit’s downfall flooding the site with the same repeated arguments and opinions over and over. And for that too, I’ve been told “my Reddit looks weird” because I use a third-party app. People want to use Reddit so they download Reddit.

    Normies don’t use Twitter because they want to microblog, they use Twitter because their idols are on Twitter and they want to mimic them. If Taylor Swift opened a Mastodon account and posted exclusively there, we’d get a massive spike of users. And they all would want to register on the same instance as her and it would be the only viable instance to them.

    They just want to fit in and do the same as the others, using the same services and same apps and everything. “Influencers” are everything these days.

    The best way to get normies on the Fediverse is IMO, endorsing Threads and BlueSky, which will effectively force them to integrate because those platforms integrate.




  • If your stuff is all Docker then yeah, immutable makes sense as it makes the entire box declarative and immutable: you can get back the exact same operating Docker environment on the server, and then you can get back the exact same Docker workloads going with the Docker compose configurations.

    If you ever need to run stuff you’d run on Debian, you can just shove it in a Debian container.

    That said, if most of the stuff is containers, the risk of just the core Debian breaking is fairly low. Pick whatever is easiest for you to deal with based on your needs. Immutable distros have a bit of a learning curve.


  • From a user’s perspective, yes, but as an instance admin that’s also a DMCA nightmare.

    That’s a great example of the eternal fight between mods and users that ultimately drives admins away: users feel entitled to post that stuff, and mods have to take it down. The user is anonymous and possibly from a country with very lax laws, so they’re protected. The admins have to pay for the servers with real money and their real identity, and are thus also an easy target for lawyers.


  • Porn is often really high traffic, which is expensive to run. But a lot of people are weirdos too and tend to push it to the border of legality, which can be challenging for admins if your users keep posting lolis even if it’s not allowed. And they’ll scream at you “it’s not technically illegal”.

    The other thing people do a lot with porn is post stuff from sketchy sources or repost paid content for free stealing from OnlyFans pages and the big porn studios. And lately, AI generated porn of non-consenting celebrities. And of course now the increasing pressure to make sure to keep minors out or heaven forbid they’re shown trans porn.

    It’s expensive to store all that porn, it’s insanely expensive to distribute it, you need lawyers on standby for the firehose of DMCA reports, you need a solid team of moderators scrubbing the site as fast as possible for CSAM, or run AI tools that need a lot of fast hardware to run at any decent speed (you need to analyze every frame of a video, for example).

    It’s just expensive as fuck overall and that’s why a lot of the porn sites have the sketchiest ads ever, and that’s because you can’t run regular ads as most advertisers don’t want to be shown next to questionable content.

    On the fediverse you have the added challenge that ideally, you scrub things before they get federated due to federation bugs. Or you risk being defederated which you probably will anyway as most admins just don’t want to deal with it.