

Well, it’d only be a deal, if it was very advantageous and good for us, but bad for the US - if they’re really trying to speak his language ¯\_(ツ)_/¯
Former Reddfugee, found a new home on feddit.de. Server errors made me switch to discuss.tchncs.de. Now finally @ home on feddit.org.
Likes music, tech, programming, board games and video games. Oh… and coffee, lots of coffee!
I � Unicode!
I read this as they’re even generating the frames with AI:
The tech demo is part of Microsoft’s Copilot for Gaming push, and features an AI-generated replica of Quake II that is playable in a browser. The Quake II level is very basic and includes blurry enemies and interactions, and Microsoft is limiting the amount of time you can even play this tech demo
While Microsoft originally demonstrated its Muse AI model at 10fps and a 300 x 180 resolution, this latest demo runs at a playable frame rate and at a slightly higher resolution of 640 x 360. It’s still a very limited experience though, and more of a hint at what might be possible in the future.
“We’ve talked about game preservation as an activity for us, and these models and their ability to learn completely how a game plays without the necessity of the original engine running on the original hardware opens up a ton of opportunity.”
No, I don’t think that you’re talking about preservation then. Not even game emulation. You’re talking about game hallucination.
At least we’re constantly told to be ready to act to reroll secrets, etc. and try to automate the change/deployment of changed passwords and such.
Depending on the system you’re working with, this may still be a PITA, but at least we do have plans for even the “problematic” systems and we have probably done this a few times. Although maybe not at this scale, tbh.
So, imagining I were tasked to do that for $hyperscaler in “my” systems… I feel some dread, as even if everything is automated, there’s always something that doesn’t go as planned - but at least I know what can be done in which way and which timeframe is realistic (and which parts will be the most sensitive). If you do not have plans, well… Good luck. You’ll need it.
In reality, it does make OPSEC somewhat harder, if you have to constantly remind yourself to not use WhatsApp, Telegram (LOL), whatever and exclusively use $CustomSignalFork to talk business. Humans make errors.
BUT I really don’t think this is worth the loss of privacy as this is in no relation to the gains, that I can see. Also as I intentionally mentioned Telegram above - it’s hard to use “right” and this problem does already exist today to some extent which makes the bad trade off still worse. I mean, how many people are you really going “to get” with this?
Ok, who of you guys is working with Oracle Cloud and has not yet rerolled all API/Access Keys, passwords and so on? And what company do you happen to work for? ^Just asking for a friend^
Maybe I didn’t search right, but since I found podlet first, while looking for a tutorial, I was lazy and gave it a try. Its result was enough to get me there. Maybe, had I completely read the podlet docs and checked all optional arguments, I could have gotten a perfect result. But that way, I learned better about quadlets.
I’m currently trying to migrate my stack on my VPS from docker to podman. Bonus points if I get it running rootless.
Somehow, podman compose just wouldn’t work with my existing docker compose file. I quickly found out that podman has many options, but quadlets are preferred. It took me a while to understand what they even are and their concept. I did get the idea and the concept from the docs, but everything else was demonstrating how to set up a very simple one (think a hello world container). Or I found some blog posts with ready made complex examples for some random stacks that were way over my head. But a simple tutorial on how to map the fields/parts of a docker compose to a .container, .network or .volume file for my stack consisting of several containers in a few networks with a reverse proxy in front of it? Nope.
In the end I found podlet and used that to convert a docker-compose. While the result wasn’t completely working (e.g. a problem with some environment vars that got passed and switched in a few “layers” that podlet understandably messed up), it was enough to understand all of it with the docs and complete the quadlet. Now I just need to experiment with the rootless part.
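The compose-to-quadlet field mapping described in the comment above, as an added example that is not part of the original post and is not podlet's code. The stack, image names, paths and the helper names `to_container_unit` and `convert` are constructed for illustration; the compose file is assumed to be already parsed into a dict.

```python
# Added illustration: map docker-compose services (already parsed into a dict)
# onto Quadlet .container unit text. All names below are constructed samples.

def to_container_unit(name, svc, named_volumes=()):
    """Render one compose service dict as the text of <name>.container."""
    unit = [f"Description={name} container"]
    for dep in svc.get("depends_on", []):
        # Quadlet generates <dep>.service from <dep>.container
        unit += [f"Requires={dep}.service", f"After={dep}.service"]
    ctr = [f"Image={svc['image']}", f"ContainerName={name}"]
    for net in svc.get("networks", []):
        ctr.append(f"Network={net}.network")   # refers to a <net>.network unit
    for port in svc.get("ports", []):
        ctr.append(f"PublishPort={port}")
    for vol in svc.get("volumes", []):
        src, rest = vol.split(":", 1)
        if src in named_volumes:               # named volume -> <src>.volume unit
            src += ".volume"                   # bind mounts keep their host path
        ctr.append(f"Volume={src}:{rest}")
    for key, val in svc.get("environment", {}).items():
        ctr.append(f"Environment={key}={val}") # values with spaces need quoting
    service = ["Restart=always"] if svc.get("restart") == "always" else []
    sections = [("Unit", unit), ("Container", ctr), ("Service", service),
                ("Install", ["WantedBy=default.target"])]  # user (rootless) target
    return "\n\n".join(f"[{title}]\n" + "\n".join(lines)
                       for title, lines in sections if lines) + "\n"

# Constructed sample stack: a reverse proxy in front of one app container.
# High host ports are used because rootless podman cannot bind ports below
# 1024 by default.
COMPOSE = {
    "volumes": ["appdata"],
    "services": {
        "proxy": {"image": "docker.io/library/caddy:2", "restart": "always",
                  "ports": ["8080:80", "8443:443"], "networks": ["frontend"],
                  "depends_on": ["app"]},
        "app": {"image": "registry.example.com/app:1.0",
                "networks": ["frontend", "backend"],
                "volumes": ["appdata:/data", "./conf:/etc/app:ro"],
                "environment": {"APP_MODE": "production"}},
    },
}

def convert(compose):
    """Return {filename: unit text} for every service in the compose dict."""
    vols = compose.get("volumes", [])
    return {f"{n}.container": to_container_unit(n, s, vols)
            for n, s in compose["services"].items()}

if __name__ == "__main__":
    for fname, text in convert(COMPOSE).items():
        print(f"# {fname}\n{text}")
```

Each referenced network and named volume still needs its own `.network` or `.volume` file (with a `[Network]` or `[Volume]` section) next to the `.container` files, typically under `~/.config/containers/systemd/` for rootless use.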
Currently, my first and foremost pet peeve is, that different distros use different approaches and utilities, but many blog posts or guides don’t tell you what distro they’re for. If you google the problem and find the fourth guide on how to solve it and realize halfway through, that it’s again e.g. for Debian based systems, while you’re running on SUSE or RedHat or Arch or… it can be very frustrating.
~$ sudo apt assessment
I’m currently experimenting if I can convert my stack to rootless podman.
I found in my notes, that
A user-mode networking tool for unprivileged network namespaces must be installed on the machine in order for Podman to run in a rootless environment.
Podman supports two rootless networking tools: pasta (provided by passt) and slirp4netns.
Could this be your problem?
Taken from https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not the home network, so that an attacker has a harder time spreading into your home network (note: that’s only really meaningful, if it’s not a software firewall on that same server…)
Instead of thinking with layers, you should think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.
…But will it run DOOM?
Came to suggest this. I ran into the same problem when I tried to host Jellyfin at home. Also I was fed up with all those certificate warnings, depending on which device I used. Since I was already using pihole in my home network, I just went and looked at all the DNS plugins for certbot to learn which provider allows for easy DNS challenges. Then I researched a bit and stumbled upon a provider that was running a sale - so I got a domain for less than 5 bucks/year.
I set the public A record to 127.0.0.1 and configured certbot to use their API. This domain is now used internally in my network exclusively and I just added some DNS entries for several subdomains in pihole, so that it works for every device at home (e.g. jellyfin.example.com / dockerhost.example.com / proxmox.example.com / …).
When I’m away, I shouldn’t be able to resolve the domain, and even if DNS were hijacked, the TLS certificate will protect me from connecting to $randomServices. Also my router is less restricted, which means that I can just use its VPN server to connect directly to my home network, if I need to access my server or need to troubleshoot things when away.