Extrapolating the doot load should be XXXL

Dooting too hard, it would seem

Get one of those floor scooters at work and fold yourself up to get your max shrimp in🦐🦐🦐🦐🦐🦐

Top tips for MAXXXXing your SHRIMPIN:

• Try curling up shrimp-esque in bed
• Roll on your chair to the grocery store to never break your shrimp streak

Hope they help you achieve your shrimp maxxing goals bb~

I’d def pref the mods to nuke a few extra comments than let the tankies work their way in.

They thrive on being on the edge of acceptable until they can drive a “holdomir didn’t happen, Ukrainians just forgot how to eat” into a community

Edit: that edge of acceptability they skirt to get into communities makes it hard for people to discern if just close or it’s actually proto-tankie-posting

So you don’t need that set up. Moca is well designed to be Omni-directional.

You do need to put a moca filter in that shitass box between the cable that comes from the outside world and whatever hellsplitting is going on in there. That’s to keep your personal moca network inside so peeps can’t snoop (it’s also encrypted) or cause interference elsewhere.

Note that you may need to update your splitters and coax wall keystones to be 1+ GHz friendly for Moca. I found where I am has “black” rings on the coax wall keystones that only did the regular cable freq and Moca failed to work. Replaced with modern “blue” rings that do the Moca freq range. And splitters involved in the routing too.

I have the line in inside, in a panel. It splits 3 ways, and I use that 3 way splitter as a “dumb switch”, replaced with a Moca friendly one. Moca filter between splitter and line in.

I have modem/router in living room, connected to a switch. Switch also connects to a Moca adapter. Computer in bed room, connected to Moca adapter. I get ballin’ 1 Gbps up and down at the same time (within my network of course, real internet speeds are ass

May these facts I typed from memory help you achieve your networking dreams :)

Arch’s design is key for user devices - it gets you the fixes you need now with good enough guard rails that usually it’s all good!

But that’s not the design you want for a 24/7 server that’s likely headless. You want that server to have the security updates and to get them installed asap without worry about stability. Literally for years now I’ve never had unattended upgrades cause any issue, and I’ve taken that system from 11 to 13 now. And I’ll look at in a month (maybe) while it continues to do DNS and serve up vidz

Debian on a laptop would be akin to a skeleton waiting on food/water; you’ll get that fix for sleep in 14 (maybe). It’s workable - just like Arch is workable for a server - but it’s just not the ideal role.

Both designs exist for a reason though, and that’s cause they both have their strengths!

Reading that is wild

Why are you doing Arch on a server? You want to tinker forever and read the update notes like a hawk lest the server implode forever?

Arch isn’t gonna be noticeably leaner than Debian.

Get Debian, install docker and/or podman, set unattended upgrades, and then install Incus if you need VMs or containers down the line. You can stick on ZFS and it’ll be fine, you already have BTRFS for basic mirrors. Install Cockpit and you’ll have a nice GUI. Try not to think you have to fiddle with settings, the maintainers for each package/service have set it so it works for most people (and we’re most people!); you’ll only need to intervene on an handful of package configs. All set and it’s not proprietary.

One of the best uses of encryption is that you can pull drives that die and not have to try to wipe them as they die or smash them. They’re encrypted so it’s just gibberish. Mostly the reason to encrypt.

I auto-unlock with two things: a USB drive I put in the computer that it looks for and another computer on the network that hosts an unlock file. I’m not defending against nation-states or the Gestapo, regular rubes won’t notice the pi zero hidden that hosts the network file. USB drive is for just-in-case so I don’t have to type that long ass password ever.

I didn’t try hard, but I’m not sure how to make auto-unlocking more secure.

I put a tiny NAS in my parents’ house (cheapest ARM synology 2-bay). It backs up their computers (a first, of course, but the photos are safe now!) and my server sends its TBs to there too. Upfront is large because you need to put in two big drives plus a lil NAS. But no $/mo, thanks parents.

For over a few TB Hetzner and the like really hit hard (€21/mo for 10TB at Hetzner storage box). Depends how much disposable income you have/want to ensure data is good. Now-a-days €21/mo is like 1 Disney/Hulu/bullshit, that price is obviously over inflated but it makes you feel less bad about spending it on cold, hard, remote backups of your big ass data.

It may not be applicable for you, but to get through the anxiety of somewhere with a clear order but it’s not posted anywhere like the canteen, I scope a food I want then channel this energy:

And focus on I want the food I want like I’m a gremlin that requires mango more than anything (to give me the energy and will to do the talk to get the food)

And that usually ends up with me bothering people awkwardly but once I get through it I’m set. Like just hitting whoever works there with “I want sandwich, how?” and then they thus far have always just told me what to do usually in full, so it’s paid off

The mango rev is key for me, again may not be your key - but maybe you are a mango gremlin too

Sorry about the lack of public spaces in this society tho it real

Ignore the peeps saying not to use a regular pci-e card. Old recc, ASmedia ones are ideal good for 4-6 ports. 8+ you need to dabble in LSI shenanigans. The ASmedia ones use way less power and are worth it if you don’t need 8+ ports. You get all the features you want, they look and act like real SATA ports.

Check these guides (not just applicable to unraid, I don’t use unraid, but they cater towards a “ez straightforward” crowd so they make relatively concise and vetted info dumps):

https://forums.unraid.net/topic/102010-recommended-controllers-for-unraid/

https://forums.unraid.net/topic/41340-satasas-controllers-tested-real-world-max-throughput-during-parity-check/

There’s only one rule, no room for answers

Yes that tracks with how OIDC setup works with my other services (you give the container the OIDC links and shared secrets so it knows how to talk to the OIDC and trust it).

I am digging this, thanks for keeping it updated and improving it!

I see that you say it’s feature complete / no user stuff; but it’d really mesh well if it took OIDC authentication. Don’t need it to make users or anything, just instead of the password popup the OIDC provider is asked for confirmation that whatever user registered with the OIDC is logged in. That’d let me leverage extra 2FA protection from the OIDC provider and juice on that one-login life.

Now I have no experience making OIDC crap work nor how it even works behind the scenes, so I can’t help :( sorry; just wishful thinking.

Also saw on your github - hope our newly shit-out gestapo don’t bother you!

Beach bunny’s emotional creature is legitimately fire tho I mean it’s srs bsns prom queen, like for tame impala if every song on that album was mixed with sexy back https://youtu.be/4xW5dqEZQu0

Not if you annotate your data volume with said ‘noexec’ which prevents execution from anything in the data volume. It looks like this, you can slam it on any volume you like - no volumes should have executables in them anyways.

Also I’m pretty sure ‘noexec’ is the default, so that’s by default protected. But I can’t confirm that from a quick search so not 100% on that.

‘/mnt/data:/container/place/it/wants:rw,noexec,nosuid,nodev,Z’

‘rw’ means read/write. You can change it to ‘ro’ for read-only if the volume shouldn’t write to it (maybe a config file).

Z is for selinux that means “only one program can read/write tho this”. You can change it to ‘z’ lowercase in case more than one needs to read/write. Only case I’ve found for little z is crowdsec needing to watch Caddy’s log for blocking.

So overall, the idea is that your volume mounts can’t be used to execute arbitrary binaries AND the image file system is frozen so that arbitrary binaries cannot be loaded into the image (which is by default all executable, a requirement to run anything in it). So if someone was able to hack into an internet-facing container, they won’t be able to load up whatever they want. They’ll be limited to what’s built into the image (which ideally are secure and limited in scope).

As always you store data you want to keep in the volumes section.

With read-only you prevent new binaries from being added in the image space. You can add ‘noexec’ to your volumes/tmpfs preventing binaries to the areas that are writable. Then ideally you are using an image with minimal surface area (e.g., only sh and the exact binaries needed to make it go) and it’s very secure! It’s still plenty secure without a minimal image.

Thanks! This’ll def help me get tooled up for podman :)

Care to share your quartet? I’m just getting into the quads with trixie out - and I haven’t gotten this working yet…

The permissions do seem intense; if you’re getting by without maybe those aren’t quite needed!