I’ve found Authentik’s proxy will break things that don’t support it (like a Jellyfin app; afaik no app supports hitting an Authentik proxy login first). Do you have a way around that? Or are the friends/fam web-browser only unless they get around to the certificate?
If you feel up for answering, what is your use case for wanting to manage your own mTLS?
That statue killed its creator and has veiny balls, it’s got it all
What is your peak bloc car model?
I’d choose the Dacia 1304
There’s still no path for them to get RAM chips better than the already-established DDR5 makers. I don’t see how they’d have stronger leverage with Samsung, SK Hynix, or Micron than the regular RAM chip customers that already do business with the triopoly
They do not have experience manufacturing chips and I do not think they are going to make a chip fab. The timeline is too short. Idk on the RAM is easier to make than CPU claim - it feels like it’s a different goal than CPU so node size comparison is less apt - but for a company that has no experience they’re not gonna shit out a fab in Q2 2026. The fab pros take years to build them.
They do have the manufacturing ability to make DDR5 sticks, people can make them themselves right now - just get a PCB and the chips and put the BGA chips on! So Q2 2026 is fast but doable for their expertise there.
Buuuut we come back to, they’ll need to get RAM chips from the remaining consumer suppliers - which you can’t right now cause some AI bro future bought all the chips with his future money he will surely get in the future.
And so they won’t get any more than someone already in the market could get (Corsair, GSKILL, etc.). Thus, no change for the supply limit. TBH stupid to get into a market while it’s high; I don’t think they’ll be able to profit in time on the scalping prices before RAM prices crash when the AI money evaporates
TLDR: rip gamerz
If you live near IKEA, they have a sleek ass 8 bay charger that closes shut and attaches to a wall. And they sell eneloops (in the name of ladas) but they’re from Japan and were (and still likely are) eneloops. And eneloops are the top tier of the rechargeable batteries.
Edit: forgot ikea ships now, usually with a minimum total, but they do ship now
Btw thanks for asking, I’ve got many dullsters to think about
I am loving OIDC giving a single login for all the things I’ve got going, I see it as a near-essential for adding new services!
Read-only is easy! You just need to confine where the writes happen. You use volumes for stuff you want to remember were written and tmpfs for stuff you don’t want to remember. Tmpfs for /tmp if needed, volume for the DB, good to go. It is super useful for security since only what is included in the container can be executed greatly reducing the attack area. No way to introduce a new excutable to the container! (you set noexec for tmpfs/volumes)
I’ve seen difficult setups like a “work directory” where key files, executables, and temp files go. That structure can’t be secured, avoid that. Basically the temp files go in somewhere that’s not a big pile of a “work directory” - like /tmp - and then that structure once again works!
Of course I wouldn’t say no to an LCARS theme either…
Any plans for OIDC and read-only/non-root/no-cap container running?
I have a USB drive with the key on it. The primary purpose for LUKS for me is so that drives I replace don’t need to be wiped, so I just leave the USB drive in all the time. Makes it so it boots automatically.
If I lived in a place I owned, I’d stash a rpi somewhere deep and have it do network dropbear automatic unlock to protect the data if the server is nicked. Till then it’s yolo
The smlight slzb-mr2 does both and is PoE - makes it more robust. HA comp goes down? Restarts? USB port change and now the passthrough fails? With an independent LAN coordinator the zigbee network is fine. I don’t have threads stuff (yet) but I assume the same applies.
I’ve had no issues, the Ukrainians already got this solved. Get from Ali express (Ukrainians don’t produce them, they’re busy being bombed)
So you don’t need that set up. Moca is well designed to be Omni-directional.
You do need to put a moca filter in that shitass box between the cable that comes from the outside world and whatever hellsplitting is going on in there. That’s to keep your personal moca network inside so peeps can’t snoop (it’s also encrypted) or cause interference elsewhere.
Note that you may need to update your splitters and coax wall keystones to be 1+ GHz friendly for Moca. I found where I am has “black” rings on the coax wall keystones that only did the regular cable freq and Moca failed to work. Replaced with modern “blue” rings that do the Moca freq range. And splitters involved in the routing too.
I have the line in inside, in a panel. It splits 3 ways, and I use that 3 way splitter as a “dumb switch”, replaced with a Moca friendly one. Moca filter between splitter and line in.
I have modem/router in living room, connected to a switch. Switch also connects to a Moca adapter. Computer in bed room, connected to Moca adapter. I get ballin’ 1 Gbps up and down at the same time (within my network of course, real internet speeds are ass
May these facts I typed from memory help you achieve your networking dreams :)
Arch’s design is key for user devices - it gets you the fixes you need now with good enough guard rails that usually it’s all good!
But that’s not the design you want for a 24/7 server that’s likely headless. You want that server to have the security updates and to get them installed asap without worry about stability. Literally for years now I’ve never had unattended upgrades cause any issue, and I’ve taken that system from 11 to 13 now. And I’ll look at in a month (maybe) while it continues to do DNS and serve up vidz
Debian on a laptop would be akin to a skeleton waiting on food/water; you’ll get that fix for sleep in 14 (maybe). It’s workable - just like Arch is workable for a server - but it’s just not the ideal role.
Both designs exist for a reason though, and that’s cause they both have their strengths!
Reading that is wild
Why are you doing Arch on a server? You want to tinker forever and read the update notes like a hawk lest the server implode forever?
Arch isn’t gonna be noticeably leaner than Debian.
Get Debian, install docker and/or podman, set unattended upgrades, and then install Incus if you need VMs or containers down the line. You can stick on ZFS and it’ll be fine, you already have BTRFS for basic mirrors. Install Cockpit and you’ll have a nice GUI. Try not to think you have to fiddle with settings, the maintainers for each package/service have set it so it works for most people (and we’re most people!); you’ll only need to intervene on an handful of package configs. All set and it’s not proprietary.
One of the best uses of encryption is that you can pull drives that die and not have to try to wipe them as they die or smash them. They’re encrypted so it’s just gibberish. Mostly the reason to encrypt.
I auto-unlock with two things: a USB drive I put in the computer that it looks for and another computer on the network that hosts an unlock file. I’m not defending against nation-states or the Gestapo, regular rubes won’t notice the pi zero hidden that hosts the network file. USB drive is for just-in-case so I don’t have to type that long ass password ever.
I didn’t try hard, but I’m not sure how to make auto-unlocking more secure.
I put a tiny NAS in my parents’ house (cheapest ARM synology 2-bay). It backs up their computers (a first, of course, but the photos are safe now!) and my server sends its TBs to there too. Upfront is large because you need to put in two big drives plus a lil NAS. But no $/mo, thanks parents.
For over a few TB Hetzner and the like really hit hard (€21/mo for 10TB at Hetzner storage box). Depends how much disposable income you have/want to ensure data is good. Now-a-days €21/mo is like 1 Disney/Hulu/bullshit, that price is obviously over inflated but it makes you feel less bad about spending it on cold, hard, remote backups of your big ass data.
Ignore the peeps saying not to use a regular pci-e card. Old recc, ASmedia ones are ideal good for 4-6 ports. 8+ you need to dabble in LSI shenanigans. The ASmedia ones use way less power and are worth it if you don’t need 8+ ports. You get all the features you want, they look and act like real SATA ports.
Check these guides (not just applicable to unraid, I don’t use unraid, but they cater towards a “ez straightforward” crowd so they make relatively concise and vetted info dumps):
https://forums.unraid.net/topic/102010-recommended-controllers-for-unraid/
Yes that tracks with how OIDC setup works with my other services (you give the container the OIDC links and shared secrets so it knows how to talk to the OIDC and trust it).
I am digging this, thanks for keeping it updated and improving it!
I see that you say it’s feature complete / no user stuff; but it’d really mesh well if it took OIDC authentication. Don’t need it to make users or anything, just instead of the password popup the OIDC provider is asked for confirmation that whatever user registered with the OIDC is logged in. That’d let me leverage extra 2FA protection from the OIDC provider and juice on that one-login life.
Now I have no experience making OIDC crap work nor how it even works behind the scenes, so I can’t help :( sorry; just wishful thinking.
Also saw on your github - hope our newly shit-out gestapo don’t bother you!
Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?