Goofed Home

Hey there, it’s me again with my cursed project. Last time is said “i basically reinvented Kubernetes”. But the voices won and I legit did.

Last time it was a cursed novelty. A random script made by some autistic dude with too much time on its hand.

Now it’s become its own project, with ecosystem and overpriced .io domain. For no reason other than : It’s cursed, but it works beautifully.

Every Kind is handled by its distinct code. Everything is pluggable, nothing is hardcoded. The next layer of hell is for someone else to write Docker Swarm extensions. Won’t be me.

I am, again, very sorry. Sorry for releasing this thing into the world as a complete, working, product.

And sorry for keeping spamming it. I will stop, i promises (the voices will never)

Ξέρεις την ελληνικά γλώσσα;

No, no hablo Griego.

PodOsef is an MP3-first podcast publishing system: drop MP3s into a folder, it generates HTML + RSS. No DB, the MP3 metadata is the source of truth. Also supports an archive mode that watches a main feed and mirrors episodes. Repo + write-up:

https://meirz.net/2026/02/22/podosef-mp3-first-lightweight-simple-podcast-publishing-system/

Thank you.

After feedback on artwork, one of my friends gave me new artwork for the podOsef. I updated the post and source code.

Hey all,

I’m setting up a homeserver and trying to figure out the best way to access it remotely. I’ve been looking at different solutions, but I’m a little stuck.

I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.

I’m currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn’t work well with accessing services through an app on my mobile device (like for jellyfin music for example.) I did think about just opening up the ports and using a DDNS with a reverse proxy, but is’nt that like a big security risk?

Keep in mind I am no network admin, but I don’t have anything against learning if someone can point me in the right direction.

Also I heard some people say that on proxmox you should use unprivileged containers instead of vms for your services, does that hold up?

Any recommendations for tools or approaches?

That’s a bummer. It’s great for this stuff, don’t need processing power or memory, and I don’t really care if it got nuked for some reason

This is the best option if you don’t want to manage your own VPN server.

Not in there: - https://github.com/dannymcc/bluehood (alpha) - https://github.com/p2r3/convert

Yep. I got an email from them yesterday. My lil box is going from just under 4 USD to 5 USD per month.

Yes but the RSS feed for non-subscribers is just the announcement of the post. I still have to go to the site to read the whole newsletter, which is fine.

I just installed NetBird on a VPS using the Self-Hosting Quickstart Guide. Now I want to connect the VPS using Netbird to another client. When I also use Docker to register the VPS as a Netbird peer the whole network gets messed up because now the server and the client try to manage the network. So how am I supposed to register the VPS as a netbird peer to connect it to other peers?

I’m not quite sure what you are asking but I run the Netbird management containers containers on a server and also run a native client alongside them to have the server itself also perform as a peer. Is that what you are looking to do above?

Yes, but I also want to run the client in a container and the docs recommend to run the container using network_mode: host. And I suspect this creates a conflict in networks. So I want to have Netbird server, Netbird client and Nginx Proxy Manager all in containers share the same network.

An informative YT channel I found. I’m sure many people here might already know, but I found it helpful and it makes the comm a good resource for newer folks looking to get a handle on what all these tools do and how they will use them in their selfhosting.

Cgroups is not a really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resources limiting (among other things).

With respect, I think you misunderstand what gvisor does and containerization in general. cgroups2 is the isolation mechanism used by most modern Linux containers, including docker and lxc both. It is similar to the jail concept in BSD, and loosely to chroot. It limits child process access to files, devices, memory, and is the basis for how subprocesses are secured against accessing host resources without the permission to do so.

Gvisor adds more layers of control over this system by adding a syscall control plane to prevent a container from accessing functions in the host’s kernel that might not be protected by cgroups2 policy. This lessens the security risk of the host running a cutting-edge or custom kernel with more predictable results, but it comes with caveats.

Gvisor is not a universally “better” option, especially for homelab, where environment workloads vary a lot. Gvisor comes with an IO performance penalty, incompatibility with selinux, and its very strength can prevent containers from accessing newer syscalls on a cutting edge host kernel.

My original comment was that ultimately, there is no blanket answer for “how secure is my virtualization stack”, because such a decision should be made on a case-by-case basis. And any choice made by a homelabber or anyone else should involve some understanding of the differences between each type.

Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, bit arent even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces significantly more important for these containers’ security.

GVisor helps with one of the main risks in a container setup which is the shared kernel by hosts and guests. I understand it comes with a performance penalty (and I didnt know it was incompatible with SELinux), but that does change my original point that GVisor is a security improvement to default Docker. I understand there is more nuance, even when I wrote my original comment I understood (just like any other security feature) it cant be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: Kernel vulnerabilities and privilege escalation.

I researched cgroups2 more and I still dont understand why you brought it up in the first place. Cgroups2 and gvisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk DoS attacks) by controlling access to some system resources (io, devices, cpu, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gvisor because it is mostly just a drop-in replacement container runtime which doesnt need setup to be used.s

Now for a different container runtime which provides significantly more features (than gvisor) with less downsides (if configured correctly for a specific workload), Sydbox provides syd-oci which id an application kernel runtime which uses a permission config file to create a sandbox, isolating using namespaces, seccomp, landlock, and more. It can sandbox in many different categories (often times leveraging multiple features to provide a multilayer sandbox), you can see the categories at the syd manpage. The biggest downside is that you must really understand what your container application needs otherwise it will prevent it from running. It is a “secure by-default” sandbox which can be softened through config.

A domain name I was interested in expired in January this year. It was previously registered at Squarespace.com.

Why is it still unavailable to purchase despite being more than a month since its expiry?

Not sure if relevant but I checked the expiry date at: whatsmydns.net/domain-expiration

If it’s not a cooldown period as that other guy said, you may contact the scammer new owner, he will ask for a billion dollars and it’s up to you whether that domain was important enough. Consider finding a new one right now if you can.

Basically many domain providers will hold onto domains for a little while after it expires.

Some like namecheap also advertise the domain names to peddle-man companies that will somehow buy temporary access to the domain after your extortion recall window expires.

To continue the namecheap example, when your namecheap domain expires, it gives you a lapse window where you can pay like double the cost of the domain renewal to reclaim it. If you don’t reclaim it during that window they give it to a middleman whom will somehow buy a 2 or 3 months domain lease for it. They will put it on a “site for sale” broker page and will charge yo easily 100x what you paid for the domain if you wanted it back.

This is wild and a rather unfortunate situation… Ty for sharing.

This is great thank you for this since the next step on my journey is the ARR stack!

Best lf luck, hit me up if you have any questions regarding it 😊

I recently configured forward auth with Authentik and Envoy Gateway and found the process troublesome enough to warrant a post. If you’ve been thinking about doing the same then maybe this post will save some time.

Here are some cool examples I was looking at:

https://github.com/zardoy/minecraft-web-client — Minecraft in your browser, complete with connections to servers.

https://github.com/inolen/quakejs — quake 3 in your browser, has multiplayer as well.

Any other good examples? or good lists?

probably also selfhosted.

Here is a link do selfhosting it: https://github.com/TeamHypersomnia/Hypersomnia/blob/master/README_SERVER.md#docker-setup