Goofed Home

suggestions to improve appreciated!

i download it at beginning of the week, convert to ical, a bit inconvinient, thinking of writing a script to automate it

Still the same, a starter home page.

Here are some cool examples I was looking at:

https://github.com/zardoy/minecraft-web-client — Minecraft in your browser, complete with connections to servers.

https://github.com/inolen/quakejs — quake 3 in your browser, has multiplayer as well.

Any other good examples? or good lists?

probably also selfhosted.

Here is a link do selfhosting it: https://github.com/TeamHypersomnia/Hypersomnia/blob/master/README_SERVER.md#docker-setup

I know wikis have been discussed here before, but I wanted to add my two cents after shopping around for a wiki at work and for personal use.

Obsidian

Pros

• plain text storage format
• great at gathering disorganized thoughts without imposing a rigid structure

Cons

• closed source
• many features that arguably define a wiki are either absent or paywalled, like easy sharing, collaboration, and versioning

Mediawiki

Pros

• it’s the wiki. Everyone’s used and possibly edited a Wikipedia page.
• version history
• close to Obsidian in terms of “write now, organize later”
• Probably the nicest-looking FOSS wiki platform out of the box
• a lot of the features that Obsidian paywalls are built in, like multi user support and version history

Cons

• Articles not stored in plain text
• Has its own markup. Granted Mediawiki predates Markdown but the table syntax is horrendous. The Mediawiki help page on the matter actually tries to dissuade you from using tables and notes that the markup is ugly.
• Extensions are annoying to install
• Absolutely zero access control. You can even edit other people’s user pages. There’s no way to hide sections of a wiki from the public or from particular groups of users.
• It tries to be all things to everyone. While this makes it versatile, it also means doing a particular thing probably requires knowledge of CSS or Mediawiki’s own templeting syntax. Sometimes I just want to have an info box that doesn’t clutter the source code of a page.

Dokuwiki

Pros

• Access control finally!
• Plain text files
• Easy to create namespaces, which Mediawiki also has but doesn’t want you to go crazy making your own.
• While it’s not Markdown, the markup is nicer than Mediawiki IMO. The table syntax at least is miles better

Cons

• Uglier than sin. Yes even many of the templates (themes) on offer aren’t much better. The Bootstrap 3 template seems particularly popular, and while it’s a marked improvement in most areas, like a lot of frontends that use those bootswatch pallets there are dusty corners that don’t work, like black text on a black background.
• Some stuff like tags and moving pages have to be achieved via plugins. Seriously you can’t even rename a page?
• Mutilates article titles. Makes everything lowercase and replaces non alphanumeric chars with underscores (or something else configurable).

Bookstack

Pros

• It looks good I guess. Haven’t spent much time with it.
• Yay markdown!
• Also has access control

Cons

• Also not plain text
• remember earlier when I talked about “write now, organize later”? Bookstack holds a gun to your head and forces you to use its shelf>book>chapter>page organization system. I know some people thrive under this limitation, but I don’t.

Other wikis I’ve tried but not to the same extent

Wiki.js

IDK, I don’t know much about this one, but don’t like the workflow of making new pages.

Gollum

Really simple, which is both good and bad.

An Otter Wiki (the article seems to be part of the name)

A lot like Gollum. Doesn’t indicate when you link to a nonexistent page. No support for article tags.

Pepperminty wiki

Looks cool but it’s abandoned

Tiddlywiki

Steep learning curve but pretty versatile. It’s a single HTML file so you can host it on something like Neocities. Really rudimentary search functions

A little bit of both. I ran a private wiki for writers to collaborate on for a project. I was doing other tech stuff for the team so it was my job to deal with it. Keeping it updated was a chore and actually using it was finicky.

For example, there was an issue we ran into where we wanted a dynamic table that pulled from other pages. Think of a shopkeeper inventory or something similar where each item was another page. Displaying an item worked fine the first time you pulled it, but if you updated the item’s page it wouldn’t push that to any page it’s displayed on. We ran into issues like this constantly. Some solutions worked, others didn’t.

After a year or so we migrated to something else. It’s free and it’s great that it exists, but it just has a roughness to it that we didn’t have the resources to deal with.

UPDATE:

I see Bookstack mentioned a lot, so I decided to try installing it. I took the better part of a day and I still can’t get it working. Pity since it looks a lot nicer than Dokuwiki and has access control unlike Mediawiki.

An informative YT channel I found. I’m sure many people here might already know, but I found it helpful and it makes the comm a good resource for newer folks looking to get a handle on what all these tools do and how they will use them in their selfhosting.

Cgroups is not a really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resources limiting (among other things).

With respect, I think you misunderstand what gvisor does and containerization in general. cgroups2 is the isolation mechanism used by most modern Linux containers, including docker and lxc both. It is similar to the jail concept in BSD, and loosely to chroot. It limits child process access to files, devices, memory, and is the basis for how subprocesses are secured against accessing host resources without the permission to do so.

Gvisor adds more layers of control over this system by adding a syscall control plane to prevent a container from accessing functions in the host’s kernel that might not be protected by cgroups2 policy. This lessens the security risk of the host running a cutting-edge or custom kernel with more predictable results, but it comes with caveats.

Gvisor is not a universally “better” option, especially for homelab, where environment workloads vary a lot. Gvisor comes with an IO performance penalty, incompatibility with selinux, and its very strength can prevent containers from accessing newer syscalls on a cutting edge host kernel.

My original comment was that ultimately, there is no blanket answer for “how secure is my virtualization stack”, because such a decision should be made on a case-by-case basis. And any choice made by a homelabber or anyone else should involve some understanding of the differences between each type.

Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, bit arent even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces significantly more important for these containers’ security.

GVisor helps with one of the main risks in a container setup which is the shared kernel by hosts and guests. I understand it comes with a performance penalty (and I didnt know it was incompatible with SELinux), but that does change my original point that GVisor is a security improvement to default Docker. I understand there is more nuance, even when I wrote my original comment I understood (just like any other security feature) it cant be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: Kernel vulnerabilities and privilege escalation.

I researched cgroups2 more and I still dont understand why you brought it up in the first place. Cgroups2 and gvisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk DoS attacks) by controlling access to some system resources (io, devices, cpu, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gvisor because it is mostly just a drop-in replacement container runtime which doesnt need setup to be used.s

Now for a different container runtime which provides significantly more features (than gvisor) with less downsides (if configured correctly for a specific workload), Sydbox provides syd-oci which id an application kernel runtime which uses a permission config file to create a sandbox, isolating using namespaces, seccomp, landlock, and more. It can sandbox in many different categories (often times leveraging multiple features to provide a multilayer sandbox), you can see the categories at the syd manpage. The biggest downside is that you must really understand what your container application needs otherwise it will prevent it from running. It is a “secure by-default” sandbox which can be softened through config.

I have a 56 TB local Unraid NAS that is parity protected against single drive failure, and while I think a single drive failing and being parity recovered covers data loss 95% of the time, I’m always concerned about two drives failing or a site-/system-wide disaster that takes out the whole NAS.

For other larger local hosters who are smarter and more prepared, what do you do? Do you sync it off site? How do you deal with cost and bandwidth needs if so? What other backup strategies do you use?

(Sorry if this standard scenario has been discussed - searching didn’t turn up anything.)

So being encrypted before transmission and at rest isn’t enough simply because someone at backblaze can send the encrypted files out to you on a HDD……..

lol

Nice ragebait.

With this kind of mentality, nobody will ever migrate and one will have to deal with Discord’s horrible terms and conditions

The only alternative is to willingly leave over a hundred communities, some of which I have strong ties to, and never interact with the majority again.

That’s a big ask.

I run Home Assistant in a virtual machine on my home server. Sometimes I need to restart it and I’m not always in a position to SSH or VNC in. Is there anything out there that would allow me to do this quickly?

Not looking for a workaround but thanks

OK now we’re talking! Thanks.

yep… I write all my papers in Google because I can access the files anywhere, and nothing beats PaperPile for referencing yet.

I recall spreadsheets being particularly painful on mobile when I’d try to select multiple rows and it would select way more at a time but would need to fouble-check that or find a screen recording if I made one at the time.

The main issues is there was a bug where if there is an open session for a document in Collabora (including dead sessions say from mobile) and that Collabora server is shut down in the wrong order, then all changes including if you click “Save” will be lost. A bug was opened for this and closed by making sure the servers shut down in the correct order, but I don’t know if that fixes cases where the servers a hard shutdown.

From time to time I like to review my network to see where I can tighten up. Review logs, check out the landscape, and make sure there are no gaps. Today, I have some downtime, so I figured it’d be a good for it. Since I am not a certified IT professional, this is what I have cobbled together reading, and seeing what others have done. I’d like to bounce this off you guys who are more experienced than I and get your impressions. If you have any recommendations, I’m always down to be schooled.

So if you’d like to participate in my audit, I have a home network as follows:

• Modem receiving IP from ISP. Modem to router. Router to stand alone pfsense firewall. Router has a 54 character complex password for WiFi. There are no guest provisions for WiFi.
• Pfsense firewall with pfblockerng & suricata running on both lan and wan, both with a full array of rules/feeds updated daily. pfsense has tailscale as an overlay vpn. Server traffic and PC traffic have their own VLAN provided by pfsense. My approach is to deny all until something complains and address that on a case by case basis. Additionally ntopng is utilized for traffic analysis. IPv6 is disabled.
• Server running Tailscale as an overlay VPN, UFW deny all posture, and fail2ban with an aggressive posture. Server has been hardened against Lynis spec where applicable. Not all recommendations apply to my server. Server is utilizing host deny/host allow and SSH keys.
• Server is utilizing containers for services.
• Server is using Cloudflare tunnel/zero trust.
• Server and pfsense communicate via Tailscale encrypted tunnel. PC/Phone/mobile device can communicate with pfsense via Tailscale.
• Server services are accessed via https.
• PC connected to pfsense firewall with same rules as server. PC is using a VPN with Cloudflare 1.1.1.¹⁄₁.0.0.1 for DNS queries. Firefox is using 1.1.1.¹⁄₁.0.0.1. Settings for Firefox are the strictest for Enhanced Tracking Protection, and DOH. HTTPS-Only mode enabled. PC is also running a soft firewall.
• All other devices such as phones, laptops, and tablets run a VPN with Cloudflare 1.1.1.¹⁄₁.0.0.1 for DNS queries.
• IoT devices are isolated. Phones are isolated. Smart TVs are isolated.

How secure would you say this network is and give any recommendations to further harden the network besides keeping up with current updates, monitoring and auditing logs.

Thanks

You’re ahead of an alarming number of my colleagues by just trying until you can get it working then documenting things

I have to document. At 71, with a TBI, my brain is not what it used to be. Sometimes I don’t even remember what I had for breakfast. LOL

Ever since Readarr was officially discontinued, many forks and replacements have popped up. I’m currently running pennydreadful/bookshelf, which seems to be chugging along. Faustvii/Readarr is also around but seems to not be actively meaintained??

There’s also Chaptarr, which looks promising, but I’ve heard concerns about it being vibe-coded and such (see rreading-glasses: “I do not endorse the vibe-coded Chaptarr project.”). Does anybody know to what extent this is true, and what the code quality is like?

??

Caliber web isn’t two separate applications, it’s a calibre-compatible database served via http. There is no desktop “calibre” involved.

There is integrated koreader sync, though.

Yep! for a while I deployed Calibre-Web alongside Calibre in a ‘books’ compose.yaml stack using Docker. I used volume mounts to expose my library to both containers. The main thing to be cautious of is that you don’t write to the db from both C and CW at the same time (which could result in corruption). Some folks spin up/down Calibre as-needed, but I had them both running and was just mindful. I personally ended up switching from C+CW to Calibre-Web Automated and fully removing Calibre. I’m able to do everything from CWA that I was doing in both previously. FWIW if you are managing devices (e.g., family, etc.), Kobo devices + Kobo sync via CW/CWA is wonderful for usability (books show up on devices ‘natively’).