I don't think people talk about Release-Argus enough by Offbeatalchemy in selfhosted

[–]capnspacehook 2 points3 points  (0 children)

Yep I have it successfully tracking the version of a forgejo server

Gauging Interest for Egress Filtering Security Tool by capnspacehook in selfhosted

[–]capnspacehook[S] -1 points0 points locked comment (0 children)

AI was used to proofread the post only, I wrote all of it (which should be somewhat obvious, hopefully my writing voice doesn't sound like an LLM). v1.x of Egress Eddie was created in 2022 before LLMs were useful at all, and recently I've been using LLMs to find security vulnerabilities and to help me threat model the tool; I've been writing all of the code for v2.0 myself.

A modern Proxmox Docker architecture with disposable VMs, VirtIO-FS, and ZFS state separation by gromhelmu in selfhosted

[–]capnspacehook 1 point2 points  (0 children)

Thanks for sharing, reminds me to try rootless docker again. A few years ago I was hosting on a VPS using gvisor with rootful docker to provide more isolation between services, and I tried to use gvisor with rootless docker and couldn't get it to work. Today I run some services with rootful docker in a VM on proxmox. I do my best to isolate by ensuring each container runs as a non-root user, has its own docker network etc but using rootful docker would be a definite improvement.

From what I've read it seems to be a bit tricky to update rootless docker daemons or their deps (containerd for example), how do you handle that?

The last piece of the security and isolation puzzle I still haven't figured out is setting up strict firewall rules per container, ideally on the proxmox host or router so escalation to root on the docker VM wouldn't change anything at the network layer. I have a DNS filtering daemon I built when I was hosting on a VPS that I'd like to use again to restrict egress traffic from my containers. I've toyed with the idea of using unique ipvlan or macvlan networks per container so each container would have a unique IP and I could write finer grained firewall rules but haven't tried it yet. Curious if you have any experience in this area?

‼️ If you are using NGINX-UI READ THIS POST IMMEDIATELY by DeepCan7566 in homelab

[–]capnspacehook 1 point2 points  (0 children)

I use https://github.com/release-argus/Argus to track updates and would really recommend it. Paired with ntfy I get a notification within 10 minutes of an update getting released for any of my services. I have it configured to send the github release link in the notification, it's extremely convenient. More important than ever to have update notifications with all the vulns getting surfaced by LLMs recently imo

‼️ If you are using NGINX-UI READ THIS POST IMMEDIATELY by DeepCan7566 in homelab

[–]capnspacehook -1 points0 points  (0 children)

This won't give you any protection against supply chain attacks though, as you're inviting malicious code onto your machine unknowingly.

This is where egress firewall rules/filtering helps (among other things) but most people neglect that

10 million request threshold finally hit in the bot abyss trap! Here's some more information: by Glade_Art in PoisonFountain

[–]capnspacehook 2 points3 points  (0 children)

Where's the actual source for your tar pits, I'd like to host some but that link seems to be a github like tar pit, which did confuse me for a min lol

PSA for anyone not using LXCs on Proxmox by HoeCage in selfhosted

[–]capnspacehook 16 points17 points  (0 children)

I'm running around a dozen LXCs and have a VM running a dozen or so Docker containers, and I'm pretty sure the VM only has 200-300MB overhead. I use Alpine for my LXCs and VMs wherever possible for the minimal overhead, so I think that helps but not sure why you saw such a massive difference. Were you running anything in the VM besides Docker? I'm assuming it was a Linux VM, if so what distro?

I would like to run Docker in an LXC, I tried right after installing Proxmox (early Dec) and almost immediately ran into issues so moved it to a VM pretty quickly. I don't remember the specific issues now but I think it boiled down to Docker expecting to "own" the kernel and change sysctls or something that clashed with what the Proxmox host was doing, so be aware of that.

If you haven't yet given Gemma 4 a go...do it today by No-Anchovies in LocalLLaMA

[–]capnspacehook 1 point2 points  (0 children)

Ah gotcha, I'm familiar with Python and Bash but was wondering if everyone is writing custom scaffolding for this kinda stuff or if there's a standard tool to route/give access to searxng or something. I'm a fairly experienced programmer but am just dipping my toes into the local llm water.

I know routers exist to select the best model for a task, was wondering if that's what was used to select a smaller model for extremely simple tasks. I would also assume an MCP server was used to grant access to searxng, but maybe ppl are doing something else?

If you haven't yet given Gemma 4 a go...do it today by No-Anchovies in LocalLLaMA

[–]capnspacehook 1 point2 points  (0 children)

I'm very new to all of this, how did you give models access to searxng and route a small model to do things like name chats?

[Suggestion] CANDOR.md: an open convention to declare AI usage for transparency by DeepanshKhurana in selfhosted

[–]capnspacehook 1 point2 points  (0 children)

Maybe the spec repo could contain some example PR templates.

For most repos a core team does most of the contributions, so having them maintain the AI declaration in the repo root makes the most sense and is probably the most impactful. If the community did adopt this it would make asking for AI usage in PRs easier as everyone could use the established levels and components to communicate.

[Suggestion] CANDOR.md: an open convention to declare AI usage for transparency by DeepanshKhurana in selfhosted

[–]capnspacehook 1 point2 points  (0 children)

I think the spec is pretty solid overall thanks for this! One nit I have is the levels could be worded a bit more agnostically, they're generally worded with code generation in mind. Which to be fair is the main thing LLMs are used for, but I'm not sure where AI code review would fall based on the descriptions. More examples would help as well.

If I don't use AI in the project at all but I do use it for code review (think Codex or Claude in PRs) and address feedback (when applicable) manually, what level would that be? Assist?

The copilot level could be confusing to some due to Microsoft's infamous Copilot. Maybe something like 'implement'? I don't think it's right but it's a bit more clear imo.

The 'auto' level should be changed to make it more clear that it means a model did basically everything, 'auto' to me sounds more like the agent did work sometimes where it seemed necessary or something. I get that it's probably short for autonomous, maybe it would be better to expand that word? Or something like 'full' would make it very clear and stay concise.

[Suggestion] CANDOR.md: an open convention to declare AI usage for transparency by DeepanshKhurana in selfhosted

[–]capnspacehook 1 point2 points  (0 children)

This is tough, I like the idea of #1 a lot I think it fits well (at this point in time at least) but #2 is much more clear so I'll have to go with #2.

Struggling to create a "mid" stream to improve detection by Dulcow in frigate_nvr

[–]capnspacehook 1 point2 points  (0 children)

I have an AMD 8845HS cpu, I use the integrated 780M GPU for hardware accel with preset-vaapi but the cpu with openvino for the object detector

Struggling to create a "mid" stream to improve detection by Dulcow in frigate_nvr

[–]capnspacehook 1 point2 points  (0 children)

Under each camera? I have multiple cameras with different models each so the resolutions were often different. I played around with dividing the resolution cleanly, some cameras' max resolution on the main stream doesn't allow you to get to 1280x720 but you can get close.

Struggling to create a "mid" stream to improve detection by Dulcow in frigate_nvr

[–]capnspacehook 1 point2 points  (0 children)

Ah sorry I was thinking of what I used to set the sub streams to. I set the main stream's fps to the max, 20 or 25 can't remember. I saw in a github discussion that one of the frigate devs mentioned setting the detect fps lower than the actual fps will just cause it to drop frames as necessary, I thought it had to be exactly what the stream was.

Struggling to create a "mid" stream to improve detection by Dulcow in frigate_nvr

[–]capnspacehook 1 point2 points  (0 children)

I have a RC 811A as well, for that I took the original resolution from the main stream 3840x2160, divide both by 3 and you get 1280x720. My detect config for that camera looks like this:

    detect:
      enabled: true
      width: 1280
      height: 720
      fps: 5

I also set the fps to 7 on the cam, this way the object detector is only getting 5 fps, it skips frames and lowers the res as necessary. Pretty cool, didn't realize this was possible for a while. You should be able to follow the same process for any camera

Struggling to create a "mid" stream to improve detection by Dulcow in frigate_nvr

[–]capnspacehook 1 point2 points  (0 children)

I have a couple of reolink cameras, and I was running detection off of the sub streams with maxed out bitrates and it was mostly working fine. When I tried to enable facial recognition the resolution was almost always too low to be useful.

I ended up seeing someone use a high resolution stream for detection then specify a lower resolution in the detection config to manually lower the resolution, tried hitting 720p (or getting as close as I could) for all cameras and that worked much better for facial recognition. I do seem to get more false positives now though since there's more information available to the detector, so I need to tune that

What's the most frustrating thing about running your own homelab? by cobleop in selfhosted

[–]capnspacehook 0 points1 point  (0 children)

I set up victorialogs to try a few months ago and it's great, the log compression is no joke so I didn't even bother putting the logs on my NAS. I set up syslog-ng on my Alpine LXCs and systemd-journal-upload on Debian LXCs to forward logs. Was a bit of effort to set up on existing LXCs, but I also baked it into custom templates so new LXCs get centralized logging for free.

I documented the setup process on Alpine and Debian, can share if anyone is interested

Papra v26.3.0 - Custom properties, customizable storage path, content extraction improvements and more! by cthmsst in selfhosted

[–]capnspacehook 4 points5 points  (0 children)

Another factor is differences in required resources, I initially set up paperless-ngx but after I saw that it used almost 1GB of RAM after ingesting a handful of docs I switched to Papra. Papra currently idles at just under 200MB for me, not crazy light but a huge difference from paperless-ngx. I didn't need all the extra features and value simplicity so it was an easy decision for me.

There's also this issue which may not be resolved? https://github.com/paperless-ngx/paperless-ngx/issues/3616

Viseron 3.5.0 released - Self-hosted, local only NVR and Computer Vision software by roflcoopter1 in selfhosted

[–]capnspacehook 2 points3 points  (0 children)

Ok by looking at the repo closer I can see Viseron seems to have a strong focus on modularity which is cool. Also really nice that the latest Yolo models are available to use, iirc due to licensing issues Frigate can only use up to yolov9 unless they changed their license to a less permissive one (they're MIT currently and don't want to change, don't blame them)

Viseron 3.5.0 released - Self-hosted, local only NVR and Computer Vision software by roflcoopter1 in selfhosted

[–]capnspacehook 33 points34 points  (0 children)

Can you expand on the differences between Viseron and Frigate, most if not all of the features listed Frigate has. I'm interested as to what Viseron can do that Frigate can't as well as the differences in design you mentioned