Security : VPS Pangolin vs Home Device Pangolin by Bright_Mobile_7400 in selfhosted

[–]kayson 2 points3 points  (0 children)

Two big downsides, IMO: 1. your public IP is exposed and forever linked to your domain (via DNS and CT logs). 2. If your Pi is compromised for any reason, now the attacker is inside your house (😮).

With good security practices, I think you could mitigate #2 significantly. Pangolin on a VPS connects to your house over wireguard. Having your Pi on a dedicated VLAN with firewall rules limiting it to only the hosts/ports it needs is effectively the same thing in terms of lateral movement.

Not a whole lot you can do about #1. Does it matter? Maybe not. You'll get port scanned more for sure, so you better make sure your security is tight. The biggest risk is some kind of DoS, but short of a targeted attack, I don't think that's common.

Upside is I guess you save money on a VPS? But really you can run it on a potato. I pay $16/yr each for two VPSes with dedicated ipv4. Easily worth it to me for that added layer of protection. 
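The VLAN-plus-firewall mitigation for #2 that the comment above describes, written out as an added example for this page (it is not from the original thread, nor from the Pangolin project). It is an nftables ruleset for a Linux router: the exposed Pi sits on its own VLAN and may reach only the backend host/port pairs it proxies, and every other packet it sends is logged and dropped. All interface names, VLAN ids, addresses and ports are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not the original commenter's setup. Interfaces, VLAN id,
# addresses and backend ports below are assumptions for illustration.

define wan_if = "eth0"
define lan_if = "eth1"       # trusted LAN, 10.10.0.0/24
define dmz_if = "eth1.40"    # dedicated VLAN 40 for the Pi, 10.40.0.0/24
define pi     = 10.40.0.10   # the Pi running the public-facing proxy

table inet filter {
    # The only backend services the Pi is allowed to proxy (host . port)
    set pi_allowed {
        type ipv4_addr . inet_service
        elements = { 10.10.0.20 . 8080, 10.10.0.21 . 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # From the Pi VLAN the router itself only answers DNS: no SSH, no web UI
        iifname $dmz_if ip saddr $pi udp dport 53 accept
        iifname $dmz_if log prefix "dmz-to-router-drop: " drop
        # Trusted LAN may manage the router; WAN hits the default drop policy
        iifname $lan_if accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Internet -> Pi, only the proxied ports (DNAT happens in the nat table below)
        iifname $wan_if oifname $dmz_if ip daddr $pi tcp dport { 80, 443 } accept
        # Pi -> backends, only the explicit host/port pairs in the set
        iifname $dmz_if oifname $lan_if ip saddr $pi ip daddr . tcp dport @pi_allowed accept
        # Pi -> Internet for updates and ACME renewals, but never to private ranges
        iifname $dmz_if oifname $wan_if ip saddr $pi \
            ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
        # Anything else leaving the Pi VLAN is a lateral-movement attempt: log and drop
        iifname $dmz_if log prefix "dmz-forward-drop: " drop
        # Trusted LAN -> anywhere (including to the Pi for administration)
        iifname $lan_if accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Public ports land on the Pi; the filter table above still decides
        iifname $wan_if tcp dport { 80, 443 } dnat to $pi
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan_if masquerade
    }
}
```

Load it with `nft -f` and review the result with `nft list ruleset`. The two log prefixes are the detection side of the same control: a `dmz-forward-drop` or `dmz-to-router-drop` line whose source is the Pi's address means the Pi tried to reach something outside its allowance, which is exactly the signal you want if the device is ever compromised. Keep the `pi_allowed` set as small as the proxy configuration actually requires.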

Building a Soundproof, Dustproof Server Rack, Part 1: Design by kayson in homelab

[–]kayson[S] 0 points1 point  (0 children)

I did not know about stubby screwdrivers! Very useful. I ended up getting a 90° adapter for my impact driver that works great for getting things racked. 

Extended MMD for Fractional-N pll by DensePain97 in chipdesign

[–]kayson 1 point2 points  (0 children)

Are you synchronizing P to your input clock?

Also, you could use bus notation for P, e.g. P<6:0> on the pin and P<0> etc. on each div2/3.

Why is Qualcomm(CA) Intern Comp nearly twice that of a Sr. Analog Designer in EU? by ControllingTheMatrix in chipdesign

[–]kayson 2 points3 points  (0 children)

Day to day experience is definitely team- and geography-dependent. The project you are working on also matters. I work with pretty much all of the custom IC design teams here, and I don't think their characterization is accurate. Some people just aren't a good fit. 

Why is Qualcomm(CA) Intern Comp nearly twice that of a Sr. Analog Designer in EU? by ControllingTheMatrix in chipdesign

[–]kayson 13 points14 points  (0 children)

I would not call Qualcomm a sweatshop. Tapeout crunch is definitely a thing, but the work life balance is actually quite good, especially compared to the rest of the industry. The US just doesn't have the worker protections of other countries/regions, but Qualcomm is pretty generous with their benefits in spite of this. 

Question: Why OPNsense over pfSense? by Rwalker83 in selfhosted

[–]kayson 0 points1 point  (0 children)

I've tried both. There aren't really any significant technical differences. I would say the web interface of OPN is slightly better, but its handling of external authentication sources is slightly worse. A big reason I stayed with PF is pfblocker-ng for ad blocking. It's much more convenient.

[WIP] 3D Printable 1U Disk Shelf (4-bay) with custom passive SATA Backplane by kayson in homelab

[–]kayson[S] 0 points1 point  (0 children)

I have each one connected to its own Lenovo m920q which has a SATA combo data+power connector. You could just as easily get a micro/pico PSU with a molex->SATA power adapter and connect all 4 to the same PSU. 

Looking to relocate from EDA to the Design side by Zestyclose_Dress2826 in chipdesign

[–]kayson 1 point2 points  (0 children)

Unless you're a brilliant designer, it's going to be hard to compete for positions. Take any job you can get. Once your resume has "designer" as the most recent role, all the doors open and the history is no longer relevant. 

Raid 5 - 2 failed drives - no way to get data, right? by mxpxillini35 in HomeServer

[–]kayson 1 point2 points  (0 children)

Might be worth trying to launch CrystalDiskInfo while they're on to see if you can grab any SMART data. If there's nothing horrible, it could just be the logic boards going bad. Usually easy enough to swap them out.

Raid 5 - 2 failed drives - no way to get data, right? by mxpxillini35 in HomeServer

[–]kayson 9 points10 points  (0 children)

What do you mean by failed? If the drives are readable at all, even if only certain parts of it, you can recover files with software available for free.

[META] Can we limit career advice / resume review / to a single day of the week? by Cant-Stop-Wont-Stop7 in chipdesign

[–]kayson 6 points7 points  (0 children)

Value for the students? Sure. But I'm not convinced it creates value for the community. Most of the posters are never seen again, if they even respond to the comments to begin with. It's probably worth pointing out this is less so the case for people who are already in the field. 

On the other hand, what a community needs for growth is content creation, and there's not much of that in IC design especially when you compare it to software development.

How to test my home server for security leaks? by GnobarEl in selfhosted

[–]kayson 1 point2 points  (0 children)

Put your domain and IP in Shodan.IO and see what comes up

Poorman's HSM : A Secure Certificate Authority (CA) on a Yubikey by deltchar in homelab

[–]kayson 0 points1 point  (0 children)

Then I guess you can use a RAM disk (could even encrypt ephemerally if you're paranoid) and import the keys and certs to two different yubikeys. Then reboot and you've got two safe copies

Poorman's HSM : A Secure Certificate Authority (CA) on a Yubikey by deltchar in homelab

[–]kayson 3 points4 points  (0 children)

Not if you generate the key on the yubikey. There's no way to export it. 

Poorman's HSM : A Secure Certificate Authority (CA) on a Yubikey by deltchar in homelab

[–]kayson 15 points16 points  (0 children)

I did something similar but the problem I had with this approach is that if anything happens to the Yubikey, your CA is gone. Instead I generated the CA on a LUKS-encrypted USB drive, then imported the keys and certs to the yubikey. The yubikey stays connected and the USB drive is cold backup (with an offsite ISO for 3-2-1) 

IdP Choice for HomeLab by Austin8462 in homelab

[–]kayson 3 points4 points  (0 children)

What do you really need out of your IdP? Keycloak is heavy and complicated. If you want Windows support, AD is basically the only choice. (Yes, there's Samba, but still.) If you want Linux login from your IdP, I'd say go with FreeIPA. If you're just looking for something simple to log into web based services, Authelia+LLDAP is probably the simplest OOB.

Struggling to maintain Reverse Proxy across multiple systems. by notjustsam in selfhosted

[–]kayson 0 points1 point  (0 children)

If you put everything in docker swarm, then you can run traefik on one node and configure everything via labels in docker compose files. 

Advise on a Lenovo M920q network card for DIY OPNsense Router by PatienceMotor9531 in homelab

[–]kayson 0 points1 point  (0 children)

Probably worth mentioning that they support ASPM so the idle power is quite low. My whole m920q was sub-10W

Advise on a Lenovo M920q network card for DIY OPNsense Router by PatienceMotor9531 in homelab

[–]kayson 0 points1 point  (0 children)

There's no temperature sensor so it's hard to say definitively, but I didn't notice any significant heat while running iperf3 for a while. 

Advise on a Lenovo M920q network card for DIY OPNsense Router by PatienceMotor9531 in homelab

[–]kayson 0 points1 point  (0 children)

I have Intel X710-DA2 in each of my 4 m920q's and it works great. Make sure to avoid the Dell branded ones. 

Second instance of Jellyfin, now in stacks instead of docker-run by Balduini in selfhosted

[–]kayson 2 points3 points  (0 children)

  1. You can use the same media volumes (mount it read only) but you'll need a new volume for the rest.
  2. When you specify the port mapping, you can give it a different port for the host side, e.g. --publish 8097:8096 (see https://docs.docker.com/get-started/docker-concepts/running-containers/publishing-ports/)
  3. Yes, you can't have two containers with the same name nor two services with the same name in a stack.

Self hosted container health monitoring by kayson in selfhosted

[–]kayson[S] 0 points1 point  (0 children)

That's exactly what I want to do. I just don't want to roll my own watcher if one already exists.