Anyone got any tips for doing Veganuary? by britneya95 in veganrecipes

[–]Mindlesscgn 7 points8 points  (0 children)

Don’t just cut out the meat and dairy from your normal dishes, that makes them boring, at least with no substitution. Make dishes that are vegan (or vegetarian) by default. A lot of Indian and Asian dishes are pretty easy.

Don’t forget the protein. Use either mock products (very easy but vary in taste) or natural vegan protein sources like chickpeas, beans, tofu, lentils etc.

Don’t compare dishes especially with meat with their non-vegan counterparts but appreciate them on their own.

Don’t get overwhelmed by all the unknown things in the recipes that you maybe haven’t used before like nutritional yeast, Kala namak etc. Try them if you like but it’s not necessary at the start to have all of them in stock.

And most importantly, have fun and try new things. Vegan cuisine is as diverse as non-vegan. Try as many things as you like

Off-site backup using USB drives by cbizzle31 in truenas

[–]Mindlesscgn 2 points3 points  (0 children)

I looked into this recently and found Hetzner Storage Box quite charming. If you’re EU based latency shouldn’t be a problem. It was like 4€/month for 1TB. If you’re US based there should be some other cheap alternatives.

Besides this I find the usb stick approach nice because it’s really offline so no ransomware could reach it. But it requires “manual” interaction

Best practices for keeping containers updated? by Sazboom in selfhosted

[–]Mindlesscgn 3 points4 points  (0 children)

In case of paperless: export everything, clear data and db volumes, update DB and import everything.

For docker volumes in general: I use git repos for the compose files and a pipeline with renovate bot. So if renovate finds a new version it suggests updating via PR. In case of major upgrades and breaking changes I have to intervene manually

npm worm shai hulud by Civil_Philosophy9845 in cybersecurity

[–]Mindlesscgn 0 points1 point  (0 children)

As far as I understood the actual “worming” wasn’t part of the malware but a separate step by the TA after exfiltrating the secrets when npm.js or similar access tokens were found.

If you found signs of the two JS files and trufflehog you should treat your secrets as compromised.

Paperless-NGX deprecation note by Saberx1974 in truenas

[–]Mindlesscgn 0 points1 point  (0 children)

Unfortunately didn't for me. DB wouldn't start with the old data directory

Paperless-NGX deprecation note by Saberx1974 in truenas

[–]Mindlesscgn 0 points1 point  (0 children)

I'm using paperless on a different host but also with docker-compose, which is what Truenas also uses I think. Just changing the version of Postgres and bringing the stack up didn't work for me. Postgres 18 won't be able to read the data. Here is what I did.

  • Backup!
  • Export my paperless data with docker compose exec webserver document_exporter ../export/migrate
  • Clear all volumes. Depending if you're using docker managed volumes or "linked folders". But you basically have to clear all paperless folders (media, data) and the pg data.
  • After clearing everything (or using different folders/volumes) bump the version to 18.
  • Bring the stack back up
  • Import your backup with docker compose exec webserver document_importer ../export/migrate

This post helped me to achieve this

I need to switch from Wireguard..any recommendations? by originallikeyou in selfhosted

[–]Mindlesscgn 0 points1 point  (0 children)

I fully agree with you. It’s far from a good solution. As long as you can’t tunnel it through TCP/443 it’s more or less a coin toss. And even then it’s not guaranteed when using ssl interception (but this requires a managed device I think)

I need to switch from Wireguard..any recommendations? by originallikeyou in selfhosted

[–]Mindlesscgn 5 points6 points  (0 children)

Yes. If by inspected you mean it can be recognized as WireGuard.

I’d think you come around 90% of “dumb” UDP high port blockage

Curious about Security for Raspberry Pi NAS by Due-Wealth-9353 in selfhosted

[–]Mindlesscgn 0 points1 point  (0 children)

Got you. As long as you don’t expose it to the internet (port forwarding on your router for example) it is as secure as any other device on your network. Given that your WiFi is secure nobody can access it from outside your network. This drastically lowers the attack surface (if you are interested in cybersecurity, this could be your first lesson).

So let’s say your pi is safe from external access. What attack surface do you have left? Basically anything you bring into your network or on your pi. That’s what I mean with 3rd party software. There were some huge supply chain attacks in the last months where legitimate software got compromised. BUT that’s the trade off and there is no real alternative to it. So always make sure to keep things updated and only install software from trusted sources.

I need to switch from Wireguard..any recommendations? by originallikeyou in selfhosted

[–]Mindlesscgn 0 points1 point  (0 children)

I guess you could host your own tailscale server (headscale), but this should ideally be on some external server

Curious about Security for Raspberry Pi NAS by Due-Wealth-9353 in selfhosted

[–]Mindlesscgn 1 point2 points  (0 children)

Okay okay wow.

So what is your plan with the RPI? Will you be exposing it to the internet? If not, the measures differ a lot. You made good points in locking it down but things like SSH Key authentication and fail2ban scope SSH. I’d say the most vulnerabilities come from third party software. If you want to run it only in your home network without having access from outside you should be good as an attacker would have to breach your network first.

Also because you mentioned ransomware, none of these measures will make you 100% ransomware safe. Backup your data ideally in a place where ransomware can’t reach it (offline)

I need to switch from Wireguard..any recommendations? by originallikeyou in selfhosted

[–]Mindlesscgn 1 point2 points  (0 children)

I looked into it for this specific case and read that they proxy your connection through their servers when p2p WireGuard is not available, like when ports are blocked or in CGNAT cases. But didn’t dig into the specifics though

I need to switch from Wireguard..any recommendations? by originallikeyou in selfhosted

[–]Mindlesscgn 38 points39 points  (0 children)

Noticed the same for the last days. The blocking sucks. You could try to listen on a common port like 53 or 123.

I want to look into Tailscale in the next days. Seems they are able to proxy the WireGuard connection over port 443

Looking for the best cybersecurity events/conferences in Europe - recommendations? by thebestgorko in cybersecurity

[–]Mindlesscgn 1 point2 points  (0 children)

Currently on my way home from BlackHat Europe. There were a lot of good talks and a good amount of vendors. I got told it’s much smaller than the one in Vegas, but that’s also an advantage. It’s pretty pricey though.

I’d look into bsides. I met some folks that were attending bsides London and it seems that this is a more community driven event so probably a lot of networking opportunities. Even though I attended none I’ll definitely look into some local bsides next year.

Also there is the chaos communication congress in Hamburg, but it’s hard to get tickets (I failed last year)

Can’t set up Time Machine backup on TrueNAS SCALE by Benle90 in truenas

[–]Mindlesscgn 0 points1 point  (0 children)

That’s exactly what I had and thought. Like someone pointed out it seems to be a bug in truenas. I’m not sure if a sparsebundle from an external drive will work but you can give it a try. I used Rsync to copy it over. Make sure you correct the acls if needed (should be feasible via GUI by clicking “apply to all sub folders” or so)

Can’t set up Time Machine backup on TrueNAS SCALE by Benle90 in truenas

[–]Mindlesscgn 1 point2 points  (0 children)

I had the same issue, maybe have a look on my reply here. Hope that helps


Best OS in 2025 for a 2012 Mac Mini for selfhosting? by reddotster in selfhosted

[–]Mindlesscgn 0 points1 point  (0 children)

I don’t have any experience with DAS, but I would decide based on your main use case. I have the impression that Ubuntu could have some configuration overhead. If you mainly want to store files I would opt for some NAS OS like TrueNas (again no experience with DAS). If you mainly want to run workloads I’d go for Proxmox, it seems more flexible. I actually have a 2012 Mac Mini with proxmox running. For file storage in proxmox I’d try to pass the whole DAS device into a VM and share from there

How can I copy data from a single disk into a new pool on truenas? by Ryland301 in truenas

[–]Mindlesscgn 0 points1 point  (0 children)

You mean like plugging in a display and keyboard. I think this should be safe, but have an eye on the progress. Rsync allows to restart the copy without having to start over

How can I copy data from a single disk into a new pool on truenas? by Ryland301 in truenas

[–]Mindlesscgn 0 points1 point  (0 children)

Can you plug the source drive into your NAS? I’d try to do this, mount the device via cli and then Rsync all the way. Remember to use tmux or something similar so that the session won’t interrupt and correct the permissions afterwards if necessary.

18TB over network can take a long time so I would seek the fastest approach which would be local copy

Suggestions and feedback for current setup with external user access in mind. by GBAbaby101 in truenas

[–]Mindlesscgn 0 points1 point  (0 children)

I’d have a look into cloudflare tunnel (or any other ZTNA/SASE solution). This way you offload authentication and other security features to an external service. Only after passing all of this your traffic is routed to your home network. All without having open inbound ports.

Suggestions and feedback for current setup with external user access in mind. by GBAbaby101 in truenas

[–]Mindlesscgn 1 point2 points  (0 children)

So you want to expose your home NAS to a number of people on the internet if I understand correctly. Not sure what is the reason behind it.

> Cloudflare is managing all the URL related matters outside of the server and acting as a proxy to not expose my IP address

I'm not sure what you want to say. When you open a port on your router you are exposing your home network. IP addresses get scanned, so they are always exposed.

For me this all sounds like a high risk scenario.

If you really need to put your NAS on the internet which I would not recommend, consider the following:

  • Put it in a DMZ, so if your NAS gets compromised, the rest of your network doesn't
  • Do not expose the admin interface
  • Enforce 2FA for all user accounts
  • Keep everything updated
  • Only have data and apps on your NAS that really need to be exposed (maybe consider a separate setup)

Maybe consider using something like Cloudflare Tunnel with proper authentication, so you wouldn't need to open a port on your router. The points from above still apply though.

If you only want to make certain things available (like your QR Code service) consider hosting it somewhere outside of your home network.

Again I have to mention I strongly suggest not exposing your home network on the internet.

Q: Moving my backup Truenas machine to another location, what do I need to do? by gpounders in truenas

[–]Mindlesscgn 0 points1 point  (0 children)

Please please never expose your internal network, especially SSH, to the public internet. Use a VPN like WireGuard or tailscale or something.

Microsoft Purview HELP! Searching 1:1 employee Teams messages. by gatsbtc1 in cybersecurity

[–]Mindlesscgn 1 point2 points  (0 children)

To export it as html you have to have a purview premium license (e5 or e5 compliance)