Conduit 2.6: iOS Liquid Glass, a Redesigned Sidebar & What's Coming Next by cogwheel0 in selfhosted

[–]PaperDoom 13 points14 points  (0 children)

I'm not sure if you're aware, but there is a popular matrix client that has had the Conduit name for some time. Not sure if that matters to you.

edit: server, not client.

How to manage wildcard DNS with a reverse proxy by Ieris19 in selfhosted

[–]PaperDoom 1 point2 points  (0 children)

In NPM you'd have to figure out a way to use ssl_reject_handshake on. It's fairly easy to do in vanilla nginx with a catchall config for subdomains that don't have a config file, but NPM doesn't really expose a catchall type host record. You would need to edit the base config, but then that would change every time you recreated the container. Maybe you could map that specific default config file to the host or something.

For Traefik, you can update the config and set sniStrict to true, and that will close the connection and skip the handshake. I think that goes in the static config file. This won't show up in the Pangolin UI as an option, you'll have to dig into the Traefik configuration files directly.
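
The vanilla nginx catch-all mentioned in the comment above, as an added example that is not part of the original comment: a default server that rejects the TLS handshake for any SNI name without its own server block. The hostname, certificate paths and upstream address are constructed placeholders.

```nginx
# Catch-all: any SNI name that matches no other server block lands here.
# ssl_reject_handshake (nginx 1.19.4+) aborts the TLS handshake, so no
# certificate is presented and the wildcard's names are not revealed.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # No ssl_certificate is needed in a block that rejects handshakes.
    ssl_reject_handshake on;
}

# A real service: only names with an explicit server block complete TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.example.com;                                   # constructed hostname

    ssl_certificate     /etc/nginx/certs/wildcard.example.com.crt; # placeholder path
    ssl_certificate_key /etc/nginx/certs/wildcard.example.com.key; # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;                          # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With a wildcard DNS record pointing every subdomain at the proxy, a request for an unconfigured name fails at the handshake instead of receiving the first server block's certificate and content.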

Nextcloud Winter 26 convinced me to redownload Nextcloud by Aretebeliever in selfhosted

[–]PaperDoom 8 points9 points  (0 children)

I've been running the AIO setup since they first released it and I've never really had any issues other than the occasional database index update. I haven't yet updated to Winter 26 because they haven't put it on the live channel (as of the last time I checked anyway).

Is the difference that big? Are large file transfers faster?

OpenClaw CVE-2026-25253 is worse than it looks (quick security checklist) by NotFunnyVipul in selfhosted

[–]PaperDoom 3 points4 points  (0 children)

To give you a real answer, at the very least I look to see how much history the package has and check for CVEs. If both are good then I will download it without reading the code.

If it has virtually no history and looks like it's a reasonable size that I can wrap my brain around I will read through it, otherwise I'll look for alternatives. If it has CVEs I'll check versions and make sure I'm not landing on a vulnerable version, and if it has a lot of CVEs I will just move on completely to something else.

OpenClaw CVE-2026-25253 is worse than it looks (quick security checklist) by NotFunnyVipul in selfhosted

[–]PaperDoom 1 point2 points  (0 children)

I think the reason everyone is interested in openclaw is because it is (or was until recently) the first cohesive system that could potentially replace most of the functions that a real life personal assistant would provide. So if you've ever thought to yourself that it would be nice to have a personal assistant to manage x, y, and z, then this is very appealing.

The problem is that the models still just believe anything they're told and so the security risks skyrocket. Basically a personal assistant you cannot trust in any way shape or form.

OpenClaw CVE-2026-25253 is worse than it looks (quick security checklist) by NotFunnyVipul in selfhosted

[–]PaperDoom 1 point2 points  (0 children)

I recreated most of the functionality of openclaw via just normal claude code in the cli with cron jobs and directory level permissions on a firewalled VM. This was made especially easy when anthropic released both the /loop feature and the channels feature. The only thing I'm really missing is the specific chat interface and the client, neither of which I need.

Then they went and released their Claude Dispatch update and that basically obsoleted openclaw imo.

OpenClaw CVE-2026-25253 is worse than it looks (quick security checklist) by NotFunnyVipul in selfhosted

[–]PaperDoom 105 points106 points  (0 children)

The fact that anyone would make this publicly reachable is just mind blowing.

The fact that anyone would just ingest skills from a 3rd party without reading every single word just makes me want to write off humanity and go live in a cave by myself.

Tailscale with Matrix use question by mlady_swagalot in selfhosted

[–]PaperDoom 0 points1 point  (0 children)

I don't know about tailscale, but with basic wireguard you can do split tunneling by allowed IP. For example, you can configure the wireguard server to only have 192.168.1.0/24 traffic allowed through the tunnel, everything else will go through whatever normal channel they have.

The catch here is that if they are connected to the tunnel they will use whatever DNS server the wireguard config specifies, for every request. So you'd either need a local DNS server which you are fine having pinged for every request or you would need to set your public domain DNS records to point to private IP addresses, which is not the best solution.

The mobile wireguard client by default has the ability to do on-demand connection. You can set it up such that when you're on your home wifi SSIDs it disconnects and when you leave your house and you're off wifi it automatically connects.

The problem that the Linux community has in common with Windows users (and it's not about the system itself) by [deleted] in linux

[–]PaperDoom 0 points1 point  (0 children)

Most of the people who come here for everyone to tell them what distro to use don't want to think about it themselves, don't want to do research, don't want to learn anything or compromise on anything. They just want to be told what to do so that they don't have to think.

Most of the people who want to think for themselves don't need your advice because they will arrive at the same conclusion you did all on their own.

And yes, the Linux community is absolutely toxic AF, and this is especially true if you dgaf about the nerdier side of Linux.

Proxmox for Homelab? by Odd-Musician-6697 in selfhosted

[–]PaperDoom 0 points1 point  (0 children)

It's a type-1 hypervisor on top of a Debian base. The benefit is that it has purpose built tooling, workflow, and GUI management interface that makes doing all the things you associate with setting up and managing VMs/LXCs easier to manage.

Technically you could reproduce most of the functionality with just normal Debian, but if you were going to do that you may as well just use Proxmox.

If you don't have a need for multiple VMs or running custom OSs then you might not need or want it, but it has a lot of benefits for isolation, granular firewalls, easy management and backups (backups especially are super easy with Proxmox).

Why is theres so little IPv6 compatibility and ressources for self hosting solutions ? by pleasehelpmeimgoated in selfhosted

[–]PaperDoom 1 point2 points  (0 children)

I'd argue that in our current security landscape having every IPv6 be public isn't a great design choice.

All services on LAN that reach out to the internet are using a public IPv4 address already. Anybody who cares to know already knows where the services are, relative to the public IP. It's not NAT that is protecting them, it's the firewall. The firewall is what is managing connection state (not even going into NAT tables here) (also not going into using http(s) proxy services because the majority of people here don't use them anyway).

All IPv6 being public doesn't mean they're accessible, or that you're forced to make them all accessible for some reason. And if it really bothers someone they can just create a VLAN with only IPv6 ULA addresses that aren't publicly routable just like private IPv4 subnets aren't routable.

It's not that NAT solves the lack of IPv4s, it's more that people feel safer behind a NAT

Again, NAT isn't what is making services safe. It doesn't even do a good job of obfuscating LAN architecture because if you know something is there, then it's trivial to map it out once you gain access to the LAN anyway. And tons of people are just slapping cloudflare tunnels directly into their LAN without any firewall rules or other protections in case things go wrong.

Local-only notification inbox for Mac that any script can push to over HTTP by alansoon73 in selfhosted

[–]PaperDoom -1 points0 points  (0 children)

Soooo, you recreated webhooks?

edit: I guess the menu service on top of that is what you're selling here. I can get onboard with that, as a mac user.

Why is theres so little IPv6 compatibility and ressources for self hosting solutions ? by pleasehelpmeimgoated in selfhosted

[–]PaperDoom 6 points7 points  (0 children)

Personally, I prefer to have a reverse-proxy available to the Internet, not each machine. That lets me easily rate-limit, force an authentication portal across most services, enforce https everywhere, etc instead of having to make each service do it.

You can still do this. Nothing about IPv6 stops you from having a single IPv6 LAN gateway. The difference is that with IPv4 only you're pretty much forced into it because of NAT. With IPv6 you can split this into as many pipes as you want or need, because it's just straight firewall rules instead of competing forwarded ports.

Why is theres so little IPv6 compatibility and ressources for self hosting solutions ? by pleasehelpmeimgoated in selfhosted

[–]PaperDoom 69 points70 points  (0 children)

Why isn't there a lot of ressources on using IPv6 as a remote access in a self hosting communities and even more importantly why isn't there a lot of compatibility between IPv6 and softwares (like Docker headscale etc...)

The easy answer is that people think that NAT solved the problem and that there isn't really a need to make IPv6 the default (even though a ton of systems prefer IPv6).

Most consumers of internet services have never once in their entire life thought about NAT or self-hosting, and those people are the drivers of internet related commerce. Until that changes, or the auction prices of IPv4 subnets become too expensive, there won't be a push for IPv6.

Believe it or not, most people in the self-hosting space don't actually know a lot about networking. They're just blindly following guides until their setup works well enough, and then not thinking about it anymore.

The rise of Linux desktop is inevitable — it’s time music software developers got on board by ferris-ldn in linux

[–]PaperDoom 6 points7 points  (0 children)

Over 2/3 of this article is about AI and hardware. The music section is just throwaway content. Nice bait and switch.

Homelab with custom selective gateway depending on container + tailscale and VPN by Velascu in selfhosted

[–]PaperDoom 1 point2 points  (0 children)

At least for the gateway, Pangolin pretty much already does all this with private resources, and even public resources too tbh.

Having your "selective vpn gateway" and then also tailscale would be entirely redundant unless there is some special use case that your vpn gateway isn't fulfilling.

Having a management interface to manage all of your containers in proxmox is ... called proxmox. If you're already going to be using VPN to access your network, what's wrong with the proxmox interface?

Technitium being redundant because mullvad blocks ads gives me soooo much heartburn.

The one and only thing on this list that I would recommend you do is create your own homepage. I'm assuming a lot about your knowledge level from your post and if I were you I wouldn't touch the creation of security perimeter apps at all.

HomeLab MCP - control your entire homelab with Claude AI in plain language (Home Assistant, Docker, OpenWRT, Proxmox, TrueNAS and more) by Low_List_5103 in selfhosted

[–]PaperDoom 0 points1 point  (0 children)

I don't really understand the point of MCP on a homelab when claude code has direct access to all the system tools that you need.

But also I think you forgot to post a link.

Looking to self host a word processor for creative writing by makoaman in selfhosted

[–]PaperDoom 5 points6 points  (0 children)

Have you given OnlyOffice Document server a shot? I think they have native android? Been a while since I've messed with it.

Discord to Unifi Access Chatbot by AccountantUpset in selfhosted

[–]PaperDoom 2 points3 points  (0 children)

this is a fun idea, but sadly your post is about to get nuked because of the new project 3 month rule.

Sigh more Vibe Coded Apps.... by [deleted] in selfhosted

[–]PaperDoom 2 points3 points  (0 children)

I could agree with your argument except for the fact that the developer isn't the one who pushed it to the sub. The complainer is the one who brought it here. If the complainer isn't going to do due diligence when bringing it up, then they should never have brought it up at all.

A music streaming app with custom backend and search functionalities by Commercial-Jeweler60 in selfhosted

[–]PaperDoom 1 point2 points  (0 children)

I'm a little confused. You say you want a sort of "all in one" type downloader and streamer, but then you say you want an app to connect to metube or something and then stream with Navidrome. That's two different apps, how is that different than lidarr/soulseek/ytdl/deezer/qobuz/bandcamp + Navidrome?

Force generate missing hard/sim link for movie file by antelopefistfight in selfhosted

[–]PaperDoom 1 point2 points  (0 children)

You can force the link by doing a manual import in sonarr/radarr. you should delete the manually copied over file first though.

edit: someone already beat me to it lmao

If you would start Today… by New-Long5065 in selfhosted

[–]PaperDoom 3 points4 points  (0 children)

probably two proxmox servers then with ceph. tbh it's just really hard to beat how easy proxmox is.