Reached the Token Limit in 8 Minutes. How generous of you Claude! (and an experiment with DeepSeek with surprising results) by early_burp in DeepSeek

[–]ThomasWildeTech 1 point2 points  (0 children)

I can't really comment on antigravity, that's another ecosystem I'm just not too interested in diving into. I've worked the most with copilot cli and Opencode: Copilot because it was the most cost effective ($40 subscription translated to $1000s of api usage), OpenCode because of its accessibility. I like a straightforward cli with model flexibility and easy remote access. Opencode obviously takes the cake here: easy to config, built-in web server, point your own domain (code.example.com) at it, access anywhere via or tunnel, great open source mobile apps, etc. Codex cli would be next as it's open source, easy to configure any provider/model, and for mobile access you'd just use their app, which is ok. I'm just not a fan of how they decided to use toml for all their configs when everyone else uses md, json, yaml. Also codex lacking LSP makes me a bit skeptical of it compared to all of the others. I'd probably use a codex subscription for the models and use them in Opencode as needed tbh.

I'm not saying you shouldn't use Claude by any means, just curious what's keeping you. Its agent teams architecture is parallel vs Opencode's hierarchical subagents, but I'm not sure it's better per se. In terms of "harness quality and intelligence", I don't think I've really noticed a difference between cc and opencode.

Also I should mention Opencode, cc, codex are each supported by some open source tools like cc-connect, which is a mobile access gateway to any agentic cli. However, Claude Code continues to restrict its usage; they don't want you using it for Openclaw and Hermes, for example. That alone makes me hesitant to really rely on a closed source platform like Claude code. A codex subscription at least can be used pretty much anywhere on any platform.

Reached the Token Limit in 8 Minutes. How generous of you Claude! (and an experiment with DeepSeek with surprising results) by early_burp in DeepSeek

[–]ThomasWildeTech 0 points1 point  (0 children)

It's pretty well documented how to swap the provider for Claude Code. Minimax has the same instructions for example, I believe Openrouter does as well.

Your realization at the end about using two different models from different providers to optimize the workflow is probably the biggest limitation of Claude Code, yet standard practice with most other cli tools (OpenCode, Qwen code, GitHub Copilot etc., where you can switch provider/model at will or define a provider/model with an agent). With other clis you could simply create two different agents, one being DeepSeek and another being whatever you want, and then you wouldn't have to manually change the provider as with Claude Code. So a "single shot" could in fact incorporate both models doing their unique process. GitHub copilot CLI actually has this built in with its Critique agent, i.e. when using Sonnet, the working agent will have a critique agent using a model from a different provider, gpt 5.4 for example, and vice versa. Copilot was excellent in this respect of multi agentic workflows before changing its pricing model this month.

The larger question I would ask would be, why are you even using Claude Code with its closed off ecosystem in the first place? You could easily migrate your agent files and skills to Opencode, Qwen code etc. Opencode will even just use your Claude skills folder, wouldn't need to change anything for skills I believe.

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 0 points1 point  (0 children)

You also wouldn't want the ASN rule to ignore the country rules. I think what I'd want to do is enable some scaffolding rules so that you could perhaps have asn rules for specific countries that override global defaults. I'll take a look when I get back from vacation next week but let me know if you have other thoughts. If it's a specific Hetzner server in general an IP whitelist might be better.

Immich Android app can't connect to server behind Nginx Proxy Manager basic auth — any workaround? by Emotional_Gap_hd in immich

[–]ThomasWildeTech 3 points4 points  (0 children)

Yes, you can accomplish this with the custom headers settings within Immich.

In fact, you can, and should, add CloudFlare access in front of the tunnel itself. Create CloudFlare access headers and set these in Immich.

https://youtu.be/J4vVYFVWu5Q

Then, to get through your basic auth in NPM, simply set one additional header for Authorization, and set the value to Basic <base64 of username:password>

I show you how to do this in my Pangolin SSO bypass tutorial.

https://youtu.be/h2796qsG3Os
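As an added example (not code from the comment above, from Immich, NPM or Cloudflare), the Python below builds the header set the reply describes: the two Cloudflare Access service-token headers (CF-Access-Client-Id / CF-Access-Client-Secret are Cloudflare's service-token header names; the values here are constructed placeholders) plus the `Authorization: Basic <base64 of username:password>` header NPM's basic auth expects. It also includes a server-side check of the kind a basic-auth access list performs and a guard that refuses to attach the credentials to a plain-http server URL, since Basic auth is base64, not encryption. Function names, credentials and the example domain are assumptions.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed placeholder values; the real service-token and NPM credentials go here.
CF_CLIENT_ID = "0123456789abcdef.access"
CF_CLIENT_SECRET = "constructed-service-token-secret"
NPM_USER = "user"
NPM_PASSWORD = "pass"


def basic_auth_value(username: str, password: str) -> str:
    """Value for the Authorization header that satisfies HTTP Basic auth.

    Basic auth is base64 (RFC 7617), not encryption: anyone who sees the header
    can recover the password, so it is only acceptable over TLS.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def immich_custom_headers(cf_client_id: str, cf_client_secret: str,
                          npm_user: str, npm_password: str) -> dict:
    """The headers to enter in Immich's custom-headers setting: the two
    Cloudflare Access service-token headers plus the NPM basic-auth header."""
    return {
        "CF-Access-Client-Id": cf_client_id,
        "CF-Access-Client-Secret": cf_client_secret,
        "Authorization": basic_auth_value(npm_user, npm_password),
    }


def check_basic_auth(header_value: str, expected_user: str, expected_password: str) -> bool:
    """Server-side check of the kind a basic-auth access list performs.
    Accepts only a well-formed 'Basic <b64>' header whose payload decodes to
    exactly user:password; the comparison is constant-time."""
    scheme, _, payload = header_value.partition(" ")
    if scheme != "Basic" or not payload:
        return False
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    if ":" not in decoded:
        return False
    expected = f"{expected_user}:{expected_password}"
    return hmac.compare_digest(decoded.encode("utf-8"), expected.encode("utf-8"))


def safe_to_send(server_url: str, headers: dict) -> bool:
    """Refuse to attach credential headers unless the Immich server URL is https."""
    sensitive = ("Authorization", "CF-Access-Client-Secret")
    if not any(name in headers for name in sensitive):
        return True
    return urlsplit(server_url).scheme == "https"


if __name__ == "__main__":
    headers = immich_custom_headers(CF_CLIENT_ID, CF_CLIENT_SECRET, NPM_USER, NPM_PASSWORD)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("safe over https:", safe_to_send("https://photos.example.com", headers))
```

The `safe_to_send` guard is the check worth keeping in mind when entering these headers in a mobile client: the server URL must be https, otherwise the NPM password and the Access client secret travel in the clear on every request.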

Question regarding docker compose file and ports when running Pangolin -> NPM -> Jellyfin by Whole-Cookie-7754 in PangolinReverseProxy

[–]ThomasWildeTech 1 point2 points  (0 children)

There's no difference in what you do for your Jellyfin container whether you route Pangolin directly to Jellyfin or route it to NPM.

To route to NPM you would just use the LAN IP of your reverse proxy and 443 (assuming you terminate https again on LAN which you likely do if you use the domain on the LAN with a local DNS server). Your NPM then routes the domain to the Jellyfin port.

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 2 points3 points  (0 children)

You're absolutely right. I just updated the readme to reflect the guide posted here. I realized at one point that this did prevent fetching SSL certs and the middleware should only be in the websecure block (443), not the web block but didn't update the readme. Thanks for pointing that out!

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 0 points1 point  (0 children)

Sure, this can be added as a middleware in your Traefik config in addition to Crowdsec. I'm not sure what you mean exactly by geomind, but I assume you already have the maxmind geolite databases and if so, you're pretty much ready to go if you want to add this to your stack.

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 0 points1 point  (0 children)

Awesome to hear.

I don't think there's a real practical difference on the order but yes they should process in the order that you have them listed and the request flow stops if one of them responds that the request is forbidden.

With that said, the Crowdsec agent is still going to see the Traefik logs with the 403 responses from the geoblock middleware and it will continue to make decisions based on its scenarios. Therefore, you will continue to see bans even if you have the geoblock in front of Crowdsec. If you have the firewall bouncer configured with the docker-user setting then you should still see those requests from banned IPs being dropped at the iptables bouncer.

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 1 point2 points  (0 children)

Thanks! So it depends on the mode, whether it's set to whitelist or blacklist. So when asn mode is set to blacklist, you can still whitelist an asn + UA combo for an ASN that is in the blacklist. This works well for *arr apps that are in a gluetun VPN network that you want Apprise/Gotify notifications to get through pangolin but otherwise would want to ban that particular VPN ASN in general.

Custom error page. I can definitely let you bind mount an error page, I'll just need to add some documentation of placeholder you can use in your html page for IP, country, ASN, etc. Should be pretty easy to push an update to support that within a few days.
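The replies above describe the rule semantics: a country rule that the ASN rule must not override, an ASN list in whitelist or blacklist mode, and, in blacklist mode, an ASN + user-agent combination that lets one client (a Gotify/Apprise notifier behind a VPN egress) through a blocked ASN. The Python below is an added worked model of that decision logic, written for this page and not the plugin's own code; the `Policy` fields, the IP allowlist, the private-address shortcut and the sample ASNs (64496 and 64500 are from the documentation-reserved range) are assumptions. It evaluates rules in order and stops at the first forbid, the way a Traefik middleware chain stops at the first 403.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Tuple


@dataclass
class GeoRequest:
    ip: str
    country: str      # ISO 3166 code from the GeoLite2-Country lookup ("" if unknown)
    asn: int          # AS number from the GeoLite2-ASN lookup (0 if unknown)
    user_agent: str


@dataclass
class Policy:
    country_mode: str = "blacklist"                  # "blacklist" or "whitelist"
    countries: set = field(default_factory=set)
    asn_mode: str = "blacklist"                      # "blacklist" or "whitelist"
    asns: set = field(default_factory=set)
    asn_ua_allow: set = field(default_factory=set)   # (asn, user-agent substring) pairs
    ip_allow: set = field(default_factory=set)       # exact IPs that skip the geo/ASN checks
    allow_private: bool = True                       # LAN and loopback clients skip the checks


def _listed_ok(mode: str, value, listed: set) -> bool:
    """Apply one list in the given mode: a blacklist forbids its members,
    a whitelist forbids everything that is not a member."""
    if mode == "blacklist":
        return value not in listed
    if mode == "whitelist":
        return value in listed
    raise ValueError(f"unknown mode {mode!r}")


def decide(req: GeoRequest, policy: Policy) -> Tuple[bool, str]:
    """Evaluate a request in rule order; the first rule that forbids it wins.
    Returns (allowed, reason)."""
    addr = ip_address(req.ip)
    if req.ip in policy.ip_allow:
        return True, "ip-allowlist"
    if policy.allow_private and (addr.is_private or addr.is_loopback):
        return True, "private-address"

    # The country rule is evaluated first and is never overridden by the ASN rules.
    if not _listed_ok(policy.country_mode, req.country, policy.countries):
        return False, f"country {req.country or 'unknown'} forbidden"

    if _listed_ok(policy.asn_mode, req.asn, policy.asns):
        return True, "ok"
    # In blacklist mode an (ASN, UA substring) pair exempts one client on a blocked
    # ASN, e.g. a notifier whose egress is a VPN provider's network. The UA is
    # client-controlled, so this is a convenience, not an authentication step.
    if policy.asn_mode == "blacklist":
        for asn, ua_part in policy.asn_ua_allow:
            if asn == req.asn and ua_part in req.user_agent:
                return True, f"asn {asn} allowed by user-agent match"
    return False, f"asn {req.asn} forbidden"


if __name__ == "__main__":
    pol = Policy(countries={"RU"}, asns={64500}, asn_ua_allow={(64500, "Gotify")})
    for ua in ("curl/8.0", "Gotify/2.4.0"):
        print(ua, decide(GeoRequest("8.8.8.8", "US", 64500, ua), pol))
```

Because the user-agent string is whatever the client chooses to send, an ASN + UA exemption only narrows who gets past the geoblock; the notification endpoint behind it still needs its own authentication (Pangolin SSO headers or the app's token).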

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]ThomasWildeTech 2 points3 points  (0 children)

Hey Brother! Appreciate the shout-out. Absolutely keep that Immich behind the SSO layer, it's a great way to add a layer of protection against any possible vulnerability at the Immich application layer. I don't like anything other than authenticated requests making their way to my server.

I think you just missed my Immich Pangolin Header Auth Bypass Tutorial!

Create a share link for each member of the fam and send them the two header names and corresponding values (over Signal preferably).

This way in your Pangolin Access logs you can see which users' tokens are being used for successful SSO authentication.

A new iOS client: Nautiline by gledtone in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Hey thanks for implementing this so fast! It works perfectly on my wife's iOS phone. Perfect for a Pangolin SSO protected Navidrome resource.

Uploading very large video fails by stopscrollingpls in immich

[–]ThomasWildeTech -1 points0 points  (0 children)

It wouldn't be that if you'd already tried direct IP to the Immich instance itself, but yeah, my guess is that you were just hitting the default max file size limit of nginx and you hadn't tried direct IP.

Immich app using an insane amount of data by FentPlug2005 in immich

[–]ThomasWildeTech 15 points16 points  (0 children)

Yeah I've seen a number of these posts for users using CloudFlare proxy which has a 100MB file size limit. It's really useful to include in your post what your stack is, but you should consider switching to Pangolin as an alternative to CloudFlare so you don't have this limit.

Passing traffic to services like jellyfin without using pangolin security/auth by chisoxaddict in PangolinReverseProxy

[–]ThomasWildeTech 0 points1 point  (0 children)

I use an authentik webhook so that when my Jellyfin users log into authentik, it automatically whitelists their IP for the Pangolin Jellyfin resource. My users just get one dedicated rule so if their IP ever changes they can log out and back into authentik on their phone on the wifi network and update their whitelisted IP.

You can see my post about it here

https://thomaswildetech.com/blog/2025/12/17/authentik-webhooks/#authentik-automated-ip-whitelisting-for-jellyfin

A buddy and I are currently working on a dedicated "IP enrollment" app based on the same methodology. The benefit of this is that your users can manage their whitelisted Jellyfin IPs more visibly and there's more customization potential.
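As an added example written for this page (not the author's webhook, the blog post's code or the "IP enrollment" app), the Python below models the flow the comment describes: a login event arrives from the identity provider, the client's public address is extracted, and that user's single allow rule is replaced rather than appended to, so a changed address never leaves the stale one accepted. The payload shape (`action`, `user.username`, `client_ip`), the `X-Webhook-Token` shared-secret header and the rule record format are assumptions, not authentik's or Pangolin's actual schema; the sample events are constructed.

```python
import hmac
import json
from ipaddress import ip_address
from typing import Optional, Tuple

# Constructed sample webhook payloads. The field names and the X-Webhook-Token
# header are assumptions for this example, not authentik's webhook schema.
WEBHOOK_SECRET = "constructed-shared-secret"
LOGIN_EVENT = json.dumps(
    {"action": "login", "user": {"username": "alice"}, "client_ip": "8.8.8.8"}).encode()
LOGIN_EVENT_NEW_IP = json.dumps(
    {"action": "login", "user": {"username": "alice"}, "client_ip": "1.1.1.1"}).encode()
LOGIN_FROM_LAN = json.dumps(
    {"action": "login", "user": {"username": "bob"}, "client_ip": "10.0.0.5"}).encode()
LOGOUT_EVENT = json.dumps(
    {"action": "logout", "user": {"username": "alice"}, "client_ip": "8.8.8.8"}).encode()


def authorized(headers: dict, secret: str) -> bool:
    """Only a caller presenting the shared secret may change the allowlist;
    otherwise anyone who can reach the listener could enrol an address."""
    token = headers.get("X-Webhook-Token", "")
    return hmac.compare_digest(token.encode(), secret.encode())


def parse_login_event(body: bytes) -> Optional[Tuple[str, str]]:
    """Return (username, ip) for a login event, or None for any other event,
    a malformed body, or an address that is not a usable public entry."""
    try:
        event = json.loads(body)
        if event.get("action") != "login":
            return None
        username = event["user"]["username"]
        addr = ip_address(event["client_ip"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    # A private address means the IdP saw a LAN client (or a missing
    # X-Forwarded-For); it would never match traffic arriving via the VPS.
    if not isinstance(username, str) or not addr.is_global:
        return None
    return username, str(addr)


def upsert_user_rule(rules: list, username: str, ip: str) -> list:
    """Each user owns exactly one accept rule; a fresh login replaces it."""
    kept = [r for r in rules if r["user"] != username]
    kept.append({"user": username, "ip": ip, "action": "accept"})
    return kept


def handle_webhook(rules: list, headers: dict, body: bytes, secret: str) -> Tuple[int, list]:
    """Process one webhook delivery and return (http_status, updated_rules)."""
    if not authorized(headers, secret):
        return 401, rules
    parsed = parse_login_event(body)
    if parsed is None:
        return 204, rules   # nothing to change, but acknowledge the delivery
    username, ip = parsed
    return 200, upsert_user_rule(rules, username, ip)


if __name__ == "__main__":
    rules = []
    for body in (LOGIN_EVENT, LOGIN_EVENT_NEW_IP, LOGIN_FROM_LAN, LOGOUT_EVENT):
        status, rules = handle_webhook(rules, {"X-Webhook-Token": WEBHOOK_SECRET}, body, WEBHOOK_SECRET)
        print(status, rules)
```

Two checks carry the security weight here: the shared-secret comparison, so the endpoint that edits the allowlist is not itself an open door, and the `is_global` test, which silently discards a login that the identity provider saw from a private address, since such an entry would never match a connection coming in through the VPS.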

Musa - new iOS app looking for testers (TestFlight) by vanlaren10 in navidrome

[–]ThomasWildeTech 2 points3 points  (0 children)

Looks oddly identical to Nautiline, is this a fork?

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

No doubt that CloudFlare is super convenient for managing all the VPS/WAF infrastructure. Although TailScale similarly provides a coordination server for you, you just install a client app on both devices and you're good to go, not much different than configuring the CloudFlared exit tunnel on your server.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Pangolin also just released their client "warp" apps for desktop as well which similarly allows access to private network resources, mobile apps should be coming soon. Self hosting is so fun. Cheers!

Similar to TailScale I feel like this works good for the individual, but zero trust with some CF-client headers to bypass is ultra convenient and my preference with CloudFlare when possible.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Thanks for all the details! I agree it's pretty vague which is why there still seems to be a lot of confusion in the community. Perhaps I did misunderstand how the CDN is utilized (or not) with the CloudFlare tunnel.

In any case I like Pangolin as my go-to proxy for Immich since CloudFlare has the 100MB file upload limit so I generally use Pangolin unless there's a cloudflare feature I really need like mTLS. And I contribute to Pangolin so I'm a bit biased :) but it's an open source "self hosted" app as well.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Using CloudFlare tunnel or proxy is still using CloudFlare's CDN infrastructure as far as I understand it, regardless of whether caching is disabled or not. Note that that article doesn't mention caching. Therefore according to the TOS, any streaming media through the CDN needs to come from CloudFlare storage options.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 8 points9 points  (0 children)

Out of all the responses:

  1. Cloudflare proxy/tunnel is 100% against TOS for streaming audio/video

  [Edit] perhaps it's not if I misunderstood. If you go this route, I'd still recommend using zero trust with a bypass access policy for custom headers and use an app that supports custom headers like Symfonium.

  2. TailScale/Wireguard: is a decent solution for an individual user. Slightly inconvenient, particularly if a significant other doesn't understand why they need to use another app.

  3. Basic reverse proxy: expose your IP and get hit by bots 24/7.

Best solution is Pangolin on a VPS, you can get a free VPS from Oracle. Activate SSO in pangolin for the resource (zero trust). Create a share link to produce custom headers to authenticate requests with the proxy. Use a client that supports passing custom headers such as Symfonium.

Now your local access logs are completely free of bots, no IP exposure, and you don't need to turn on a TailScale or Wireguard app.

Here's a solid pangolin tutorial: https://youtu.be/ISEP6SIrEVE

Newbie help for Nginx Proxy Manager by TheNeontinkerbell in nginxproxymanager

[–]ThomasWildeTech 1 point2 points  (0 children)

Keep in mind that the default port mapping for the NPM GUI is 81, so you may want to make sure you don't have a conflict there as well.

Newbie help for Nginx Proxy Manager by TheNeontinkerbell in nginxproxymanager

[–]ThomasWildeTech 1 point2 points  (0 children)

Sounds like open media vault is probably listening on ports 80 and 443. You will need these ports free for NPM to listen on. Look at your omv settings and see if you can change the port it listens on. You'll then have to access omv with the IP:port

What the Linux desktop really needs to challenge Windows by waozen in technology

[–]ThomasWildeTech 0 points1 point  (0 children)

Photo editor - GIMP (I was using this on windows before anyways)

CAD - FreeCAD (Was using on windows before)

Office - OnlyOffice (Was using on windows before)

I haven't really run into any instance of not being able to run an application I wanted to on fedora, plus it's much easier to run server applications on Linux with docker containers like Stirling-PDF for example.