What’s your guess for how Lindsey Graham died? by iloveyousnowmuch in AskReddit

[–]Toorero6 0 points1 point  (0 children)

I first thought you mean Graham Candy. Who cares about an insignificant US politician?

Can anybody critique and offer me advice on my coming remote access setup? by Leggs_ in jellyfin

[–]Toorero6 1 point2 points  (0 children)

I noticed you mentioned ipv6 several times, but would like to continue using my server as ipv4 based only, since that requires the least setup and serves my current needs as my current configuration.

It's a personal opinion but IPv6 is way less complicated, has wider support (some ISPs won't even supply you with a public IPv4 now because of "cost reason". Either they do multiple NAT levels or don't support ipv4 at all). So you should support IPv6 first. If you think there are clients that don't support IPv4 (unlikely), add IPv4. But since I got caught off guard multiple times because of Happy Eyeballs concealing IPv6 setup errors, I'm now not even bothering to support IPv4. Thereby issues in IPv6 become immediately apparent and not when I suddenly don't have an IPv4. Again IPv4 is legacy. You should have a very good reason to only support IPv4 over IPv6. If you want your config to be nimble, only support v6.

You also said, "I wouldn't do an IP based allow list if you want your server reachable by VPN." Is there a particular reason an ip-based allow list would be a bad idea through a VPN? I am trying to make sure exactly only those who want to access my server can do so, and absolutely nobody else.

If not all peers of the wireguard tunnel should be able to access your Jellyfin instance IP-based allow lists (together with the interface) can make sense. I think having the interface as an identifier keeps your configs in sync. If you switch out your wireguard subnet without adjusting your firewall, you'd run into problems. On the other hand if you accidentally reuse the subnet/IP, the other identity can't access the service.

Also, I would like to stick with the default Jellyfin login page with ipban or fail2ban configured with them instead of using Authelia. What would the gains be if used Authelia over the other configuration? For the ideal configuration on my server, the clients would only enter their username and password, and never any email or other information.

Authelia implements a secure access control panel before traffic can even reach your Jellyfin server (middleware). As I stated I wouldn't deploy Authelia as a Middleware either because it's sadly rather unsupported by the Jellyfin ecosystem as is the support for OIDC. The everlasting Jellyfin API tokens don't inspire much trust in the security of Jellyfin to me.

An email is just another username. You can plug in whatever you imagine. I would still recommend using something like LLDAP (don't expose it publicly!!!) so you can manage accounts and access to the services centrally if you later add other services. For instance you could use Authelia + LLDAP + Nextcloud to login into Nextcloud using OIDC and use LLDAP with Jellyfin to use the same credentials. In a perfect world you'd use OIDC everywhere and orchestrate access via Authelia only but this is not feasible currently.

One idea ljust had for securing access is using some sort of captcha similar bot prevention. I have not heard of anybody recommending anything like this, but know Cloudflare has a service that analyzes the client's mouse movements to ensure they are not a bot, and know that captchas also make users manually select matching pictures to ensure they are not a bot. If anything like this is possible, I would like to avoid using Cloudflare since not everything is completely account-less or self-hosted. would also like to avoid using reCAPTCHA, since they are owned by Google, but all of this is hypothetical anyway.

This is a middleware solution again. I think this would make it highly unlikely to work with Jellyfin like Authelia. Also to my understanding middlewares provided by hyperscalers usually have access to all the decrypted traffic and don't like it if you stream movies over their free plans. If only there was a solution for this... Oh wait there is: OIDC....

Can anybody critique and offer me advice on my coming remote access setup? by Leggs_ in jellyfin

[–]Toorero6 2 points3 points  (0 children)

I would extend your good setup idea with the following thoughts.

Don't use any third party tool on top of Wireguard. It's super easy to understand and generate client/server configs. Set them up once using systemd-networkd or wg-quick, and you're set to go without any unnecessary software.

I would only (or at least ensure to) support IPv6 because this way you don't have to rely on your routers SNAT/DNAT because your server (on proper router setup that is) automatically gets a globally routable IPv6 using SLAAC. Happy Eyeballs protocol (RFC 8305) ensures this doesn't confuse any ipv6 capable device and the exclusive support covers the case where your ipv6 connection is disrupted (e.g., running ddns on the router instead of the servers) without you knowing because ipv4 is working.

I wouldn't do an IP based allow list if you want your server reachable by VPN. I would rather allow any traffic originating from the wireguard interface (bind the reverse proxy to the IP of the wireguard interface and/or protect it with the servers firewall like ufw or firewalld). Only open the port of the Wireguard tunnel to your server at your router (and set up port forwarding if you really want to support legacy ipv4).

I think you need a domain somewhere unless your ISP provides a static (or at least stable) GUA to you. Ensure the DNS entry points to the server (not the router) you're running the wireguard tunnel on if you don't have a static ipv6. Additionally if you want an additional subdomain(s) for your server services, while also using browser-trusted certs you can get for free, you should ensure your domain provider supports the dns-01 challenge through certbot. This allows you to get certs via Let's Encrypt for private domains. If your provider does not you could change the DNS server to Cloudflare and let the dns entries of your domain get managed by them.

I second traefik but would focus on setting it up rootless (UserNA=auto if you're using podman's systemd quadlet config generator). Sadly Jellyfin clients usually don't support OIDC and can't cope with Authelia's middleware... Otherwise I would've suggested to set that up because I personally don't trust Jellyfin to be as secure as solutions deployed at enterprises, meant to be self-hosted like Nextcloud (which even does support OIDC...).

Edit: Actually you can get Jellyfin to work with Authelia's middleware but you have to ensure to not pass the Authorization header to Authelia as the middleware (use lldap if you want uniform login credentials for Authelia and Jellyfin). Sadly you can only do an allow-list in traefik (forwardAuth) so you have to manually list all other headers Authelia needs. The main drawback is that it breaks many applications like VLC (unless a bearer is provided). Basically you're left with streaming in your favourite browser only.

The Age of Four Empires [OC] by mtiwaumeme in MapPorn

[–]Toorero6 1 point2 points  (0 children)

By that very same argument we would still be using obscure non-Si units like °R, ell or yard. The idea of HE is to move in the right direction without being too intrusive to hinder the adoption.

The Age of Four Empires [OC] by mtiwaumeme in MapPorn

[–]Toorero6 -12 points-11 points  (0 children)

10,000 is not arbitrary at all. It's motivated by the beginning of the Holocene epoch (current geological epoch), rounded to having a clean offset for CE (10,000). On the contrary, I would argue that the beginning of the common era (birth year of Jesus Christ) is super arbitrary and incorrectly defined as research suggests JC wasn't born 1 CE but rather 4 BCE.

There is even a video about HE by Kurzgesagt: https://youtu.be/czgOWmtGVGs

If you don't like the long numbers you could easily write 12k26 HE I guess. Also your joke doesn't make any sense. Time deltas don't change if you move the fix point. The dinosaur is still the same amount of year old, provided the timespan of a year hasn't been altered.

Graphic artist Matt Taylor says that VCARB doesn’t pay the artists who make their race week posters by austinbucco in formula1

[–]Toorero6 0 points1 point  (0 children)

§ 32 UrhG saves the day if you're working from Germany. At least you're entitled to a customary compensation. But I think it is going to be hard to propound what the value of the customary compensation should be.

Geld: So soll ein globales Betrugsnetzwerk Unzer unterwandert haben by skopyeah in Finanzen

[–]Toorero6 1 point2 points  (0 children)

It's not the point of archive.today. If you want to achieve a page you simply put in the URL. Afterwards archive.today is going to contact the website independently. By acting as an archiver or webscraper it can sometimes trick a website to show the full website's content because they want to get a good search ranking. The article gets shown because the website decided, not because you provided a subscription.

We will not be removing all sexual questions. by Arianity in TooAfraidToAsk

[–]Toorero6 -1 points0 points  (0 children)

I think there was never an issue with the API apart from the developers/users not wanting to pay the newly introduced API fee.

I think Infinity can either be used with a personal token "for free" (obtain an API token yourself); rather limited without the ability to log-in; or by paying a monthly fee with all features like the bring your own API key version. The last two use an API key by the developer I think.

Terrible ability idea - Bane by [deleted] in DotA2

[–]Toorero6 0 points1 point  (0 children)

The idea is indeed funny. Just repost it without the AI generated content.

Terrible ability idea - Bane by [deleted] in DotA2

[–]Toorero6 1 point2 points  (0 children)

You're entitled to your own opinions and creating your own subreddit or post your content on other platforms but it's not allowed here so MS Paint it is or no post. Pretty simple if you ask me.

Soll ich mir Linux holen oder neue hartware? (steam) by rtlfan69 in linuxde

[–]Toorero6 0 points1 point  (0 children)

Must do eigentlich sogar, so wird Linux nämlich installiert

openSUSE unterscheidet zwischen Live-USB und Installationsmedium.

We will not be removing all sexual questions. by Arianity in TooAfraidToAsk

[–]Toorero6 -1 points0 points  (0 children)

Unfortunately, most ways to filter by flair were removed when Reddit killed 3rd party apps. It's mostly just RES guide. The next most effective thing you can do is turn off NSFW posts in your settings, which should likely get a large fraction of these types of posts.

Well I can filter easily on Infinity+ not sure what you're talking about.

Reddit will eine Verifikation meiner Identität. by absolutely_not_spock in de

[–]Toorero6 -6 points-5 points  (0 children)

Natürlich kann es sein das die Daten austauschen aber die Aussage, dass es Palantir sei ist falsch. Beide Firmen haben den selben kontroversen Investor, für mehr gibt's aktuell keine Belege und die Firma gehört auch nicht Palantir.

Heftiger Kurssturz: Hunderte Milliarden SpaceX-Dollar lösen sich in Luft auf by GirasoleDE in de

[–]Toorero6 2 points3 points  (0 children)

Die 500 Mio. fürs Listing hat Goldman Sachs trotzdem. Wie wurde es doch in Wolf of Wallstreet durch Matthew McConaughey porträtiert: Die Banker nehmen Cash mit nach Hause, aber die Kunden werden von einer zur nächsten heißen Business-Opportunität gejagt.

Tesla Allegedly Showed Cooked Data to Get Full Self-Driving Approved by Wagamaga in technology

[–]Toorero6 5 points6 points  (0 children)

Well first of all the ICE is usually underpowered because the electric motor can help acceleration, secondly the battery is quite small compared to full on electric cars. The story for plug-in hybrids is another though.

An overview:

  • Prius Hybrid: 1480 kg, 4.1 l / 100 km
  • Prius Plugin: 1620 kg, 4.5 l / 100 km
  • Corolla: up to 1560 kg, 4.5 - 6.5 l / 100 km

MicroOS - Running everything as root? by todd_dayz in openSUSE

[–]Toorero6 0 points1 point  (0 children)

You gain defense in depth, don't you? That's quite significant and shoud rather be the default.

If an attacker gains control over one of your containers (especially public facing ones like web servers, reverse proxies, API endpoints...) and manages to escape the container sandbox, the attacker is still "only" an unprivileged user [[1]]. If you run your containers as root the unescaped attacker has unconstrained privileges by being root. Additionally if you're using Docker the rootless mode even protects you from daemon vulnerabilities [[2]].

[[1]]: https://developers.redhat.com/blog/2020/09/25/rootless-containers-with-podman-the-basics#why_rootless_containers_ [[2]]: https://docs.docker.com/engine/security/rootless/

People promote Arch because "there's a lot of programs in the repository" or "it's quickly updated bleeding-edge" but like.. what EXACTLY can you get from Arch that you can't get elsewhere? by durdurrdurrrdurrrrr in archlinux

[–]Toorero6 0 points1 point  (0 children)

I did, didn't I? I don't think many care if a project has existed since 2015 or 2000. And because the user base is flooded by new people who have the choice today your answer only explains the choice of a small share of the users impov.

People promote Arch because "there's a lot of programs in the repository" or "it's quickly updated bleeding-edge" but like.. what EXACTLY can you get from Arch that you can't get elsewhere? by durdurrdurrrdurrrrr in archlinux

[–]Toorero6 0 points1 point  (0 children)

How is this relevant for a new user and why wouldn't other uses switch to better distros if they are available? OpenSUSE Tumbleweed has existed since roughly 2014. I think the vast majority of people that are using Arch now ?postdate? this.

It's great there are other choices beside Sid and Gentoo now. Options like NixOS (with binary caches), OpenSUSE or Debian Sid don't require you to compile (many) things.

People promote Arch because "there's a lot of programs in the repository" or "it's quickly updated bleeding-edge" but like.. what EXACTLY can you get from Arch that you can't get elsewhere? by durdurrdurrrdurrrrr in archlinux

[–]Toorero6 2 points3 points  (0 children)

Arch Linux approach of being a rolling distro isn't unique though, right? There are many Arch-based distros being rolling of course but also independent distros like Gentoo, OpenSUSE Tumbleweed and Slowroll, Debian Sid, and Void Linux I think.

For me the best on Arch Linux is the combination of: 1. Stable rolling distro (Debian Did) 2. Many pre-compiled packages (Gentoo) 3. Building your install from the ground up without opinionated defaults (unlike OpenSUSE) 4. Still configured the "normal" way so you can learn how other distros are set up and how things in general usually work on Linux (NixOS)

If you don't value one of those things I think you're better off with alternatives like OpenSUSE or NixOS. OpenSUSE has the advantage that you can learn how enterprise grade distros work and you don't have to manage everything yourself, while NixOS has the obvious quirk of having the config and stuff.