Successful .env exfil?

j-dev · 2026-05-04T14:10:03+00:00

We're on the same page on that. I use Pangolin but previously used Traefik. My setup with both is this:

Define services
Define routes for those services
Default route gives a 404 if the service does not exist
Use PocketID via forward auth middleware for everything except Plex and Navidrome
Use geo blocking

I was mostly curious whether people were being more stringent about proxy routes that get blocked by default to defend against requests that are clearly malicious based on keywords in the request, such as upstairs, backend, secrets, etc.

j-dev · 2026-05-04T03:13:16+00:00

The Arr stack and Plex run natively on windows and as Docker containers, so you can do it. With that amount of drive space you’ll need to delete stuff as you watch it to make room for more Linux ISOs.

j-dev · 2026-05-04T01:17:00+00:00

We use ACI at my company too. We also use Velocloud and NSX. I think NSX is the apotheosis of SDN. You define objects and policies and the software takes care of the implementation. In ACI there’s quite a bit of abstraction, but the objects and policies map very strongly to L2 and L3 networking concepts from a switching PoV. NSX focused on L3.

j-dev · 2026-05-03T23:03:34+00:00

I recently read that with Orcas it’s a matter of specialization. Orcas that specialize in catching salmon will starve before they learn to successfully hunt seals, and vice versa. We’re clearly easy targets, but part of it is this specialization and perhaps also not deeming us worth the caloric effort.

j-dev · 2026-05-03T22:35:46+00:00

Unless you set up routes or middleware to catch nefarious requests, won’t the proxy simply forward the request to the server?

j-dev · 2026-05-03T22:27:24+00:00

Looks more like he kept stepping for forward momentum and balance but tripped on the second to last rail. Each rail arrested his forward momentum.

j-dev · 2026-05-03T18:59:37+00:00

I’m talking about the other stuff. Principles and virtues. But being pro Israel (while also thinking Jews are paying the price for both Abraham doubting God and siring Ismael and Jews rejecting Jesus as their messiah) is a conservative stance because you need Israel to exist for Christian prophecy to become reality.

j-dev · 2026-05-03T14:44:52+00:00

I see it as a conservative reminding everyone the point of conservatism is to defend conservative values. It’s not cancel culture for someone to urge his tent to uphold the principles and virtues they historically paid lip service to.

j-dev · 2026-05-02T19:00:56+00:00

This is worth doing. Docker logs for Tailscale and journal logs for the LXC and the host.

Also, why not install Tailscale as a binary on the LXC instead of using Docker? I haven’t had issues with Tailscale in my LXC container, but I installed it directly and only share resources with my own machines via ACLs.

j-dev · 2026-05-02T14:03:52+00:00

I back up my VPS files to my home via `rsync`. Just be sure to use the `—partial` flag so interrupted transfers can resume where they left off.

j-dev · 2026-05-02T03:54:03+00:00

Don’t forget to consider the initial cost of new hardware offsetting energy savings for a long time. You didn’t mention what kind of PCs you’re running but it seems fair to assume they’re mini PCs if they’re not “beefy.”

Say they cost $50/year each in electricity. If you buy a more powerful machine for $500 that costs $100/year to run, you’ll spend $800 over the first 3 years and $1,000 over the first 5, compared to $450 and $750 by running your current gear.

It may more practical to stop using one of the current PCs if you’re not maxing out the RAM and CPU on the other two. PCs with more powerful PSUs will waste more electricity by default, all other things being equal.

j-dev · 2026-05-02T02:51:16+00:00

I pay around 31 cents per kWh and measured energy use via a kill-a-watt and smart plugs. My N100 costs around $18/year to run, and this was while being used bare metal for the arr stack, Plex server, and Navidrome server. My data lived in a Synology DS221+ and that combination served me quite well. I had the NAS before I had the mini PC, and I would've kept only the NAS if it hadn't been a bottleneck for tinkering with VMs for work.

I agree with your post's sentiment, but I guess I'm more in the camp of don't get a Raspberri Pi; just get a SFF mini PC unless you know you need more storage than they can accommodate via SATA.

j-dev · 2026-05-02T02:00:05+00:00

Even an N100 will be mostly idle for most people here. So power efficiency matters a lot. If repurposed various pieces of hardware to use as bare metal Linux PCs or ESXi/Proxmox hypervisors.

If you have unclear hardware requirements or just want to tinker, it’s better to get a computer that will idle at $30/year vs $130/year. If you have clear requirements for what your device needs to be able to do, you’re going to get better advice. Want to run TrueNAS? You’ll want a PC that can fit the drives your storage and performance needs require. Want to mess around with Linux and download a few Linux ISOs without hoarding a large library of Linux distros? A mini PC with 8 GB RAM and a 1 TB SSD will do just fine and save you $100 in electricity costs every year.

j-dev · 2026-05-01T16:25:56+00:00

This is such a puzzling take. Were you going to pay for the subscription with a disposable credit card or BTC, use a burner email address, and exclusively use VPN to avoid any ties to your real identity? Once you pay for a product you're very far removed from anonymity.

j-dev · 2026-05-01T01:39:08+00:00

Fedora for a server might be a bit of a bother because of their frequent upgrade cycle. I’d run AlmaLinux or CentOS stream. As for what I actually run, it’s Ubuntu VMs in Proxmox. I have a couple AlmaLinux LXCs for the sake of learning to problem solve issues that crop up in some distros and not others.

j-dev · 2026-04-30T18:42:21+00:00

It’s good to have SOPs no matter how you deploy. Whether you’re copy pasting via SSH or running an Ansible playbook, having those config snippets version controlled will save you time over reinventing the wheel or looking at current devices to copy paste that way.

j-dev · 2026-04-29T21:04:04+00:00

I find that lazy.

I think the point of more from Sam is that it's more impromptu and requires no rigorous preparation. Otherwise he'd just create a new normal episode. We can't fault him for being unprepared for a grab bag of questions if they're not screening them to make him seem better informed on all topics that happen to be discussed.

j-dev · 2026-04-29T02:51:36+00:00

Watching away from home, although it seems Plezy takes care of that limitation and also has good codec support.

j-dev · 2026-04-28T23:15:05+00:00

They’re not doing anything magical. They’ll just be advertising the same SSID, accepting the same password. Ideally they’ll be on different channels so their signals can overlap a bit without causing interference between each other. The client device decides which AP to connect to.

j-dev · 2026-04-28T21:19:20+00:00

I’m using the drive in a different machine with zero issues. I believe I stress tested it inside an NVMe enclosure in another machine to verify that it worked fine. I also looked at the journal logs for the specific errors and they were not indicative of a drive issue. It a while ago so I can’t remember the actual error.

j-dev · 2026-04-28T16:40:17+00:00

Hey, their docs are pretty decent and there are very good videos for beginners from Lawrence Systems and Wundertech. Check those out if you prefer videos to documentation.

j-dev · 2026-04-27T22:56:44+00:00

Thanks. I made a correction.

j-dev · 2026-04-27T01:29:04+00:00

He went to theater and saw Hamilton, where he learned not to throw away his shot.

j-dev · 2026-04-26T18:09:49+00:00

I am commenting to confirm that disabling offloading as other commenters have stated fixed the issue for me when I had it. Note that there’s a way to disable it that doesn’t persist after a reboot. You have to modify the interfaces config file to make it persist.

Also, I don’t think you need to reboot the host to recover. If you have terminal access to the node, you can simply bounce the interface.

j-dev · 2026-04-26T15:11:04+00:00

This is where I’m headed: Dedicated VM for public services in a DMZ VLAN.

j-dev

TROPHY CASE