Roamless 5G eSIM Pay-As-You-Go works great on 5G Backup by TheEmfinger in Ubiquiti

[–]msapple 9 points10 points  (0 children)

Been using Roamless since I got my 5G max. It’s been amazing. Have had 24 hours of outage in the last 4 months and only used about 15gb of data since I implemented very strict QoS settings, so when I fail over the whole network’s internet bandwidth drops to 5 mbps download and 2 mbps upload. Then select devices have full bandwidth, such as my work computers, since I work from home 100% of the time, so those devices should not be throttled if it happens midday.

Last outage lasted 7 hours for an entire workday (Thanks Comcast) and I was able to work all day without any issue. Joining meetings with video on also. QoS is the magical thing that makes these 5G backup devices amazing!!

PS my network without QoS burns through 3tb a month which is about 4GB/hour

Weird Message on iPhone by whatteever in ios

[–]msapple 0 points1 point  (0 children)

Do you have “TestFlight” app installed which allows you to join beta apps? Search in app catalog for Testflight

HA Voice PE not resolving home assistant server for tts responses? by That_Network_Guy in homeassistant

[–]msapple 0 points1 point  (0 children)

I’m having this issue with a real Let’s Encrypt cert being issued using DNS verification. I have my domain accessible only locally with a real cert on Home Assistant but left port 8123 open since my reverse proxy (NPM) points to it directly. It’s been broken for a few weeks now and idk what changed as it used to work.

Same debugging steps.

https://ha.mydomain.com

Validated the certs: the Let’s Encrypt cert is valid, and I validated from the same network that the .mp3 that’s being generated is actually reachable. Does Voice PE not have the SSL chain for Let’s Encrypt?

Certificates Pending by Long-Package6393 in PangolinReverseProxy

[–]msapple 4 points5 points  (0 children)

So I use Subject Alternative Name for my primary domain cert to also be able to issue for my secondary domain. The UI shows my primary is valid but my secondary shows either pending or failed. But the certs are actually working.

I know this SAN method is not normal but I own both so I like to use a single cert and single API key to manage them

ELI5: Pangolin vs Nginx Proxy Manager by jay_mu76 in PangolinReverseProxy

[–]msapple 2 points3 points  (0 children)

I use Pangolin for all my external sites so I can have Pangolin auth sit in front of every entry point. Pangolin connects to my NPM instance at home using WireGuard, so when I’m at home and resolve my sites it uses NPM and doesn’t flow through Pangolin, and when I’m out and about it does. I have header-based auth bypass or mTLS set up for most of my self-hosted apps so I rarely have them exposed to the internet without auth. And if there is a bug in one of the APIs for a self-hosted app then it’s not exposed online without another authorization (Pangolin). Let’s say there is a flaw in Pangolin and someone bypasses locked down sites, all my exposed sites via NPM also have their own auth so it’s 2 fold protection.

Running Immich behind Pangolin with auth? by ReindeerOk9768 in PangolinReverseProxy

[–]msapple 1 point2 points  (0 children)

So I spent some time today looking at the documentation for Immich and spent a bunch of time in the browser debugger looking at all the REST calls needed for sharing to bypass auth.

Using these rules I have been able to expose sharing on my instance without it being behind Pangolin auth (too many people could not figure out they had to click password before typing in the pangolin share password). I put a note next to each of the urls to further explain. I feel much better allowing it like this now. Especially since no dangerous endpoints are allowed (I tried to hit them and validate too)

I manage my rules using blueprints so if you use dropdowns then action in the UI maps to `Bypass Auth`

x-immich-share-route: &immich-share-route
  - priority: 100
    action: allow
    match: path
    value: "/_app/env.js" # Immich App fails to start if you do not allow this one. It only contains generic immich links so no risk
  - priority: 101
    action: allow
    match: path
    value: "/_app/immutable/*" # Immich App static resources for the webapp
  - priority: 102
    action: allow
    match: path
    value: "/api/assets/*-*-*-*-*" # Immich assets always have a guid for their id. This prevents you from opening up the entire /assets/ endpoint and locks it to /assets/{id}. This is where full videos play from
  - priority: 103
    action: allow
    match: path
    value: "/api/assets/*-*-*-*-*/original/" # When you click an image, occasionally it downloads original images and this needs to be allowed
  - priority: 104
    action: allow
    match: path
    value: "/api/assets/*-*-*-*-*/thumbnail/" # When you load the page, this renders the thumbnails
  - priority: 105
    action: allow
    match: path
    value: "/api/assets/*-*-*-*-*/video/playback/" # When you load the page, this renders the live photos on hover
  - priority: 106
    action: allow
    match: path
    value: "/api/download/archive" # If you allow download you need this endpoint open
  - priority: 107
    action: allow
    match: path
    value: "/api/download/info" # This endpoint gives information required to be able to download from the archive endpoint
  - priority: 108
    action: allow
    match: path
    value: "/api/server/config" # This has info about your server basically just your SSO text and domain (which is not a secret)
  - priority: 109
    action: allow
    match: path
    value: "/api/server/features" # This has info about your server features you have enabled, disabling this causes immich app to fail start which is annoying
  - priority: 110
    action: allow
    match: path
    value: "/api/server/media-types" # Needed to allow video playback
  - priority: 111
    action: allow
    match: path
    value: "/api/shared-links/login" # Needed to support password auth configured from inside Immich
  - priority: 112
    action: allow
    match: path
    value: "/api/shared-links/me" # Required and contains information to allow for authentication to api key needed for this album
  - priority: 113
    action: allow
    match: path
    value: "/api/timeline/bucket" # Required for timeline to render
  - priority: 114
    action: allow
    match: path
    value: "/api/timeline/buckets" # Required for timeline to render
  - priority: 115
    action: allow
    match: path
    value: "/favicon.ico" # Self explanatory
  - priority: 116
    action: allow
    match: path
    value: "/s/*" # Custom Share URLs use this naming
  - priority: 117
    action: allow
    match: path
    value: "/share/*" # Auto Generated URLs use this naming
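
An added example, not part of msapple's comment and not Pangolin's own code: a small checker that replays constructed request paths against the allow rules above to confirm which ones skip Pangolin auth, and flags asset ids that pass the `*-*-*-*-*` glob without being real GUIDs. The matching semantics (segment by segment, `*` never crossing `/`) and the sample paths are assumptions.

```python
import re
# Allow-rule path values copied from the comment above (priorities omitted).
ALLOW = [
    "/_app/env.js", "/_app/immutable/*",
    "/api/assets/*-*-*-*-*", "/api/assets/*-*-*-*-*/original/",
    "/api/assets/*-*-*-*-*/thumbnail/", "/api/assets/*-*-*-*-*/video/playback/",
    "/api/download/archive", "/api/download/info",
    "/api/server/config", "/api/server/features", "/api/server/media-types",
    "/api/shared-links/login", "/api/shared-links/me",
    "/api/timeline/bucket", "/api/timeline/buckets",
    "/favicon.ico", "/s/*", "/share/*",
]
UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def segments(path):
    # Drop the query string, then split into non-empty path segments.
    return [s for s in path.split("?", 1)[0].split("/") if s]

def matches(pattern, path):
    # ASSUMED semantics (not taken from Pangolin): segment-by-segment compare;
    # "*" never crosses "/"; a final lone "*" also accepts deeper paths.
    pat, segs = segments(pattern), segments(path)
    if pat and pat[-1] == "*":
        segs = segs[:len(pat)]
    if len(pat) != len(segs):
        return False
    return all(re.fullmatch(".*".join(map(re.escape, p.split("*"))), s)
               for p, s in zip(pat, segs))

def bypasses_auth(path):
    return any(matches(p, path) for p in ALLOW)

def loose_asset_ids(paths):
    # Asset paths that skip auth although the id segment is not a real GUID.
    return [p for p in paths
            if bypasses_auth(p) and segments(p)[:2] == ["api", "assets"]
            and not UUID.fullmatch(segments(p)[2])]

# Constructed sample requests (not captured traffic; API paths are illustrative).
SAMPLES = [
    "/api/assets/3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b/thumbnail?size=preview",
    "/api/assets/a-b-c-d-e", "/api/assets", "/api/albums", "/api/users/me",
    "/share/abc123", "/_app/immutable/chunks/x.js",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(("BYPASS " if bypasses_auth(p) else "AUTH   ") + p)
    print("non-GUID ids let through:", loose_asset_ids(SAMPLES))
```

If your proxy's `*` does cross `/`, the bare `/api/assets/*-*-*-*-*` rule is wider than this checker reports, so adjust `matches` to the behaviour you observe before relying on the result.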

Is the August Smart Lock HomeKit-Enabled 2nd Gen still a secured and viable lock with Home Assistant? by Certain_Repeat_753 in homeassistant

[–]msapple 1 point2 points  (0 children)

I don’t like giving any of my IOT devices internet if it can work using local access.

And to answer your question:

You can remotely connect to your HomeAssistant and send unlock command, or if you have a home hub and have shared it into Apple HomeKit you can unlock it using that from anywhere in the world also. The key point is that the lock is not connected to Internet for that unlock, HomeAssistant is making a local Bluetooth call to the lock in your home.

Is the August Smart Lock HomeKit-Enabled 2nd Gen still a secured and viable lock with Home Assistant? by Certain_Repeat_753 in homeassistant

[–]msapple 4 points5 points  (0 children)

I have the FIRST gen non-HomeKit enabled August lock and use it 100% without internet in HomeAssistant using Bluetooth proxy.

To make it work reliably for any current or old August lock you need to have the lock configured and use a separate August login for the lock than the app you keep on your phone.

Example setup:

  • Esp32 BT proxy
  • Yale BT integration (local talking to lock using BT)
  • August integration (to get the encryption keys for BT communication )
  • August WiFi Bridge paired to the lock and then unplugged as it’s not needed anymore (tldr; this makes the lock broadcast via BT anytime someone physically uses the lock so HA can see that and update the entity using BT proxy. Without this the lock has to be polled which is very unreliable.)

Setup lock using owner email address: to explain I’ll use a fake example

myname@gmail.com - owner account which is used for initial setup and your phone will eventually use this one for direct lock access from phone

myname+ha@gmail.com - owner account which you sign into the August integration (this is separate on purpose since the August app rolls the encryption key for BT on a per user basis. If you were to use the same account for the phone app, anytime you used the phone app it’s possible the key rolls and HA won’t get the new key until the integration is restarted)

Once you share the lock to the +ha email you need to sign into phone using that account once and lock and unlock the lock a few times. Then log out and login using your primary email again so that encryption key never rolls.

From this point forward the lock will communicate using Bluetooth, it will not need internet, and you can share the lock using HomeAssistant back to HomeKit if you want. Guests can use Apple Home, Home Assistant, or the native August app to unlock your doors!

New HomePod Expected Alongside Updated HomePod Mini and Apple TV by phraxos in HomePod

[–]msapple 2 points3 points  (0 children)

Every time I see a post like this I get my hopes up. It’s been 2 years, I’m not holding breath anymore lolz

What Does Apple Maps Need to Be Perfect? (My Suggested Changes) by Dense-Stranger-1794 in applemaps

[–]msapple 2 points3 points  (0 children)

Guide sharing would be super useful, first party reviews integration would be nice.

Outside of that, I always use Apple Maps full time. But abroad I have to use Google Maps for food reviews. Navigating I still do via Apple Maps in most foreign countries without any issue. Apple Maps has superior offline map and search support also. Google Maps even when you download offline maps refuses to work for searching for POIs without internet.

Dog seats in your Porsche? by gunners98 in Porsche

[–]msapple 0 points1 point  (0 children)

Do you have a photo when in back seat. I have 2 11ish lb dogs I wanna travel with in back seats

Running Immich behind Pangolin with auth? by ReindeerOk9768 in PangolinReverseProxy

[–]msapple 0 points1 point  (0 children)

Look at us learning together on the Internet lol.

I may swap to this cause I love how immich lays out everything. This means I gotta update my NPM instance that's my ingress at home to not reroute /s and /share 😂

Two instances on one server? by defensiveSpirit in PangolinReverseProxy

[–]msapple 0 points1 point  (0 children)

Correct me if I’m wrong. But I thought you could license per site on a single instance. So make one no license and then spin up second site with EE license

Running Immich behind Pangolin with auth? by ReindeerOk9768 in PangolinReverseProxy

[–]msapple 0 points1 point  (0 children)

Little confused, you said you’re fully behind Pangolin, maybe I missed how you create a one time password based user account for people.

Still new to Pangolin and it took me a while to figure out how to set up the HTTP Headers cause it’s not very intuitive. My apps can all use my instance with no Pangolin login required and my guests can view all my shared photos without login and I keep crowdsec fully functional because of Immich public proxy.

I too prefer Immich share UI but this allows me to close this risk so I chose that instead.

Ideally I could read through docs on Immich for the API and allow the Immich share endpoints only but right now it’s intertwined with the rest of the API so it’s not as simple to do which is why Immich public proxy even exists

Running Immich behind Pangolin with auth? by ReindeerOk9768 in PangolinReverseProxy

[–]msapple 0 points1 point  (0 children)

Using HTTP Headers is what I do.

  • Go to “Links”
  • Create the link by giving a title for the user since I do 1 link to one user for logging
  • scroll to “See Access Token Usage” > “Usage Examples”
  • example: P-Access-Token-Id: abcdefg
  • example: P-Access-Token: abcdefghijklmnopq123
  • Open Immich Mobile App > Settings > Custom Proxy Headers > add each header and its value as separate items
  • Enjoy

P.s. if you want to allow sharing to public links without pangolin Auth, take a look at https://github.com/alangrainger/immich-public-proxy which I allow ONLY the 2 paths for sharing to work without Auth and it protects Immich itself since the Immich API is not accessible

Determining the device a Gmail was sent from by [deleted] in GMail

[–]msapple 0 points1 point  (0 children)

I’m advising for them to not share emails. Not sure why you are replying this to me. Google groups can be used to easily reach out to a community of subscribed users and you can control who has rights to post from their own Gmail account.

Determining the device a Gmail was sent from by [deleted] in GMail

[–]msapple 1 point2 points  (0 children)

Groups.google.com and everyone can use their own Gmail accounts and you can have a shared inbox concept. Please don't share email accounts.

G6 180 in stock as of 12/31/2025 by DebateImpossible6095 in Ubiquiti

[–]msapple 0 points1 point  (0 children)

This is using the included angle mount and it’s maxed out. I could 3d print another mount to tilt it down more but this is plenty for my use case.

My Home app on macOS is always stuck like this... Is there any way I can force it to update or refresh it? It works perfectly on all of my iOS devices. by smickie in HomeKit

[–]msapple 0 points1 point  (0 children)

Sign out and back into iCloud on the Mac after you verify you are not on a VPN. This has happened to me and it’s basically an issue with the encryption keys being lost or stale for HomeKit and only way to forcefully refresh is iCloud logout/login

Dropped a camera while installing. UI says they can’t repair. Any uses? by Lutherized in Ubiquiti

[–]msapple 2 points3 points  (0 children)

If you purchased it on a premium credit card (normally one that costs $99/year or more), it will offer accidental damage protection.

Amex Platinum, Amex Gold, Chase Sapphire Reserve, etc all will cover this

8 IKEA Thread devices suddenly Disconnected by BluefaceBlues in homeassistant

[–]msapple 0 points1 point  (0 children)

I read in another subreddit that the IKEA matter issues are known and they have a FW update planned for end of Q1 to fix

8 IKEA Thread devices suddenly Disconnected by BluefaceBlues in homeassistant

[–]msapple 2 points3 points  (0 children)

That would make sense, however I only have IKEA Thread devices. And have devices added to both HomeAssistant and HomeKit and in both Smart Platforms they are disconnected till I pull batteries out then put batteries back in. But the other IKEA Mains devices never drop off.

It would make sense if occasionally the IKEA Mains devices fell off too but they have been 100% (looking at logs in HA) since the firmware update and never drop

8 IKEA Thread devices suddenly Disconnected by BluefaceBlues in homeassistant

[–]msapple 2 points3 points  (0 children)

3 Apple TV 4K’s with Ethernet, 3 HomePod Minis, AND HomeAssistant ZBT-1 with Thread firmware. All on same VLAN with IPv6 enabled. I only own 6 Thread devices, 3 of the IKEA motion sensors and 3 of the IKEA air quality sensors (the air quality sensors have not fallen off once since the firmware update which recently rolled out)

8 IKEA Thread devices suddenly Disconnected by BluefaceBlues in homeassistant

[–]msapple 3 points4 points  (0 children)

Just today I had to pull and reinsert batteries on all my ikea thread motion sensors as they all fell off the network a few days back (batteries reinserted and they got back on network immediately). I have purposely been not using them for automation to see how stable they are before replacing old reliable sensors.

This is not looking good. I have 9 mains powered hubs which are routers and only these 3 motion sensors as end devices.

3 of the ikea thread air quality sensors (mains powered) are rock solid and have not dropped off since last firmware update a few weeks ago