FrederikNJS
- 0 Posts
- 20 Comments
While PETG certainly has a lot more moisture problems than PLA, PLA can still give you a lot of grief if it isn’t dry enough. Stringing, oozing, uneven extrusion, and many other weird problems. I would definitely try to dry the filament…
But this could also look a bit like over/under-extrusion… Have you tried calibrating your e-steps?
FrederikNJS@piefed.zip to Selfhosted@lemmy.world • How would you expose Jellyfin securely without a vpn? (English)
1 · 1 month ago
The containers in my setup are running in a Kubernetes cluster. My Kubernetes cluster consists of 3 physical servers (one old desktop computer and 2 Intel NUCs).
On that cluster I run many different things, Jellyfin, Plex, *arr-stack, downloader, Immich, zigbee2mqtt, home-assistant, audiobookshelf, calibre-web, Forgejo, ArgoCD, Homebox, Paperless, Factorio servers, Velero, and a bunch of other stuff.
Because I run so many different things on the same 3 physical machines, using containers, there’s no way to split this into VLANs.
I could make a “kubernetes” VLAN, but everything else on my network would need to be connected with it anyway. All my computers, phones and TVs need to access Kubernetes (Jellyfin), and Kubernetes needs to access everything else such as the EV charger, heat pump, and the power monitoring in my power meter. Therefore I need to control my networking at a different level.
FrederikNJS@piefed.zip to Selfhosted@lemmy.world • How would you expose Jellyfin securely without a vpn? (English)
2 · 1 month ago
Yes, that does indeed sound like you have all the stuff necessary to make this work.
In my home network this wouldn’t work, as I’m running all my stuff in containers on multi-purpose servers, and therefore I can’t really split things per VLAN. Most other people in the homelab/self-host community also use their servers for multiple purposes at the same time, so VLANs alone often don’t cut it.
FrederikNJS@piefed.zip to Selfhosted@lemmy.world • How would you expose Jellyfin securely without a vpn? (English)
1 · 1 month ago
That depends a lot on what you do with them…
VLANs work on a layer where devices can either reach each other or they cannot.
Let’s say you have your main desktop computer in the “main” VLAN, and your Jellyfin server in the “jellyfin” VLAN, and a third server for your home-assistant in the “home-assistant” VLAN, and finally some IOT devices in the “iot” VLAN.
You connect the VLANs as follows:
- “main” can reach the Internet, but you also want to access your jellyfin and home-assistant, so you connect it to those two VLANs (“jellyfin” and “home-assistant”)
- “Jellyfin” can reach the Internet (because you want updates), but Jellyfin doesn’t need to reach anything else on your local network… However since you already connected “main”, then “jellyfin” can reach it.
- “home-assistant” needs to reach the Internet, but also the “iot” VLAN where some of the devices it controls reside. You also already connected “main” because you wanted to access home-assistant from your computer.
- “iot” is blocked from reaching the internet, and it’s only connected to the “home-assistant” VLAN because home-assistant needs to reach it.
Remember that all connected VLANs must be bidirectional.
Now someone compromises your Jellyfin. They now control and have access to everything on the Jellyfin server, but they also have network reachability to your main computer, because your “main” and “home-assistant” VLANs are connected. They can now try to exploit your main computer.
If they are successful in exploiting your main computer, then they can use your main computer to jump to the home-assistant server because again, these two VLANs are connected. And you likely have the credentials for accessing home-assistant available on your main computer somewhere.
Now they are on your home-assistant server, and they can now start trying to exploit your IOT devices.
If VLANs are connected, they don’t care which direction the traffic flows.
If you want to control traffic flow directions you need a firewall. A firewall can sit between VLANs and block traffic coming from one to the other, but not from the other to the one.
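The reachability argument in the comment above, written out as a small model (an added example, not code from the comment or from any project): VLAN links are treated as bidirectional edges, firewall rules as one-directional edges, and a breadth-first search shows what a compromised “jellyfin” segment can reach under each design. The VLAN names and rule set are constructed from the scenario in the comment; Internet egress is left out of the model.

```python
"""Reachability model for a VLAN layout: bidirectional links vs. firewall rules."""
from collections import deque

# Constructed from the scenario above: pairs of VLANs that are connected.
# A VLAN link carries traffic both ways, so each pair becomes two edges.
VLAN_LINKS = [
    ("main", "jellyfin"),
    ("main", "home-assistant"),
    ("home-assistant", "iot"),
]

# Firewall design: only the intended initiator may open connections
# (source, destination). Reply traffic is handled by the stateful firewall,
# so the destination never gets an edge back to the source.
FIREWALL_RULES = [
    ("main", "jellyfin"),
    ("main", "home-assistant"),
    ("home-assistant", "iot"),
]


def bidirectional_graph(links):
    """Adjacency map where every link is usable in both directions."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def directional_graph(rules):
    """Adjacency map where only the allowed initiator direction exists."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable_from(graph, start):
    """Transitive reachability (BFS) from a compromised segment, excluding itself."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


if __name__ == "__main__":
    print("VLANs only:", sorted(reachable_from(bidirectional_graph(VLAN_LINKS), "jellyfin")))
    print("With firewall:", sorted(reachable_from(directional_graph(FIREWALL_RULES), "jellyfin")))
```

With plain VLAN links a compromised jellyfin segment can reach main, home-assistant and iot in turn; with one-directional rules it can initiate connections to nothing, while main keeps its intended access.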
FrederikNJS@piefed.zip to Selfhosted@lemmy.world • How would you expose Jellyfin securely without a vpn? (English)
1 · 1 month ago
If Jellyfin gets compromised, you risk everything else on the same server getting compromised, as well as everything that server can reach.
VLANs can certainly reduce what is at risk, but wouldn’t the machine running the Jellyfin client be reachable from the Jellyfin server? And if they manage to move laterally to the client machine, what could they then reach from there?
FrederikNJS@piefed.zip to Selfhosted@lemmy.world • How would you expose Jellyfin securely without a vpn? (English)
7 · 1 month ago
Sure… If someone managed to stream some of my media… They probably earned it… But then they exploit a vulnerability to perform arbitrary code execution, and leverage that to hack everything else on my network…
FrederikNJS@piefed.zip to Technology@lemmy.world • A security researcher says Microsoft secretly built a backdoor into BitLocker, releases an exploit to prove it (English)
331 · 2 months ago
Dunno… Somehow that seems like a feature to me 😉
FrederikNJS@piefed.zip to Technology@lemmy.world • Microsoft BitLocker-protected drives can now be opened with just some files on a USB stick — YellowKey zero-day exploit demonstrates an apparent backdoor (English)
31 · 2 months ago
Well… That depends entirely on your threat model…
In my setup, the backup is encrypted locally, and then uploaded to Backblaze. If I leak my encryption key, then yes, Backblaze and any state actor that can compel Backblaze, might be able to read my backup (and the same goes for an encryption vulnerability). But since the connection to access the backup is also authenticated, the rest of the public would not be able to read my backup. If I leak my access credentials, then everyone could get my encrypted backup data, but not be able to decrypt it. Of course if I leak both the access credentials and the encryption key, then yes anyone that obtains both can read my backup.
Many regular people use Microsoft OneDrive or Google Drive, which offer even less protection, but it’s certainly sufficient and well enough protected to keep your dissertation protected.
In most backup services you have the option to choose what gets backed up, and what does not. But sure, it entirely depends on who you want to protect yourself from.
If your main concern is state actors, then yeah… You probably shouldn’t use something like Backblaze. You should keep everything on your own hardware. And convince a friend or some family to have a NAS sitting somewhere that can host your backup destination.
For my case I’m mostly concerned about data continuity (not losing data). But privacy is certainly also a concern, and here I have chosen to believe that the encryption is sound enough, and that my ability to keep my encryption key safe, is sufficient for the data it protects.
FrederikNJS@piefed.zip to Technology@lemmy.world • Microsoft BitLocker-protected drives can now be opened with just some files on a USB stick — YellowKey zero-day exploit demonstrates an apparent backdoor (English)
2 · 2 months ago
Nice to hear… However I haven’t figured out how to get my HTC Vive to behave nicely on Linux…
FrederikNJS@piefed.zip to Technology@lemmy.world • Microsoft BitLocker-protected drives can now be opened with just some files on a USB stick — YellowKey zero-day exploit demonstrates an apparent backdoor (English)
25 · 2 months ago
- Find online backup service
- Pay for subscription
- Install backup software
- …
- Still have your data
I use Backblaze myself… But there are many other straightforward and easy backup solutions out there.
FrederikNJS@piefed.zip to Technology@lemmy.world • More Than Half of Gen Z Users Cancel and Renew Streaming Services for a Single Title, Won’t Purchase Full-Price Video Games, New Study Finds (English)
8 · 2 months ago
Then again, the Factorio devs publicly said they much prefer that you pirate the game over using a shady grey market key seller…
And when you set up a multiplayer server there’s even a checkbox to choose whether it should validate that players have a user account… Untick that and you can play with anyone who pirated the game.
To me it’s a pretty clear message from the devs: If you want the game, and want to support the developers, and can afford it, you buy it at full price. If you don’t want to support the devs or can’t afford it, but still want to play, you pirate it. And they even have a free demo, so you can try the game before making your purchasing decisions.
Or in some cases ONLY allowing them to reach the Internet. So they can’t access your other devices…
FrederikNJS@piefed.zip to Technology@lemmy.world • Raspberry Pi gets eye-watering price rises, new 3GB RAM model (English)
921 · 3 months ago
I realised a while ago that it’s way cheaper to hunt for second-hand Intel NUCs, and the resulting machine is way more powerful… And the RAM and storage are upgradeable, if the NUC didn’t come with plenty of storage or RAM already…
FrederikNJS@piefed.zip to Technology@beehaw.org • US bans any new consumer-grade routers not made in America (English)
9 · 3 months ago
The “routing” can still refer to routing to devices attached via a switch. So no need for a third port to qualify as a router.
FrederikNJS@piefed.zip to Selfhosted@lemmy.world • Watchtower replacement recommendations (English)
12 · 3 months ago
All my docker images are in code in GitHub.
Renovate makes a PR when there are image or helm chart updates.
ArgoCD sees the PR merge and applies to Kubernetes.
For a few special cases I use ArgoCD-image-updater.
FrederikNJS@piefed.zip to Selfhosted@lemmy.world • SSL certificates for things inside the lab (English)
10 · 4 months ago
I have my Firefox configured to force HTTPS, so it’s rather inconvenient to work with any non-HTTPS sites.
Because of that I decided to make my own CA. But since I’m running in Kubernetes and using cert-manager for certs, this was really easy. Add a resource for a self-signed issuer, issue a CA cert, then create an issuer based on that CA cert. 3 Kubernetes resources total: https://cert-manager.io/docs/configuration/ca/ and finally import the CA cert on your various devices.
However this can also be done using LetsEncrypt, with the DNS01 challenge. That way you don’t need to expose anything to the Internet, and you don’t need to import a CA on all of your devices. Any cert you issue will however appear in certificate transparency logs. So if you don’t want anyone to know that you are running a Sonarr instance, you shouldn’t issue a certificate with that in its name. A way around that is a wildcard cert, which you can then apply to all your subservices without exposing the individual service in logs. The wildcard will still be visible in the logs though…
Does this image not work anymore?
https://docs.linuxserver.io/images/docker-unifi-network-application/