• 4 Posts
  • 365 Comments
Joined 2 years ago
Cake day: June 12th, 2023

  • This seems super overcomplicated. What I would do is put all the subdomains on the public DNS, let HTTP(S) through the firewall for the respective hosts, deny everything from outside of your local network on the http server that isn’t under the HTTP challenge path and then run the HTTP challenge as you would for a public site.

    Then you can get certs, everyone outside trying to access will get 403, and inside the network you can access as normal.

    Of course you’ll have to trust your http server’s ACL for that, but I’m just going to assume servers like nginx (which I use) have a reliable implementation.
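One way to write the nginx ACL this comment describes, as an added example that is not from the original post; the LAN range, host name, paths and upstream port are assumptions:

```nginx
# Added example, not from the original comment. Assumptions: LAN is
# 192.168.1.0/24, the ACME webroot is /var/www/acme, the app listens on
# 127.0.0.1:8080 and the ACME client writes certificates under /etc/letsencrypt.
server {
    listen 80;
    listen [::]:80;
    server_name app.home.example.org;

    # HTTP-01 challenge: the only path the public internet may reach.
    # "^~" takes precedence over regex locations, so no other rule can shadow it.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/acme;
    }

    # Everything else: LAN only, everyone else gets 403.
    # allow/deny match the TCP peer address ($remote_addr). If another proxy
    # sits in front of nginx, set set_real_ip_from/real_ip_header first, or
    # every client will appear to come from that proxy. Add your IPv6 LAN
    # prefix here too if clients reach the server over IPv6.
    # A "return 301 https://..." in this block would NOT be covered by the
    # deny: return runs in the rewrite phase, before the access phase.
    location / {
        allow 192.168.1.0/24;
        deny all;
        proxy_pass http://127.0.0.1:8080;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.home.example.org;
    ssl_certificate     /etc/letsencrypt/live/app.home.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.home.example.org/privkey.pem;

    # Same ACL on the TLS vhost; placed at server level it applies to every
    # location below, so the port-80 rule alone is not enough.
    allow 192.168.1.0/24;
    deny all;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After `nginx -t` and a reload, verify from a host outside the LAN that the challenge path is served and any other path on both ports returns 403.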

  • 2xsaiko@discuss.tchncs.de to Linux@lemmy.ml: GRUB is confusing (6 upvotes, 1 downvote · 6 days ago)

    > GRUB is still the standard bootloader in physical deployments because it is the most likely to work

    The countless issues you can find online about being stuck at the GRUB prompt say otherwise. I’ve personally recently experienced GRUB on a computer seemingly randomly losing information about where the config file was stored, or at least not automatically loading it. God knows where that was supposed to be stored, running grub-install fixed it in any case.

    More likely it’s used by the big non-DIY distros because it’s less effort to maintain a single bootloader than one for UEFI and one for BIOS boot, because the latter you still need anyway.

    > and supports most of the features you might want in a bootloader.

    That’s the understatement of the century. It’s basically a decently sized operating system at this point, with seemingly everything tacked on that you can think of such as support for what looks like a grand total of 11 partition table schemes, “The Bee File System”, disk driver for classic Macintosh, and a JSON parser.

    While some of what it has may have been needed for BIOS boot, the essential functionality is now provided by EFI APIs, and you do not need 337979 lines of C code anymore to implement a suitable bootloader for a contemporary system.

    And I probably wouldn’t even say anything if it was well written or maintained code. There’s clearly something very wrong with it if distributions feel the need to apply hundreds of patches to it, Fedora has 283 right now. I’ve also had a terrible experience trying to script some of its commands.

    > I have 2 disks which each have an EFI system partition. And the root file system is btrfs raid1 across 4 disks. This was very easy to set up and completely supported by grub with no custom configuration needed.

    This is of course also supported by any other bootloader, since which of the two ESPs to load from is determined by the UEFI, and mounting the rootfs is done by the kernel. You just need to sync the two ESPs. systemd-boot’s kernel-install admittedly can’t do this out of the box, but you can make it work with hooks.

  • 2xsaiko@discuss.tchncs.de to Linux@lemmy.ml: GRUB is confusing (42 upvotes, 3 downvotes · 6 days ago)

    Since you use UEFI, you don’t have to use GRUB. It basically consists of 90% cruft left over that was needed for BIOS boot, and has a lot of moving parts and bad design (such as a single config file which has to be shared between OSes, which is so complex it needs a generator for it).

    Try systemd-boot, it’s lightweight and well designed.

    Anyway, looks like the target parameter is default now, the “esp” in the arch command is supposed to be substituted for the ESP path, for example /efi, so the only difference is bootloader-id. That looks like it’s the label that shows up in your UEFI setup for the boot entry.

  • 2xsaiko@discuss.tchncs.de to Selfhosted@lemmy.world: My thoughts on docker (3 upvotes, 1 downvote · 11 days ago)

    Yeah, when I got started I initially put everything in Docker because that’s what I was recommended to do, but after a couple years I moved everything out again because of the increased complexity, especially in terms of the networking, and that you now have to deal with the way Docker does things, and I’m not getting anything out of it that would make up for that.

    When I moved it out back then I was running Gentoo on my servers, by now it’s NixOS because of the declarative service configuration, which shines especially in a server environment. If you want easy service setup, like people usually say they like about Docker, I think it’s definitely worth a try. It can be as simple as “services.foo.enable = true”.

    (To be fair NixOS has complexity too, but most of it is in learning how the configuration language which builds your operating system works, and not in the actual system itself, which is mostly standard except for the store. A NixOS service module generates a normal systemd service + potentially other files in the file system.)


  • When I’m living somewhere where I control my home network again, I’m definitely setting this up.

    Last time I got as far as setting up DNS64/NAT64 and then Steam stopped working, so I reluctantly enabled IPv4 again. CLAT seems like a great solution for that that I didn’t know about (or didn’t try).

    It would be so funny if Apple actually enforced their rule about every app having to work in an IPv6-only environment. Maybe if some of the worst offenders got kicked off the holy App Store all at once to whose every whim they usually answer, they’d actually finally bother fixing their shit.