Justin

Self hosting can save a lot of money compared to Google or aws. Also, self hosting doesn’t make you vulnerable to DDOS, you can be DDOSed even without a home server.

You don’t need VLANs to keep your network secure, but you should make sure than any self hosted service isn’t unnecessarily opens up tot he internet, and make sure that all your services are up to date.

What services are you planning to run? I could help suggest a threat model and security policy.

I’m using IPv6 on Kubernetes and it’s amazing. Every Pod has its own global IP address. There is no NAT and no giant ARP routing table slowing down the other computers on my network. Each of my nodes announces a /112 for itself to my router, allowing it to give addresses to over 65k pods. There is no feasible limit to the amount of IP addresses I could assign to my containers and load balancers, and no routing overhead. I have no need for port forwarding on my router or worrying about dynamic IPs, since I just have a /80 block with no firewall that I assign to my public facing load balancers.

Of course, I only have around 300 pods on my cluster, and realistically, it’s not really possible for there to be over 1 million containers in current kubernetes clusters, due to other limitations. But it is still a huge upgrade in reducing overhead and complexity, and increasing scale.

It is illegal in Europe, but not widely enforced.

No shit. These machines are as advanced as a nuclear power plant, they’re gonna have a bit more proprietary software and security protocols than you’d think. Not as simple as just pressing “start” with these machines.

I wonder if asianometry will do a video about the software on ASML machines sometime.

Onani!

Definitely! If your VPN keeps logs, is in a surveillance-friendly jurisdiction, etc, then details of your internet traffic can be revealed by your VPN. I recommend Mullvad, paid with cash, for the most security. It can also help to pick VPN servers outside of the most egregious jurisdictions, like picking EU servers over US or HK servers.

DoH is meant to hide your internet activity from your ISP/cell-provider since DNS is otherwise unencrypted. If you trust your VPN, then you can trust unencrypted DNS.

The first step in security is to answer who you’re defending against. Someone stealing your phone? A cop with a STINGRAY device? All the security decisions you make are based on your initial threat model.

Generally, home internet, wifi, and cellular data are considered safe against passers-by (assuming your wifi password is strong). However, they are also assumed to be eavesdropped on by your ISP and government. Details of your internet traffic can then also be revealed by your ISP to other people during legal action, such as if you’re being investigated for piracy.

There are ways to further protect your internet traffic from being snooped on, even from your ISP and government, by using things like HTTPS, DNS over HTTPS, and of course, VPNs.

yeah, Id recommend switching on your secondary machine, so you can try it out and use it properly, but not get frustrated if it does something you don’t expect.

It would accelerate the ongoing brain drain in Hong Kong at least, and encourage the stragglers to finally leave for more democratic countries. Banning Google in Hong Kong would be a shitshow for the CCP, but Google doesn’t have any sort of spine or ethics.

The people? Democracy really isn’t that hard.

This is gonna get American tech and American clouds banned from the EU.

Ironic considering they just banned Tiktok for doing literally this.

It’s an algorithm for determining how fast to upload packets. This article just talks about how to enable it.

Here’s the Wikipedia section about it: https://en.wikipedia.org/wiki/TCP_congestion_control#TCP_BBR

The gist is that instead of only throttling upload rate based on packet loss, BBR constantly measures roundtrip delay (ping) to determine how much bandwidth is available.

The report is honestly even more interesting. Really good, detailed, swedish-style report about the current landscape for self/swedish-hosted office tools, and it’s in English.

https://www.esamverka.se/download/18.4a6f5f6917d9204856518c5e/1639137082930/Digital

Stop basing your organization on Discord and hosting all your development work there. Don’t subject yourself to the whims of venture capital and enshittification.

Diversify your online presence, and find a local company that will host a matrix server for you.

Yeah, there’s definitely a learning curve since it’s so different from docker, but there are some good tutorials and everything just makes sense. All the error messages are googlable and everything fits together so well.

Kubernetes has user accounts that you could use to restart containers in an unprivileged way. Create a role and role binding that gives the “delete Pod” permission to a service account. Kind makes it very easy to run Kubernetes without any setup. You’d just need to convert your docker compose files to Deployments, Services, and PersistentVolumes.

If converting to a kubernetes setup is too big of a leap, you could maybe try to write a C program that uses setuid to gain docker privileges in a restricted way.

Probably easiest to just have a cronjob that restarts the container regularly, though.

Your internet/wifi seems really overloaded, average ping rtt should be under 100ms, not 712ms. Your wifi signal might be bad, a computer may be downloading/uploading a lot of data, or there is an issue with your internet line.

Double check your wifi signal and computer traffic, maybe try using a direct wired ethernet connection and disconnecting all other computers. Otherwise, contact your ISP with these ping results and speed results from speedtest.net.

Check for PSI stalling in htop (add PSI meters for cpu, ram, and io in the config menu), to rule out your system being overloaded. Check internet connectivity with ping 1.1.1.1, and see why registry is timing out with curl -v https://registry-1.docker.io/v2/

You can also test your dns servers if you think that they are an issue with

dig registry-1.docker.io @1.1.1.1
dig registry-1.docker.io @194.168.4.100

If the dig command outputs differ from each other, then it is likely that your ISP’s DNS servers are faulty and you should switch nameservers to 1.1.1.1 and 1.0.0.1 like the other commenter said.

docker compose isn’t really scalable. If you need automatic, hgih availability load balancing, you should look into Kubernetes Ingress.