NaibofTabr

the free market at work

Sure Jan.

Whatever you do, and whoever you end up working with, document document document. Take.notes.

And I mean on paper, in a notebook, something that can’t crash or get accidentally deleted and doesn’t require electricity to operate.

You’re doing this for yourself, not for a boss, which means you can take the time to keep track of the details. This will be especially important for ongoing maintenance.

Write down a list of things you imagine having on your network, then classify them as essential vs. desired (needs and wants), then prioritize them.

As you buy hardware, write down the name, model and serial number and the price (so that you can list it on your renter’s/homeowner’s insurance). As you set up the devices, also add the MAC and assigned IP address(es) to each device description, and also list the specific services that are running on that device. If you buy something new that comes with a support contract, write down the information for that.

Draw a network diagram (it doesn’t have to be complicated or super professional, but visualizing the layout and connections between things is very helpful)

When you set up a service, write down what it’s for and what clients will have access to it. Write down the reference(s) you used. And then write down the login details. I don’t care what advice you’ve heard about writing down passwords, just do it in the notebook so that you can get back into the services you’ve set up. Six months from now when you need to log in to that background service to update the software you will have forgotten the password. If a person you don’t trust has physical access to your home network notebook, you have a much more serious problem than worrying about your router password.

Because they want step-by-step guidance and support, and design help, and long-term support, not just a few questions answered.

This is a job. The kind of work that IT consultants get paid for. A fair rate would be US$100/hr, minimum, for an independent contractor.

How is America relevant to OP?

obvious whataboutism is obvious

You can just use openssl to generate x509 certificates locally. If you only need to do this for a few local connections, the simplest thing to do is create them manually and then manually place them in the certificate stores for the services that need them. You might get warnings about self-signed certificates/unrecognized CA, but obviously you know why that’s the case.

This method becomes a problem when:

1. You need to scale - manually transferring certs is fine maybe half a dozen times, after that it gets real tedious and you start to lose track of where they are and why.
2. You need other people to access your encrypted services - self-signed certs won’t work for public access to an HTTPS website because every visitor will get a warning that you’re signing your own encryption certs, and most will avoid it. For friends and family you might be able to convince them that your personal cert is safe, but you’ll have to have that conversation every time.
3. You need to implement expiration - the purpose of cert expiration is to mitigate the damage if the cert private key leaks, which happens a lot with big companies that have public-facing infrastructure and bad internal security practices (looking at you, Microsoft). As an individual, it is still worthwhile to update your certs every so often (e.g. every year) if for no other reason than to remind yourself how your SSL infrastructure is connected. It’s up to you whether or not it’s worth the effort to automate the cert distribution.

I’ve used Letsencrypt to get certs for the proxy, but the traffic between the proxy and the backend is plain HTTP still. Do I need to worry about securing that traffic considering its behind a VPN?

In spite of things you may have read, and the marketing of VPN services, a VPN is NOT a security tool. It is a privacy tool, as long as the encryption key for it is private.

I’m not clear on what you mean by “between the proxy and the backend”. Is this referring to the VPS side, or your local network side, or both?

Ultimately the question is, do you trust the other devices/services that might have access to the data before it enters the VPN tunnel? Are you certain that nothing else on the server might be able to read your traffic before it goes into the VPN?

If you’re talking about a rented VPS from a public web host, the answer should be no. You have no idea what else might be running on that server, nor do you have control over the hypervisor or the host system.

Don’t worry, nothing will change, it will still be Obama’s fault somehow.

Uyghurs in China are being rounded up and forced into labor camps

I think this set of photos of one of the camps in Xinjiang is particularly illustrative:

This isn’t some short-term persecution for the sake of political influence, it’s not the whim of a few local officials, and it’s not just basic racism. This is a systemic problem, not just with the government but with Chinese culture broadly. Uyghurs are seen as inferior, and therefore it is acceptable to use them as labor or worse. What’s being done to these people is akin to the African slave trade of the 1800s, it’s just being done mostly within China’s borders. It is exploitation at an industrial scale plotted by the highest levels of political power and executed ruthlessly.

To change this would require forcing large portions of the Chinese population to see the Uyghurs as equals, as fellow humans with a right to self-determination, and then act on that conviction to change the government.

With China being a nuclear country, military intervention is out of the question.

Yeah, pretty much. Even a non-nuclear conflict at any level that would affect regime change would be devastating.

So the only option left is political

Even if the entirety of the UN got together and unanimously condemned the PRC for the treatment of Uyghurs, I doubt they would care. China is about as likely to change domestic policy based on external political pressure as they are to collectively tap-dance to the moon.

and economical pressure and sanctions.

Effective economic pressure requires a position of economic superiority. China is the second largest economy in the world, which means they are inextricably intertwined with the largest economy (the US) and so nobody has that position.

Long term, I believe we can get our balls out of their death grip, and then sanction them properly.

I doubt it. The situation is not just a death grip… China is the second largest economy in the world. In order to effectively sanction another nation you have to be in a position of economic superiority, such that you can affect the trading decisions of other nations. Even if western nations could extricate their manufacturing needs from China, they would still be dependent on raw materials trade. There just isn’t a way to cut trading ties with China, short of a broad collapse of international trade… and then, well, a lot of people die.

If there are still any Uyghurs left by then…

This is the part that feels so wrong. Choosing to not do anything about this terrible thing that we know is happening seems self-interested. I feel that at some point in the future the descendants of the Uyghurs will look at the world and ask, “Why didn’t you do anything to help us?”, and what could be our answer then?

But… doing something in practice would mean so many deaths, and so much suffering before the conflict was resolved, and more suffering after while trying to pick up the pieces.

I disagree… beyond just saying shit, the actual biggest problem is that no one (west, east, whatever) can do shit because that would basically require direct military intervention… which would probably have a much higher human cost.

At what point is the cost of negligence too high? At what point is it ethically valid to commit the lives of troops from your country to change the behavior of a government of another country within its own borders?

Historically, the answer is never. No country will commit its own military in this way without an initial military provocation, except when using the human rights abuses as a pretext for territorial acquisition.

It’s still important to talk about the truth of these atrocities, to not let their perpetrators pretend they’re not happening. But… the reality of this will not change without regime change in the PRC.

“When?”

“Later.”

Ummm… I’m pretty sure it’s 255.255.255.0 ? …or maybe it’s .256…

No wait, it’s [ABCD::EFGH]

I have experience managing multiple network systems with user-facing endpoints. That’s irrelevant.

Nothing critical on a passenger-carrying vehicle should be remotely managed and it definitely should be frozen while the bus is in active service. The last thing a crowded bus in motion needs is the lights randomly going out because someone decided it was time for a patch install.

The right choice from a security and safety perspective is for any wireless interfaces on the vehicle to be read-only - they can send data out (like current location). Pushing software changes should require direct physical access, and should only work if the vehicle is parked. Anything else is a stupid unnecessary risk.

The simplest solution is to just restrict software updates to direct physical access, and put the USB port or whatever behind a locked service panel.

If the software can’t be infiltrated remotely, then there won’t be any security issues that are so urgent they need to be patched in the middle of a shift, they can wait for a maintenance stop.

Location tracking, diagnostics, statistics, security. Etc. it’s not a bad idea… for a bus.

There’s no good reason for any of that to be updated while the bus is on the road. It should be done at a service location.

Perfect explanation.

Thank you, I try. It’s always tricky to keep network infrastructure explanations concise and readable - the Internet is such a complicated mess.

People like paying for convenience.

Well, I would simplify that to people like convenience. Infrastructure of any type is basically someone else solving convenience problems for you. People don’t really like paying, but they will if it’s the most convenient option.

Syncthing is doing this for you for free, I assume mostly because the developers wanted the infrastructure to work that way and didn’t want it to be dependent on DNS, and decided to make it available to users at large. It’s very convenient, but it also obscures a lot of the technical side of network services which can make learning harder.

This kind of thing shows why tech giants are giants and why selfhosted is a niche.

There’s also always the “why reinvent the wheel?” question, and consider that the guy who is selling wheels works on making wheels as a full-time occupation and has been doing so long enough to build a business on it, whereas you are a hobbyist. There are things that guy knows about wheelmaking that would take you ten years to learn, and he also has a properly equipped workshop for it - you have some YouTube videos, your garage and a handful of tools from Harbor Freight.

Sometimes there is good reason to do so (e.g. privacy from cloud service data gathering) but this is a real balancing act between cost (time and money, both up-front and long-term), risk (privacy exposure, data loss, failure tolerance), and convenience. If you’re going to do something yourself, you should have a specific answer to the question, and probably do a little cost-benefit checking.

But if I’m reading the materials correctly, I’ll need to set up a domain and pay some upfront costs to make my library accessible outside my home.

Why is that?

So when your mobile device is on the public internet it can’t reach directly into your private home network. The IP addresses of the servers on your private network are not routable outside of it, so your mobile device can’t talk to them directly. From the perspective of the public internet, the only piece of your private network that is visible is your ISP gateway device.

When you try to reach your Syncthing service from the public internet, none of the routers know where your private Syncthing instance is or how to reach it. To solve this, the Syncthing developers provide discovery servers on the public internet which contain the directions for the Syncthing app on your device to find your Syncthing service on your private network (assuming you have registered your Syncthing server with the discovery service).

This is a whole level of network infrastructure that is just being done for you to make using Syncthing more convenient. It saves you from having to deal with the details of network routing across network boundaries.

Funkwhale does not provide an equivalent service. To reach your Funkwhale service on your private network from the public internet you have to solve the cross-boundary routing problem for yourself. The most reliable way to do this is to use the DNS infrastructure that already exists on the public internet, which means getting a domain name and linking it to your ISP gateway address.

If your ISP gateway had a static address you could skip this and configure whatever app accesses your Funkwhale service to always point to your ISP gateway address, but residential IP addresses are typically dynamic, so you can’t rely on it being the same long-term. Setting up DynamicDNS solves this problem by updating a DNS record any time your ISP gateway address changes.

There are several DynDNS providers listed at the bottom of that last article, some of which provide domain names. Some of them are free services (like afraid.org) but those typically have some strings attached (afraid.org requires you to log in regularly to confirm that your address is still active, otherwise it will be disabled).

Right, that would be the kind of “collective action” that I mentioned… it doesn’t have anything to do with preventing nations from going to war with each other… the UN doesn’t have that kind of authority and never did.