Hyper V is bare metal. Hyper V is a type one hypervisor. The hyper v kernel runs under the windows kernel, when you run hyper v, the windoss you interact with is transparently converted into a VM, with all devices passed through to it.
Anyway the tools to manage hyper v aren’t anywhere near as mature compared to proxmox and it’s a pain when you hit corner cases so I wouldn’t recommend it, BUT it is a type 1, highly performant hypervisor.
I have a VPS which hosts some stuff and I just e2ee all the data. Syncthing sync is e2ee and Joplin sync is e2ee. But lots of services don’t support e2ee, or e2ee gets in the way of UX and nice features so we make a tradeoff.
As for LUKS, I guess a good solution is to have a VPS or public device somewhere that shares the encryption key with the server (but only after it gives the correct password) but only to the correct IP address of your server.
The router solution someone mentioned below is similar.
Same here. K8s makes stuff like this so mucb easier, since you can declaratively control traffic flow via NetworkPolicies.
And with cilum you ca use hubble to visualize whay traffic is currently happening, in order to figure out what is actually needed.
I also use Cilium as my host based firewall instead of ufw/firewalld.
I think they have a lemmy account as I first saw them here, although I don’t think OP is the site author.
Their javascript “game in less than X lines” stuff is pretty interesting and entertaining but their blogposts are mostly LLM slop. Of course, due to the fact that this article is just basic info, it’s not that bad and is pretty accurate. But their more advanced blogposts begin to fall apart and have the LLM hallucinations, outdated info, and inaccuracies.
This video: https://www.youtube.com/watch?v=40SnEd1RWUU has similar information (though a bit less and doesn’t cover some things), but presented in the style of a comedy skit type thing.
I don’t think anubis can proxy webdav. So that breaks.
Instead of putting anubus at 443, put it at the port 80 block. Or at the 5555 block.
What you probably need to do is make it so that webdav traffic isn’t proxied through anubis.
It’s complicated. There’s a lot of context to this, and even the debate in general.
One big problem is that there’s a lot of money in this. If you “prove” something is real, and pretend it’s a novel discovery, then you can try to sell a novel product that capitalizes off of that.
For example, there used to be a big trend in education, “evidence based learning”. https://en.wikipedia.org/wiki/Evidence-based_education . The idea was science would be used to discover the best ways to learn/teach.
The problem was that the method of implementation would be software, or trainings. That you buy…
This reddit thread is a snapshot of the anger and frustration from that: https://www.reddit.com/r/Teachers/comments/jj6tvx/im_done_with_evidencebased_educational_research/
And of course, much of it was debunked later. Like learning styles, for example, were debunked. Although there was some good stuff, like spaced repetition, for which there is a FOSS app called Anki.
Psychology is kinda the same. People do science to try to back products, or trainings, which are then sold.
The inability to replicate these studies is ultimately not a failure, but a success. Science is still doing it’s job.
Okay, I hath returned. Here is what I am doing with FLuxCD and it’s method of installing helm charts:
Okay, I’m cheating. :/ . I’m using Flux’s method where you can have a secret that has values, and then I’m just including those.
But yeah, using an ENV var that pulls from a secret is probably better.
This is a message to remind myself to share my config later.
I will state that I a, using cloudnativepg for postgres.
The way forgejo actions works, is that it is not a universal thing for every repo. Each repo, can have it’s own forgejo actions instance connected to it, running stuff.
The big benefit of that, is that you can make users bring their own actions servers, and not bother to deploy your own.
Void auth, or kanidm look like easier alternatives.
Journalists communicating with sources in censored regions
Whistleblowers sharing information securely
You and your peer agree on an encryption key (any string).
This is unacceptably unsecure for the usecases you mention. There is a reason why the most secure messaging apps don’t use symetric encryption, don’t use passphrases, and they also possess forward secrecy.
It’s pointless to push this as a censhorship circumvention method when many other methods exist that already do so 10x better, in a secure way, over decentralized, hidden and unblockable infrastructure. (Tor’s meek-azure bridges use microsoft’s infrastructure, which nobody is able to block because everybody depends on it, even China).
I appreciate the project, and I am always happy to see people learning, progressing, and publishing their results, but you need to be honest about the weaknesses of your software compared to established solutions. It’s not impossible for you to one day produce a secure messaging app, but today is not the day. Right now, using this is just a fast way to get killed.
Also try wireguard over port 53. Often (udp) traffic to port 53 is unblocked because it’s needed for DNS.
What is special about this setup is that it can sometimes get around captive portal wifi.
hides as regular HTTPS traffic so it’s not blockable by Firewalls
From OP’s post, of course. If OP does not need to evade firewalls that are that aggressive, then they should have settled for a less stealthy VPN solution, as many of these HTTPS proxy solutions have performance and usability (can often only proxy TCP traffic) tradeoffs.
Perhaps they have already tried the wireguard on port 443 solution, and it didn’t work for them. My high school would auto detect and block wireguard to any port. Perhaps they are in a similar situation.
Many of the prominent https VPN protocols are for evading the great firewall of China. OP had that as a requirement, so it is not an unreasonable assumption.
If you are evading less locked down firewalls, then you don’t need as stealthy VPNs.
Yes because they are all designed to evade the great firewall of China, which automatically catches almost all other VPN’s and proxies.
Github is blocked in China. The fact that these repos are on Github and Chinese is proof of their effectiveness.
If you are not a Gitea customer, you are not being informed of security updates in a timely manner:
Gitea repeatedly makes choices that leave Gitea admins exposed to known vulnerabilities during extended periods of time. For instance Gitea spent resources to undergo a SOC2 security audit for its SaaS offering while critical vulnerabilities demanded a new release. Advance notice of security releases is for customers only.
https://forgejo.org/compare-to-gitea/#security
Also, ForgeJo was promising federation which is still a WIP several years later.
Oh no, it doesn’t do the big feature™. I guess it’s unusable now.
I wish people would realize that software still works and is excellent even without the various flagship features. I use Kubernetes on a single node. I know there are people who use matrix without federation and e2ee because it’s actually a really good chat app, it just struggles with the performance demands of federation, and the e2ee ux isn’t quite there yet.
Yes. But this is a lot. It may be easier to use Forgejo’s built in migration tools, to copy over repositories along with their issues and other info. You would have to rebuild the admin parts of the site, like “organizations” and user privileges. (Well if you are using oauth and mapping users from oautb groups then you don’t…). And I don’t know if it’s automated for a many, many repos. But it’s just a click click click in the gui.
I remember there was a tool, I think it was related to forgefed, that could do batch repo migrations via the cli. I can’t find it anymore though.
Hello, I also run k3s on a single node here.
Yes, it is more complex in some ways. But what I love about kubernetes, is the helm package manager and it’s ecosystem, that makes it easier to user packages from other people and organizations.
They can be searched here: https://artifacthub.io/
There are many that you may be interested in, like forgejo.
The big thing I like about helm vs docker-compose, is helm is another layer on docker-compose. If an app receives an update that causes it to need another service/container deployed, that will be reflected in the helm release, which orchestrates containers. But with docker-compose, you would have to manually update the config file format in order to handle such changes.
Because this setup is more resilient, I actually just auto update all my apps to the latest version on kubernetes, and this is one of the big reasons why I use kubernetes instead of docker. Yes, things do occasionally break, but they mostly break in predictable, easy to handle ways like “config option changed” or “database needs migration”. Plus backups/snapshots to ensure if there is a bug or something I can simply roll back.