constantokra @ constantokra @lemmy.one

Posts

0

Comments

358

Joined

2 yr. ago

Download a wireguard client file and run it as a systemd service. It'll come up on boot and you won't ever have to think about it. The only reason to bother with the GUI is if you want to have graphical control of what server you connect to. Their wireguard config generator on their website gives you the ability to set a geographic area for your wireguard client file, so it's not like you have to select only one server if you go that route either.

That's pretty neat. I might start doing that, just for kicks.

Now that's the kind of paranoid I was hoping to see in here. High five, pal.

Can you explain why you use onion repos? I've never heard of that, and I've heard of kind of a lot of things.

If you have the option to host physical hardware from your friend's house, I'd go that route for the whole thing. Set it up so they can access your media server locally, maybe even immich, and VPN in for everything yourself, that way you don't have to expose ports, except the wireguard port. Don't acquire new content from their network unless you do it behind a good VPN with a killswitch and they know and are OK with what you're doing.

I would personally rather have my documents, photos and media collection on a computer a friend has physical custody of than in the cloud, but that's on you and your friend. I prefer to host vaultwarden and a notification server, in my case, gotify, on the cheapest vps I could find, which was about 12 bucks a year last I checked.

I'd also set up a tor hidden service for ssh, just so you have another way in, in case something comes up. Or you could get a cheap cellular modem and a yearly Sim card. In the US, red pocket is a good choice, with a limited option available for less than 50 bucks a year. You never know when their ISP is going to do something weird, and you'll be able to figure it out a lot easier if you have a reliable way into your server.

You should probably think about backups too. You can obviously do a backup before you go, but you're going to want to back up at least your new photos while you're gone. I'd suggest looking at koofr lifetime storage plans, as they're pretty cheap for the size.

Airvpn is fine, and also the cheapest option you'll find with any real hope of protection, which is why people are recommending it. It can use openvpn or wireguard, which will work on fedora just fine. I'd personally recommend wireguard, because you can set it up to automatically connect using systemd.

Otherwise, you could try installing riseup's client from the source, available at https://0xacab.org/leap/bitmask-vpn. It's linked on their main site. Don't know if you'll have luck with that. You'll likely have to manually install the dependencies.

You could also try tor.

That's basically the same as my writeup from when I did it. Except I also had a -k all on update-initramfs. Not sure about the switches, so I'll look into them. Thanks.

I was a bit surprised at it as well, but it doesn't for me running Debian headless. If I reboot after a kernel update it'll try to boot into the new kernel and fail waiting for the initramfs, but it'll boot just fine into the previous kernel. Once I update the initramfs it works fine.

If you know what resources you used to set it up, I'd be curious to take a look and see if I missed something.

Encrypt the boot drive, and use dropbear ssh in initramfs to be able to unlock it over ssh during boot. Then set up your data drives however you want, and use a key file on your boot drive to unlock them, once you've unlocked it. All drives are encrypted when your machine is off, and you only need one password you can enter remotely to unlock the whole thing.

Here's a good resource on how to do the initramfs part https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/

Also, when you update the kernel you have to rebuild the initramfs with sudo update-initramfs -k all -u, or it won't be able to boot to the new kernel.

I've found it to be a super reliable setup.

They are, yeah. I don't sweat walkthroughs anymore. I'm about 20 years too old to have enough time to wander around frustrated. I give it a go, and look for a hint when I can't figure it out.

I loved that game. I'd recommend Link's awakening next. It's completely different, of course, but it's another great adaptation of something familiar for the gameboy.

Inner light wrecks me.

I hate your opinion, but I like that you're confident about it.

I'm not sure how it will work, but if you're worried, just move the download folder before you remove it from within the application. Better yet, if you have the space, just copy the folder somewhere else.

Hopefully someone else has a better answer for you.

This is one of the reasons docker is so great. If you were running the application in docker, you would have mounted that folder as a volume, so if you wanted to move it you'd just stop the container, move the folder, edit your compose file to point to the new location, restart, and from the application's point of view nothing will have changed.

With wool socks, i'd recommend changing them every day, to give them a chance to air out, but you don't have to wash them every time. You can easily get 3 swears per wash with even the most squeemish people examining your socks daily.

FYI, i'm squeemish and I knit lots of wool socks.

Switching to porkbun would make things a lot easier for you. DNS challenge is why I switched from Namecheap, and it's less expensive and considerably easier to administrate.

People are shitting on them because the price point for arm sbcs has risen, while the price point for small x86 computers has come down. Also, x86 availability is high and arm sbc availability has become unreliable. They also aren't generally supported nearly as well. If you don't need more power and you already have them on hand there's no reason not to use them.

A, great. Overly complicated. B, wireguard lets you set your allowed IPS to your networks's subnet so you only tunnel that traffic. C, that's ideal. Use nginx proxy manager. It's super simple. Buy a domain and you can use letsencrypt for SSL so you don't get http nag messages from your browser. Old suggest something with cheap renewals like '.rodeo' or '.top'. D, there are many right ways. Personally, i'd set up your services in a docker compose file, all behind gluetun as a VPN for your torrent service. I'd set up a wireguard VPN on a pi zero elsewhere on your network so you can access everything from outside, and on your wireguard clients i'd only tunnel the traffic to your network's subnet. Unless you want everything behind the same VPN you use for torrenting. In that case i'd run a wireguard service in the same docker network as gluetun, so you can tunnel all your client traffic through that. You could even out a dns server in there as well, and manually set a domain name to your server's ip so you don't have to buy a domain name. Course, then you can't use letsenceypt SSL.

Lol. Course you are. I'm sure now that i've mentally registered your username I'll be seeing it on all the subs i'm already on.

It's called getting old.

Honestly, I just need a terminal and x, or I guess Wayland now. I'm not too fussed about the rest. Tiling has made me care about it even less.