Admiral Patrick

I’m surprisingly level-headed for being a walking knot of anxiety.

Ask me anything.

I also develop Tesseract UI for Lemmy/Sublinks

Avatar by @[email protected]

  • 1 Post
  • 25 Comments
Joined 2 years ago
Cake day: June 6th, 2023



  • Is there a way I can get Let’s Encrypt to dole out a wildcard certificate

    Yep. Just specify the domains yourdomain.com and *.yourdomain.com in the certbot request. Wildcard domains require the DNS-based challenge, but you’ve said you’re already good there. You don’t technically need the apex domain (yourdomain.com) but I always add it since I do have services running there.

    Any subdomains under the wildcard can use internal DNS or internal IPs on the public DNS (I do the former, but the latter works too).

    I used to run an internal CA, and it wasn’t too hard to set up a CA and distribute my root cert. Except on mobile devices. On Android it was easy, but there was a persistent warning that my network traffic could be intercepted (which is true when there’s a custom root cert installed), but since it was my cert, it got annoying seeing that all the time. Not sure if Apple devices can even do that, but regardless, it wasn’t practical for friends who wanted to use my self-hosted services to install a custom cert when they were over.
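The reason the apex has to be requested separately is the wildcard rule clients apply when matching a certificate: `*.yourdomain.com` covers exactly one label, so neither `yourdomain.com` nor `a.b.yourdomain.com` is covered. This is an added Python example, not the commenter's code; the SAN strings are constructed in the form `openssl x509 -text` prints them.

```python
# Added example: checks which hostnames a certificate's SAN list covers using the
# single-label wildcard rule from RFC 6125 that browsers and TLS libraries apply.
# The certbot request the comment describes would be roughly:
#   certbot certonly --manual --preferred-challenges dns \
#       -d yourdomain.com -d '*.yourdomain.com'
# (the DNS challenge is mandatory for wildcard names).

def parse_san(san_line):
    """Parse the 'DNS:a, DNS:b' list printed by `openssl x509 -text`."""
    entries = [e.strip() for e in san_line.split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]

def san_matches(pattern, hostname):
    """True if one SAN entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a lone '*' as the entire left-most label is honored.
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep:
        return False
    host_head, host_sep, host_tail = hostname.partition(".")
    # The wildcard stands in for exactly one non-empty label, so the apex
    # (no label to consume) and deeper subdomains (two labels) do not match.
    return bool(host_sep) and host_head != "" and host_tail == tail

def covered_hosts(san_line, hostnames):
    """Map each hostname to whether the SAN list covers it."""
    sans = parse_san(san_line)
    return {h: any(san_matches(s, h) for s in sans) for h in hostnames}

if __name__ == "__main__":
    # Constructed SAN lines: wildcard only vs. wildcard plus apex.
    hosts = ["yourdomain.com", "nas.yourdomain.com", "a.b.yourdomain.com"]
    print(covered_hosts("DNS:*.yourdomain.com", hosts))
    print(covered_hosts("DNS:yourdomain.com, DNS:*.yourdomain.com", hosts))
```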

  • Depends on what I’m transferring and to/from where:

    • scp is my go-to since I’m a Linux household and have SSH keys set up and LDAP SSO as a fallback
    • sshfs if I’m too lazy to connect via SMB/NFS (or I don’t feel like installing the tools for them) or I’m traversing a WAN
    • rsync for bulk transfer and backups
    • Snapdrop/Pairdrop for one-off file/text shares between devices with GUIs (mostly phone <–> PC)
    • SMB if I’m on a client PC and need to work with the files directly from the fileserver
    • NFS between servers
    • To get bulk data to my phone (e.g. updating my music library), I connect via USB in MTP mode and copy from the server via SMB or sshfs.

  • I’ve always thought the firewall color codes were arbitrary, though I might just have not paid attention all these years lol.

    Just to clarify: I meant connect your OpenWRT device to your hotspot instead of the AP you’ve been working with. Just to rule out multiple MACs being blocked on the AP.

    Beyond that, I’m not really able to help troubleshoot further, but worst case and if all you need is internet, you can set your OpenWRT device up so that it just NATs your downstream connections. Double-NAT, in most cases, is fine.



  • I did that with a GL.iNet travel router after flashing stock OpenWRT, and used it as a wireless bridge for several years. It uses relayd to bridge the Wifi station interface and Ethernet. Once you have an ethernet bridge, you can connect another AP or do whatever from there.

    If you create a second wifi interface in AP mode (in addition to the station/client one connected to the upstream), you should be able to add that to the LAN bridge alongside the ethernet interfaces. That bridge will then be part of the relayd bridge, and it all should just work (should, lol. I haven’t tested that config since I only needed to turn wifi into wired ethernet with this setup).

    Interfaces:

    LAN Bridge: Ethernet interfaces to be bridged to the wifi

    I have both of its interfaces in this bridge, and it also has a static management IP (outside of the WLAN subnet). This management IP is a static out-of-band IP since the devices connected over ethernet won’t be able to access its WLAN IP (in the main LAN) to manage it. To access this IP, I just statically set an additional IP on one of the downstream ethernet client devices.

    The LAN bridge is in a firewall zone called LAN.

    WWAN: Wireless station interface that’s configured as a client to the AP providing upstream access. I have this configured statically, but DHCP is fine too. Firewall zone is WLAN.

    WLANBRIDGE: The relayd bridge (Protocol: relay bridge). Its interfaces are the LAN bridge and the WWAN interface.

    Disregard the WGMesh parts; that’s separate and not related to the wireless bridging mode.



  • Pair Drop

    Quickly send files, paste images/text snippets between devices.

    I’m using the older Snapdrop (which PD was forked from) with some patches I made to:

    • Work behind Authelia for SSO + 2FA
    • Use the display name provided by Authelia instead of the random usernames it gives out by default
    • Send transfers over the internet without dealing with the temporary “rooms” that Pairdrop uses (it’s behind Authelia, so only authorized users can get to it).

    It has 100% replaced emailing things to myself or shuffling files to/from Nextcloud. I probably use it to send text (URLs, clipboard contents, etc) to/from my phone as much as I use it for sending files back and forth.


  • AI bots absolutely rip through your sites like something rabid.

    SemrushBot being the most rabid from my experience. Just will not take “fuck off” as an answer.

    That looks pretty much like how I’m doing it, also as an include for each virtual host. The only difference is I don’t even bother with a 403. I just use Nginx’s 444 “response” to immediately close the connection.

    Are you doing the IP blocks also in Nginx or lower at the firewall level? Currently I’m doing it at firewall level since many of those will also attempt SSH brute forces (good luck since I only use keys, but still…)
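Deciding which clients to push down to a firewall-level block needs more than a user-agent match, since the same addresses tend to show up as rate abusers under other UAs. The following is an added Python example (not the commenter's setup) that scans constructed nginx access-log lines in the default "combined" format and flags clients by known crawler UA or by request rate; the UA list and thresholds are assumptions to adjust.

```python
# Added example: flag aggressive clients from nginx "combined" access-log lines,
# either by a known crawler user agent or by exceeding a request-rate threshold.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed list of crawlers to treat as abusive on sight; extend as needed.
BOT_UAS = ("semrushbot", "ahrefsbot", "mj12bot")

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /post/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "GET /post/2 HTTP/1.1" 444 0 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
198.51.100.7 - - [10/May/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.44 - - [10/May/2024:12:00:10 +0000] "GET /c/selfhosted HTTP/1.1" 200 4096 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:12:00:10 +0000] "GET /c/linux HTTP/1.1" 200 4096 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:12:00:11 +0000] "GET /c/lemmy HTTP/1.1" 200 4096 "-" "python-requests/2.31"
"""

def parse_lines(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_abusers(text, rate_limit=2, window_s=10):
    """Return {ip: reason}; reason is 'ua:<bot>' or 'rate:<hits>/<window>s'."""
    hits, flagged = defaultdict(list), {}
    for rec in parse_lines(text):
        ua = rec["ua"].lower()
        for name in BOT_UAS:
            if name in ua:
                flagged[rec["ip"]] = "ua:" + name
        ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[rec["ip"]].append(ts)
    for ip, times in hits.items():
        if ip in flagged:
            continue
        times.sort()
        for i in range(len(times)):  # sliding window over sorted timestamps
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i > rate_limit:  # more than rate_limit requests inside one window
                flagged[ip] = f"rate:{j - i}/{window_s}s"
                break
    return flagged

if __name__ == "__main__":
    for ip, why in find_abusers(SAMPLE).items():
        print(f"{ip}\t{why}")  # feed into an nftables/ipset deny list, for example
```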



  • I always do some level of RAID. If for no other reason, I’m not out of commission if a disk fails. When you’re working with multi-TB, restoring from a backup can take a while. If rapid recovery from a disk failure is not a high priority for you, then you could probably do without RAID.

    Either way, make sure you test your backups occasionally.

    Another way to put it: With RAID, a disk failure is like your Check Engine light coming on. You can still drive, but you should address the problem as soon as you can. Without RAID, it’s like your engine has seized up and you have to tow it for repair and are without your car until it’s fixed.