Enabling SSH password authentication is unnecessary and not a good idea, especially if your temporary passwords are simple. I haven’t used Hetzner but there is probably a way to upload a file or to paste into the console, or else if you fix your keyboard you could at least type a URL to download the public key from the internet. You may want to look into cloud-init instead of manually installing and configuring your VMs.

LUKS may not make your server meaningfully more secure. Anyone who can snapshot your server while it’s running or modify your unencrypted kernel or initrd files before you next unlock the server will be able to access your files.

curl bash is not as bad as people think. Nobody downloads and reverse engineers binary packages off of these websites before running them with the same permissions.

If you’re running insecure services, you can restrict them to be accessible by vpn. I have a mix of internet accessible and vpn accessible services using the tailscale nginx plugin.

If you want to send all your traffic over a vpn, you will either need to route all your traffic through your own vpn or use some sort of multiplexed vpn. tailscale can do this with mullvad, but it’s not yet possible with headscale.

Kubernetes is much more complicated and powerful than Docker, and Docker Compose is more similar to the way you work directly with Kubernetes than it is to Helm, which adds in a templating system. Basically, from a Docker perspective, Helm allows you to configure your compose file, but not just by substituting variables. Helm can make structural changes such as completely adding or removing sections based on the variables used when loading the chart. The output of Helm is YAML, sort of like a compose file.

Kubernetes has a much more complicated system for describing workloads and their resources than Docker Compose, and it is extensible. For example, if you are running on AWS you can have Kubernetes attach EBS volumes to your pods, or if you’re on bare metal you might use LVM, and it’s not limited to things that Kubernetes natively understands like storage volumes: Cert Manager is a common piece of software that is deployed into Kubernetes that takes care of issuing and renewing TLS certificates for other software in Kubernetes.

I used to run Kubernetes at home with ArgoCD, but I’ve moved on to NixOS instead. NixOS is less powerful because it doesn’t have dynamic workload scheduling, but I don’t actually need dynamic workload scheduling or all the configuration necessary to facilitate dynamic workload scheduling in my house, and Nix is much nicer to work with than Helm’s gotmpl templating. Unless you like this kind of stuff or want to get into Kubernetes, you probably want to avoid it for running a few things on one host.

Helm is what is used for real world software deployments. It has its problems but it’s better than Docker Compose.

Just be careful with SD cards if you’re using SBCs. Home Assistant does a lot of writing and if your SD card can’t handle repeated writes you may suddenly lose everything. Keep backups to another device and have a replacement SD card ready if extended downtime is going to be a problem for you.

What is RentAHuman’s cut? This is a very expensive service to operate. If an LLM posts a request for somebody to go pick up a package, what happens if the package never existed? What happens if the human just says that it never existed and takes the money or even the money and the package? Somebody in the middle needs to be arbitrating between AI agents that are notorious for making things up or getting details wrong and humans that just want to make quick money. Nobody is going to send requests if the humans are randomly stealing and nobody is going to fulfill requests if sometimes the request is unsatisfiable and you don’t get paid.

I’m not sure. If non-VPN connections are blocked, any non-VPN IP that is leaked cannot be confirmed to be yours, because a connection cannot be established to that IP. However, if the client can see those unusable addresses, it can still send those addresses over the VPN connection as part of ICE and that may be enough of a problem for you.

WebRTC isn’t magic. WebRTC does not bypass a VPN, nor is it the only–or even most common–way that software on your phone, Android or otherwise, can exfiltrate potentially sensitive information, intentionally or unintentionally. The way WebRTC on your phone might leak an IP is that during ICE, which is used by more than just WebRTC, the phone’s local IP addresses may be sent, and IPv6 addresses on your WiFi or cell connection may be globally unique. IPv4 local addresses will almost certainly be meaningless, private addresses due to IPv4 address space exhaustion, and any non-local address will be from your VPN gateway.

You cannot block ICE per app or system wide because it is not a system facility, and the permissions required to implement it on Android are not very specific.

I have 1 podman container on NixOS because some obscure software has a packaging problem with ffmpeg and the NixOS maintainers removed it. docker: command not found

Quarto and Docusaurus are for documentation. You may be looking for a more general static site generator like 11ty.

Claude says he’s sincerely sorry that users feel software quality isn’t a priority, probably.

I don’t know what the plugin does but script to append an audio file to all audio files is possible to do cleanly in just three lines. Being able to write three lines doesn’t make something good at programming, and taking many more lines would make it bad at programming.

Many senior level “software engineers” are just tenured programmers and they’re managed by business people who don’t know software engineering either. One of the major benefits of using off the shelf software libraries is that they generally work as expected and have been through much more testing than something you just wrote, and often these libraries even receive free or cheap maintenance updates. You don’t want your developers wasting time reimplementing things and then wasting more time maintaining those reimplementations.

Getting the AI to write it is like mitigating the initial reimplementation cost by going to Fiver.

Wireguard normally runs with higher than root privileges as part of the kernel, outside of any container namespaces. If you’re running some sort of Wireguard administration service you might be able to restrict its capabilities, but that isn’t Wireguard. Most of my devices are running Wireguard managed by tailscaled running as root, and some are running additional, fixed Wireguard tunnels without a persistent management service.

Check the README for piper. It moved to https://github.com/OHF-Voice/piper1-gpl

Nextcloud shouldn’t be seeing your MAC address. However, my guess is that Nextcloud has been configured to invalidate the session if the client IP changes, and randomizing the MAC address is one way that can happen.

Are you looking for a VPN or are you looking for an IPv6 tunnel broker like Hurricane Electric?

An immutable distro… like NixOS? Or do you mean your root filesystem is immutable? NixOS can do that too. You could normally mount your nix store as readonly and remount rw during updates if you really care about filesystem immutability, or use some snapshot system if you’re paranoid about adding new files to the store corrupting other files already in the store during an update.

The nixpkgs VM creation module, which I’ve never seen documentation for, has a mode where it generates a kernel, initrd, kernel command line, and erofs image containing a prepopulated /nix directory and that’s enough to boot the VM.

Ansible is disappointing as an IAC tool. It’s good for doing things, but it’s not good for converging systems to a desired state. Too often you end up with playbooks that are not idempotent or rely on something that was done during a previous execution of the playbook or just don’t do something that was done by a previous version, and then unless you are constantly recreating your systems you won’t notice until it’s a problem and you can’t get your system back.