Spyke

Replies

Comment on

How do I access my services from outside?

I went a different path than the VPN route that seems popular in the other comments...

I use a reverse proxy (caddy) with wildcard SSL (so all my hostnames aren't in the public cert registry) plus port knocking. So normally no outside IPs are allowed to access my internal services, but I can knock and then access anything for a while. Working well so far.
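As an added illustration of the knock-then-allow mechanism the commenter describes (not their actual setup, and no real knock daemon's code), here is a stand-alone simulation of a port-knocking gate. Everything is in-memory and offline: the knock sequence, window and allow duration are constructed values, and `observe()` is fed (source address, destination port, timestamp) tuples in place of real inbound SYNs. It shows the two properties that make knocking useful as an access gate: an out-of-order port resets the sequence, and the opened allowance expires on its own.

```python
"""Port-knocking access gate, as a stand-alone simulation (added example).

A source address must hit a fixed sequence of closed ports, in order, within
a short window; once the sequence completes, that address is allowed through
to the proxied services for ALLOW_SECONDS. Any out-of-order port resets the
sequence, which is what keeps a plain sequential scan from opening the gate.
"""
from dataclasses import dataclass, field

# Constructed sample values; a real deployment picks its own sequence.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW_SECONDS = 10.0   # whole sequence must complete within this
ALLOW_SECONDS = 300.0         # how long the source stays allowed afterwards


@dataclass
class _Progress:
    next_index: int = 0      # which port of the sequence we expect next
    started_at: float = 0.0  # time of the first correct knock


@dataclass
class KnockGate:
    sequence: tuple = KNOCK_SEQUENCE
    knock_window: float = KNOCK_WINDOW_SECONDS
    allow_for: float = ALLOW_SECONDS
    _progress: dict = field(default_factory=dict)      # src -> _Progress
    _allowed_until: dict = field(default_factory=dict) # src -> expiry time

    def observe(self, src: str, port: int, now: float) -> bool:
        """Feed one inbound connection attempt (src address, dst port, time).
        Returns True when this knock completes the sequence."""
        prog = self._progress.get(src, _Progress())
        # Stale partial sequence: start over.
        if prog.next_index > 0 and now - prog.started_at > self.knock_window:
            prog = _Progress()
        if port == self.sequence[prog.next_index]:
            if prog.next_index == 0:
                prog.started_at = now
            prog.next_index += 1
            if prog.next_index == len(self.sequence):
                self._allowed_until[src] = now + self.allow_for
                self._progress.pop(src, None)
                return True
            self._progress[src] = prog
        elif port == self.sequence[0]:
            # Wrong port, but it is the first of the sequence: fresh start.
            self._progress[src] = _Progress(next_index=1, started_at=now)
        else:
            # Any other port resets the sequence for this source.
            self._progress.pop(src, None)
        return False

    def is_allowed(self, src: str, now: float) -> bool:
        """Would the firewall pass traffic from src to the services right now?"""
        expiry = self._allowed_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self._allowed_until[src]
            return False
        return True


def demo() -> dict:
    """Run a few constructed scenarios; returns the outcomes for inspection."""
    gate = KnockGate()
    results = {}
    # 1. Correct sequence, in order, within the window.
    for i, p in enumerate(KNOCK_SEQUENCE):
        gate.observe("198.51.100.10", p, 100.0 + i)
    results["good_knock_allowed"] = gate.is_allowed("198.51.100.10", 103.0)
    # 2. The allowance expires by itself.
    results["good_knock_expired"] = gate.is_allowed(
        "198.51.100.10", 102.0 + ALLOW_SECONDS + 1.0)
    # 3. A sequential scan touches the right ports with others in between.
    for p in (7000, 7001, 8000, 9000):
        gate.observe("203.0.113.5", p, 200.0)
    results["scan_allowed"] = gate.is_allowed("203.0.113.5", 201.0)
    # 4. Right ports, right order, but too slow for the knock window.
    gate.observe("203.0.113.6", 7000, 300.0)
    gate.observe("203.0.113.6", 8000, 305.0)
    gate.observe("203.0.113.6", 9000, 320.0)
    results["slow_knock_allowed"] = gate.is_allowed("203.0.113.6", 321.0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In a real deployment the knock daemon watches dropped SYNs in the firewall log and inserts a temporary allow rule for the source; the reverse proxy behind it still does TLS and its own authentication, so the knock is an extra gate rather than the only one.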

Comment on

Cloudflare LE certificate management?

This isn't a Cloudflare limitation. It's a TLS limitation. It was a conscious decision not to support multi-level wildcards. You won't find a service that supports it. Most people get around this by just not using TLS certs like this. You can encode your multi-level name spacing in one level. So instead of something like svc1.svcgroup.dev.domain.org, you can do it like svcgroup-svc1.dev.domain.org.

Never heard of a tool to get around this TLS limitation. There are tools that manage lots of certs (cert-manager in k8s comes to mind). If you had a more concrete example it might help people to suggest solutions.
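To make the TLS rule behind this concrete, here is an added example (not Cloudflare's, a CA's, or any TLS library's code) of hostname matching against a certificate name under the single-label wildcard rule of RFC 6125 section 6.4.3: a `*` stands for exactly one label and may only appear as the whole left-most label. Run against the names from the thread, it shows why `*.dev.domain.org` covers `svcgroup-svc1.dev.domain.org` but not `svc1.svcgroup.dev.domain.org`, and why a `*.*.dev.domain.org` name is simply rejected. The SAN list at the bottom is constructed for the example.

```python
"""Certificate-name matching with the single-label wildcard rule (added example).

Implements the RFC 6125 section 6.4.3 matching that clients apply: '*' may be
only the left-most label, and it matches exactly one DNS label. Multi-level
wildcards are therefore not a thing any client will honour, which is the
"TLS limitation" the comment refers to.
"""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a presented certificate name (CN or dNSName SAN)
    covers the hostname the client connected to."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Wildcard only as the entire left-most label; no '*' anywhere else.
    # (Partial wildcards such as "f*o.example.org" are deliberately not
    # supported here, matching what modern clients do.)
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    # Refuse wildcards directly under a top-level label ("*.org"), as public
    # CAs and browsers do.
    if len(cert_labels) < 3:
        return False
    # '*' matches exactly one label, so the label counts must be equal:
    # this is the check that rejects svc1.svcgroup.dev.domain.org.
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def names_covered(cert_names, hostnames) -> dict:
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(hostname_matches(c, h) for c in cert_names) for h in hostnames}


# Constructed SAN list for one wildcard certificate covering the dev tier.
WILDCARD_SANS = ["*.dev.domain.org", "dev.domain.org"]

if __name__ == "__main__":
    for host, ok in names_covered(WILDCARD_SANS, [
        "svcgroup-svc1.dev.domain.org",   # flattened namespace: covered
        "svc1.svcgroup.dev.domain.org",   # two levels deep: not covered
        "dev.domain.org",                 # covered by the bare name, not the '*'
    ]).items():
        print(f"{host}: {'covered' if ok else 'NOT covered'}")
```

The side effect the next comments rely on also follows from this: because the certificate only needs `*.dev.domain.org` as a SAN, the individual service names are never written into the certificate, so they do not end up in the public Certificate Transparency logs that every issued Let's Encrypt certificate is published to.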

Comment on

What does your current setup look like?

Internet:

  • 1G fiber

Router:

  • N100 with dual 2.5G nics

Lab:

  • 3x N100 mini PCs as k8s control plane+ceph mon/mds/mgr
  • 4x Aoostar R7 "NAS" systems (5700U/32G RAM/20T rust/2T SATA SSD/4T NVMe) as ceph OSDs/k8s workers

Network:

  • Hodgepodge of switches I shouldn't trust nearly as much as I do
  • 3x 8 port 2.5G switches (1 with PoE for APs)
  • 1x 24 port 1G switch
  • 2x Omada APs

Software:

  • All the standard stuff for media archival purposes
  • Ceph for storage (using some manual tiering in cephfs)
  • K8s for container orchestration (deployed via k0sctl)
  • A handful of cloud-hypervisor VMs
  • Most of the lab managed by some tooling I've written in go
  • Alpine Linux for everything

All under 120W power usage

Comment on

Caddy + DeSEC.io + DNS Challenge [Solved]

Just as an aside, you're halfway to being able to use wildcard certs. You might as well just do the last bit of work so the domain names you're using are a little less public. Let's Encrypt puts every domain name on every cert in a public database. I've seen much less random probing of my services since moving to wildcards.

Comment on

ARM SBC Replacement for my k3s cluster

The only Radxa I'd bother with is the Rock 5 and for the price, I'd probably just go with rpi5 (unless you like to tinker... a lot). That's coming from someone that owns 3 Rock 5s. The new Orion board looks interesting, but if it's like any other Radxa product it'll be 2+ years before it gets decent software support.

Comment on

What's it going to take to truly stop the US?

Reply in thread

We haven't been dealing with Trump for as long as Venezuela has been dealing with Maduro (and Chavez before him). Give us a couple more decades and I'm sure you'd see more people happy to see him "arrested" by a foreign power. Fwiw, I'd be happy to see it tomorrow, but I know a lot of my fellow USians wouldn't take so kindly. Not because they actually like Trump, but because it'd be a sobering reminder that we're no longer top of the food chain