Both of those documents agree with me? RedHat are just using the terms “client” and “server” to make it easier for people to understand, but they explicitly say that all hosts are “peers”.

Note that all hosts that participate in a WireGuard VPN are peers. This documentation uses the terms client to describe hosts that establish a connection and server to describe the host with the fixed hostname or IP address that the clients connect to and, optionally, route all traffic through this server.

–

Everything else is a client of that server because they can’t independently do much else in this configuration.

All you need to do is add an extra peer to the WireGuard config on any one of the “clients”, and it’s no longer just a client, and can connect directly to that peer without using the “server”.

There’s no such thing as a client or server with Wireguard. All systems with Wireguard installed are “nodes”. Wireguard is peer-to-peer, not client-server.

You can configure nftables rules to route through a particular node, but that doesn’t really make it a server. You could configure all nodes to allow routing traffic through them if you wanted to.

If you run Wireguard on every device, you can configure a mesh VPN, where every device can directly reach any other device, without needing to route through an intermediary node. This is essentially what Tailscale does.

Setting up typescript takes an hour or two if you have no clue what you’re doing

Modern versions of Node.js have native TypeScript support. For scripts, you can just write the script then run it. That’s it. No build process needed. A beginner could just rely on type checking in their editor (I think VS Code has the TypeScript tooling installed by default?)

For web apps, just use something like Bun or Deno. Bun gives you practically all the tooling you’d need (JS runtime, TypeScript, package manager, test runner, bundler, and framework for building web apps) out-of-the-box. It doesn’t have a formatter, but you can just use your editor’s formatter.

you can also do the exact same thing with any other HikVision camera too

Most people that install security cameras don’t directly connect them to the internet like this. A company that’s installing them at scale should be aware of this.

using default credentials

Modern Hikvision and Dahua cameras don’t have a default password. They require you to set a strong password during initial setup.

In general, a lot of electronics have moved away from generic default passwords, as many jurisdictions ban them now. Any modern device should either require you to set the password during initial setup, or have a randomly-generated password printed on a sticker under the device.

The device you found was either a very old one, or one where the owner intentionally set a basic password.

Wow, this is very useful!!

a program that runs as root

Does it have to run as root? It’s common to run Docker in rootless mode in production environments.

You might be interested in StirlingPDF too.

you can override this by setting an IP on the port exposed so thet a local only server is only accessable on 127.0.0.1

Also, if the Docker container only has to be accessed from another Docker container, you don’t need to expose a port at all. Docker containers can reach other Docker containers in the same compose stack by hostname.

If you are good at manipulating iptables there is a way around this

Modern systems shouldn’t be using iptables any more.

Yeah, a Black Friday sale.

They do have some deals always available, but the specs aren’t as good as the Black Friday ones: https://greencloudvps.com/billing/store/budget-kvm-sale

RackNerd also have some deals that are always available on their site. .

I’m running mine on a ~$33/year VPS at GreenCloudVPS. It’s a small instance (just me) but it federates with all the major instances which means it still does a bunch of work (since it has to handle incoming posts and comments from federated servers). It’s a decently powerful VPS with an AMD EPYC Milan CPU, 10GB RAM, and 100GB NVMe storage.

For a medium-sized instance, I imagine you could get pretty far with a single <$100/month dedicated server from Hetzner or a similar provider.

Some servers have ECC. If you get a cheap one (like a Hetzner auction server), it’s less likely to have ECC. ECC protects against bitflips, but it won’t help if the RAM is starting to die. ECC isn’t magic - it just has an extra 8 bits of parity data per 64 bits of data. It still uses the same type of RAM chips.

If you want to try alternate UIs, you might be interested in trying Photon and Alexandrite.

Their deep investigations are so good. I liked their documentary about GPU smuggling in China.

Still up here in the San Francisco Bay Area. Maybe only some regions are affected.

why is a tower defense game listed under Automation?

and two of the most popular automation programs are missing (n8n and Node-RED).

who on earth needs customer live chat and a lot of business-scale website analytics, webshop systems and CRM and ERP in their homelab??

Maybe not in a homelab, but plenty of people self-host these. I’m setting up customer live chat (Chatwoot) and invoicing and account (Bigcapital) for my wife for example. I self-host website analytics (Plausible) and bug tracking (used to be Sentry but it got too complex to host, so now I’m trying Bugsink and Glitchtip) for my personal sites/projects, too.

Oh… Oops. Hahaha

DigiCert have said they’re not changing their prices as a result. It’s still a yearly payment (or every 2 or 3 years if you prefer that).

7-day validity is great because they’re exempt from OCSP and CRL. Let’s Encrypt is actually trying 6-day validity, not 7: https://letsencrypt.org/2025/01/16/6-day-and-ip-certs

Another feature Let’s Encrypt is adding along with this is IP certificates, where you can add an IP address as an alternate name for a certificate.

This is one of the reasons they’re reducing the validity - to try and convince people to automate the renewal process.

That and there’s issues with the current revocation process (for incorrectly issued certificates, or certificates where the private key was leaked or stored insecurely), and the most effective way to reduce the risk is to reduce how long any one certificate can be valid for.

A leaked key is far less useful if it’s only valid or 47 days from issuance, compared to three years. (note that the max duration was reduced from 3 years to 398 days earlier this year).

From https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days:

In the ballot, Apple makes many arguments in favor of the moves, one of which is most worth calling out. They state that the CA/B Forum has been telling the world for years, by steadily shortening maximum lifetimes, that automation is essentially mandatory for effective certificate lifecycle management.

The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.

The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of using potentially revoked certificates. In 2023, CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire within 7 days, and which do not require CRL or OCSP support.