There are good reasons for why both JPEG-XL and WebP exist though.
If you’re running an email server for more than a handful of persistent users, I’d probably agree. However, there are self-host solutions that do a decent job of being ‘all-in-one’ (MailU, Mailcow, Docker-Mailserver) that can help perform a lot of input filtering.
If your small org just needs automation emails (summaries, password resets), it’s definitely feasible to do actually, as long as you have port 25 available in addition to 465, 587 and you can assign PTR records on reverse DNS. Optionally you should use a common TLD for your domain as it will be less likely to be flagged via SpamAssassin. MXToolbox and Mail-Tester together offer free services to help test the reliability of your email functionality.
I’m currently going through a similar situation at the moment (OPNSense firewall, Traefik reverse proxy). For my solution, I’m going to be trial running the Crowdsec bouncer as a Traefik middleware, but that shouldn’t discourage you from using Fail2Ban.
Fail2Ban: you set policies (or use presets) to tempban IPs that match certain heuristic or basic checks.
Crowdsec Bouncer: does fail2ban checks if allowed. Sends anonymous bad behavior reports to their servers and will also ban/captcha check IPs that are found in the aggregate list of current bad actors. Claims to be able to perform more advanced behavior checks and blacklists locally.
If you can help it, I don’t necessarily recommend having OPNSense apply the firewall rules via API access from your server. It is technically a vulnerability vector unless you can only allow for creating a certain subset of deny rules. The solution you choose probably shouldn’t be allowed to create allow rules on WAN for instance. In most cases, let the reverse proxy perform the traffic filtering if possible.
It doesn’t.
Ocis/OpenCloud can integrate with Collabora, OnlyOffice but don’t currently have things like CalDAV, CardDAV, E2EE, Forms, Kanban boards, or other extensible features installable as plugins in Nextcloud.
If you desire a snappy and responsive cloud storage experience and don’t particularly need those things integrated into your cloud storage service, then Ocis or OpenCloud might be something to look into.
Under what means? The target is public sector and the OS to replace (Windows 10, Windows 11) would be a relatively compatible release target. Fedora is a competent leading edge (Wayland, Pipewire, BTRFS) distro that runs as a 6 month point release. I wouldn’t see many reasons to not go with Fedora Workstation as a base unless going for an immutable base or a different core distro (OpenSUSE or Debian mainly).
EDIT: Missed that this is going to be immutable, so it is likely being based on Fedora Kinoite, meaning there really aren’t many alternatives besides OpenSUSE’s offerings.
Authentik has blueprints, which while not as simple as Authelia’s config, do provide a functional way to have version-controlled configuration.
As far as KDE vs. GNOME is concerned: KDE contains a lot of customizable features as an expectation and thus has great support for a wide array of customization. Both KDE and GNOME are extensible, with third-party extensions to extend or change functionality available. What makes GNOME less customizable is that, albeit supporting stylesheets and extensions, both are not expected to be used in any form (outside of defaults provided via Adwaita), and neither do many independent apps written in GTK3, GTK4 expect them. GNOME offers fairly minimal customization options without resorting to GNOME Tweaks, third-party extensions, and unsupported customized themes: all things that can break GNOME, as while the customization does exist, the developers don’t embrace it and have no expectation to not break it with any update.
What board/connector is affected? At worst, a replacement connector and a soldering iron should be able to replace the damaged connector and get your printer in a functional state.
UPDATE: if you are referring to certain mainboard connectors, it may be best to replace the mainboard if you don’t have the tools for replacement. I see surface-mount connectors for some things on the mainboard that can be difficult to replace correctly without more unique tools.
For what it’s worth, I do think OCIS is worthy of switching to if you don’t make use of all of the various apps Nextcloud can do. OCIS can hook into an online office provider, but doesn’t do much more than just the cloud storage as of right now.
That said, the cloud storage and UX performance is night and day between Nextcloud/Owncloud and OCIS. If you’re using a S3 provider as a storage backend, then you only need to ensure backups for the S3 objects and the small metadata volume the OCIS container needs in order to ensure file integrity.
Another thing to note about OCIS: it provides no at-rest encryption module unlike Nextcloud. If that’s important to your use case, either stick with Nextcloud or you will need to figure out how to roll your own.
I know that OCIS does intend to bring more features into the stack eventually (CalDAV, CardDAV, etc.). As it stands currently though, OCIS isn’t a behemoth that Nextcloud/Owncloud are, and the architecture, maintenance is more straightforward overall.
As for open-source: OCIS released and has still remained under Apache 2.0 for its entire lifespan thus far. If you don’t trust Owncloud over the drama that created Nextcloud, then I guess remain wary? Otherwise OCIS looks fine to use.
Persistent keep alive is configured per connection by all peers (server and client typically). As I understand it, Wireguard’s peer-based architecture will let both client and server peers define an optional persistent keep alive timer in order to send heartbeat packets on interval. Otherwise Wireguard on either peer may keep opening and closing connections for inactivity (or get its connections forcefully closed externally) if traffic isn’t being regularly sent. This can occur even though the network interfaces for Wireguard on both communicating peers remain up.
I do agree that running some kind of health-check handshake service over the Wireguard tunnel is an easy enough way to periodically check the state of the connection between peers.
Depending on how your connection is negotiated, it may partially not be possible due to the architecture of Wireguard. There is likely some way to hook into capturing handshakes between clients (initial handshake, key rotations). To determine disconnects and reconnects however is a challenge. There are no explicit states in the connection. The closest thing to disconnect monitoring is utilizing a keep alive timeout on the connections. There are some caveats to using a keep alive timer, however. Additionally, not every connection may use a keep alive timeout, making this infeasible as a full solution.
Detailed information about Wireguard session handling can be found in section 6 of this PDF.
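The handshake-age approach discussed in the two comments above, as an added example that is not part of the original posts: it parses the tab-separated output of `wg show <interface> dump` and labels each peer, including the case where no keepalive is set and no verdict is possible. The 180-second threshold, the status names, and the sample data are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption: 180 s mirrors WireGuard's REJECT_AFTER_TIME, after which a
# session key is no longer used; a peer still exchanging packets (keepalives
# included) must have completed a newer handshake by then.
STALE_AFTER = 180

@dataclass
class PeerState:
    public_key: str
    handshake_age: Optional[int]  # seconds since last handshake, None = never
    keepalive: Optional[int]      # seconds, None = "off"
    status: str

def classify_peers(dump: str, now: int, stale_after: int = STALE_AFTER) -> List[PeerState]:
    """Parse `wg show <interface> dump` text (tab-separated) and label each peer."""
    rows = [r.split("\t") for r in dump.strip().splitlines()]
    peers = []
    for row in rows[1:]:  # row 0 describes the local interface, not a peer
        if len(row) != 8:
            raise ValueError(f"expected 8 peer fields, got {len(row)}")
        pubkey, _psk, _endpoint, _allowed, handshake, _rx, _tx, ka = row
        age = None if handshake == "0" else max(0, now - int(handshake))
        keepalive = None if ka == "off" else int(ka)
        if age is None:
            status = "never-connected"
        elif age <= stale_after:
            status = "active"
        elif keepalive is None:
            # No keepalive: an idle but healthy peer looks exactly like this.
            status = "indeterminate"
        else:
            # With keepalive set, traffic should have forced a newer handshake.
            status = "stale"
        peers.append(PeerState(pubkey, age, keepalive, status))
    return peers

# Constructed sample (placeholder keys, documentation addresses), not real output.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "LOCAL_PRIVATE_KEY\tLOCAL_PUBLIC_KEY\t51820\toff",
    f"PEER_A\t(none)\t198.51.100.7:51820\t10.0.0.2/32\t{NOW - 40}\t9120\t8804\t25",
    f"PEER_B\t(none)\t203.0.113.9:40112\t10.0.0.3/32\t{NOW - 900}\t512\t1024\t25",
    f"PEER_C\t(none)\t192.0.2.44:33010\t10.0.0.4/32\t{NOW - 900}\t77\t90\toff",
    "PEER_D\t(none)\t(none)\t10.0.0.5/32\t0\t0\t0\toff",
])

if __name__ == "__main__":
    for p in classify_peers(SAMPLE_DUMP, NOW):
        print(f"{p.public_key}: {p.status} (age={p.handshake_age}, keepalive={p.keepalive})")
```

For live data, feed the function the text returned by `wg show wg0 dump` (interface name assumed) and the current Unix time.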
I believe it’s mostly drawing tablet support in Qt and in turn porting to Qt6 that’s holding native Wayland builds back.
An aside to the technical question of how to migrate profiles to older versions:
DO NOT DOWNGRADE FIREFOX BELOW 131.0.2 OR ESR 128.3.1, 115.16.1
I feel that given this recent vulnerability, it is important to make this notice.
Otherwise:
For migrating profiles between the same major version, Mozilla provides a guide for full profile migration. This also works with forwards compatibility. I generally wouldn’t try to go backwards however as many new major versions change the data format and contents of your profiles, which older versions have no idea how to interpret.
For downgrading, it’s best to export bookmarks, go through your important addons and backup the settings for each one that needs configuration, and take note of anything you’ve previously modified in about:config to your preference. Perhaps take screenshots of your tab bar and overflow menu as well so you can recustomize them to your liking easily on the downgraded version.
Just take note, with Bambu printers, of past data collection practices and their in general mid to atrocious after-sales support. If this doesn’t deter you, then go ahead and get one.
I do a lot of my functional parts in ABS, ASA, though printing such material may be difficult on an open-air machine. The two obvious choices will generally be PLA or PETG. PLA is one of the most common printed materials, and is fairly balanced in material strength. PETG parts are more likely to permanently deform heavily before fully snapping, as well as they have a bit more temperature resistance than PLA. Additionally most PETG plastics hold up decently well to UV, often making them more suitable for parts that need to be outdoors.
PLA takes not much consideration on surface to print, as most printers come with a smooth PEI build sheet by default. It will however need more cooling than printing with PETG at equivalent speeds. If you use a PEI sheet for PETG, make sure it is textured. You will destroy a smooth sheet if it doesn’t have some kind of release coating to lower its adhesive properties to PETG.
There is no guarantee for spools of filament to actually arrive dry, so a filament dryer isn’t a bad idea. I don’t have any particular recommendations for a good filament dryer. I have a Filadryer S2 from Sunlu, but am not impressed by it.
Just took a couple minutes to install and setup the fork to try it out. Turns out there is a flatpak on Flathub under the id dog.unix.cantata.Cantata that looks to be maintained directly by nullobsi. I’ll have to see where rough edges show up, but this fork looks good thus far. A full port from Qt5 -> Qt6 isn’t a trivial amount of effort, so mad respect to everyone working on this ported version.
As I found out recently myself, you should almost always set the minimum amount of reserved memory for the iGPU on modern hardware. The reserved memory is just that— reserved. The kernel still dynamically allocates memory for GPU usage as needed on iGPUs.
Largely things look good. It might be a good idea to look for a motherboard that has Intel ethernet rather than Realtek. I’m also a bit curious if the barebones VRM design on the board is adequate as well.
How locked down are the Chromebooks?
Remote VM seems overkill if you can just enable “Linux for Chromebook”, which gives a sandboxed terminal at which point you can setup and install software like Blender, PrusaSlicer, etc.
It won’t be the fastest because they are thin clients, but even modern thin clients do decently for ‘light’ work.