Cardiff, Wales. One of the few places in the world that felt like a Real City while also having its own distinct culture and feel. Every other city I’ve been to feels like the same sort of dull corpo-district monoculture.

Old Montreal also has a bit of this, but only the central city areas, the outside periphery quickly devolves back into the “this could be anywhere in North America (version francaise)”

A decent solution is to install shairport-sync on the Pi and advertise the service over multicast dns (Apple bonjour protocol). This effectively creates an AirPlay device on the network that’s usable from any iDevice. This had a very high “wife approval factor” when I did something similar at home.

https://docbot.onetwoseven.one/linux/airplay/

Anybody who’s ever exposed any service to the internet knows this as the “background radiation” of the net. My boxes get thousands of random connection attempts per day. The best practice for years has been to use keypairs and/or VPNs. Friends don’t let friends expose RDP to the web.

Going to go against the grain a little here and say, why bother? If you already have a background in Linux, that will get you further in your career much faster. My education was 100% windows/cisco, but I haven’t touched either in the better part of a decade since I’ve been working with mostly “web stuff” where Linux dominates.

Invest the time you would spend slogging through learning Active Directory and grinding MCSE into something useful like Docker, ansible, bash, infra-as-code, etc. It’s more fun, and it’ll make you way more money!!

I guess this is the next chapter in the endless middle-east war. The British & French got exactly what they wanted when they drew up those borders. It’s truly tragic how many people are going to die in the next decade because of religious and nationalistic despots and their egos.

It’s fine. RAID is not a backup. I’ve been running simple mirrors for many years and never lost data because I have multiple backups. Focus on offsite and resilient backups, not how many drives can fail in your primary storage device.

Wait… you’re telling me that these devices are connected directly to the CAN bus and also have default root passwords? Did nobody involved in this ever stop and think it might possibly be a bad idea??

This brings a new meaning to the old phrase “war driving”

Someday, years from now, we will finally have Windows 10 Gold Edition.

https://archive.org/details/GoldWindowsXPSP32016Drivers

Not sure how to do that in docker, I’ve run mine as a plain old PHP-FPM site for years and years. It might be something that can be tweaked using config files or environment variables, or might require building a custom image.

ClamAV is slow and doesn’t catch the nastiest of malware. Its entire approach is stuck in 2008. It’s better than nothing for screening emails, but for a private file store it won’t help much considering that you’ll already have the files on your system somewhere. And most importantly, it slows down file uploads 10x and increases CPU load substantially. The only good reason to use ClamAV for nextcloud is if you will be sued if you don’t!

It needs some tweaks to be snappy. The defaults are really bad.

• change database from SQLite to a proper database like MySQL or Postgres, and configure the database server to use your memory fully
• increase the PHP memory limit from the default (128M on many distros) to >1G, the more the better
• install APCu in-memory cache for PHP
• add Redis as additional cache
• turn off the antivirus extension, if installed (ClamAV is useless)
• use http/2 on Apache/nginx to increase performance with multiple connections

https://docbot.onetwoseven.one/services/nextcloud/

This was my setup from about four years ago. Other than moving suricata elsewhere, it’s largely the same. Worth a shot if it’s something you’re into!

https://nbailey.ca/post/linux-firewall-ids/

OpenBSD is also great, I’m just more familiar with the Linux tools. All the required tools are in the base image, and they have a great official guide:

https://www.openbsd.org/faq/pf/example1.html

Yep. Firewall, routing, dhcp, dns, everything you’d expect from a gateway device. Plain Debian (or really any distro) can do it all. With a 1gbps bi-directional connection fully saturated it will run at about 10% cpu on my very crappy low power Celeron CPU.

Plus, there’s no web UI full of janky and insecure CGI scripts to exploit, and software updates are forever (well, until x64 is deprecated, so basically forever).

IPtables on Debian because I like my life to be boring and unchanging.

For about a year I was running a full out of band IPS on my network. My core switch was set up with port mirroring to spit out a copy of all traffic on one port so that my Suricata server could analyze it. Then, this was fed into ElasticSearch and a bunch of big data crap looked for anomalies.

It was cool. Basically useless because all it did was complain about the same IP crawler bots as my nginx logs. But fun to setup and ultimately good for my career lol.

Sadly the Canadian mint takes a loss on every coin and bill. Every $50 note they create actually costs about $65 (with the tip).

I just got my first Chucky Buck this weekend, we can’t switch to a new currency this quickly! Our economy is in shambles!

That will never happen. SSL is based on trust, and the trust root will never blindly delegate to whatever happens in random LANs. Subdomain is 100% the right approach for internal network.

Nextcloud - slick web UI and good desktop app. Bit of work to install and maintain the server software but worth it imo.

Syncthing - barebones cross device peer to peer file sync. Simple but works great.

Most unixey option - just use rsync to do incremental backups of your homedir to your server with a crontab. Easy and simple.

iptables-save > /etc/iptables/rules.v4

Or install iptables-persistent if you’re on a Debian-derivative system.

https://linux.die.net/man/8/iptables-save

I mean it is possible to run your own authoritative nameservers on a server you own with a static IP. It’s a pretty irresponsible thing to self host, but it is possible :)