I appreciate the sentiment, people being nice to eachother should always be encouraged. But thanking people always seemed odd to me. I drank a lot. :(

But Granny Smith Apple.

Thankfully, I’m doing better now :)

Theres a couple of mistakes there. For example, a Bronze star would be above the Navy Marine Corps Achivement ribbon since its a much more prestigious medal. I cant tell what the devices are but this is the stack.

Row 1

1. Navy Marine Corps Achievement Ribbon

Row 2

1. Navy Marine Corps Combat Action Ribbon
2. Navy Marine Corps Presidential Unit Citation Ribbon
3. Marine Corps Good Conduct Ribbon

Row 3

1. National Defense Service Ribbon
2. Iraq Campaign Ribbon
3. Global War on Terrorism Expeditionary Ribbon

Row 4

1. Global War on Terrorism Service Ribbon
2. Humanitarian Service Ribbon
3. Navy Sea Service Deployment Ribbon

Source: Eaten a couple crayons.

Not OP but I use headscale and have it configured using Authentik for SSO. Works flawlessly once its up and running. I also use headplane for the UI. It has SSO integration as well which makes everything a breeze.

Edit: Forgot to mention, all running in docker with traefik as the reverse proxy.

Its not as cut and dry as everyone here is making it out to be. This is an organization of people, rules are bent and broken CONSTANTLY.

Each branch has a form of peer-mentoring. In some form or another you’re graded on your ability to do your job and those grades get looked at for your promotion.

It starts off as a negative counseling. Sometimes written, most times just verbal. These are the “oh man I forgot to do this duty at the end of the day” type offenses. More than likely someone is just gonna tell you to pull you’re head out of your ass and fix it.

Get enough of these and eventually you will get whats called a “non-judical punishment”. These are punishments handed out by commanding officers. See “UCMJ Article 15”. These are offenses under the rest of the UCMJ. Some things like adultery are still chargeable offenses. If they cant find something to charge you with “UCMJ Article 134” is a general offense. Basically “hey we didnt like what you did, its not illegal, but were gonna charge you anyway”

Think of NJPs as a misdemeanor, smaller but still serious infraction. When you leave the military, nobody will know that you got charged with something. But these do come with punishments. You basically get “grounded” cant leave your barracks room / get put on restriction. Also loss of pay.

Decide to commit a serous crime defined in the UCMJ? Well thats what a court-martial is. That is equivalent to a felony and will show up on any criminal background check. These often include jail time and reductions in rank.

Its all incredibly suggestive and depends on all the parties involved.

Have you tried setting up qemu with virt-manager? Theres a lot of info on how to set it up for most distros and I find the GUI is very straightforward and easy to use.

Thank you for the laugh (⁀ᗢ⁀)

You can use Authentik to setup an LDAP outpost then use a jellyfin LDAP plug-in to sync everything up.

https://github.com/jellyfin/jellyfin-plugin-ldapauth?tab=readme-ov-file

Course, feel free to DM if you have questions.

This is a common setup. Have a firewall block all traffic. Use docker to punch a hole through the firewall and expose only 443 to the reverse proxy. Now any container can be routed through the reverse proxy as long as the container is on the same docker network.

If you define no network, the containers are put into a default bridge network, use docker inspect to see the container ips.

Here is an example of how to define a custom docker network called “proxy_net” and statically set each container ip.

networks:
  proxy_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.28.0.0/16

services:
  app1:
    image: nginx:latest
    container_name: app1
    networks:
      proxy_net:
        ipv4_address: 172.28.0.10
    ports:
      - "8080:80"

  whoami:
    image: containous/whoami:latest
    container_name: whoami
    networks:
      proxy_net:
        ipv4_address: 172.28.0.11

Notice how “who am I” is not exposed at all. The nginx container can now serve the whoami container with the proper config, pointing at 172.28.0.11.

Well if your reverse proxy is also inside of a container, you dont need to expose the port at all. As long as the containers are in the same docker network then they can communicate.

If your reverse proxy is not inside a docker container, then yes this method would work to prevent clients from connecting to a docker container.

Something like this. This is a compose.yml that only allows ips from the local host 8080 to connect to the container port 80.

services:
  webapp:
    image: nginx:latest
    container_name: local_nginx
    ports:
      - "127.0.0.1:8080:80"

Excuse me have you heard about our lord and savior, NixOS?

Ooo I do love me some Nix modules. Any particular options to look out for in order to configure something like that?

Edit:

It’s programs.chromium.extraOpts isnt it? Lol

Check out Letchworth State park. Its the Grand Canyon of the East!!

https://parks.ny.gov/parks/79/details.aspx

Did you allow the containers to talk to eachother with ufw after setting it up?

You can setup wild card certs with a DNS challenge using traefik. No plug-ins needed, works right out the box.

Personally, I quite prefer traefik. Its harder to use than Caddy but offers more features. Also, it uses yaml or docker labels for config. I’m not a fan of the nginx .conf format.

Did you watch ‘I am Legend’? This is exactly what starts the apocalypse lol

Side note, book was waaaayyyyy better

The routers or computers you are using for this have to support forwarding traffic. With Linux this is pretty straight forward for other OSes I’m not sure how easy it is.

You can get around this by having tailscale installed on the default gateway (router) of each network. It might be quite a pain for OP to change routers at each location. On the plus side, OpenWRT has some other cool features like PXE booting.

Here is an article about tailscale on an OpenWRT router.

Im at the compose2nix phase of this pipeline. Ive got a bunch or sevices in Docker compose files and all of my systems have been running Nix for over a year now. Ive gotten the hang of my repo and made a couple modules for my specific uses and im hooked.

What would you suggest to migrate all my compose files into a nix friendly environment? I use flakes as well.

Ahhh interesting video! I appreciate the post. I see the mTLS is more about authenticating who the client is outside the application.

Don’t worry, Im not just exposing thing willy nilly 🤣 For client-side authentication I use Authentik combined with 2FA, Duo, and fail2ban. Authentik provides identity management through LDAP to jellyfin and any sign in request goes to MFA and you get a Duo notification to approve. You can do other MFA, i just havent set it up.

Ive got a lot of family who use my server. Asking them to install a TSL cert on every machine would be impossible. My method also monitors all sign in requests. Setting up Authentik was a hugggeee game changer for me.

Well ya know this is a forum and I was trying to engage in a friendly conversation to learn about something you brought up.

But yeah I know how to fucking Google lol