Hello all! I have never selfhosted before, but I have a pretty extensive digital library of videogames (ROMs from a couple dozen retro systems among other executables) that my friends have expressed interested in having access. What's the ideal software for giving them access to the library hosted on my drives? I'm picturing something like a selfhosted Steam where they see all of the games and can search via retro system, game tags, by name, etc. and each of could keep track of separate user accounts by playtime, favorites, recently played, etc. I use RetroArch and a few standalone emulators myself connected to RetroAchievements, so I figured they would need to download any emulators on their ends and then just pick and play the games as they see fit without having to have their own copies of the games.

This docker overlay enable you to switch of screen resolution in your headless steam automatically by only choosing the moonlight resolution. So now you can play on all your screens in the steam headless docker.

NutriTrace is a self-hosted nutrition tracker (Docker on the server, PWA in the browser, native Android app). AGPL-3.0, no telemetry, no accounts on external services, your data stays on your hardware.

This release is the biggest one since the Android app shipped: the Wellness layer moves off the legacy Fitbit Web API (which Google is sunsetting in September 2026) onto the new Google Health API, the numeric Stress Score becomes Resilience (Optimal / Balanced / Low), Fitbit's new Sleep Quality sub-metrics show up under Sleep, and the Diary gets a Cronometer-style Split Recipe action.

What's new

Google Health migration — Wellness data now flows through Google Health instead of the deprecated Fitbit Web API. Existing Fitbit data still comes from the same device; only the connection method changes. Fitbit users will see a "Re-link required" notice in Settings → Wellness with the migration steps. Old tokens keep working through a transition window.

Resilience replaces the numeric Stress Score — Fitbit retired the 0-to-100 score and renamed it Resilience with three buckets (Optimal / Balanced / Low). The Wellness page reflects the change with a category badge, a one-line interpretation, and a breakdown of the three pillars Fitbit uses (Physical Calmness, Activity Balance, Sleep Patterns). Historical Stress values stay in the database for reference.

Sleep Quality sub-metrics — Time to Sound Sleep, Sound Sleep, Restlessness, and Interruptions appear under the Sleep tab when data is available. Restlessness under-counts vs Fitbit because Google Health doesn't expose the raw motion data Fitbit's app uses internally; the others track within a few minutes on most nights.

Split Recipe on the Diary — Long-press a saved recipe in your diary and tap Split Recipe to break it into its component ingredients in place. The recipe stays as the parent (so totals are preserved); a chevron expands to reveal each ingredient scaled by however much of the recipe was logged. Each child is editable (adjust portion, remove one) without touching the saved recipe in your library.

Info button on saved meals and recipes in the Foods picker — tap the i on any meal or recipe row to see the full ingredient list with portions and per-item energy before logging it. Mirrors the existing yesterday-meals expand pattern

Issues, feature requests, and integration test reports are all welcome on GitHub.

[edit] Solution

In addition to the instructions in the link, make the paths relative in frontend/config.json (in /srv/modoboa/instance)

{
  "API_BASE_URL": "/api/v2",
  "API_DOC_URL": "/api/schema-v2/swagger/",
  "OAUTH_AUTHORITY_URL": "/api/o",
  "OAUTH_CLIENT_ID": "blablabla",
  "OAUTH_REDIRECT_URI": "/login/logged",
  "OAUTH_POST_REDIRECT_URI": ""
}

and I also added this in the nginx conf, don't remember if all was useful. In mail.domain2.com.conf

    location ~ ^/(api|accounts|autodiscover) {
        include uwsgi_params;
        uwsgi_param UWSGI_SCRIPT instance.wsgi:application;
        uwsgi_param Host $host;
        uwsgi_param X-Forwarded-Host $host;
        uwsgi_param X-Forwarded-Proto $scheme;
        uwsgi_param X-Real-IP $remote_addr;
        uwsgi_pass modoboa;
    }

...

    location /radicale/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
...
}

As many have advised against it, I decided to start (almost self-)hosting my mail service.

I have tried with one domain, it has been running fine so far. I have not tested deeply but it works.

I want to host another domain, so I followed this guide which seems mostly still applicable: https://www.linuxbabe.com/mail-server/modoboa-multiple-domains

One thing though, with the current basic modoboa install, after following the steps in this guide, I can go to mail.domain2.com to access the webmail, however it is some kind of redirect and I end up on mail.domain.com. It must be on wsgi level because there is no redirect in nginx? So technically it's still working since it's what's actually under the hood. But would it be possible to stay on mail.domain2.com?

Or maybe I have missed something somewhere, because unlike mentioned in the guide, it seems I have to use mail.domain1.com to set up client IMAP and not mail.domain2.com.

I know this is not a modoboa support community but I am not going to create one (yet) and I am not going to reddit. And I can't open issues in Github. So live with it.

(First blog post ever, would appreciate your input!)

Edit: Title was a lil clickbaity

I'm currently facing a dilemma. Right now, I have a synology NAS that I use to host my homelab containers (*arr, pi-hole, vaultwarden, Plex, etc).

I am planning to offload as much of that as possible to a dedicated machine, which hopefully will allow me to continue self-hosting even more demanding services (Immich, etc).

I was lucky enough to get a proper server - Supermicro, for free, with 64GB Ram DDR4 and 1TB. However, I plugged it in and that thing is NOISY.

My rack will be in the home office, where I will spend at least 8 hours a day, so I can't afford that level of noise.

What should I do? Should I try to sell the supermicro and buy something else with that money? Should I keep the RAM and SSD (and CPUs?) and build something else with them? Are there any quiet servers I could look into (I am guessing better performance but more expensive), or Should I go the MiniPC route instead (cheaper and smaller, but more limited specs)?

What is everyone else using for VPN solutions and what are the trade offs?

I want a VPN to access all my personal devices and use services like Syncthing. I use it on my phone so it can't use ungodly amounts of idle data.

I looked at Netbird but found the idle data usage almost 1GB per few days using JetBird with Lazy connections. I tried the default app but it makes me SSO login every day or two, it wouldn't stay connected, and it still used a reasonable amount of idle data.

I looked at Tailscale but I'm not going to lock access to all my devices behind a Google account login or some other third party service login for no reason. It seems like hosting my own auth server is too much additional risk as well. I tried self hosting headscale which worked well except that I have no decent front end to easily add devices. I have to log into a terminal, then execute docker commands which was a huge pain in the ass. I didn't even touch on any of the firewalling or routing that can be done because it was so much more complex in headscale then in a web interface. I tried hosting two or three headscale front ends but couldn't get one working that supported most of the available feature set. Usually I was given generic connection errors with no clear way to diagnose or clear troubleshooting steps so after a few hours I moved on.

I have looked at paperless in the past and just asked why? I just spent a little time setting it up to see what it was about, then I spent hours configuring it and my email server creating paperless email addresses that other emails forward to! I cannot believe I have lived this long without it.

cross-posted from: https://awful.systems/post/8238756

Basically, STT quality has kept me from switching to HomeAssistant's voice assistant features. The default matcher (Hassil) is waaaaaaay to strict, and LLMs are slow, constly, and/or a privacy nightmare, plus I don't like them.

I really thought there would be something available that just matches your STT output to the configured intents, but apparently not, so I've built in myself.

Finally convinced my GF to throw Alexa in the bin :)

Here's an excerpt from the README, and feel free to AMA:

🌲 Problem statement and solution

Speech-To-Text (STT) output, especially fast and local STT output, is often simply bad. HomeAssistant's own Hassil is incredibly picky: your STT output must match exactly to one of the configured intents.

There's two paths forward from this: Upgrade your hardware to support better STT, or try to figure out what the speaker probably meant to say from the garbled output.

This project does the latter.

With this custom integration, "Lights on in live in room" will actually turn on the lights in your living room. So will, for that matter, "lighrts on inn livainriomm".

Short demo, first with closest-intent, then with bare Hassil:

 

📜 Highlights

• Pattern expansion. Expanding <expansion_rules>, (alternatives|to), and [optional|alternatives] all work, including on HASS-defined lists like your home's areas and entities!
• Slot extraction. Both for wildcard slots (like for adding something to the shopping list, where the {item} is a wildcard), and against slots like {timer_hours:hours} with a fixed set of possibilities.
• Fuzzy slot resolution. For list-like slots and expansion rules (including your areas and entities!), fuzzy match the slot values to the available options. Allows "livikroom" to be corrected to "living room".
• Actual intent handling still done by Hassil. closest-intent simply corrects your STT output or typos to the closest matching intent, and then forwards a nice, canonical sentence to Hassil, who then deals with the intent just like if you had spoken/typed perfectly.
• 100% LLM-free. Just uses relatively simple fuzzy matching of the input against your intents, plus some clever-ish (well... working, at least) tricks to improve the results.
• Fallback agent support. OK, I said 100% LLM-free, but if you absolutely want to, you can use one as fallback. More on this below.
• Is fast :) (as in: basically instant for a couple hundred configured custom intents).

Note: closest-intent is completely language-agnostic. All the examples in this README are in English, but you can use it with any language you like; personally, I use it in German.

 

📋 Examples

Here's some examples of things I said, what my STT (wyoming-faster-whisper-base) understood, what HomeAssistant was able to do/answer after passing the STT output through closest-intent, and what the same STT output would have resulted in with just bare Hassil.

Note: These are actual results I got when speaking the "what was said" sentences in my phone. I'm a native German speaker, and so I do have an accent, but this pretty closely matches my experience when using the German-language version of whisper. The "bare Hassil" responses are what I got after 1:1 pasting the STT output into the voice assist chat window with closest-intent disabled.

| what was said | STT output | with Closest Intent | bare Hassil | |

|

|

|

|

| start cleaning | Star cleaning. | ✅ Cleaning started. | ❌ Sorry, I couldn't understand that | | stop cleaning | Stop clenching! | ✅ Cleaning stopped. | ❌ Sorry, I am not aware of any device called clenching | | vacuum the living room | Vacuum Believing Room | ✅ Cleaning the living room. | ❌ Sorry, I am unaware of any floor called Believing Room | | clean the office | King the Office | ✅ Cleaning the office. | ❌ Sorry, there are multiple devices called Office (author's note: no there aren't, wtf?) | | vacuum the kitchen | Back here in the kitchen. | ✅ Cleaning the kitchen. | ❌ Sorry, I couldn't understand that | | how warm is it in the bedroom | Our all is in the best room. | ✅ In the bedroom, the temperature is currently.... | ❌ Sorry, I am not aware of any area called best room | | add milk to the shopping list | Add milk to the chauvinist. | ✅ "milk" added. | ❌ Sorry, I am not aware of any device called chauvinist | | put call dentist on my todo list | put call dentist on my tudu list | ✅ "call dentist" added. | ❌ Sorry, I am not aware of any device called tudu | | turn on the water pump | turn on the what her pump | ✅ Turned on the water pump. | ❌ Sorry, I am not aware of any device called what her pump | | play some music | Place on music | ✅ Playing music. | ❌ Sorry, I am not aware of any area called music | | resume the music | Renew Music | ✅ Resuming. | ❌ Sorry, I couldn't understand that | | pause the music | Post music | ✅ Paused. | ❌ Sorry, I couldn't understand that | | next track | next rack | ✅ Next track. | ❌ Sorry, I am not aware of any device called rack | | enable shuffle | an able shuffling | ✅ Shuffle enabled. | ❌ Sorry, I couldn't understand that | | disable shuffle | Disable to schaffen. | ✅ Shuffle disabled. | ❌ Sorry, I am not aware of any device called Disable | | restart the player | Reset the plan. | ✅ Restarting the player. | ❌ Sorry, I am not aware of any area called Reset | | play a random album | Player random album | ✅ Playing a random album. | ❌ Sorry, I couldn't understand that | | play a random artist | Player and Immartist. | ✅ Playing a random artist. | ❌ Sorry, I couldn't understand that | | play the latest tracks | Plan the ladder tracks. | ✅ Playing recently added tracks. | ❌ Sorry, I am not aware of any area called Plan | | play recently played songs | Player recently played so... | ✅ Playing recently heard tracks. | ❌ Sorry, I couldn't understand that | | play playlist NieR | Play playlist NEAR! | ✅ Playing the playlist NieR. | ❌ Sorry, I couldn't understand that | | play my daily briefing | and play my daily breathing | ✅ Here is your daily briefing: ... | ❌ Sorry, I am not aware of any area called and play | | what time is it | What the hell is it? | ✅ It is 16:36. | ✅ It is 16:36. (author's note: okay, know what? earned. did not expect that.) | | what day is it today | One day is today. | ✅ Today is Friday. | ✅/❌ May 8th, 2026 (author's note: that's the output for "What date is it?", but, eh, close enough) | | make the tv brighter | Make that CV brighter. | ✅ Screen is now bright. | ❌ Sorry, I couldn't understand that | | set the screen darker | The screen doctor. | ✅ Screen is now dark. | ❌ Sorry, I am not aware of any device called screen doctor | | what's the weather today | What's the matter with you? | ✅ Today, the weather is... | ❌ It is 16:36. (author's note: wait, WHAT?) | | how's the weather tomorrow morning | How's the better tomorrow? | ✅ Tomorrow morning, it will be... | ❌ Sorry, I am not aware of any area called How's | | what's the weather this week | What's the matter this weak | ✅ Monday:..., Tuesday:..., | ❌ It is 16:36. (author's note: sigh...) | | how's the weather at 5 o'clock | cast the red there at 5 o'clock | ✅ At 5 o'clock, it will be... | ❌ Sorry, I am not aware of any area called cast | | how windy is it right now | how windy is IR low | ✅ The wind is currently blowing with... | ❌ No timers. | | how windy will it be tonight | How will you be tonight? | ✅ Tonight, the wind speed will be around... | ❌ Sorry, I couldn't understand that | | how hot will it get today | How hard will it get today? | ✅ Today, temperatures will reach up to... | ❌ Sorry, I couldn't understand that | | will it rain today | with it right today | ✅ No rain is expected today. | ❌ Sorry, I couldn't understand that |

...you get the idea.

 

💡 How it works

closest-intent is registered in HomeAssistant as a conversation agent. On startup, it parses (by default) all user-defined intents (or optionally, also the builtins ones). In this process, it also expands all rules, like <expansion_rule>, (alternatives|to), and [optionals], and notes where {slots} are located, and whether they are wildcards or belong to some list (like areas, entities, or the numbers 1-100).

When a user request comes in (via voice command or the chat box), closest-intent fuzzy-matches that request against those expanded rules. If the rule does not contain a slot, it is picked immediately. If it does contain a slot, closest-intent performs a sequence of fancy magic steps to find the best-fitting slot value among a range of possible positions within the top-scoring matched sentences. In practice, this often means "smallest slot-value on a word-boundary", but the extraction is not limited to that.

With the best match found, we then reconstruct the "canonical form", i.e. a sentence that Hassil will actually understand. If in your configured intents, "Play some music." exists, and closest-intent got "Place on music" and matched that to the intent, it will simply forward "Play some music." to Hassil. If the intent contained a slot, the extracted value will be substituted.

This guarantees that the sentence passed to Hassil will actually be understood, and allows us to not have to worry at all about performing actions, running scripts,...

If no matching intent could be found, we pass the exact input we got to the configured fallback agent. By default, that is simply Hassil (which again allows us to be lazy and not worry about proper error responses), or another agent, like a LLM.

cross-posted from: https://lemmy.world/post/46584454

Local Privilege Escalation "Dirty Frag" made public

• https://www.openwall.com/lists/oss-security/2026/05/07/8
• https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
• https://safecomputing.umich.edu/security-alerts/linux-kernel-vulnerability-%E2%80%9Cdirty-frag%E2%80%9D
• https://www.bleepingcomputer.com/news/security/new-linux-dirty-frag-zero-day-with-poc-exploit-gives-root-privileges/

To the people here that host a synapse server, how do you handle registration?

Do you use the new matrix authentification server? How does that work?

If not, registration works via element web, where you can have a captcha to avoid a bot swarm. However the only accepted captcha in the synapse config is recaptcha. Have you read the news? Well, we will have to change the captcha method. I think I read somewhere it was possible to use hcaptcha on elementweb however the setting does not exist in synapse, or I did not find it.

How do we do?

GITHUB

hister.org

histerdocker

This is the config I used.

So it's my first time setting up a VPS. Is it to be expected to ban 54 IPs over a 12h timespan? The real question for me is whether this is normal or too much.

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     586
|  `- Journal matches:  _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 51
   |- Total banned:     54
   `- Banned IP list:   [list of IPs]

fail2ban sshd.conf

$ sudo cat /etc/fail2ban/jail.d/sshd.conf 
[sshd]
enabled = true
mode = aggressive
port = ssh
backend = systemd
maxretry = 3
findtime = 600
bantime = 86400

I have disabled SSH login via password. And only allow it over an SSH key.

$ sudo sshd -T | grep -E -i 'ChallengeResponseAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin'
usepam no
permitrootlogin no
passwordauthentication no

Seems like it might be time to build my next router before they become unaffordable. I've done some research, but I'd like to get the pulse of the community since other self-hosters may have a similar use care.

Should I use PFsense or OpenWRT? Should I use purpose built or minipc hardware?

This is for a home network (symmetric gigabit fiber). A few of the devices have 2.5LAN ports and it would be nice to make use of that speed locally. Primary uses include streaming Disney+ and YouTube, web browsing, and self-hosting a few services I connect to via wireguard. Sometimes I play games, but not competitively, so an extra ms of ping isn't going to throw me into a rage. I do use a remote desktop feature like steam link to play gamed on my home office PC from my bedroom. Ping is currently acceptable according to the system with occasional slowdowns when my family is slamming the WiFi.

I will need to provide WiFi access. If my existing router(s) have an AP mode, I imagine I can just plug them in via ethernet?

What kind of wireless AP hardware do I need if I want connections to transfer between a basement and attic AP with minimal interruption?

For the router itself, I see people using what look like barebones routers and others using a minipc with dual LAN. What do you use and what advantages/disadvantages have you experienced as a result.

Can I set up a wireguard VPN server in either pfSense or OpenWRT?

Are there any enshittification risks or open-source purity concerns with either choice?

Is there a significant difference in popularity between pfsense and openwrt?

I will happily accept hardware recommendations for 2.5GB capable router hardware for a home network with 1GB fiber. It needs to be able to handle inbound and outbound wireguard connections. I'm overwhelmed by the many options between all the minipcs and purpose built hardware. Location is USA.

I appreciate any insight you may have. I'm a Linux guy, but networking has always been my weak point so I'm asking for help.

I thought self-hosting requires, like, paid ownership of a website or something. I don't think I've ever self-hosted before and am lost with its guide.

My primary concern is RustDesk's warning about possibly shutting down its free self-hosting because of bot abuse, despite now requiring GitHub accounts. There seems to be nothing even remotely close to RustDesk, except possibly HopToDesk, which I heard is a fork of an older version or something.

It'd be nice to be able to keep this going just in case. Or are there free, E2EE servers out there that anyone knows of?

So I was trying to download a torrent (while seeding like 5 others) when I noticed my rates just kept gradually falling to 0B upload/download until spiking back up to 1-2MB before falling again. I check my Proxmox SMART test of my drives and then it shows one disk was degraded. When I try to view the overall "disks" tab in Proxmox it just times out and shows an error [communication failure (0)]

So I try to do a zpool scrub tank_name, which started Monday May 4 22:02:21 2026....

While scrubbing the checksum errors on the online repairing disk (wwn-0x5000c5004d033fc1) just keep climbing... I made the degraded disk go offline. Here's the current status of zpool status tank_name:

root@nova:~# zpool status Orico2tera4
  pool: Orico2tera4
 state: DEGRADED
status: One or more devices has experienced an error resulting in data
        corruption.  Applications may be affected.
action: Restore the file in question if possible.  Otherwise restore the
        entire pool from backup.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-8A
  scan: scrub in progress since Mon May  4 22:02:21 2026
        3.53G / 378G scanned at 36.9K/s, 3.47G / 378G issued at 36.3K/s
        9.61M repaired, 0.92% done, no estimated completion time
config:

        NAME                                              STATE     READ WRITE CKSUM
        Orico2tera4                                       DEGRADED     0     0     0
          mirror-0                                        ONLINE       0     0     0
            ata-ST2000NM0011_Z1P2D6SC                     ONLINE       0    13     1
            usb-External_USB3.0_DISK01_20170331000C3-0:1  ONLINE       0     0     3  (repairing)
          mirror-1                                        DEGRADED     0     1     0
            wwn-0x5000c500357c0b91                        OFFLINE      0     0    21
            wwn-0x5000c5004d033fc1                        ONLINE       0     1 2.00K  (repairing)

errors: 49 data errors, use '-v' for a list

I haven't used these disks for super long, it's only been about 5 months of my homelab actually being used, and I wasn't doing constant torrenting until February. The disks are refurbished, 2TB each, and they're stored in a USB connected drive bay. my usage is pretty low, just 432.80 GB of 4TB (11.13%)

I've looked at my snapshots with zfs list -t snapshot, not sure when I should try to restore from a snap, but I've never done it before. I'll make sure to take backups more seriously from now on, don't be me...

Update:

Turned off the machine and bay, realized it had shit ventilation and that the drives were pretty hot, let it cool and gave everything a quick dust down. Nothing seemed to be bad or visibly fucked up?

After letting it chill out for about 2-3 hours I put the drive bay in a better vented spot and did a scrub, then resilvered the drive, then did another scrub. About to do some SMART tests.

Here's zpool status -v:

zpool status -v Orico2tera4
  pool: Orico2tera4
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.  An
        attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
        using 'zpool clear' or replace the device with 'zpool replace'.
   see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
  scan: scrub repaired 0B in 00:56:51 with 0 errors on Wed May  6 23:37:43 2026
config:

        NAME                                              STATE     READ WRITE CKSUM
        Orico2tera4                                       ONLINE       0     0     0
          mirror-0                                        ONLINE       0     0     0
            ata-ST2000NM0011_Z1P2D6SC                     ONLINE       0     0   199
            usb-External_USB3.0_DISK01_20170331000C3-0:1  ONLINE       0     0   125
          mirror-1                                        ONLINE       0     0     0
            wwn-0x5000c500357c0b91                        ONLINE       0     0   100
            wwn-0x5000c5004d033fc1                        ONLINE       0     0   462

errors: No known data errors

And then it again after a clear:

zpool status -v Orico2tera4 
  pool: Orico2tera4
 state: ONLINE
status: Some supported and requested features are not enabled on the pool.
        The pool can still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
        the pool may no longer be accessible by software that does not support
        the features. See zpool-features(7) for details.
  scan: scrub repaired 0B in 00:57:18 with 0 errors on Thu May  7 01:28:30 2026
config:

        NAME                                              STATE     READ WRITE CKSUM
        Orico2tera4                                       ONLINE       0     0     0
          mirror-0                                        ONLINE       0     0     0
            ata-ST2000NM0011_Z1P2D6SC                     ONLINE       0     0     0
            usb-External_USB3.0_DISK01_20170331000C3-0:1  ONLINE       0     0     0
          mirror-1                                        ONLINE       0     0     0
            wwn-0x5000c500357c0b91                        ONLINE       0     0     0
            wwn-0x5000c5004d033fc1                        ONLINE       0     0     0

errors: No known data errors
root@nova:~# 

What have we learned?

• Do biweekly scrubs
• Put your drives in a not shit location
• Do trims like, once a month maybe
• Make way more frequent snapshots
• Backup your shit!!! NOW!!! To literally anywhere else but just do it!!!

Also see https://docs.docker.com/engine/storage/containerd

Technitium DNS Server v15.1.0 has been released with support for OIDC! Now you can use your preferred identity provider to log in to user accounts, and manage your DHCP/DNS deployments with approriately granular permissions controls.

I've played around with it, and safe to say that the SSO integration works well. I've written a guide to set it up against Kanidm here. There were some OIDC/clustering bugs in prior v15 releases, and with v15.1.0 they have been squashed and solved.

The major release of version 15 also include various important changes, such as the following highlights:

• A new API call for Prometheus metrics
• Query Logs apps can now follow live updates
• Codebase updated to .NET 10 runtime
• HTTP tokens are now accepted via the Authorization: Bearer <token> header
• Many other bugfixes, secfixes, and improvements...

Technitium is pretty great. Hope everyone enjoy the release :)

Hey all, I did check for an immich sub first, but you smart people seem to be my only option now reddit has banned me for refusing to give them an email address.

Background: So, I have a Ugreen DH2300 NAS it runs a cut down version of debian. I've got docker running on it, which is happily hosting Jellyfin. Basic config of the drive volume is from root I have a docker tree and also a data tree. Immich & Jellyfin under docker, movies pictures tvshows books under data. I have pictures indexed by Jellyfin and it works but it isn't great. I have a vanilla copy of immich up and running, I can upload via web browser a pic at a time. The vanilla config puts those files in ./volume1/docker/immich/library/upload/very-long-random-number-directory

Where volume1 is the mounted displayed nas volume (from the nas host it's /mnt/volume1 if you ssh in)

Problem:

I have a terabyte of pictures under ./volume1/data/Pictures that is not visible in docker

Importing 1 by 1 via web browser is obviously not ideal. It also copies the set of pictures from one directory on the NAS volume to a duplicate under library/upload - not great for space.

I've seen the CLI tool exists and if I ssh into the NAS I can see the /Pictures directory as well as the docker/immich/library etc directory but it also has the downside of duplicating all the photos into the immich directory

Ideally I'd like to just index it like jellyfin does when you add files to movies or tv shows. I can't seem to even find a way to point the docker instance to the folder (i modified the .env file but it ignored it, so obviously got that wrong).

Is this the only way ?

EDIT Thank you all for the quick responses - I somehow managed to break the container altogether, so I'll reinstall from scratch and then add your suggested "external folders" config and see how I go.

Thanks again

Edit: Even with 0.0.0.0/0 split tunnel the interface stays active, which can be verified using curl --interface CloudflareWARP ipinfo.io.
So I can just set-up PBR and NAT:

iptables -t nat -A POSTROUTING -s VPN_IP_RANGE ! -d VPN_IP_RANGE -j SNAT --to-source 172.16.0.2
ip rule add from VPN_IP_RANGE table TABLE_ID
ip route add default dev CloudflareWARP table TABLE_ID
ip route add VPN_IP_RANGE dev VPN_INTERFACE # to keep connection between devices

warp-cli is Cloudflare's program to use their Warp VPN/DNS thingy. Since it only allows for closest server being used, I thought about putting it on my VPS.

So I did. I enabled the connection, and oh, SSH froze. No worries, I'll reconnect.
Unless... Yeah, it blocks incoming connections.
Tailscale comes to rescue.

But anyway, the warp-cli settings only allow excluding IP ranges for both directions, so 0.0.0.0/0 makes it pointless.
My only current idea is caveman solution - another VPS (for static IP) as first hop, excluding just that IP on second hop, for third hop to Warp.
Sadly, RackNerd has finally removed all the old offers, so no more $10.29/year VPSs.

Oh, and Tailscale will only work over relay when Warp is connected, so that's not an option.

I'm fairly new to self-hosting and privacy. I used to be all about Apple. I scanned all my important documents and stored them in iCloud. That worked pretty well, but because I tend to make my life harder than necessary, I switched from an iPhone to a Pixel with GrapheneOS. It's a hassle, but I'm happy with my decision overall. Unfortunately, my files are still in iCloud. As a Mac user, that's not too bad, but not being able to access my files on the go is annoying.

I'm afraid to store all my important files in an LXC on my Proxmox server, even with daily backups.

Should I switch from iCloud to Nextcloud, Proton, or something similar? Or should I create an offsite backup—one encrypted in the cloud and one in my house? How are others handling this? Would an extra backup at a family member's house be a good idea? Is paying for cloud storage common? I'd really appreciate any suggestions or ideas. Right now, I'm feeling overwhelmed by all the possibilities. Also, having 2 TB of iCloud storage made it too easy, since I didn't carefully choose the files to upload. But paying 10 bucks a month feels a little stupid now that I don't have the comfort factor any more.

Security fixes

This release contains security fixes for the following advisories. We strongly advice to update as soon as possible.

SSO Login CSRF - GHSA-pfp2-jhgq-6hg5, GHSA-w6h6-8r66-hcv7
User/Organization Enumeration - GHSA-hxqh-ff5p-wfr3
SSO existing-user binding - GHSA-j4j8-gpvj-7fqr
GHSA-6x5c-84vm-5j56
SSRF via Icon Endpoint - GHSA-72vh-x5jq-m82g
Some crate's updated and other minor security enhancements

These are private for now, pending CVE assignment.

https://github.com/dani-garcia/vaultwarden/releases/tag/1.36.0

Original Reddit discussion: https://www.reddit.com/r/selfhosted/comments/1t2qd26/vaultwarden_1360_patches_vulnerabilities/