[-] moonpiedumplings@programming.dev 1 points 38 minutes ago

Okay I really want to write a longer post to this, but I don't have much time so I'll just jot down my thoughts real fast:

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

"Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."

But I did jot down some tools I found interesting: https://moonpiedumplings.github.io/blog/watched-software/#vulnerability-scanning-greenbone

Unfortunately I haven't compared them or found out which is the best yet.

how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

On wifi, client isolation, on ethernet, port isolation and private vlans.

[-] moonpiedumplings@programming.dev 1 points 42 minutes ago

You can use local certs with nginx proxy manager as well. You can upload certs via the web ui.

Rather than local certs though, I would recommend buying a domain and using it locally, with https. The problem with the local cert approach outlined in the video, is that importing a root cert opens up a big security hole to MITM attacks. If an attacker gets the root certificate, they can now MITM everything else your browser is accessing. You turn the browser from one of the most secure components of a modern OS, into only as secure as the server hosting the root certificates.

The approach I would prefer, is to buy a domain, and use it locally, using DNS-01 challenges to get letsencrypt signed certificates even from within an internal network. Both Caddy and NPM have support for DNS-01 challenges.

No, they are trivial to block using techniques like deep package inspection.

In addition to that, they aren't truly decentralized (no decentralized network really is), both rely on relay/bootstrap servers to start up the connection. So, if you block the public relay/bootstrap servers, you effectively block access to the network.

Tailscale, netbird also can traverse NAT.

Iroh (the actually pretty interesting software which the vibecoded rayfish is based on) and Yggdrassil do have their uses, but evading blocks isn't one of them.

[-] moonpiedumplings@programming.dev 3 points 1 hour ago* (last edited 1 hour ago)

On all modern linux's, the iptables command is actually a compatibility layer controlling nftables.

I prefer it over the nft command because it's much easier to read and use. I only use the nft command when checking for the occasional chain/table that iptables didn't show me.

[-] moonpiedumplings@programming.dev 33 points 16 hours ago

You want a reverse proxy. A reverse proxy reads requests to subdomains and then forwards them to ports and back.

The easiest GUI one is: https://nginxproxymanager.com/

But there is also just straight nginx, or you can use Caddy or traefik or anything else.

[-] moonpiedumplings@programming.dev 1 points 1 day ago* (last edited 1 day ago)

http://pairdrop.net/

Depends on how large though, or how many files. But I think this would work for <80 gig stuff reliably.

You might have to zip it up beforehand if it's many small files.

[-] moonpiedumplings@programming.dev 2 points 1 day ago* (last edited 16 hours ago)

Yes, but it looks like the xdg.user.tags and xdg.user.comments are KDE software specific, and not part of the official spec. Meaning other softwarw probably can't read and interact with those attributss in the same way.

[-] moonpiedumplings@programming.dev 14 points 1 day ago* (last edited 1 day ago)

This workflow is tied to KDE Plasma's tagging feature. Moving away from KDE Plasma would likely mean abandoning parts of this workflow altogether.

~~It looks like these tags are stored in filesystem xattrs themself, not in dolphin or kde metadata. That is, even if you load up gnome's file browser, or another file browser, it should still be able to read them.~~

Nope, it looks like the tags used are KDE specific, even though any software could theoretically implement support for reading and writing them.

https://wiki.archlinux.org/title/Extended_attributes

https://www.freedesktop.org/wiki/CommonExtendedAttributes/

[-] moonpiedumplings@programming.dev 3 points 2 days ago* (last edited 2 days ago)

If an attacker breaks out of the container, through a kernel bug, a runtime bug, a careless bind mount, or a misconfigured capability, they can land on the host as root. This is not hypothetical, we have well known examples, such as CVE-2025-9074.

If the same happened with a rootless container, the attacker would be able to act in the host system as well, but with an unprivileged user, limiting the scope and impact of their “expedition”.

This is not true. I have addressed this in my other comment here: https://programming.dev/post/51095402/24088470

TLDR: Kernel bugs from inside a rootless container still get root on the host. Podman wasn't effected due to more restricted default seccomp policy (controlling what syscalls can be used), but podman being rootless didn't actually help in the example of that recent CVE.

After running rate mirrors, first try clearing your cache and then running a refresh update again:

sudo cachyos-rate-mirrors
sudo pacman -Scc
sudo pacman -Syyu

If this doesn't work, and you need to update, then you can temporarily remove the pacakges. BUT, this will probably break steam, which seems to depend on those packages.

sudo pacman -Rdd lib32-libffi lib32-expat

Sometimes this happens since not every package update is pushed out to every mirror in time. I would recommend waiting a bit, maybe up to a day or two. It looks like the versions of packages have been fixed:

https://archlinux.org/packages/multilib/x86_64/lib32-expat/

https://archlinux.org/packages/multilib/x86_64/lib32-libffi/

For both of them, the dependency versions required seem to be up to date.

If it still doesn't work after a wait, try a force refresh of the mirrors: sudo pacman -Syyu, which force pulls and doesn't use locally cached repo info.

If it still doesn't work, then it's probable that your mirrors themselves are outdated. You can switch them by running sudo cachyos-rate-mirrors.

Yes. Under the hood, gnome controls the power profiles daemon.

You can configure it from the cli via powerprofilesctl.

powerprofilesctl get gets the currently active mode. powerprofilesctl set performance set's it to performance mode.

There are three modes: 'power-saver', 'balanced', 'performance'

22

Pairdop is an open source, browser based, peer to peer file sharing application.

It is cool because it can find other devices on the network. So you open up pairdrop on one computer, and you open pairdop on another, and then you can see the devices and chat with eachother.

But, you also have the options of:

  • Creating a temporary public room for sharing files over the network to another device
  • Permanently pairing devices so that they can access eachother after you close the app

In addition to that, it's a progressive web application, so you can "install", and/or the web page does not need internet to load, firefox will cache it and let you use the app even if you don't have internet.

There is a publicly hosted instance you can try: https://pairdrop.net/

7
Swarm Simulator (www.swarmsim.com)

cross-posted from: https://programming.dev/post/52054729

Swarm simulator is an open source idle game:

https://github.com/swarmsim/swarm

16
Swarm Simulator (www.swarmsim.com)

cross-posted from: https://programming.dev/post/52054729

Swarm simulator is an open source idle game:

https://github.com/swarmsim/swarm

17
Swarm Simulator (www.swarmsim.com)

Swarm simulator is an open source idle game:

https://github.com/swarmsim/swarm

32
57

I can't find the source code for this, I am posting here to save it to remind myself to search later.

531

Other fun answers:

This site is: https://youraislopbores.me/

This site is a "fake chatgpt" where you can pretend to be chatgpt or ask questions to people pretending to be chatgpt.

32

Phone game that measures how high you can throw your phone into the air...

26
25
submitted 3 months ago* (last edited 3 months ago) by moonpiedumplings@programming.dev to c/linux@programming.dev

It was fairly easy. I used rustic to back up my entire home directory to a USB flash drive.

The trick is to ensure that all applications (except KDE) are closed. Firefox, for example, really hates if you try to actively sync or copy over it's profile directories while it is running.

And then I also nuked my podman user data. (podman system reset). Podman sometimes makes the ownership of it's files weird, but also the container images take up a lot of space that I don't really care about actually backing up. It's okay if those aren't on the new laptop.

Then I backed up to the usb flash drive:

rustic init -r /path/to/repo — this will prompt you for a password

rustic backup -r /path/to/repo /home/moonpie

One cool thing about the backups is that they are deduplicated and compressed. So I backed up 120 gb of data, but it was compressed to 80 gb.

restic snapshots -r /path/to/repo

The snapshots are deduplicated as well. Data that doesn't change between snapshot versions, doesn't take up any extra space.

rustic restore -r /path/to/repo snapshotid /

The / is needed because rustic restores to paths underneath the thing. It gave me a bunch of permission errors about not being able to read stuff not in my home directory, but eventually it restored all of my data.

And then yeah. All my data. Except Wifi passwords, which I had stored as unencrypted for all users, because I didn't like having to unlock the KDE wallet to get to Wifi passwords when connecting. I had (and have) LUKS encryption so I didn't worry about that too much. But it means that data not in my home directory was not copied over.

It was surprisingly smooth, and now I have all my data and firefox profiles and stuff on the new machine.

27

Finally I can doomscroll books

27
submitted 3 months ago* (last edited 3 months ago) by moonpiedumplings@programming.dev to c/linux@programming.dev

As usual, phoronix is full of trolls. I was surprised to see only 17 comments, but perhaps that's because I viewed this very early. A highlight from the first page:

Everyday we stray further from GNU, POSIX, C, X11 and now SysVinit. 80s are over. Party is over. Wake up. It's 2026. Adapt or perish in irrelevance. Future is bright and is inevitable. Long live systemd, Wayland, Rust, Gnome and atomic and immutable distros.

Given the way this covers Systemd, SysV, and AI agents, and the way that I see trolling on the first page, There is a very real chance this could be one of those legendary Phoronix threads that manages to hit the 500 comment limit.

EDIT: more relevant threads: https://www.phoronix.com/linux/systemd

view more: next ›

moonpiedumplings

0 post score
0 comment score
joined 2 years ago