cyberwolfie

I am in love with my Jellyfin server (running in a Docker container) - it feels so nice to take back control over my media consumption again, after more than a decade in the land of streaming. So much, that I want to share this with my family.

So I was thinking of setting up a reverse proxy (Nginx Proxy Manager is what I have used before) and expose my Jellyfin-instance through that. However, I've seen several people be skeptical about this solution, instead opting for access through a VPN (I don't think that would be a good solution for some of my family members).

What are the potential pitfalls of setting it up this way, that makes people skeptical? Where could I go wrong, and what dangers would I expose myself to? As I understand it, this would only expose one port to the internet, direct all that traffic to the Nginx Proxy Manager, which then forwards traffic to specific ports internally on my home network, which sounds safe in my mind. Is it misconfiguration of the proxy manager I should be wary of? Or some exploits in the proxy manager?

I have a fairly new laptop where the audio has become increasingly janky - it can work fine for a while, and then suddenly descend into white noise before being completely gone until I bend the laptop ever so slightly for it to come back. Obviously a physical problem.

I contacted the vendor (until my dialogue with them is concluded, I will not name them), and was told that from my description, this sounded like an issue with a subboard where the audio port and sound chip is located. They wanted me to send it in, but this would require sending it out of the country for a 48 hour repair (+ shipping time) which I was not too keen to do, and especially as I am quite dependent on the laptop in my daily life, I wouldn't want to be without it for that long.

However, the problem has since gotten worse, and I recently contacted them again in preparation for finally sending it in, in fear of this become ever worse. However, now it has been more than 6 months since my purchase and they won't prioritize the repair anymore, bumping the repair time up to 2-3 weeks. This is way too long for me to consider at this point, so I am now looking at options to have it replaced locally instead, in case we cannot find a suitable solution.

However, I don't really know how to proceed with this, as I am quite clueless about hardware. Would such a repair be possible by someone not having the proper schematics? Would it be easy to identify the correct subboard to order if I am unable to get the information from the vendor?

It was also difficult to assess the quality of the local repair shops - some of them give the impression that they are quite competent, but rather seem like they might specialize in helping grandmothers set up their e-mail client. How would I determine if I can trust them with my device?

I am using ProtonVPN, and have (or so I thought) set up qBittorrent to bind to the network interface that ProtonVPN is using (tun0). The connection symbol turns red if I turn off the VPN, and downloads will stop. However, when checking the torrent address on ipleak.net, it seems that this bind is not working properly - my real IP shows up after I have disconnected my VPN. I thought that there shouldn't be any connections made when traffic is not via the tun0 interface, so that my real IP should never be known by the detection tool. Am I wrong?

I have not configured the kill switch, but perhaps I should do so?

I am running Pop_OS! and want to set up an old WiiMote I have lying around as a mouse. I have a USB-sensor bar, and I don't have any issues connecting the remote to the computer, and the inputs seems to register just fine when running xwiishow 1 after the remote is connected. I am also able to use it perfectly fine as a WiiMote in the Dolphin emulator.

Now, I want it to function as a mouse, and being a fairly new Linux user, this is where I get confused. I am not entirely sure what I need to have happen in order to make this work, but I realize there must be some translation of the IR-sensor data and some way for Pop_OS! to understand that this should be a mouse.

When searching for it, a lot of different names are thrown around, so I am not entirely sure what I should be looking for. However, from the ArchWiki (https://wiki.archlinux.org/title/Wiimote) it seems I have three choices:

1. MoltenGamepad (https://github.com/jgeumlek/MoltenGamepad), but this seems to only handle button presses? This is also something I would like, i.e. mapping buttons to Pause/Play media. But it is not the only thing I want, and mouse movement + clicks is higher in priority.

2. An X11 input driver - this I have tried to install according to the instructions on their GitHub-page (https://github.com/xwiimote/xf86-input-xwiimote), but failed to do so. The last commit to this project was back in 2014. The ArchWiki states:

"xf86-input-xwiimote has support for mouse-emulation via IR using the Option "MotionSource" "ir""

... which is what I want, but then also directly underneath:

"There is currently no user-space application that enables mouse-emulation with the IR-sensor. If you need that, you should consider using the no longer supported cwiid approach. However, the xwiimote tools are under heavy development and will soon support IR mouse-emulation, too. "

... which confuses me.

3. cwiid is also listed as an approach on the ArchWiki, but they also say that it should not be used since it is discontinued.

I'm sure the main issue here is a knowledge gap on my part, so if there is a solution that seems obvious to any of you, I would greatly appreciate the help in both getting this to work and in understanding my system better.

I recently started giving plain text accounting a go. For a long time I did not do any accounting, as my income was high enough to get by perfectly fine, but recently I wanted to get a lot more control over my personal finance in order to easier achieve more long term financial goals.

I've only been at it for about a month now, and I started out with ledger. So far I am enjoying the concept, but have not made much out of reporting yet. But I like the idea of also building my own reporting in Python on top of existing reports, and checking out the ecosystem around this (I understand BeanCount has a large Python ecosystem, so I will probably check this out once I have some months of data).

Are there anyone here doing this? I would love to hear some perspectives about this, both good and bad, from people having used this for a long time.

For some time now I have been trying to clean up my digital footprint by requesting deletion of accounts and associated data for unused accounts, and being critical about which accounts I actually benefit from keeping. This turned out to be far more time consuming than I imagined beforehand.

I've been using a password manager for about a decade, so I have a fairly good overview of a lot of the accounts I've opened over the years. However, while privacy has always been important to me, I was more concerned with increasing governmental surveillance rather than corporate surveillance for many years. So over the years I've signed up uncritically to a large number of services. Most of these do not have much data about me, but my username has generally been reused, along with e-mail and sometimes phone number and other more sensitive data. This of course doesn't take into account all those minor services I've signed up for with e-mail + reused password. I have no control over those...

Now GDPR thankfully makes the job of cleaning up the accounts I do have control over a lot easier, because I doubt many of these services would even let me delete my account if not for it. However, it does not regulate enough how easy this process should be, and there are so many different ways companies implement this. From extremely convenient and easy ways of exporting all data and deleting the account, such as implemented by Strava (kudos to these companies!), to the worst offender of them all: British Airways... Until recently you would have to send an actual letter to their data protection offer with a copy of your passport (yeah right...). Sometime this year they've changed this, so now you just have to upload a picture of a letter to their document's portal, but since that is borked, I can't even access it to complete the deletion request. Apple also rejected my deletion request for an unknown reason, and I had to spend 45 minutes on the phone with them to understand that a cancelled, but still active subscription (a 1-year subscription that had not expired yet) from the app store, was blocking the deletion. Most are in between these two extremes, and either require that I actively follow up that I get a reply when I send an e-mail to their data protection officer with my request, or have processes that take up to a month to complete.

Of course, cleaning up 10-15 years of uncritical online presence would take a long time anyway, but companies making it hard on purpose to delete your account and data is infuriating, and a testament to a status quo that should burn in hell.

On the plus side: I no longer have accounts with Microsoft and Twitter, accounts with Apple and Amazon should soon be closed. My goal is to have completely phased out Meta and Google by the end of this year, although the communication lock-in of Meta and the fact that my primary e-mail was Gmail for 15 years (I've switched two years ago to Proton), makes these transitions a bit more difficult.

If nothing else, this process has made me very conscious about platform lock-in and the "joys" of ecosystems...

This is a question mostly for the sake of trying to learn more about how self-hosting works, and it is not vital that I resolve this. But if anyone wants to help me understand this, I would greatly appreciate it.

I have a media server running at home with certain Docker containers (Jellyfin, Navidrome and Audiobookshelf currently). I have not exposed these services to the internet, so they are currently only accessible on my home network, which is all I need for the time being. The server itself is connected to an external VPN provider as there may or may not be some torrenting involved at some point. Let's say the name of the server is mediaserver.

From my laptop connected to the same network, I can access all these services through http://mediaserver.local: or http://:, while connected via the same VPN provider on the laptop also. On my cell phone (running CalyxOS), I am unable to do so. I need to disable VPN in order to access the services.

What is the difference between my laptop connected via VPN and my phone doing the same thing, both connected to my home network. I didn't actually think the VPN would come in to play before making requests outside my home network, but that's probably just me being ignorant.

I've been self-hosting Nextcloud for sometime on Linode. At some point in the not too distant future, I plan on hosting it locally on a server in my home as I would like to save on the money I spend on hosting. I find the use of Nextcloud to suit my needs perfectly, and would like to continue using the service.

However, I am not so knowledgeable when it comes to security, and I'm not too sure whether I have done sufficient to secure my instance against potential attacks, and what additional things I should consider when moving the hosting from a VPS to my own server. So that's where I am hoping from some input from this community. Wherever it shines through that I have no idea what I'm talking about, please let me know. I have no reason to believe that I am being specifically targeted, but I do store sensitive things there that could potentially compromise my security elsewhere.

Here is the basic gist of my setup:

• My Linode account has a strong password (>20 characters, randomly generated) and I have 2FA enabled. It required security questions to set up 2FA, but the answers are all random answers that has no relation to the question themselves.
• I've disabled ssh login for root. I have instead a new user that is in the sudo usergroup with a custom name. This is also protected by a different, strong password. I imagine this makes automated brute-force attacks a lot more difficult.
• I have set up fail2ban for sshd. Default settings.
• I update the system at the latest bi-weekly.
• Nextcloud is installed with the AIO Docker container. It gets a security rating A from the Nextcloud scan, and fails on not being on the latest patch level as these are released slower for the AIO container. However, updates for the container is applied automatically, and maintaining the container is a breeze (except for a couple of problems I had early on).
• I have server-side encryption enabled. Not client-side as my impression is that the module is not working properly.
• I have daily backups with borg. These are encrypted.
• Images of the server are also daily backed up on Linode.
• It is served by an Apache web server that is exposed to outside traffic with HTTPS with DNS records handled by Cloudflare.
• I would've wanted to use a reverse proxy, but I did not figure out how to use it together with the Apache server. I have previously set up Nginx Reverse Proxy on a test server, but then I used a regular Docker image for Nextcloud, and not the AIO.
• I don't use the server to host anything else.

I'm still a fairly new Linux-user (on Tuxedo OS), and I just ran into an issue that is new to me. If I try to update my system, either via command line or Discover, the apt update command fails. This is the output:

E: Could not get lock /var/lib/apt/lists/lock. It is held by process 1635 (apt-get)
N: Be aware that removing the lock file is not a solution and may break your system.
E: Unable to lock directory /var/lib/apt/lists/

Process 1635 is apt-get update run by root, and persists through restart. I am tempted to try to kill it (kill 1635), but I'm not sure if anything could break from that, so I thought I'd try to ask for help first before I do something stupid.

EDIT:

I have managed to update my system by killing the process, which releases the lock, and then going on to do normal sudo apt update and sudo apt upgrade. For the sake of troubleshooting, I tried to add back my third-party repos one by one, and none of them caused any problem. However, when rebooting the same issue as described above happens again. Software updates is set to "Manually" in the System settings.

In addition, everytime I ran sudo apt upgrade, at the end some update related to initramfs fails. My disk is encrypted using cryptsetup, and as I’ve come to understand, I should be very careful doing anything related to initramfs when that is the case. Here is the output:

Processing triggers for initramfs-tools (0.140ubuntu13.2) ...
update-initramfs: Generating /boot/initrd.img-6.2.0-10018-tuxedo
I: The initramfs will attempt to resume from /dev/dm-2
I: (/dev/mapper/system-swap)
I: Set the RESUME variable to override this.
zstd: error 25 : Write error : No space left on device (cannot write compressed block) 
E: mkinitramfs failure zstd -q -1 -T0 25
update-initramfs: failed for /boot/initrd.img-6.2.0-10018-tuxedo with 1.
dpkg: error processing package initramfs-tools (--configure):
 installed initramfs-tools package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 initramfs-tools
E: Sub-process /usr/bin/dpkg returned an error code (1)

EDIT 2:

The issue seems to have been narrowed down to a failure of Tuxedo's driver configuration service that runs at boot. It is this process that calls apt-get (and something I should've seen earlier...), and systemctl status reveals some errors:

aug. 08 15:33:56 laptop systemd[1]: Starting Tomte-daemon, finishes tasks that could not be accomplished before...
aug. 08 15:34:06 laptop tuxedo-tomte[1393]: no network found!! some fixes might not be applied correctly
aug. 08 15:34:06 laptop tuxedo-tomte[1393]: systemctlCmd: systemd-run --on-active="30sec" tuxedo-tomte configure all >/dev/null 2>&1

I really appreciate the help from everyone so far. It's a good experience asking for help here, and I've learned a lot from your answers. Makes being a Linux newbie a lot easier. So thank you :)

Since this seems to be a very specific issue related to Tuxedo's own services, I will contact their support to get their input on what to do next.