• 0 Posts
  • 228 Comments
Joined 2 years ago
cake
Cake day: June 10th, 2023

help-circle
  • First of all let me make this absolutely clear, docker is not expected to be secure to that level. While they try to make it hard for someone to escape a container, it’s not their main concern so expect that there are vulnerabilities that would allow an attacker to escape.

    Now the second thing, the Overseer login screen might be secure enough for your case, the problem is that login is hard to do right, and Overseer are doing several other stuff as well, so they might not give it enough emphasis, and even if they do, maybe Immich devs don’t, or any one of the dozens of other services, so there are dozen of possible points of failure. Things like Authelia or Google OAuth are focused on authentication, so they do that absolutely right, and then they become the only point of failure for authentication.

    To be fair, if you keep things updated it’s unlikely not having auth would be a problem. Mostly because most hackers won’t even know of your server to begin with. And most systems are secure enough for most casual hacks. But it’s an investment worth the time if you plan on making something available to the internet.



  • I’ll try to ELI5, if there’s something you don’t understand ask me.

    Op has a home server where he’s running immich, that’s only accessible when he’s at home via the IP, so something like http://192.168.0.3:3000/, so he installed Tailscale on that server. Tailscale is a VPN (Virtual Private Network) that allows you to connect to your stuff remotely, it’s a nice way to do it because it is P2P (peer-to-peer) which means that in theory only he can access that network, whereas if he were using one of the many VPNs people use for other reasons, other people on the same VPN could access his server.

    Ok, so now he can access his immich instance away from home, all he has to do is connect to the VPN on his phone or laptop and he’ll be able to access it with something like http://my_server:3000 since Tailscale adds a DNS (Domain Name System) which resolves the hostnames to whatever IP they have on the Tailscale network.

    But if you want to give your family access it’s hard to explain to them that they need to connect to this VPN, so he rented a VPS (Virtual Private Server) on some company like DigitalOcean or Vultr and connected that machine to the Tailscale network. He probably also got a domain name from somewhere like namecheap, and pointed that domain name to his VPS. Só now he can access his VPS by using ssh user@myserver.com. Now all he needs to do is have something on the VPS which redirects everything that comes to a certain address into the Tailscale machine, Caddy is a nice way to do this, but the more traditional approach is ngnix, so if he puts Caddy on that VPS a config like this:

    immich.myserver.com {
        handle {
            reverse_proxy my_server.tailscale.network.name:3000
        }
    }
    

    Then any requests that come to https://immich.myserver.com/ will get redirected to the home server via Tailscale.

    It is a really nice setup, plus OP also added authentication and some other stuff to make it a bit more secure against attacks directly on immich.


  • It’s not required, but probably OP has a home server with Immich and a VPS which exposes it to the internet. In that setup you need Tailscale for the VPS to access your home server. Sometimes you can’t directly expose your home server for different reasons, e.g. ISP doesn’t give you an external IP directly (I’ve had this, where my router would get a 10.x IP so I couldn’t port forward because the internet IP was being shared between multiple houses), or the ISP gives you a dynamic IP so there’s no guarantee that your IP won’t change next time you reset the router, etc.

    Also it provides an extra layer of separation, so for example a DDOS would hit the VPS which probably has automatic countermeasures, and even if someone were to gain access to the VPS they still need an extra jump to get to the home server (obviously if they exploit something on immich they would get direct access to the home server).


  • Vanilla Arch is the better one in terms of performance and ease of use (yeah call me weird for saying Arch is easier to use than other distros XD)

    Not weird at all, I use Arch on my main system exactly because I’m lazy and it’s easier to use. It’s harder to install, but a lot easier to use.



  • what does the community think of it?

    Everyone has their own opinion, personally I think they’re a great idea and have lots of great applications. But just like rolling vs non-rolling release it’s a personal and application dependant choice.

    Do the downsides outweigh the benefits or vice versa?

    Again, depends, for my personal computer I wouldn’t use it because I think it could get complicated to get specific things to work, but for closed hardware like the Deck or even a fairly stable desktop used as a gaming system it’s perfect.

    Could this help Linux reach more mainstream audiences?

    It could, it can also hamper it because people might start to try solutions that only work until next boot and not understanding why, or having problems getting some special hardware to work (more than it would be a mutable distro). But there is a great counter to this which is that once it’s running it will be very difficult to break by user error.

    At the end of the day I think it’s a cool technology but that people should know what they’re getting into, just like when choosing rolling vs non-rolling distro, it’s not about what’s better, but what suits your needs best.


  • It’s perfectly normal, especially when you’re still so green. I’ve distro hopped lots for my first 4 years, started with Ubuntu, and tried a bunch of stuff until settling for Arch back in 2008. Since then I’ve tried one or another distro for some amount of time or specific purpose, e.g. servers running Debian, work machines running Ubuntu, and there was a 2 year gap where I used Gentoo as my main system (but despite things that I loved there, I just didn’t had the patience). Just the other day I was talking about Bazzite with someone here on Lemmy, and they made such a good defense for it that I might install it on a VM for testing, I’ve also been wanting to give NixOS a serious try any day. All of which is to say, yes man, trying different stuff is normal, even if you’re perfectly happy with what you have you won’t know if there’s anything better for you unless you try it, I used to think I was happy on Windows.



  • I think you got docker mixed with something else, since docker does the exact opposite, i.e. allows you run services without all of the arcane shit involved. Just put the compose file in a folder and run docker compose up -d and you’re done, whereas the alternative would be to install a database, configure it, install the immich service, connect it to the database, write a service file for both database and service to allow it to be auto-started, and face multiple issues due to missing dependencies or permissions.




  • It’s not though, but people have used it to promote pyramid schemes so it gets the bad faith. It’s almost like considering e-mail to be spam, it’s not, even though a large chunk of emails are spam the rest is very useful.

    Ethereum can be used to represent ownership in a way that’s non-transferable by anyone other than the owner, this can have real life applications such as deeds for houses or car registrations. Someone noticed that another excellent application for this is art ownership, for example a token that represents a painting could be used by art collectors as a proof of authenticity, since only one person could be the owner of the token, and that person can prove that he owns the token, if the painting were to be stolen there’s a way to prove you’re the rightful owner. Someone heard that and convinced artists to sell art using those tokens without fully understanding what they were selling, and a bunch of people bought them without understanding what they were buying. Then they noticed that this would only work if others were onboard, so they tried to push it to other people, and eventually you had people who didn’t understand a thing paying thousands of dollars for a drawing of a monkey…

    Ethereum could be used for so many awesome things, but obviously we live in the awful reality where the biggest and most known application for it was used to scam people.



  • Not aware of any, but I’ll do my best on my own.

    Let’s abstract money to its bare minimum, in the most basic form money is an abstract fungible (i.e. 1 of it is the same as another one, they’re interchangeable) token that can be sent or received, and the most basic way to keep track of this is with a ledger. A ledger is in its most basic form a lot of entries saying stuff like “Alice earned 5 coins” and “Alice paid Bob 3 coins”, by looking at these 2 (and assuming they’re the only ones in our ledger) we know that Alice now has 2 coins and Bob 3. Therefore if now Alice tries to send 3 coins to someone else we know this is invalid because she doesn’t have that amount of coins.

    Ok, so that’s the basic of what money is, but as a general rule the ledgers for most coins are centralized, e.g. your bank has that ledger for your account. For years people tried to have a way to create a decentralized ledger, so anyone could have a copy of the ledger and validate it on their own, that way this currency on that ledger could not be controlled by anyone. There are two big problems with that, first you need a way to ensure that only the owner of an account can give away those coins, and secondly we need a way to ensure no one cheats the system, for instance in the example above if Alice could remove her previous transaction from the ledger and input a new one she could convince Bob she paid him, but actually send the money to someone else.

    Problem 1, ownership. This is a slightly difficult answer, so I’ll not explain this fully, if you’re interested read about public and private keys. Essentially in cryptography there’s a way to sign a message in a way that you can verify who signed it without being able to reproduce the signature, in practice this means each account/wallet has 2 numbers, one is the private one used to sign messages (anyone who knows this number can spend the coins) and the other is a public number used to verify who coins are sent to and that the spending of coins was properly signed. This has been a solved problem for decades and it’s a very secure and acceptable solution, we use it on things like ssh, SSL and the likes.

    Problem 2, consensus. This is the hardest problem to solve, and this is the brilliance of Bitcoin. The way Bitcoin solved this issue is: A block is several entries in the ledger; The entries can be arranged in multiple ways, each way yielding a different hash for that block; Each block has a reference to the hash of the block that came before; Only certain hashes are acceptable (e.g. hashes that end with 0, or with 00), and this hash cannot be predicted, so it needs to be brute forced; Whoever creates a block can insert a transaction giving themselves some amount of coins. Phew, that’s a lot, but what does it all mean? It means that everyone sees every transaction in the network and try to build a block that will be accepted, the first person who does shows their block to the world, and everyone tries to find the next block after that. For Bitcoin the largest chain is the valid one, so if someone found a block it’s in your best interest to start to try to find the next one, it’s also in your best interest to show the world your block as soon as possible so others will build on top of it, the more blocks on top of yours the more unlikely it is that someone will be able to overwrite it (they would need to find more blocks that what has been built on top of yours, and even finding one block is hard because of the specific hash that needs to be generated). The difficulty (i.e. rules for which hashes are acceptable) are adjusted in order to make sure that on average one block is found every 10 minutes by the entire amount of people trying to find blocks.

    All together now: Currently Alice has 10 coins, she uses her private key to sign a transaction giving Bob 6 coins. This transaction gets picked by several miners. One of them finds the next block and includes this transaction there. Now all miners are trying to find the next block from that one, and when they do this transaction will have been validated by 2 blocks so it’s way more likely to keep being validated. After 6 blocks it would take the entire mining network 1 hour to undo that block, and unless 51% of the random strangers mining Bitcoin decide to cooperate, the rest of the miners will keep adding blocks on top making this transaction impossible to be reverted. If after that Alice now tries to spend 5 coins no miner will include that transaction, because it would create an invalid block that other miners would just ignore.

    There’s a bit more to Blockchains, for example each transaction also pays some amount to the miners as an incentive, so you can have a transaction be more priority than another by paying more to the miners.

    What about other coins? There are lots of them out there, I’ll only mention one, Ethereum. Ethereum takes this concept to the next level, instead of a ledger storing transaction it stores programs, so one can have a program that if you pay it X coins it gives you Y other tokens, or any other number of complicated stuff. Also recently Ethereum changed from the proof of work (i.e. finding the hash) to proof of stake, in which people pay some amount of coins to be allowed to validate transactions, but if they generate an invalid transaction they lose those coins.

    I strongly recommend you read the Bitcoin white paper, it’s not as difficult as you would think, and it will go into a lot more details on how things work.


  • In that sense it is a bit of scripting, it’s a templating language similar to Jinja, so you put things you want to display between {{ }}, for example {{name}} will get rendered as the content of the name variable. [[ ]] is the way Silverbullet habgles links, so [[Something]] is a link to the file Something.md, so [[ {{ name }} ]] is a link to the file with the name from the variable.

    Also that’s because I wanted a custom view, a very similar thing could be done with:

    \```query
    recipe
    \```
    

    BTW, you can have a table of contents on Silverbullet by just putting a block named toc, i.e. ```toc and closing it on the next line.



  • Let me give you an example, I have a page with this:

     ```template
     | Name | Keywords |
     |-----------|-----------------|
     {{#each {recipe}}}
     | [[{{name}}]] | {{keywords}} |
     {{/each}}
    \ ```
    

    Then each recipe page has a header, so for example if I have a file named Recipes/Steak.md with the content:

    ---
    tags: recipe
    keywords: beef easy
    ---
    
    # Ingredients 
    
    Yadda yadda yadda...
    
    

    So that table gets populated with all of the recipes wherever they are and I can add other columns or info there. It’s very neat and customizable.


  • Silverbullet is open source and has a very simple architecture with slightly extended markdown files which are easy to sync using whatever you use for syncing files. Plus it syncs files locally and allows you to edit offline and sync later (with a basic sync conflict resolution to avoid losing changes) and a very cool feature is that it allows you to write your own scripts to get whatever feature you want.


  • Another vote for Silverbullet, I’ve been using it for a while and it’s great. There is a tree view plugin that’s very easy to install, however I disabled it after a short while because I realized that, because of the way I take notes, that is a lot less useful than other features.

    For example, I have a folder with all my cooking recipes, at first I thought having a Tree view would be good there, but actually if I use the querying mechanism I can have tables that give me more information than just the name, e.g. tags, difficulty, etc. also this works regardless of where the recipes are, so if I want to create a subfolder structure or scrap recipes from elsewhere in the whole space it would work (granted, not very useful for recipes, but I also have a table for work tools, some of which are embebed on another page, some of which are a page of their own, and I have a table that lists all of the tools to give me an overview)