• 1 Post
  • 19 Comments
Joined 2 years ago
Cake day: June 18th, 2023

  • I’m not going to watch the video, but what’s the procedure for switching between Linux and Windows? Usually you dedicate a GPU entirely to VFIO, with a 2nd GPU for the host OS (or run headless).

    Anyway, will it work? Yes, minus some anti-cheat software. Will it be a simple solution? Well, once you get things stable, yes. The tech behind this is mature, but it can be a rabbit hole.

    I would look into a non-Nvidia GPU for your 2nd PCIe x16 slot (x4, shared with the 2nd M.2 slot FYI). Good idea to check IOMMU groups before buying anything, but modern AMD motherboards are usually fine. Blacklist the Nvidia drivers and dedicate the 3070 to VFIO to make your life easier, and run Linux off the secondary GPU. Intel A380 might be a good choice. Do gaming stuff on Windows and stream via Parsec/Looking Glass/Moonlight+Sunshine; everything else on Linux.
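The comment above recommends checking IOMMU groups before buying hardware for VFIO passthrough. As an added example (not from the comment author), here is a small POSIX shell script that lists every IOMMU group with the PCI devices in it and counts how many devices share a group with a given address; a GPU that shares its group with other devices generally cannot be passed through on its own. The root directory is a parameter so the functions can also be run against a copied or constructed tree; the device addresses in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: inspect IOMMU groups under /sys (or a supplied root dir).
# Assumes a Linux host with the IOMMU enabled in firmware and kernel;
# lspci is optional and only used against the real sysfs tree.

# Print "group N: <device>" for every device in every group.
list_iommu_groups() {
    root="${1:-/sys/kernel/iommu_groups}"
    if [ ! -d "$root" ]; then
        echo "no IOMMU groups under $root (IOMMU disabled in firmware or kernel?)" >&2
        return 1
    fi
    for grp in "$root"/*; do
        [ -d "$grp/devices" ] || continue
        g=$(basename "$grp")
        for dev in "$grp"/devices/*; do
            [ -e "$dev" ] || continue
            addr=$(basename "$dev")
            if [ "$root" = /sys/kernel/iommu_groups ] && command -v lspci >/dev/null 2>&1; then
                desc=$(lspci -nns "$addr" 2>/dev/null)
            else
                desc="$addr"
            fi
            printf 'group %s: %s\n' "$g" "${desc:-$addr}"
        done
    done
}

# Print the number of devices in the group containing PCI address $1
# (e.g. 0000:01:00.0, a constructed address). Returns 1 if not found.
# A result of 1 means the device is alone in its group and can be
# bound to vfio-pci without dragging other devices along.
group_peers() {
    addr="$1"
    root="${2:-/sys/kernel/iommu_groups}"
    for grp in "$root"/*; do
        if [ -e "$grp/devices/$addr" ]; then
            n=0
            for dev in "$grp"/devices/*; do
                [ -e "$dev" ] && n=$((n + 1))
            done
            echo "$n"
            return 0
        fi
    done
    return 1
}

# Usage: IOMMU_LIST=1 sh iommu.sh   (prints the live groups on this host)
if [ "${IOMMU_LIST:-0}" = 1 ]; then
    list_iommu_groups
fi
```

Run it once with the IOMMU enabled and once after moving the card to the other x16 slot; on the boards the comment describes, the slot wired through the chipset often lands in a larger shared group than the CPU-attached one.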

  • If you are interested in this, also check out Robert Reich’s course Wealth & Poverty, which until his recent retirement he taught at Berkeley. He’s probably best known for being Clinton’s secretary of labor, so not just someone who’s only taught at universities.

    His course goes more into how the incentives built into the economy do not merely encourage but effectively require this sort of behavior, among other topics. A key takeaway that resonated with me is the observation that there have always been greedy, bad actors in the economy armed with too much power. It is wrong to simply blame individual companies, or their boards - though don’t let them off the hook either.

    If at nothing else, it’s one of the few investigations of the intersection between economics and power that I’ve found, and an important subject that otherwise doesn’t fit into any particular silo.


  • It’s easy* to set up Hashicorp Vault with your own CA and do automated cert generation and rotation, if you are willing to integrate everything into Vault and install your root CA everywhere. (*not really harder than any other Vault setup, but yaknow). I may go down this route eventually since I don’t think a device I don’t control has ever accessed anything I selfhost, or ever will.

    I have a wildcard subdomain pointing to my public IP, and forward port 80 to an LXC container with certbot. Port 80 appears closed outside the brief window when certbot is renewing certs. Inside my network I have my PiHole configured to return the local IP for each service.

    Nothing exposed to the internet at all. There is a record of my hostnames on Let’s Encrypt but not concerned if someone will, say, deduce apollo-idrac is the iDRAC service for a Dell rackmount server called apollo and the other Greek/Roman gods are VMs on it. Seemed like a house of cards that would never work reliably, but three-odd years later I only have issues if a DNS resolver insists on bypassing my PiHole. And that DNS resolver is SystemD-ResolveD which should crawl back into whatever hellhole it came out of.


  • They could hijack your site at any time, but with a copy of your live private certs they (or more likely whatever third party that will invariably breach your domain provider) can decrypt your otherwise secure traffic.

    I don’t think there’s significant real tangible risk since who cares about your private selfhosted services and I’d be more worried about the domain being hijacked, and really any sort of network breach is probably interested in finding delicious credit card numbers and passwords and crypto private keys to munch on. If someone got into my network, spying on my Jellyfin streaming isn’t what I’m going to be worried about.

    But it is why CSRs are used.
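The point of the comment above is that a CSR lets a CA (Let’s Encrypt via certbot, or a Vault PKI engine) issue a certificate without ever receiving the private key, so a breach of the CA or of the domain provider yields no key material. As an added example (not the comment author's code), this POSIX shell script generates a key and a CSR locally with openssl, then checks the three properties that make the scheme work: the CSR verifies under its own signature, it contains no private-key material, and its embedded public key matches the local private key. It assumes openssl is installed; the hostname is a constructed example.

```shell
#!/bin/sh
# Added example: key and CSR generation where only the CSR leaves the host.
# Assumes openssl (1.1.1 or 3.x) on PATH. Works in a directory given as $1.

# Create key.pem (never transmitted) and req.csr (sent to the CA) in $1
# for the subject common name $2.
make_csr() {
    dir="$1"
    cn="$2"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/key.pem" 2>/dev/null || return 1
    chmod 600 "$dir/key.pem"
    openssl req -new -key "$dir/key.pem" -subj "/CN=$cn" \
        -out "$dir/req.csr" 2>/dev/null
}

# 0 if the CSR's self-signature verifies: proof of possession of the key
# without the key itself being present.
csr_verifies() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# 0 if the CSR file carries no private-key block (what a CA should see).
csr_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# 0 if the public key inside CSR $1 matches private key $2, compared by
# SHA-256 over the DER-encoded SubjectPublicKeyInfo of each.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: CSR_DEMO=1 sh csr.sh   (constructed hostname under example.com)
if [ "${CSR_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    make_csr "$d" apollo-idrac.example.com
    echo "CSR to hand to the CA (contains public key + signature only):"
    cat "$d/req.csr"
    echo "private key stays in $d/key.pem"
fi
```

certbot runs the same steps on your behalf: the key is generated on the host, only the CSR goes over ACME, and the returned certificate is just the CA's signature over that public key. The third check is the one to run when rotating: a certificate or CSR that does not match the key on disk is the usual cause of a service that reloads fine and then fails every TLS handshake.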

  • Anyone more first-hand familiar with the politics of Chino Valley? At a glance, it’s a solidly blue district and not where I’d expect this sort of culture war grandstanding. Feels like an artifact of the weird nature of school boards where usually sleepy off-year elections sometimes explode and elect crazies who have small dedicated groups of voters.

    Mrs. Shaw received 51.58 percent of the votes (5,190) and Mrs. Gagnier received 48.42 percent (4,873).

    Not to be not alarmed, but seems more like an aberration. There’s a good reason why school board candidates tend to run on this:

    Mrs. Shaw, who campaigned on parental rights, said her goals include getting the school district back to the basics with reading, writing, and math, teaching age-appropriate curriculum, and ensuring transparency with parents.

    And not culture war nonsense. I feel like Cruz and Na have likely avoided too much attention, but tying themselves to a kook who is turning school board meetings into a circus with national attention is a bad strategy going into an on-cycle election in a blue district. Unless they don’t want their seats, then maybe it’s a great strategy.


  • I’ve found the idea of LXC containers to be better than they are in practice. I’ve migrated all of my servers to Proxmox and have been trying to move various services from VMs to LXC containers and it’s been such a hassle. You should be able to directly forward disk block devices, but just could not get them to mount for a MinIO array - ended up just setting their entire contents to 100000:100000 and mounting them on the host and forwarding the mount point instead. Never managed to get CAP_IPC_LOCK to work correctly for a HashiCorp Vault install. Docker in LXC has some serious pain points and feels very fragile.

    It’s damning that every time I have a problem with LXC the first search result will be a Proxmox forum topic with a Proxmox employee replying to the effect of “we recommend VMs over LXC for this use case” - Proxmox doesn’t seem to recommend LXC for anything. Proxmox + LXC is definitely better than CentOS + Podman, but my heart longs for the sheer competence of FreeBSD Jails.

  • Only issue I had with a similar setup is turns out the old HP desktop I bought didn’t support VT-d on the chipset, only on the CPU. Had to do some crazy hacks to get it to forward a 10gbe NIC plugged into the x16 slot.

    Then I discovered the NIC I had was just old enough (ConnectX-3) that getting it to properly forward was finicky, so I had to buy a much more expensive ConnectX-4. My next task is to see if I can give it a virtual NIC, have OPNsense only listen to web requests on that interface, and use the host’s Nginx reverse proxy container for SSL.