My solution is to use Rathole. I rent a wildly cheap (2 core, 4GB memory) VPS and basically just run Traefik there. Then I use Rathole to make some services hosted on my desktop available to Traefik.
I like this solution better than Wireguard for my application. It reduces attack surface to services you’ve explicitly set up, rather than a full data layer trunk between your machine and a potential malicious actor.
Ooh, I’ll definitely check out Voice!
I’m more of a desktop Jellyfin container person myself, but all roads lead to Rome in this case :) thanks for the input!
Does anyone know of a good alternative for Android?
Right now I just use Antennapod, but it would be nice to get chapters and whatnot built in.
My $0.02:
NixOS is excellent, and actually pretty easy if you’re not trying to do anything fancy (running all services under a single user, etc.). Personally this is my pick because I primarily host services for myself, so down time in exchange for learning a new thing is acceptable.
As I mentioned elsewhere, Debian + Incus is a great minimal and rock solid solution for longer standing services. Although, it’s not composeable :(
More directly to your preferences, I would also recommend considering Rocky. Being in the RHEL ecosystem has its perks (especially with rootless support for podman and podman-compose). I’m also generally a fan of SELinux. Rocky is a little less bleeding edge than Fedora with many of the same conveniences and recent packages. In my mind, for my purposes, that makes it a better choice than Fedora for a server OS.
I tend to not use the webui, so I prefer the similarly useful combination of Debian + Incus (spawned from the LXC project).
Sure, HA isn’t baked into Incus (to my knowledge) but similar to OP I only have one physical box and don’t necessarily care to manage multiple.
That being said, Proxmox is a good solution in the scheme of things and generally a good recommendation.
Hm, so it’s encrypted from your beeper client to the bridge, decrypted, then re-encrypted with the outgoing platform’s protocol. Seems like a good reason to host your own bridge, and a good call on it being a glaring attack surface.
Seems like the secret sauce is in how they deal with messaging platform integrations? Maybe the goal is to avoid another iMessage lawsuit. With Beeper as a proof of concept it would be cool to start adding integrations in a fully open source way (legality permitting)
That’s a cool solution! I’d be interested in making a nix flake to do something similar to that Ansible project. Thanks for linking!!
Agreed! I’m pretty psyched about their transparency and the overall model. Especially in the universe where this Apple lawsuit results in Beeper being allowed to connect to iMessage again.
Would love to hear any results you find with hosting! I’ll give it a try too and maybe do a follow on post with what I learn.
Try this, friend
{ config, pkgs, ... }:
let
lock-false = {
Value = false;
Status = "locked";
};
lock-true = {
Value = true;
Status = "locked";
};
in
{
/*
** ffextid
** Usage: `ffextid [install_url]`
** Description: simple script to find the extension id from an extension's manifest
** using the url found by right clicking the install add-on button and
** selecting "copy link"
*/
home.packages = with pkgs; [
(pkgs.writeShellScriptBin "ffextid" ''
#!/usr/bin/env bash
$(curl $1 > /tmp/ffext.xpi) 1> /dev/null
$(unzip /tmp/ffext.xpi -d /tmp/ffext) 1> /dev/null
# If ripgrep exists, use that. Otherwise default to grep
if ! command -v rg &> /dev/null;
then
rg id /tmp/ffext/manifest.json
else
grep id /tmp/ffext/manifest.json
fi
rm -rf /tmp/ffext*
'')
];
programs = {
firefox = {
enable = true;
package = pkgs.wrapFirefox pkgs.firefox-unwrapped {
extraPolicies = {
DisableTelemetry = true;
# add policies here...
/* ---- EXTENSIONS ---- */
ExtensionSettings = {
"*".installation_mode = "blocked"; # blocks all addons except the ones specified below
/*
Format:
"[Manifest id]" = {
installation_mode = "force_installed" # will install the extension for you!
install_url = "[url]" # found by right clicking the install button on the add-on page
};
*/
# uBlock Origin:
"uBlock0@raymondhill.net" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
};
# Privacy Badger:
"jid1-MnnxcxisBPnSXQ@jetpack" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
installation_mode = "force_installed";
};
# Bitwarden
"{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/4225453/bitwarden_password_manager-2024.1.1.xpi";
};
# XBrowserSync
"{019b606a-6f61-4d01-af2a-cea528f606da}" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/3546070/xbs-1.5.2.xpi";
};
# Decentraleyes
"{jid1-BoFifL9Vbdl2zQ@jetpack}" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/4158232/decentraleyes-2.0.18.xpi";
};
# Clear URLs
"{74145f27-f039-47ce-a470-a662b129930a}" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/4064884/clearurls-1.26.1.xpi";
};
#Dark Reader
"addon@darkreader.org" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/4223104/darkreader-4.9.76.xpi";
};
# Cookie AutoDelete
"CookieAutoDelete@kennydo.com" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpi";
};
# I don't care about cookies
"jid1-KKzOGWgsW3Ao4Q@jetpack" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/4202634/i_dont_care_about_cookies-3.5.0.xpi";
};
# Youtube Sponsor Block
"sponsorBlocker@ajay.app" = {
installation_mode = "force_installed";
install_url = "https://addons.mozilla.org/firefox/downloads/file/4229442/sponsorblock-5.5.4.xpi";
};
# add extensions here...
/*
"" = {
installation_mode = "force_installed";
install_url = "";
};
*/
};
/* ---- PREFERENCES ---- */
# Set preferences shared by all profiles.
Preferences = {
"browser.contentblocking.category" = { Value = "strict"; Status = "locked"; };
### BOOLEANS
"extensions.pocket.enabled" = lock-false;
"extensions.screenshots.disabled" = lock-true;
"privacy.donottrack.heater.enable" = lock-true;
"browser.compactmode.show" = lock-true;
# add global preferences here...
};
};
};
/* ---- PROFILES ---- */
# Switch profiles via about:profiles page.
# For options that are available in Home-Manager see
# https://nix-community.github.io/home-manager/options.html#opt-programs.firefox.profiles
profiles ={
sunstoned = { # choose a profile name; directory is /home/<user>/.mozilla/firefox/profile_0
id = 0; # 0 is the default profile; see also option "isDefault"
name = "sunstoned"; # name as listed in about:profiles
isDefault = true; # can be omitted; true if profile ID is 0
settings = { # specify profile-specific preferences here; check about:config for options
"browser.newtabpage.activity-stream.feeds.section.highlights" = false;
"browser.startup.homepage" = "https://nixos.org";
"browser.newtabpage.pinned" = [{
title = "NixOS";
url = "https://nixos.org";
}];
# add preferences for profile_0 here...
};
};
# add profiles here...
};
};
};
}
In my head they’re different use cases. Nix is amazing for a living build. Ansible is more pigeon-holed to production systems where you don’t want (or need) that history baked into every system
nix develop is going to change your workflow. Don’t fear the flake my friend :)
Idk flatpak and docker are pretty easy to set up. If anything gets too complicated it’s easy to go back to old reliable.
I’m an old man when it comes to major changes. If it’s salvageable then maybe stick with what you’ve got. Have you used lazy docker or watchtower?
Lazy docker should give you a more reliable interface (TUI, over ssh, not a GUI)
Watchtower (aims to) update your containers for you so you don’t have to go through this pain in the first place :)
Personally, I run my Nextcloud and Jellyfin servers on NixOS with auto updates on. It’s been chugging along great!
I agree gluetun is de way 😂 unfortunately my CPU is nowhere near 100%
Save some sex for the rest of us
Using gluetun to connect my containers to Mullvad I’m getting 60+% of my bare network speeds.
Another option that doesn’t achieve that performance is torproxy which can achieve a similar result.
Using gluetun to connect my containers to Mullvad I’m getting 60+% of my bare network speeds.
Another option that doesn’t achieve that performance is torproxy which can achieve a similar result.
send to the dumpster any computer produced before 2018
You mean send into the arms of a frugal Linux enthusiast ;)
What would you tout?