Skip Navigation
InitialsDiceBear„Initials” ( by „DiceBear”, licensed under „CC0 1.0” (
Posts 13
Comments 2.6K
PSA: New Samsung phones block sideloading by default. Here's how to re-enable it
  • If you mean the S24, the equivalent from Sony would be the Xperia 5 V. Has audio jack and sd card compared to the S24, Sony batteries last 2 days even after several years of use thanks to excellent optimization and battery care, there's almost zero bloat. On the downside it will only get 2 years of upgrades (until the end of 2025). Also you can't unlock the bootloader on US models if that's something you care about.

  • What am I doing with iptables?
  • Keeping a port open if you don't want it open is bad practice.

    Why even bother having a firewall then? I mean, why block any ports if you're going to open the ports for services anyway, and there's nothing listening on the others, right?

    The point of having a firewall is that you start with DENY on all possible chains and interfaces, and you describe explicitly what is allowed to happen.

    A firewall thus becomes a living specification of the networking rules for your server, the same way ansible for example describes the functionality.

    If you're not willing to do it like that then don't bother having a firewall, there's no point.

  • What am I doing with iptables?
  • Do not disable that docker feature unless you know what you're doing!

    99% of users want it on. If you have an active firewall you want it to be restrictive, and you want Docker to open ports only as needed, and to keep track of container networks for you and to take down the permissions when you stop a container etc.

    What clueless people do is disable this feature and then they make permanent rules that keep the ports open all the time, and/or attempt to keep track of rules by hand. The former is insecure, the latter is a hassle.

  • What am I doing with iptables?
  • You should not have to open such a permissive rule. Like you've seen, docker will set firewall rules as needed if you have services that actually need to listen on the public interface.

    If you've run that permissive input command on the VPS it's most likely not a good idea.

    What exactly are you trying to do? If you're trying to use curl from inside a docker container that is not the correct way to achieve that. In fact you should not need to do anything like that, outside connections should be allowed (OUTPUT), and incoming collections (INPUT) should be allowed only if they're related to an already ongoing connection (look up the ESTABLISHED flag).

    Any extra flag you can offer that would narrow things down would also be welcome. When you write firewall rules you should be as restrictive as possible. For example since this is curl you're probably going to connect to ports 80 and 443 so you can add --dport to restrict the ports to the OUTPUT rule. And you should specify the interface (in this case docker0) in almost all cases.

  • Immich relies on a third-party service that seems shady to me
  • You could also start by denying any outside connection to anything except private IP ranges for any docker container, and only allow it on a need to have basis.

    It's not enough to rely on the the good will and savvy of whoever made the software, you have to make the restrictions stick.

  • Let's bring back the webring.
  • It will happen out of necessity once LLMs make search engines useless. Bookmarks and human-curated content will be the only way to find stuff.

    It's already affecting small businesses worldwide, who aren't being discovered anymore by searches in their local area.

  • This ‘Google TV Streamer’ set-top box is what comes after Chromecast
  • It's going to be a bit tough considering that the Chromecast protocol is being used by pretty much every Android app.

    I'm not aware of any open source app that can pose as a Chromecast on the network and/or convert the protocol to DLNA, but maybe I haven't searched enough.

  • Follow up on supporting Immich announcement - change of wording
  • Immich recently had a bug where it would delete all the photos if you remove a gallery. It has breaking changes and API changes all the time. Why? I don't know. You do NOT need to break the API every other minor version, it's super dumb.

    That makes it impossible to use it with other users because I can't control how and when their mobile app gets updated, which means at any given time I have no idea if their apps will work with the server version. And when they do work, they're buggy.

    You can use it just for yourself if you're very careful but it's not something I can offer friends or family and promise it's better than Google Photos or iCloud. Not if it doesn't work half the time and may delete their photos every once in a while.

    A simple alternative is to use a sync app to upload photos from a person's phone and then use a reliable (doesn't break all the time) photo webapp to let them browse them. They can still manage their photos locally, and use other services, and other backups and so on, they just have an extra backup + viewer.

  • Follow up on supporting Immich announcement - change of wording
  • OK but that just means the offer for this particular type of app sucks. It doesn't make Immich good.

    It's not really uncommon in the selfhosted space, there are some huge gaps. Try finding a multi-account email webapp for example, or a CalDAV/CardDAV webapp.

  • Understanding Linux and choosing your first Linux distro, v2.0
  • It does need regular maintenance, as highlighted in every single stable update announcement.

    If you're talking about "Known issues and workarounds" those aren't caused by Manjaro, they're issues that crop up with various packages. The forum attempts to crowdsource fixes as part of Manjaro's mission to make it easier on its users.

    It's a great resource and it can be used by people on any Arch-related distro (and potentially other distros as well). I wish more distros would do this.

    It is absolutely not stable (as in Debian Stable or RHEL or SLES stable) as things are moving quickly.

    Well it's still a rolling distro with Arch heritage. It's as stable as you can make Arch. Which is quite stable in the sense that a Manjaro install won't stop working out of the blue (I can attest to that personally, going on the 5th year as a daily driver). And they've gone and added Timeshift snapshots as default so if you mess something up you can simply restore a snapshot, which takes care of user-related tinkering as well.

    Okay, almost-semi-regular then.

    Not sure I understand your point about the updates (or the "almost-semi" thing). What does it matter if updates come after 13 or 17 days? Is it important to you to be exactly 14 or what?

    AUR creators, on the other hand, are overwhelmingly Arch users who builds their scripts targeting an up-to-date Arch system.

    10% of AUR packages are abandoned. Another 20% have never been updated after the initial release. Only 35% have been updated within the last year.

    Anyway, it doesn't matter. AUR "packages" are recipes that either compile packages from source or download binary releases. Both methods are very resilient and don't care about delays of a couple of weeks.

    While you can in theory run into an AUR package that was just updated to require something that was just added to Arch the chances are extremely small. It's hardly a common problem.

  • Follow up on supporting Immich announcement - change of wording
  • Should I not be able to use the software if I'm donating?

    I see these comments going "oh it's still alpha, we need to encourage them". Well it should have exited alpha a long time ago, and secondly I'm not going to pay for the mere possibility of it being useful at some undetermined point in the future. Show my something useful now.

    If anything, Immich has demonstrated it has no intention of ever becoming a useful project. A perpetual alpha that breaks super often and plans to remain in that state on purpose indefinitely should not be asking for any support.

    Even in FOSS you have to show some modicum of practical sense. FOSS was founded on "scratch an itch" not on "break forever".

  • Understanding Linux and choosing your first Linux distro, v2.0
  • Wow, basically everything you wrote about Manjaro was wrong:

    • It doesn't need constant maintenance, and it doesn't break. The whole point of it is to be a stable variation of Arch.
    • It doesn't have a highly irregular update schedule, it's quite regular — every two weeks. There are also updates for outstanding security issues which can come faster (as needed). Occasionally very large updates can take longer in order to weed out all the issues, such as the recent example with Plasma 6 — those are announced in advance.
    • AUR doesn't "expect" anything, it's a dumping ground where anybody can put anything. I successfully run about 100 AUR packages on Manjaro without any issues, but nobody can guarantee anything when it comes to AUR. It's officially unsupported on Arch and every Arch-based distro. If you want to call it dangerous that's fine (if a bit hyperbolic) but don't blame that on Manjaro, it just shows that you don't understand how AUR works.
  • Photo manager that deals with RAW and JPG together?

    I took some photos at an event and I need to go through them and get rid of the bad ones (eyes closed, things in the shot, out of focus, blurred etc.) I'm not a pro photographer so no idea where to begin with photo apps. I've used RawTherapee and Gimp a bit.

    What app will let me quickly browse the photos and handle (delete/tag) photo formats together (both the RAW and the JPG)?


    How do you guys use Tailscale (or other VPN) with containers

    I wanted to run my VPN/Tailscale setup past you, see if anybody has suggestions on how I could do things better.

    • Setup: home LAN (, router+DNS on, server running docker containers on
    • LAN DNS points *.local.dom.tld to the server, public DNS points *.dom.tld to my dynamic public IP.
    • Containers run in bridge mode with host, expose ports on host IPs via "ports:" mapping.
    • NPM with LE certs also in container, exposes, forwards to various other services.

    Goals for Tailscale:

    • Accessing HTTP services via NPM from my phone when away from home.
    • Exposing select UDP and TCP non-HTTP services such as syncthing (:22000) or deluge RCP admin (:58846) to other tailnet devices or to phone on the go.

    Goals in general:

    • Some containers need to expose ports on the LAN.
    • Some containers need to expose ports via Tailscale.
    • Some containers need to broadcast on the LAN (DLNA stuff) – but I don't want them broadcasting to Tailscale.
    • Generally speaking I'd like to explicitly control what's exposed from each container on either LAN or Tailscale.
    • I'd like to avoid hacking images with Dockerfile. I can make my own images to do stuff, just don't want to keep up with hacking other images.

    How I progresed with Tailscale:

    1. First tried running it directly on the host. Good: tailnet IP (let's call it available on the host's default network stack. Containers can use "ports:" to map to (tailscale) and/or (LAN). Bad: tailscale would mess with /etc/resolv.conf on host. Also bad: tailscale0 on host picked up stuff that binds to
    2. Moved tailscale to a container running on the host network stack (network_mode: host). Made it leave /etc/resolv.conf alone. tailscale0 on host stack still picks up everything on

    This is kinda where I'm stuck. I can make the tailscale container bridged which would put the tailscale0 interface inside the container. It wouldn't pick up from host but how would I publish ports to it?

    • The tailscale recommended way of doing it is by putting other containers in the tailscale's container network stack (network_mode: container:tailscale). This would prevent said containers from using "ports:" to map to host anymore. Also, everything they publish locally would end up on tailscale0 whether I like it or not.
    • Tailscale has an env var TS_DEST_IP that can mirror another IP. I could allocate an IP on host eth0 like, mirror that from the tailscale container, and target it from other containers explicitly with "ports:" when I want to publish a port to tailscale. Downside: would be in the host's network stack so still picks up
    • I could bridge the tailscale container with other containers on a private subnet, say and use tailscale serve to forward specific ports to other containers over that subnet. Unfortunately serve is fairly limited; it can't do UDP and technically it refuses to forward TCP either to non-localhost (but you can dump the serve config to JSON, and hack that config, and use it with TS_SERVE_CONFIG= 🤮).
    • I could bridge tailscale with other containers and create a special container with a fixed IP on that subnet, mirror the IP from tailscale, and use iptables on that container to forward specific ports to other containers. This would actually solve everything I want except...
    • If I ever want to use another VPN which doesn't have the mirror feature. I don't know how I'd deal with that.

    Migrating away from Gandi, 9 months later

    I'm posting this in selfhosted because Gandi increasing prices actually helped me a lot with being more serious about selfhosting, made me look into things like DNS and reverse proxies and VPN and docker and also ended up saving me money by re-evaluating my service needs.

    For background, is a large and old (25 years) domain registrar and hosting provider in the EU, who after two successive rounds of being acquired by investment funds have hiked up prices across the board for all their services.

    In July 2023 when they announced the changes for November I was using their services for pretty much everything because I manage domains for friends and family. That means a wide selection of domains registered with them (both TLDs and European ccTLDs), LAMP hosting, and was taking advantage of their free email hosting for multiple domains.

    For the record I don't hold the price hike against them, it was just unsustainable for us. Their email prices (~5€/mailbox/mo) are in line with market prices and so are hosting prices. Their domain prices are however exaggerated (€25-30/yr is their lower price now). I also think they could've been smarter about email, they could've offered lower prices if you keep domains registered with them. [These prices include the VAT for my country btw. They will appear lower in USD.]

    What I did:

    Domains: looked into alternative registrars with decent prices, support for all the ccTLDs I needed, DNSSEC, enforced whois privacy, and representative services (some ccTLDs require a local contact). Went with (Germany) and (France). Saved about €70/yr. Could have saved more for .org/.net/.com domains with an American registrar but didn't want to spread too thin.

    DNS: learned to use a dedicated DNS service, especially now that I was using multiple registrars since I didn't want to manage DNS in multiple places. Wanted something with support for DNSSEC and API. Went with (Germany) as main service and (Slovenia) as backup. deSEC is free, more on Bunny pricing below. Learned a lot about DNS in the process.

    Email: having multiple low-volume mailboxes forced me to look into volume-based providers who charge for storage and emails sent/received not mailboxes. I've found Migadu (Swiss with servers in France at OVH), MXRoute (self-hosted in Texas) and PurelyMail (don't know). Fair warning, they're all 1-2 man operations. But their prices are amazing because you pay a flat fee per year and can have any number of domains and mailboxes instead of monthly fees for one mailbox at one domain. Saved €130/yr. Learned a lot about MX records and SPF/DKIM/DMARC.

    Hosting: had a revelation that none of the webpages I was hosting actually needed live dynamic services (like PHP and MySQL). Those that were using a CMS like WordPress or PHP photo galleries could be self-hosted in docker containers because only one person was using each, and the static output hosted on a CDN. Enter, who also offer CDN and static storage services. For Europe and North America it costs 1 cent per GB with a $1 minimum/mo, so basically $12/yr since all websites are low traffic personal websites. Saved another €130/yr. Learned a lot about Docker, reverse proxies and self-hosting in general.

    Keep in mind that I already had a decent PC for self-hosting, but at €330 saved per year I could've afforded buying a decent machine and some storage either way.

    I think separating registrars, DNS, email and hosting was a good decision because it allows a lot of flexibility should any of them have any issues, price hikes etc.

    It does complicate things if I should kick the bucket – compared to having everything in one place – which is something I'll have to consider. I've put together written details for now.

    Any comments or questions are welcome. If there are others that have gone through similar migrations I'd be curious what you chose.


    Webmail client with decent search and large mailbox support?

    I'm thinking of putting all my email archive (55k messages, about 6 GB) on a private IMAP server but I'm wondering how to access it remotely when needed.

    Obviously I'd need a webmail client but is there any that can deal with that amount of data and also be able to search through To, From, Subject and body efficiently?

    I can also set up a standalone search engine of some sort (the messages are stored one per file in regular folders) but then how do I view the message once I locate it?

    I can also expose the IMAP server itself and see if I can find a mobile app that fits the bill but I'd rather not do that. A webmail client would be much easier to reverse proxy and protect.


    What bootable "live" images of useful tools?

    I've repurposed a 32 GB M.2 SATA SSD as a bootable "USB stick" and I'm putting useful tools on it. So far I've got memtest, seatools, gparted live, system rescue, clonezilla, and a live install iso of the distro installed on my PC. What other great bootable tools am I sleeping on?


    Recommend me a graphical text editor that can deal with multiple workspaces (or lets you specify instance)

    I use multiple workspaces and I open text files all the time.

    Once upon a time Mousepad used to behave sanely and would open them in a new tab if there was already an instance on the current workspace, or open a new window (on the current workspace) if there wasn't.

    They broke that at some point. Now it's anybody's guess where the file will open. Maybe it opens in a tab in an existing window on this workspace. Maybe in a tab in a window on a random workspace. Maybe a new window on this workspace even though there's one open. I've given up trying to figure it out.

    As a last resort I can use wmctrl to figure out how to open the files and can script a sane launcher myself – provided that the editor has --tab and --window options AND lets you specify the window instance. Mousepad has the former but not the latter.

    So, do you know any editor that can do it by itself or has those options so I can do it myself? TIA


    Upgrading a self-hosted server (episode 3)

    Upgrading a self-hosted server (3)

    A short intro to Docker

    Docker is a lot less complicated than it was made out to be.

    Docker is a way of taking a service (something like Plex) and making it work in a sort of "slice" cut out of the real machine's resources (CPU, RAM and disk space). These slices are called containers.

    There are several benefits:

    • If someone breaks into one of your services, they only reach one container not the real machine, and not any of the other containers.
    • It's very easy to restore a container in case of machine reinstall, using "magical" recipe files called "docker compose yaml". If the main OS blows up you just need to reinstall stock Debian stable and Docker, then use the magical recipes.
    • The containers share similar files among themselves, so if you have 10 containers that use the same files it will only be stored once, not 10 times.
    • You can try out any server software without worrying you'll mess up your host machine. Or you can use a second configurations of the same service in a second container without worrying you'll mess up the first one.

    Basic Docker commands

    • docker-compose up -d: run this into the same dir as a magical yaml file to create a container for the first time.
    • docker stop cups, docker start cups, docker restart cups will stop/start/restart the cups container.
    • docker container list shows all containers you've created.
    • docker rm cups removes the cups container (if it's not running).
    • docker image list shows the software images that the containers are using.
    • docker rmi olbat/cupsd will remove the olbat/cupsd image, but only if the cups container that is based on it has been removed (and stopped).
    • docker exec cups ls /etc/cups will execute a command inside the container. You can execute /bin/sh or /bin/bash to explore inside the container machine.
    • ctop is a nice tool that will show you all containers and let you start/stop/restart them.

    Preparing for using Docker

    There are a couple of things you need to add to a fresh Debian install in order to use Docker:

    • docker, obviously, the package on Debian is called
    • ctop is a nice CLI tool that shows your containers and lets you do stuff with them (stop, start, restart, enter shell, view logs etc.) It's basically a simple CLI version of Portainer (which I never bothered installing after all).

    The following tools are indirectly related to services inside docker containers:

    • vainfo will verify that GPU-accelerated video encoding/decoding is working for AMD and Intel GPUs. This will be useful for many media streaming containers. See the Arch wiki for more.
    • avahi (which is avahi-daemon on Debian) and avahi-dnsconfd will help autodiscover some services on LAN between Linux machines. Only applicable if you have more than one Linux machine on your LAN, of course, and it's only relevant to some services (eg. CUPS).

    Some tips about Docker

    Should you use Docker or Podman? If you're a beginner just use Docker. It's a lot simpler. Yes, there are good reasons to use Podman but you don't need the extra headache when you're starting out. You will be able to transition into Podman easier later.

    Use restart: "always" in your compose yaml's and save yourself unnecessary trouble. Some people try to micromanage their containers and end up writing sysctl scripts for each of them and so on and so forth. With this restart policy your containers will stay stopped if stopped manually, but will start each time the docker daemon [re]starts, which most likely means at boot, which is probably all you want right now.

    The one docker issue that will give you the most trouble is mapping users from the real machine to the container machine and back. You want the service in the container to run as a certain user, and maybe you want to give it access to some files or devices on the real machine too. But some docker images were made by people who apparently don't understand how Linux permissions work. A good docker image will let you specify what users and groups it needs to work with (emby/embyserver is a very good example). A bad image will make up some UID and GID that's completely unrelated to anything on your machine and give you no way to change them; for such images you can try to force them to use root (UID and GID 0) but that negates some of the benefits a container was supposed to give you. So when looking for images see if they have a description, and if it mentions any UID and GID mapping. Otherwise you will probably have a bad time.

    How do you find (good) docker images? On, just search for what you need (eg. "cups"). I suggest sorting images by most recently updated, and have a look at how many downloads and stars it has, too. It's also very helpful if they have a description and instructions.

    One last thing before we get to the good stuff. I made a dir on my RAID array, /mnt/array/docker where I make one subdir for each service (eg. /mnt/array/docker/cups), where I keep the magical yaml (compose.yaml) for each service, and sometimes I map config files from the container, so they persist even if the container is deleted. I also use git in those dirs to keep track of the changes to the yaml files.

    Using Emby in a Docker container

    Emby is a media server that you use to index movies and series and watch them remotely on TV or your phone and tablet. Some other popular alternatives are Plex, Jellyfin and Serviio. See this comparison chart.

    Here's the docker-compose.yaml, explanations below:

    version: "2.3" services: emby: image: emby/embyserver container_name: emby #runtime: nvidia # for NVIDIA GPUs #network_mode: host # if you need DLNA or Wake-on-Lan environment: - UID=1000 # The UID to run emby as - GID=100 # The GID to run emby as - GIDLIST=100,44,105 # extra groups for /dev/dri/* devices volumes: - "./data:/config" # emby data dir (note the dot at the start) - "/mnt/nas/array/multimedia:/mnt/nas/array/multimedia" ports: - "8096:8096/tcp" # HTTP port - "8920:8920/tcp" # HTTPS port devices: - "/dev/dri:/dev/dri" # VAAPI/NVDEC/NVENC render nodes restart: always

    • version is the compose yaml specification version. Don't worry about this.
    • services and emby defines the service for this container.
    • image indicates what image to download from the docker hub.
    • container_name will name your container, normally you'd want this to match your service (and for me the dir I put this in).
    • runtime is only relevant if you have an Nvidia GPU, for accelerated transcoding. Mine is Intel so... More details on the emby image description.
    • network_mode: host will expose the container networking directly to the host machine. In this case you don't need to manually map the ports anymore. As it says, this is only needed for some special stuff like DLNA or WoL (and not even then, I achieve DLNA for example with BubbleUPnP Server without resorting to host mode).
    • environment does what I mentioned before. This is a very nicely behaved and well written docker image that not only lets you map the primary UID and GID but also adds a list of extra GUIDs because it knows we need to access /dev devices that are owned by 3rd party users like video and render. Very nice.
    • volumes maps dirs or files from the local real machine to the container. The config dir holds everything about Emby (settings, cache, data) so I map it outside of the container to keep it. When I installed this container I pointed it to the location of my old Emby stuff from the previous install and It Just Worked.
    • devices similarly maps device files.
    • ports maps the network ports that the app is listening on.
    • restart remember what I said about this above.

    Using Deluge in a Docker container

    Let's look at another nicely made Docker image. Deluge is a BitTorrent client, what we put in the Docker container is actually just the server part. The server can deal with the uploads/downloads but needs an UI app to manage it. The UI apps can be installed on your phone for example (I like Transdroid) but the Deluge server also includes a web interface on port 8112.

    version: "2.1" services: deluge: image: container_name: deluge environment: - PUID=1000 - PGID=1000 - DELUGE_LOGLEVEL=error volumes: - "./config:/config" # mind the dot at the start - "/mnt/nas/array/deluge:/downloads" ports: - "8112:8112/tcp" # web UI - "60000:60000/tcp" # BT transfers - "60000:60000/udp" # BT transfers - "58846:58846/tcp" # daemon remote control (for Transdroid) restart: always

    Most of this is covered above with Emby so I won't repeat everything, just the important distinctions:

    • Notice how environment lets you choose what UID and GUID to work as.
    • I use volumes to map out the dir with the actual downloads, as well as map all the Deluge config dir locally so I can save it across container resets/reinstalls.
    • The ports need to be defined in the deluge config (which you can do via the web UI or edit the config directly) before you map them here. IIRC these are the defaults but please check.

    Using Navidrome in a Docker container

    Navidrome is a music indexer and streaming server (sort of like your own Spotify). It's follows the Subsonic spec so any client app that works with Subsonic will work with Navidrome (I like Substreamer). It also includes a web UI.

    version: "3" services: navidrome: image: deluan/navidrome:latest container_name: navidrome environment: ND_SCANSCHEDULE: 1h ND_LOGLEVEL: info ND_BASEURL: "" ND_PORT: 4533 ND_DATAFOLDER: /data ND_MUSICFOLDER: /music volumes: - "./data:/data" - "/mnt/nas/array/music:/music:ro" ports: - "4533:4533/tcp" restart: "always"

    Again, mostly self-explanatory:

    • Environment settings are nice but this image stopped short of allowing UID customization and just said fuck it and ran as root by default. Nothing to do here, other than go look for a nicer image.
    • I mapped the data dir locally so I preserve it between resets, and the music is shared read-only.

    Using BubbleUPnPServer in a Docker container

    This server can do some interesting things. Its bread and butter is DLNA. It has a companion Android app called, you guessed it, BubbleUPnP, which acts as a DLNA controller. The server part here can do local transcoding so the Android phone doesn't have to (subject to some caveats, for example the phone, the DLNA source and the Bubble server need to be on the same LAN; and it can only transcode one stream at a time).

    It can also identify media providers (like Emby or Plex) on the LAN and media renderers (like Chromecast or Home Mini speaker) and DLNA-enables them so they appear in the Bubble app as well as on other DLNA-aware devices.

    version: "3.3" services: deluge: image: bubblesoftapps/bubbleupnpserver-openj9-leap container_name: bubbleupnpserver network_mode: "host" user: "0:0" devices: - "/dev/dri:/dev/dri:rw" volumes: - "./data/configuration.xml:/opt/bubbleupnpserver/configuration.xml:rw" restart: "always"

    • network_mode is "host" because this server needs to interact with lots of things on the LAN automagically.
    • user forces the server to run as root. The image uses a completely made up UID and GID, there's no way to customize it, and it needs to access /dev/dri which are restricted to video and render groups to access GPU-accelerated transcoding. So using root is the only solution here (short of looking for a nicer image).
    • I map the configuration file outside the container so it's saved across reset/reinstalls.

    Using Samba in a Docker container

    Normally I'd install samba on the host machine but Debian wanted me to install like 30 packages for it so I think that's a valid reason to use a container.

    version: "2.3" services: samba: image: twistify/anonymous-samba container_name: samba volumes: - "./etc/samba:/etc/samba:ro" - "/mnt/nas/array:/mnt/nas/array" ports: - "445:445/tcp" # SMB - "139:139/tcp" # NetBIOS restart: "always"

    Normally this should be a simple enough setup, and it is simple as far as docker is concerned. Map some ports, map the config files, map the array so you can give out shares, done. But the image doesn't offer UID customization and just runs as root.

    For reference I give the /etc/samba/smb.conf here too because I know it's tricky. This one only offers anonymous read-only shares, which mainly worked out of the box (hence why I stuck to this image in spite of the root thing).

    [global] workgroup = WORKGROUP log file = /dev/stdout security = user map to guest = Bad User log level = 2 browseable = yes read only = yes create mask = 666 directory mask = 555 guest ok = yes guest only = yes force user = root

    [iso] path=/mnt/nas/multimedia/iso

    You can add your own shares aside from [iso], as long as the paths are mapped in the yaml.

    Notice the ugly use of root in the Samba config too.

    Using CUPS inside a Docker container

    CUPS is a printer server, which I need because my printer is connected via USB to the server and I want to be able to print from my desktop machine.

    version: "2.3" services: cups: image: aguslr/cups:latest container_name: cups privileged: "yes" environment: - CUPS_USER=admin - CUPS_PASS=admin volumes: - "/dev/bus/usb:/dev/bus/usb" # keep this under volumes, not devices - "/run/dbus:/run/dbus" ports: - "631:631/tcp" # CUPS restart: "always"

    The docker setup is not terribly complicated if you overlook things like /dev/bus/usb needing to be a volume mapping not a device mapping, or the privileged mode.

    CUPS is complicated because it's a complex beast, so I'll try to add some pointers below (mostly unrelated to docker):

    • You can use lpstat -p inside the host to check if CUPS know about your printer, and /usr/lib/cups/backend/usb to check if it knows about the USB printer in particular.
    • You need CUPS on both the server and the desktop machine you want to print from. You need to add the printer on both of them. The CUPS interface will be at :631 on both of them, for printer management on the server the user+pass is admin:admin as you can see above, on the desktop machine God only knows (typically "root" and its password, or the password of the main user).
    • So the server CUPS will probably detect the USB printer and have drivers for it, this image did for mine (after I figured out the USB bus snafu). You need to mark the printer as shared!
    • ...but in order for the desktop machine to detect the printer you need to do one more thing: install Avahi daemon and dnsconfd packages on both machines because that's the stuff that actually makes it easy for the desktop machine to autodetect the remote printer.
    • ...and don't rely on the drivers from the server, the desktop machine needs its own drivers, which it may or may not have. For my printer (Brother HL-2030) I had to install an AUR package on desktop – and then the driver showed up when setting up the printer in the desktop CUPS.

    See you next time with more docker recipes! As usual any and all comments and suggestions are welcome, including "omg you're so dumb, that thing could be done easier like this".


    Upgrading a self-hosted server (episode II)

    << Episode i: outline >> Episode iii: docker recipes

    In this episode: installing a secondary disk in the machine, making a system backup, installing Debian, and configuring essential service.

    Adding a secondary disk to the machine

    Why? Because I'd like to keep the old system around while tinkering with the new one, just in case something goes south. Also the old system is full of config files that are still useful.

    To this end I grabbed a spare SSD I had lying around and popped it into the machine.

    ...except it was actually a bit more involved than I expected. (Skip ahead if you're not interested in this.) The machine has two M.2 slots with the old system disk occupying one of them, and 6 SATA ports on the motherboard, being used by the 6 HDDs. The spare SSD would need a 7th SATA port.

    I could go get another M.2 but filling the second M.2 takes away one SATA channel, so I would be back to being one port short. 🤦

    The solution was a PCI SATA expansion card which I happened to have around. Alternatively I could've disconnected one of the less immediately useful arrays and free up some SATA ports that way.

    Taking a system backup

    This was simplified by the fact I used a single partition for the old system, so there are no multiple partitions for things like /home, /var, /tmp, swap etc.


    • Use fdisk to wipe the partition table on the backup SSD and create one primary Linux partition across the whole disk. In fdisk that basically means hitting Enter-Enter-Enter and accepting all defaults.
    • Use mkfs.ext4 -m5 to create an Ext4 filesystem on the SSD.
    • Mount the SSD partition and use cp -avx to copy the root filesystem to it.

    Regarding this last point: I've seen many people recommend dd or clonezilla but that also duplicates the block ID, which you then need to change or there would be trouble. Others go for rsync or piping through tar, with complicated options, but cp -ax is perfectly fine for this.

    A backup is not complete without making the SSD bootable as well.

    • Use blkid to find the UUID of the SSD partition and change it in the SSD's /etc/fstab.
    • If you have a swap partition and others /home, /var etc. you would do the same for them. I use a /swapfile in the root which I created with dd and formatted with mkswap, which was copied by cp. I mount it with /swapfile swap swap defaults 0 0 so that stays the same.
    • Install grub on the SSD. You need to chroot into the SSD for this one as well as mount --bind /dev, /sys and /proc.

    Here's an example for that last point, taken from this nice reddit post:

    mkdir /mnt/chroot mount /dev/SDD-partition-1 /mnt/chroot mount --bind /dev /mnt/chroot/dev mount --bind /proc /mnt/chroot/proc mount --bind /sys /mnt/chroot/sys mount --bind /tmp /mnt/chroot/tmp chroot /mnt/chroot Verify /etc/grub.d/30-os_prober or similar is installed and executable Update GRUB: update-grub Install GRUB: grub-install /dev/SDD-whole-disk Update the initrd: update-initramfs -u

    I verified that I could boot the backup disk before proceeding.

    Installing Debian stable

    Grabbed an amd64 ISO off their website and put it on a flash stick. I used the graphical gnome-disk-utility application for that but you can also do dd bs=4M if=image.iso of=/dev/stick-device. Usual warnings apply, make sure it's the right /dev, umount any pre-existing flash partition first etc.

    Booting the flash stick should have been uneventful but the machine would not see it in BIOS or in the quick-boot BIOS menu so I had to poke around and disable some kind of secure feature (which will be of no use to you on your BIOS so good luck with that).

    During the install I selected the usual things like keymap, timezone, the disk to install to (the M.2, not the SSD backup with the old system), chose to use the whole disk in one partition as before, created a user, disallowed login as root, and requested explicit installation of a SSH server. Networking works via DHCP so I didn't need to configure anything.

    After install

    SSH'd into the machine using user + password, copied the public SSH key from my desktop machine into the Debian ~/.ssh/authorized_keys, and then disabled password logins in /etc/ssh/sshd_config and service ssh restart. Made sure I could login with public key.

    Installed ntpdate and added 0 * * * * /usr/sbin/ntpdate router.lan &>/dev/null to the root crontab.

    Mounting RAID arrays

    The RAID arrays are MD (the Linux software driver) so they should have been already detected by the Linux kernel. A quick look at /proc/mdstat and /etc/mdadm/mdadm.conf confirms that the arrays have indeed been detected and configured and are running fine.

    All that's left is to mount the arrays. After creating /mnt directories I added them to /etc/fstab with entries such as this:

    UUID=array-uuid-here /mnt/nas/array ext4 rw,nosuid,nodev 0 0

    ...and then systemctl daemon-reload to pick up the new fstab right away, followed by a mount -a as root to mount the arrays.

    Publishing the arrays over NFS

    Last step in restoring basic functionality to my LAN is to publish the mounted arrays over NFS.

    I installed and used aptitude to poke around Debian packages for a suitable NFS server, then installed nfs-kernel-server.

    Next I added the arrays to /etc/exports with entries such as this:

    /mnt/nas/array desktop.lan(rw,async,secure,no_subtree_check,mp,no_root_squash)

    And after a service nfs-kernel-server restart the desktop machine was able to mount the NFS shares without any issues.

    For completion's sake, the desktop machine is Manjaro, uses nfs-utils and mounts NFS shares in /etc/fstab like this:

    nas:/mnt/nas/array /mnt/nas/array nfs vers=4,rw,hard,intr,noatime,timeo=10,retrans=2,retry=0,rsize=1048576,wsize=1048576 0 0

    The first one (with nas: prefix) is the remote dir, the second is the local dir. I usually mirror the locations on the server and clients but you can of course use different ones.

    All done

    That's essential functionality restored, with SSH and NFS + RAID working.

    In the next episode I will attempt to install something non-essential, like Emby or Deluge, in a docker container. I intend to keep the system installed on the metal very basic, basically just ssh, nfs and docker over the barebones Debian install. Everything else should go into docker containers.

    My goals when working with docker containers:

    • Keep the docker images on the system disk but all configurations on a RAID array.
    • Map all file access to a RAID array and network ports to the host. This includes things like databases and other persistent files, as long as they're important and not just cache or runtime data.

    Basically the idea is that if I ever lose the system disk I should be able to simply reinstall a barebones Debian and redo the containers using the stored configs, and all the important mutable files would be on RAID.

    See you next time, and meanwhile I appreciate any comments about what I could've done better as well as suggestions for next steps!.


    Easy way to remote share the desktop?

    I need a very simple method for non-advanced users to share each other's screen explicitly when they need help. They're running XFCE on Manjaro and the machines involved are using Tailscale. Edit: SSH access is also available, with key authentication.

    I need something super simple because they are remote from me and from each other and any graphical setup will have to be assisted sight-unseen over phone. So ideally just (1) install something (which I can do for them over SSH), (2) pick something from the Applications menu and maybe (3) press a big "START" button.

    It's also ok-ish if the remote capability is present all the time and I can connect without their explicit permission, but you can see why it would be best if they did something to enable it...

    I've been looking for a solution but all I find is stuff that's way too complicated OR starts a new desktop session instead of showing the current one.

    Edited: to clarify I'm not the one who will be remoting-in and to mention SSH is available.



    Why I'm leaving Gandi and where I'm going

    I've been using Gandi for over 20 years, almost since it was founded. Since being acquired in 2019 by Montefiore Investment and this year by Total Webhosting Solutions their service have become more and more expensive and have finally priced me out.

    For context, I administer a bunch of domains, mailboxes and HTML websites for my family and extended family, and I prefer services hosted in the EU because of GDPR and local availability.

    This post is meant as a list of practical decisions in 2023 for the small time selfhoster. If anybody wants to comment on what Gandi (or rather TWS) is doing feel free to do so in the comments, I'm curious myself.

    Prices I've mentioned use my country's VAT so will vary slightly for you.

    Domain names

    Domain names have always been a bit on the expensive side with Gandi but they used to include a lot of features for free with them (SSL, DNSSEC, mailboxes, a small static website, WHOIS privacy, local contact for TLDs that need it etc.) and what they added extra was proportional to the base TLD cost.

    For the next renewal all my domains were slated to jump to €28 across the board. If you have domains with Gandi try adding some renewals to the cart and check in advance.

    I had to look for an European registrar because I have lots of European ccTLDs that the usual suspects like Cloudflare and Porkbun don't support.

    I'm moving to and will be saving 25-60% per domain. This takes into account WHOIS privacy where needed for an extra 5€/domain (EU ccTLDs are private due to GDPR but we own a couple of TLDs too) as well as local contact services where required (price varies by country).


    I manage multiple mailboxes but they have low traffic and low storage requirements. Gandi will be offering them at €55/mailbox/year. I'm not questioning their pricing, 3-4€/month for email is common, but typically charged by email-focused services.

    Anyway, this per-mailbox model would price us into hundreds of euros for resources that go 99% unused. I'm switching to, who allows unlimited domains and mailboxes (within common sense) under a single account and charges for the conflated storage space and emails sent/received across all mailboxes.

    Migadu tiers start at 20€/year for 5GB and 200/20/day (soft limits).


    We were using Gandi's smallest hosting package for about 100€/year, which was slated to jump to €135. Not an outlandish price for your typical PHP + MySQL hosting, especially since it had some VPS-like features. Then again the typical webhosting service would include a couple of mailboxes and some other goodies.

    This was a good opportunity for us to reevaluate out hosting needs and realize we can ditch PHP+MySQL (if we really have to revisit it we'll consider VPS offers in the future). It's mostly static sites, image galleries and a bit of blogging. We've cached all our stuff as plain HTML/CSS/images and moved it to BunnyCDN.

    Bunny lets you define a file bundle, gives you FTP access with a unique username+password, lets you pick the extent of replication, puts a CDN on top of it, and lets you point a domain name to it. Also throws a bunch of web server-ish features on top like rules/rewrites and Let's Encrypt SSL.

    They actually offer more features than that but I've just mentioned the minimum you need for serving a bunch of static websites.

    Bunny pricing starts at $0.01/GB (with a minimum of $1/month) and you pay as you go.


    Since we're doing this I've taken the opportunity to dab into DNS. Turns out it's not that hard. There's only like half a dozen of commonly used DNS record types and everybody's helping you with them – email services like Migadu generate the email-related ones for you, registrars and managed DNS services generate the SOA for you, they have forms that tell you what fields are needed etc.

    There are lots of managed DNS options. Registrars usually include nameservers and let you mess with the records so INWX was one choice. Bunny offers DNS service that integrates with their CDN. deSEC is a completely free service I'll be using as backup.

    All of the above also offer APIs so a bash script will be taking care of dynamic DNS.


    Upgrading a self-hosted server (episode 1)

    Upgrading a self-hosted server (1)


    Hi, I'm starting a series of posts that will follow the upgrades I'll be doing to a self-hosted machine that serves as NAS and also runs all kinds of self-hosted software. I'm lazy so it will probably take time, don't expect me to post too often.

    About me: I've been using Linux exclusively for personal use (both desktop and servers) for about 20 years now. I've used several distributions over the years, I've built my own stuff from source (including kernels) and I've done Linux From Scratch. I'm not a Linux expert or professional sysadmin but I know my way around it, and I can learn what I don't know. So don't be afraid to make any suggestions no matter how complicated.

    The current state of the machine

    • It's a PC using an i5 7400 CPU, has a built-in GPU with support for h264 hardware encoding and MPEG2, VP8, VP9 and HEVC hardware decoding (this will come in handy for video transcoding).
    • Only 4 GB of RAM, I have ordered a dual 2x16 GB kit.
    • The system drive is a Transcend M.2 SSD (32 GB). SATA rather than PCIe unfortunately but it will do fine for the time being.
    • The OS is Ubuntu Server 16.04 LTS using Expanded Security Maintenance for updates.
    • It's currently running SSH, NFS, Samba, CUPS, OpenVPN, Emby and Deluge on bare metal. Some of them come from distro packages, some from binary releases straight from the developer.
    • There are 6 HDDs forming 3 pairs of RAID 1 arrays. 6 drives was a limit I chose from the beginning, and the case and motherboard were chosen accordingly (cage for 6 drives and 6 SATA connectors).
    • My ISP provides a public dynamic IP and allows port forwards.
    • I have a router that I've recently upgraded to the latest OpenWRT so it also runs Linux, can install packages, it has a web admin interface etc. and can do some interesting stuff.

    What I'd like to do

    • Increase the RAM to 32 GB.
    • Stick with a Linux distro, as opposed to a NAS-tailored OS, Unraid etc.
    • Install Debian Stable on a SSD, most likely via debootstrap from the Ubuntu system.
    • Add a GRUB menu entry that makes a passthrough to the other system, so I can keep them both around for a while.
    • Use docker-compose and possibly Portainer for as many of the services as it makes sense. Not sure if it's worth bothering to make containers for things like SSH, NFS, Samba.
    • Add more services. I'd like to try Jellyfin, NextCloud and other stuff (trying to degoogle for example).
    • I'd like to find a better solution for accessing services from outside the LAN. Currently using OpenVPN which is nice for individual devices but gets complicated when you want an entire remote LAN to be able to access (to allow smart TVs or Chromecast to use Emby/Jellyfin for example). I'm hoping Authelia + reverse proxy will be able to help with this.

    What I'm not interested in

    • Not interested in using Plex. I've used it for a couple of years, it's a fine piece of software but I don't like the fact they now mandate access through their server or injecting ads.
    • Not interested in changing the filesystem or the RAID setup for the HDDs. RAID 1 pairs give me enough redundancy. The HDD upgrades are very simple. I'm fine with losing 50% of capacity.

    Any and all suggestions and comments are welcome! Even if they're about things I said I'm not interested in. It's always possible there are things I haven't considered.


    Google is moving reminders to Tasks, any other calendar app with a similar feature?

    So I got a notification that Google is going to retire the reminders feature from Calendar and make it a Tasks feature instead.

    The only reason I was using Google:s Calendar app was for their reminders (and because they've made it impossible for third party apps to use reminders).

    The most important part of reminders for me was the way they worked, by putting up a notification that didn't go away until manually dismissed. Very useful for important stuff like taking a medicine.

    Any suggestions for other apps that have similar notifications? It would be great if they were a calendar app, and even greater if they are synced to a calendar over a standard (like CalDAV etc.) so I can self-host it.