• 1 Post
  • 106 Comments
Joined 3 years ago
Cake day: June 30th, 2023

  • all my backups are what they should be

    Are you sure? While the cloud backups may not affect you, the exclusions might; afaict no one even knows what exactly is excluded.

    From the link:

    This annoyed me. Firstly I needed that folder and Backblaze had let me down. Secondly within the Backblaze preferences I could find no way to re-enable this. In fact looking at the list of exclusions I could find no mention of .git whatsoever.

    Which strongly implies that there might be other important folders that aren’t backed up. (Without .git inside a git folder it is no longer a git repository)

    I don’t use backblaze but from the outside it looks like they’re cutting costs by worsening the backups to reduce storage usage.

  • for a homelab I don’t think it’s feasible to fully review the source code of everything you install

    Here’s what you can actually do:

    • Consider if you actually need the application and stop applications you don’t use
    • Don’t allow public access unless it is necessary, consider VPN/reverse proxies with client authentication (if supported)
    • isolate applications that don’t need to talk to each other
      • see also rootless podman, firewalls, virtual machines, etc
      • don’t forget network access, if everything runs on 127.0.0.1 and every service shares it then they can all talk to each other! (See also network namespaces or VMs)
    • Don’t reuse passwords
    • keep software up to date
    • actually evaluate the quality of the project if it needs access to sensitive information
      • see open issues, closed issues that stand out
      • check for audits or at least a history of good effort™

    Sure, you won't always catch AI slop this way, but you don't need to read a line of code to at least be reasonably sure your arr stack won't get to the family photos.

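A concrete version of the "don't allow public access unless necessary" and "everything on 127.0.0.1 can talk to everything" points above, as an added example that is not from the comment: a small POSIX sh check over `ss -Hltn` output that prints every TCP listener bound to something other than loopback and exits non-zero if it finds any. The sample lines are constructed to look like a typical homelab box, and the function names are mine. A clean result only says nothing is reachable from other hosts; services that share the host's loopback can still reach each other, which is the namespace/VM point in the list, and anything inside a VM or its own network namespace needs the same check run there.

```shell
#!/bin/sh
# Added example, not part of the comment above: list TCP listeners that are
# reachable from other hosts (anything not bound to loopback). Feed it the
# output of `ss -Hltn`; the sample below is constructed for a stand-alone run.
set -eu

# Reads `ss -Hltn` lines on stdin and prints the local address:port of every
# socket not bound to 127.0.0.0/8, ::1 or the IPv4-mapped ::ffff:127.x form.
# Returns 1 if any such listener exists, so it can gate a script.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # strip the port, keep the address
            if (addr ~ /^127\./) next          # IPv4 loopback
            if (addr == "[::1]") next          # IPv6 loopback
            if (addr ~ /^\[::ffff:127\./) next # v4-mapped loopback
            print $4
            n++
        }
        END { if (n > 0) exit 1; exit 0 }
    '
}

# Live check: needs iproute2's ss; -ltn does not require root.
audit_listeners() {
    ss -Hltn | exposed_listeners
}

# Constructed sample: jellyfin and a database on loopback, sshd and a reverse
# proxy on every interface, a metrics endpoint on IPv6 loopback.
SAMPLE='LISTEN 0      4096       127.0.0.1:8096       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22           0.0.0.0:*
LISTEN 0      128             [::]:22              [::]:*
LISTEN 0      4096               *:443              *:*
LISTEN 0      4096           [::1]:9090          [::]:*'

if [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE" | exposed_listeners || echo "exposed listeners found" >&2
fi
```

Run it as `sh check.sh sample` to see the constructed case (it prints the two sshd sockets and the proxy on `*:443`), or call `audit_listeners` from a cron job that alerts when the set changes.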
  • Here:

    server {
        listen 443 quic;
        listen [::]:443 quic;
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name jellyfin.kitsuna.net;
        http2      on;
        http3      on;
        quic_gso   on;
        tcp_nodelay on;

        access_log /var/log/nginx/jellyfin.access.log;
        error_log  /var/log/nginx/jellyfin.error.log;

        # nginx's default is 1M; raise it if uploads (posters etc.) fail. 20M is an example value.
        client_max_body_size 20M;

        ssl_certificate     /etc/letsencrypt/live/kitsuna.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/kitsuna.net/privkey.pem;
        # TLS 1.2+ only; SSLv3 and TLS 1.0/1.1 are not offered (ref: POODLE).
        ssl_protocols TLSv1.2 TLSv1.3;

        # Advertise HTTP/3 to clients that arrived over TCP.
        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        add_header x-quic 'h3';

        location / {
            proxy_pass http://10.159.4.12:8096/;
            # WebSocket upgrades need HTTP/1.1 towards the backend.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Tell Jellyfin the client used HTTPS so it builds https:// URLs.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Nginx-Proxy true;
        }
    }



  • Yeah, I tried just now and it doesn't seem to be working (anymore?), could've sworn that worked.

    You can still kexec the installers directly, I followed the netboot.xyz scripts and got the links they use. Here's Debian as an example:

    From the scripts: https://deb.debian.org/debian/dists/stable/main/installer-amd64/current/images/netboot/ ; looking at the boot config debian-installer/amd64/grub/grub.cfg:

    submenu '... KDE Plasma desktop boot menu ...' {
        set gfxpayload=keep
        menuentry '... Install' {
            set background_color=black
            linux    /debian-installer/amd64/linux desktop=kde vga=788 --- quiet
            initrd   /debian-installer/amd64/initrd.gz
        }
    }


    So we need to download those two files and add the netboot.xyz cmdline arguments, then:

    $ kexec --command-line="desktop=kde vga=788 mirror/suite=stable initrd=initrd.magic console=ttyS0,115200n8" --initrd=initrd.gz -l linux
    $ systemctl kexec


    and it boots.

    Also, here's an example of the NixOS netboot commands; more on that in the NixOS manual:

    $ kexec --load bzImage \
      --initrd=initrd.gz \
      --command-line "init=/nix/store/n37nmcvbrblk9ahfzj9nxy01axs7zsf6-nixos-system-nixos-kexec-25.11pre-git/init nohibernate loglevel=4 lsm=landlock,yama,bpf"
    $ systemctl kexec
    

    Edit:

    No console access

    If that means that you can only connect to SSH and have no VGA/video then this will be limited; you could set up an automated install, but that requires a lot more knowledge than what your guide requires.


  • Kexec can be used to load a new kernel and "reboot" quickly; it can also be used to load a new kernel and an initrd and never touch the disk. Such a system lives completely in RAM and allows you to modify the disk in any way you want without breaking your running Linux (which is in RAM).

    Any distro that has a network boot installer that can be passed to kexec can be installed this way; any that don't can still kexec any Linux distro and then install any other distro by passing the disk to a VM and installing Linux through that.

    You can also kexec the netboot.xyz image and get any distro supported there.
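The Debian kexec procedure from the earlier comment (download the netboot kernel and initrd, add the netboot.xyz cmdline arguments, `kexec -l`, `systemctl kexec`) and the "a system living in RAM" explanation above, put together as one script. This is an added example, not code from either comment or from netboot.xyz. The step the comments skip is worth doing before you hand a downloaded kernel to kexec as root: Debian publishes a SHA256SUMS file one directory up from netboot/ that covers the whole images/ tree, so the script checks both files against it. Assumptions: curl, sha256sum and awk are present, the script runs as root, and SHA256SUMS lists paths relative to images/ with or without a leading `./` (the function accepts both). Verifying SHA256SUMS itself against the GPG-signed dists/stable/Release file is left out, so this guards against a corrupt or swapped download, not a hostile mirror. On hosts with kernel lockdown (Secure Boot), plain kexec_load is refused and only a signed kernel loaded via `kexec -s` is accepted, so expect this to fail there.

```shell
#!/bin/sh
# Added example (not from the original comments): fetch the Debian stable
# netboot kernel + initrd, verify them against the SHA256SUMS published
# alongside, then stage them with kexec. Run as root (kexec/systemctl need it).
set -eu

BASE="https://deb.debian.org/debian/dists/stable/main/installer-amd64/current/images"
WORKDIR="${WORKDIR:-/tmp/d-i-kexec}"   # scratch directory, assumption

# Compose the kernel command line: the grub.cfg arguments plus the netboot.xyz
# ones quoted in the comment (initrd=initrd.magic, mirror/suite=stable, serial
# console). Kept as a function so it can be checked on its own.
build_cmdline() {
    # $1: desktop flavour (e.g. kde); $2: serial console spec, or empty for none
    flavour="$1"; console="${2:-}"
    line="desktop=${flavour} vga=788 mirror/suite=stable initrd=initrd.magic"
    [ -n "$console" ] && line="${line} console=${console}"
    printf '%s\n' "$line"
}

# Check one file against a SHA256SUMS-style list ("<hex>  <relative path>").
# $1: path to SHA256SUMS; $2: path as listed, relative to images/; $3: local file.
# Returns 1 if the entry is missing or the digest differs.
verify_sha256() {
    sums="$1"; rel="${2#./}"; file="$3"
    expected=$(awk -v p="$rel" '$2 == p || $2 == ("./" p) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum listed for $rel" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

fetch_and_kexec() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    curl -fsSLO "$BASE/SHA256SUMS"
    curl -fsSLO "$BASE/netboot/debian-installer/amd64/linux"
    curl -fsSLO "$BASE/netboot/debian-installer/amd64/initrd.gz"
    # Refuse to kexec anything whose digest does not match the published list.
    verify_sha256 SHA256SUMS netboot/debian-installer/amd64/linux linux
    verify_sha256 SHA256SUMS netboot/debian-installer/amd64/initrd.gz initrd.gz
    kexec -l linux --initrd=initrd.gz --command-line="$(build_cmdline kde ttyS0,115200n8)"
    # Everything from here on runs from the initrd in RAM; the disk is untouched
    # until the installer writes to it.
    systemctl kexec
}

# Only act when invoked with "go"; sourcing the file just defines the functions.
if [ "${1:-}" = "go" ]; then
    fetch_and_kexec
fi
```

Drop the `console=` argument (`build_cmdline kde`) when you have VGA/video; keep it when the only access is a serial console, since the installer's output goes wherever the kernel console points.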