Marelooke's mess

With all the Reddit issues, and having recently migrated to Mastodon, I started looking into Reddit alternatives. There are two main ones I’m aware of: Lemmy, and Kbin.

Lemmy was out, from my perspective, for a combination of two reasons:

  • there are some serious, as of yet unaddressed, concerns about the lead developer.
  • researching performance issues with Lemmy led me to have some concerns about the backend skills of the devs, who claim to be mostly front-end specialists.

Unfortunately Lemmy seems to be the more mature of the two.

Kbin, on the other hand, really doesn’t even have any proper installation procedure. The application needs to be built from source, and all the pieces assembled, making installation much more cumbersome and raising serious concerns about maintainability in the longer run. The first I could deal with, the second, less so.

For now I’ve just decided to wait and see. Bit of a missed opportunity for these Fediverse Reddit alternatives, if you ask me, especially now that Reddit appears to have just gone back to “business as usual”, because, as Louis Rossmann correctly pointed out, people have no spine to even fight for issues that barely require anything from them.

So when I started my new job a Linux laptop was an option. It came with Ubuntu LTS (22.04), which wouldn’t have been my pick, but it certainly beats having to use Windows (or Mac OS, for that matter).

At first I tried to just use Gnome, it being the default. That didn’t last long. I have honestly no idea how people can use this mess of a DE that needs plugins to be brought up to what I would consider a “functional” level, so KDE it is (for now).

I still ran into two major issues.

The first being that everything was extremely slow, like “having to pause while typing for the pc to catch up”-slow. It was also eating absolutely ridiculous amounts of memory.
So I purged snapd (can this trend of containerizing everything die already, please?) and rebooted and it’s now using about 10GiB less memory. Coincidence? Maybe, but I have my doubts.

The other big issue was continuous flickering/glitching of the laptop display when also using an external display. While working from home it was practically unusable. I’m not entirely sure what the difference between the two setups was other than the screen being on the left, rather than the right in my home setup.
As for the (partial) solutions, it turns out the laptop has two GPUs, a built-in one and an nVidia GPU, and it was probably switching between the two all the time. Forcing the nVidia GPU with prime-select made the flickering issue much better (but it’s not gone).

Ended up just moving everything behind the tunnel, and just proxying the connections through Wireguard. Massive performance improvement (shocker, I know).

One issue I ran into though is that after a power outage all the Apache reverse proxies started spitting out DNS errors even though resolution on the host worked fine. Turns out mod_proxy caches connections indefinitely.

A solution would be to entirely disable connection reuse:

ProxyPass http://foobar.com/ retry=0 disablereuse=On

but that seems a bit heavy-handed given that power outages aren’t exactly common.

Haven’t found a better solution yet though, unfortunately. If anyone is aware of anything, please let me know.

1 Like

Gratz on your new job. At my previous workplace, initially I was running Ubuntu on my laptop, because that’s what the previous sysadmin was installing on the laptops (although he had me install the laptop myself, so I just went with that too). I used Unity 7 on 18.04 and it kept freezing. Had no dgpu, just the intel igpu.

Went with plasma5 (technically, kubuntu-desktop, which was the package I installed) and it was much more stable… but Ubuntu had some quirks (among them being getting stuck in infinite waiting when systemd was trying to unmount a cifs mount and always increasing the timeout timer from 2min to 5, to 10, to 15 etc.). I wiped Ubuntu and installed arch (no AUR, had no need for it) and was happy with it for a while, but had to change my laptop (we were out of laptops and had new people coming in and I would’ve rather used an old latitude e5530 myself, rather than giving someone a laptop that old, so I passed my e5570 to them).

I switched to a retired toshiba kira (always just moving the OS, either by moving the ssd or cloning). It worked for a while, until I started having a hardware issue (ram related - and it was soldered ram) and I got an os corruption so catastrophic, that I decided I didn’t want to use arch anymore. It literally broke the ext4 fs, telling me to check the date on my system, because some inodes or something have been written “in the future.” The date on both the bios and the os before the crash were correct.

I moved the m.2 sata ssd in a retired latitude e5440, wiped it and went with Fedora KDE spin and never looked back. All of that happened in the span of 1.5 years and used fedora for about half a year, before leaving the company (switching from plasma5 to sway after about a month or two). I was testing void with jwm on an e5530 and a rpi2 and would’ve probably moved to it if given just a bit more time. I moved to void at home (from manjaro, which was another buggy mess, even without ever having the aur installed - and yes, I kept up to date both manjaro and arch as soon as there were updates available, they still broke without me doing anything).

Nowadays, I suggest people stay away from Fedora (only because of magenta hat). As for KDE, with latte-dock, it was great. Also used to have it at home (in kwin_wayland mode). But I wasn’t using much of the plasma’s capabilities and I was kinda ram restricted (8gb), so I had to go a bit more minimal. With sway and pcmanfm-qt, I could just do my job (and run my many browser tabs in firefox, chromium and falkon).

1 Like

Fedora wasn’t even on my list of options, really. Red Hat’s behaviour with RHEL, while apparently shocking to some, isn’t exactly new (nor is it unique to them), so I’ve just avoided commercially backed distros when I have the chance (that would include Ubuntu, but, well, it came preinstalled).

If I end up reinstalling, I was considering either Arch or Debian Testing (supposedly an acceptable desktop experience nowadays).

In the past I’d just have slapped Gentoo on it (because of familiarity) and called it a day as I only used the laptop as a mobile workplace, but nowadays I do need to drag it around multiple times during the day, so having things like suspend, webcams, and the like “just work” (insofar as suspend ever “just works” on any OS, but I digress…) is kind of important.

1 Like

Been doing the same thing on home stuff, but since the fiasco, I’ve been heavily discouraging corporate backed distros even for others, including the ones that didn’t yet do any anti-consumer tactics (like Pop!_OS, if anyone asks, I just point them to mint or lmde, or artix if they need something with newer kernel and drivers, because artix comes with community desktop versions).

1 Like

Been running into some weird DNS issues with pfSense that I haven’t been able to figure out yet. So figured this is as good a time as any to pick up that migration to OpenBSD I’d been planning for, errr, a very long time now.

First step was upgrading the VM from 7.0 to current, which, as it turns out, wasn’t quite as straightforward as I had hoped since the OpenBSD team only carries the two latest releases on its cdn, so sysupgrade resulted in a 404. Easily solved by passing it the location of a mirror, like so: sysupgrade https://ftp.nluug.nl/pub/OpenBSD, and off we go.

Apparently it does run some stuff after it’s rebooted:

pufferfish# syspatch
syspatch: cannot apply patches while reorder_kernel is running

but a second invocation worked without issues.

Two more upgrades to go after this one, and then to look into setting up DNS on OpenBSD so I can use it as a secondary server while I (finally) start to slowly supplant pfSense.

1 Like

Given the widespread usage of pfSense and the fact that it uses Unbound, I’m going to guess that there’s something else going on rather than “pfsense being wonky”. Neither blocky nor adguard-home is packaged in OpenBSD if you want such functionality, but you can of course set up your own solution I guess.

1 Like

I liked pfSense, but I really like seeing OpenBSD as a router / firewall. As far as DNS goes, I never had issues with it on pfsense, but I’m planning for rolling over my own dns solution at some point, probably based on PLL’s infrastructure series (both a recursive and an authoritative DNS, so I’ll need at least 4 containers, maybe 6).

I should probably look into DNS already. I have a bind9 container configured already, but I recall having trouble making it resolve anything besides local zone, I couldn’t forward, but I could resolve on that network, so I know at least it’s not the firewall.

That sounds really excessive, and many are moving away from bind to, for example, NSD and Unbound or Knot these days 🙂

For common usage I don’t see why you’d run anything else than unbound, blocky and possibly adguard-home at home as caching and resolver.

I like NSD and Unbound. The reason for bind9 is because of my familiarity with it (certainly not a good reason and I’m open to change) and because I’m not aware if NSD supports both DoT and DoH. Planning for Unbound for recursive caching though (that’s why I said 4 to 6 containers, 2 - 3x unbound, 2 - 3x bind9, with some simple failover process, probably keepalived).

It’s more than likely a configuration issue on my end. It’s just annoying there doesn’t seem to be any log actually, well, logging why the domain isn’t resolving. It is very possible pfBlockerNg is the culprit, but neither Unbound nor pfBlocker’s logs are showing me much of anything.

With regards to pfSense specifically: I’ve been planning to move away from it for quite a while, mostly because of Netgate’s behaviour. But, well, it’s mostly “just worked”, and, as you noted, replacing pfBlocker is going to be …fun…, so it was very low on my priority list.

Alas lately it has been causing some issues, like eating up all of the space in /var for…reasons (my initial suspect was ntopng, but that turned out to not be the case), which leads to Unbound crashing. And now this weird DNS issue.

OpenBSD I always wanted to get more familiar with, but another option would be to give OPNSense another shot, but the reason I settled on pfSense was annoying (and pretty major) issues with OPNSense, so yeah…

I’d been planning to migrate off of pfSense for a long time, but there’s quite a bit of inertia when things just work…especially things my other half will notice when they don’t 😉

I never had issues with Unbound on Linux either (which I used as router for a decade or so before switching to pfSense).

If you’re familiar with bind, well, damn! Bind has a bit of a… reputation, to put it mildly 😉

Out of curiosity, why not FreeBSD?

@ThatGuyB
I don’t see why you need failovers on the same host but oh well…

Testify brother. Amen! Preach to the rooftops!

If my missus lost access to her period dramas on Netflix, I’d be hamstrung.

1 Like

They wouldn’t all be on the same host, that’d be very dumb of me. Which isn’t unheard of, but I never went that far, lmao. But the reason I’d like to have some spares would be for redundancy purposes in case I break anything (although if I’m going to be using nixos, it’d be hard to break the dns flake). If one DNS server fails, I’d like to first be able to failover the service via something like keepalived (or maybe just for fun pacemaker + corosync, albeit that’d be overkill) and if that one fails too, move to the secondary DNS in my resolver. Having a failover is good to prevent having to wait until the dns timeout, which can make the internet appear slow.

Aside from the security reputation, I do want to gain some familiarity with OpenBSD in general, as it’s the BSD supporting the most architectures, including some very dead ones I care about (cough UltraSPARC cough).

The main “competing” option in that space is Gentoo, and well… binary packages are a thing, of course, but still…

I would be a bit more reserved by the supported part but sure, go ahead 🙂

@marelooke if you are still looking for an email service company, may I suggest Proton Mail. The company is based in Switzerland, which has the best pro-consumer laws in the world. I used their free plan for a year. Then when I purchased the domain I owned I upgraded to their paid plan; they handle all my domain emails. I am starting on my second year for the paid plan. I am very happy with them.

Don’t think I mentioned in this thread, but I ended up going with mailbox.org, which is a German company.

I don’t remember why I ended up going with them over Protonmail, might just have been the price difference.

The biggest annoyance with mailbox.org so far is that they don’t appear to support automated payments. Other than that it’s been smooth sailing.

Welp, turns out NUT is broken on pfSense 2.7.0 as well, and has been since well before the release.

The interruptonly workaround suggested basically disables all information coming from the UPS aside from it being on power or not.

This is annoying as I’d rather not run NUT on separate hardware, and the firewall, being one of the last things I’d shut down, was kinda the natural place to put it.

1 Like