TCB13

joined 2 years ago
[–] TCB13@lemmy.world 2 points 3 weeks ago (1 children)

Even that command won't really disable ALL animations.

[–] TCB13@lemmy.world -2 points 3 weeks ago* (last edited 3 weeks ago) (3 children)

Sure, can they consider stopping wasting money / time and actually develop useful stuff? For a DE that got €1M from the Sovereign Tech Fund they're not showing results.

Okay fine, desktop icons can be a design decision, however a “disable animations” toggle on the settings that doesn't disable ALL animations... that's just poorly made software, not something you may have an opinion on.

[–] TCB13@lemmy.world 10 points 3 weeks ago

Finally, because nobody needs to manage a system like it's the 2000s nor have duplicate daemons around to do stuff that systemd does in 1/4 of the resources and with fewer bugs.

[–] TCB13@lemmy.world 2 points 1 month ago* (last edited 1 month ago)

If you want to get the job (of publishing a blog) done fast, and move on, then use WP. If you want to mess around probably look at editorjs.io.

[–] TCB13@lemmy.world 3 points 1 month ago

At least WP is free, Ghost is "free" until you find out it's only useful with the rest of the paid platform. editorjs.io is much better in that sense.

[–] TCB13@lemmy.world 1 points 1 month ago

Yeah, Microsoft, for what it's worth, does play ball, you can open complaints and they'll actually read those and act fast. Google is a total pain to deal with, even if you're on some type of Google partnership they'll not do much.

[–] TCB13@lemmy.world 1 points 1 month ago* (last edited 1 month ago) (1 children)

I don't disagree with you but... it also provides a cohesive ecosystem of tools to manage Linux. What we had before was a poorly integrated mess of smaller tools that was just too hard to maintain and sometimes use.

Besides not all systemd components come out of the box with the base binary, some have to be installed if you need them. And no, it doesn't get in the way. :)

[–] TCB13@lemmy.world 1 points 1 month ago

It’s also good to make notes on every configuration setting.

I do save my settings for the various programs in a git repository...

[–] TCB13@lemmy.world -5 points 1 month ago (3 children)

If it needs documentation, it means things are over the line when it comes to complexity and I should scale down / simplify. :)

Complexity and over-engineering are a serious problem, I really try to keep it as simple as possible so I don't have to waste time managing it, dealing with updates and potential security issues. Simple code/infrastructure breaks less and has less potential insecure points.

[–] TCB13@lemmy.world 1 points 1 month ago

Unless someone finds a way to advertise nodes that doesn't depend on the entry point then yes. Consider this example: https://github.com/bitcoin/bitcoin/blob/1b2460bd5824170ab85757e35f81197199cce9d6/src/chainparams.cpp#L112 if someone takes down those domains it is game over for a new node until someone updates the code.

 

uSentry is a lightweight, self-hosted Identity and Access Management (IAM) and Single Sign-On (SSO) solution designed for homelab and small-scale environments.

⚡ A single PHP file. < 400 lines of code. No database. No background processes. No cloud. Just works. ⚡

Most IAM and SSO solutions require databases, certificates and background services baked into a dozen containers. This is all fine but also overkill for homelabs and impossible for low-power ARM devices. uSentry is different, it isn't pretty but it sucks less for a lot of use cases.

Enjoy!

 

cross-posted from: https://lemmy.world/post/23071801

Considering a lot of people here are self-hosting both private stuff, like a NAS, and also some public stuff like websites and whatnot, how do you approach segmentation in the context of virtual machines versus dedicated machines?

This is generally how I see the community action on this:

Scenario 1: Fully Isolated Machine for Public Stuff

Two servers: one for the internal stuff (NAS) and another for the public stuff totally isolated from your LAN (websites, email etc). Preferably with a public IP that is not the same as your LAN and the traffic to that machine doesn't go through your main router. E.g. a switch between the ISP ONT and your router that also has a cable connected for the isolated machine. This way the machine is completely isolated from your network and not dependent on it.

Scenario 2: Single server with VM exposed

A single server hosting two VMs, one to host a NAS along with a few internal services running in containers, and another to host publicly exposed websites. Each website could have its own container inside the VM for added isolation, with a reverse proxy container managing traffic.

For networking, I typically see two main options:

  • Option A: Completely isolate the "public-facing" VM from the internal network by using a dedicated NIC in passthrough mode for the VM;
  • Option B: Use a switch to deliver two VLANs to the host—one for the internal network and one for public internet access. In this scenario, the host would have two VLAN-tagged interfaces (e.g., eth0.X) and bridge one of them with the "public" VM’s network interface. Here’s a diagram for reference: https://ibb.co/PTkQVBF

In the second option, a firewall would run inside the "public" VM to drop all inbound except for http traffic. The host would simply act as a bridge and would not participate in the network in any way.

Scenario 3: Exposed VM on a Windows/Linux Desktop Host

Windows/Linux desktop machine that runs KVM/VirtualBox/VMware to host a VM that is directly exposed to the internet with its own public IP assigned by the ISP. In this setup, a dedicated NIC would be passed through to the VM for isolation.

The host OS would be used as a personal desktop and contain sensitive information.

Scenario 4: Dual-Boot Between Desktop and Server

A dual-boot setup where the user switches between an OS for daily usage and another for hosting stuff when needed (with a public IP assigned by the ISP). The machine would have a single Ethernet interface and the user would manually switch network cables between: a) the router (NAT/internal network) when running the "personal" OS and b) a direct connection to the switch (and ISP) when running the "public/hosting" OS.

For increased security, each OS would be installed on a separate NVMe drive, and the "personal" one would use TPM with full disk encryption to protect sensitive data. If the "public/hosting" system were compromised.

The theory here is that, if properly done, the TPM doesn't release the keys to decrypt the "personal" disk OS when the user is booted into the "public/hosting" OS.

People also seem to combine both scenarios with Cloudflare tunnels or reverse proxies on cheap VPS.


What's your approach / paranoia level :D

Do you think using separate physical machines is really the only sensible way to go? How likely do you think VM escape attacks and VLAN hopping or other networking-based attacks are?

Let's discuss how secure these setups are, what pitfalls one should watch out for on each one, and what considerations need to be addressed.

 

-98
submitted 1 year ago* (last edited 1 year ago) by TCB13@lemmy.world to c/linux@lemmy.ml
 

New GNOME dialog on the right:

Apple's dialog:

They say GNOME isn't a copy of macOS but with time it has been getting really close. I don't think this is a bad thing however they should just admit it and then put some real effort into cloning macOS instead of the crap they're making right now.

Here's the thing: in Apple's design you'll find that they carefully included an extra margin between the "Don't Save" and "Cancel" buttons. This avoids accidental clicks on the wrong button so that people don't lose their work when they just want to click "Cancel".

So much for the GNOME vision and their expert usability team :P

 

cross-posted from: https://lemmy.world/post/14398634

Unfortunately I was proven to be right about Riley Testut. He's yet another greedy person barely better than Apple. After bitching to Apple to remove GBA4iOS from the App Store he's now leveraging Delta to force people into his AltStore.

Delta has finally made its way to the App Store. Additionally, the Delta developer has also published their alternative marketplace, AltStore, in the EU today.

If you're in the EU you'll only be able to get Delta on the AltStore and that requires:

This is complete bullshit, he could've just launched Delta on the App Store in Europe as well but he decided not to.

Thanks Riley Testut for being a dick to the people that actually forced Apple into allowing alternative app stores in the first place.


GitHub issue related to this dick move: https://github.com/rileytestut/Delta/issues/292

 

 

Here's my take:

The domain aftermarket has a big problem... it exists. This market shouldn't ever be allowed to exist in the first place. ICANN should've blocked this bullshit a long time ago and forced registrars to just let domains expire and free the space. Also add a few provisions about unused domain names and about selling them.

20
submitted 1 year ago* (last edited 1 year ago) by TCB13@lemmy.world to c/linux@lemmy.ml
 

Hello,

So I have a Motorola SM56 USB Data Fax Modem (aka Apple USB Modem for some people) and according to information online this modem supports V.92, Caller ID, wake-on-ring and most importantly telephone answering (V.253).

At a place I happen to have an old analog telephone line that gets calls and unfortunately I can't get rid of. Any ideas / links / software on how I can use the modem + a low end box / ARM SBC to "digitize" the phone line into a generic SIP / VOIP that I can then connect to using MicroSIP on another computer?

Thank you.


Update on this:

I just tried the modem under Windows with a few programs such as Phone Dialer Pro and the built in dialer.exe and while the modem can detect incoming phone calls and place calls I can't pass the audio back to the operating system / phone software.

I did some research about the SM56 and it seems like it was designed to have a headset directly attached to it like on those PCI cards that also use it:

The built-in COM port of the modem seems to be only usable to control the modem via AT commands and can't be used to pass audio from and to the system.

 

Hello,

My IoT/Home Automation needs are centered around custom built ESPHome devices and I currently have them all connected to a HA instance and things work fine.

Now, I like HA's interface and all the sugar candy, however I don't like the massive amounts of resources it requires and the fact that the storage usage keeps growing and it is essentially a huge, albeit successful, docker clusterfuck.

Is there any alternative dashboard that just does this:

  1. Specifically made for ESPHome devices - no other devices required;
  2. Single daemon or something PHP/Python/Node that you can setup manually with a few systemd units;
  3. Connects to the ESPHome devices, logs the data and shows a dashboard with it;
  4. Runs offline, doesn't go into 24234 GitHub repositories all the time and whatnot.

Obviously I'm expecting more manual configuration, I'm okay with having to edit a config file somewhere to add a device, change the dashboard layout etc. I also don't need the ESPHome part that builds and deploys configurations to devices as I can do that locally on my computer.

Thank you.

 

cross-posted from: https://lemmy.world/post/11162262

Hey,

For all of you that are running proper setups and use nftables to protect your servers be aware that pvxe/nftables-geoip now has the ability to generate IP lists by country.

This can be used to, for instance, drop all traffic from specific countries or the opposite, drop everything except for your own country.

https://github.com/pvxe/nftables-geoip/commit/c137151ebc05f4562c56e6802761e0a93ed107a2

Here's how you can block / track traffic from certain countries:

Previously you had to load the entire geoip DB containing multiple GB and would end up using a LOT of RAM. Those guides aren't yet updated to use the country specific files but it's just about changing the include line to whatever you've generated with pvxe/nftables-geoip.
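
A sketch of the drop / track rules the post above describes, added here as an example and not taken from the post or from pvxe/nftables-geoip. The table, set and chain names are made up, and the set elements are constructed documentation ranges standing in for the per-country lists you generate with the tool.

```nft
#!/usr/sbin/nft -f
# Added example. All names below are hypothetical; the elements are
# constructed (RFC 5737 / RFC 3849 documentation ranges) and stand in for
# the country-specific ranges generated with pvxe/nftables-geoip.

table inet geo_filter {
    # Countries to block. "flags interval" is required for CIDR elements.
    set geo_block4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }
    }
    set geo_block6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:bad::/48 }
    }

    # Countries to watch without blocking (track-only).
    set geo_watch4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/25 }
    }

    # Your own country, used only by the allow-list rule further down.
    set geo_home4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.128/25 }
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Never cut replies to connections this host opened, loopback,
        # or the LAN; otherwise allow-list mode locks you out locally.
        ct state established,related accept
        iifname "lo" accept
        ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept

        # Track: count packets from watched ranges, no verdict.
        ip saddr @geo_watch4 counter

        # Block: count and drop traffic from the listed countries.
        ip saddr @geo_block4 counter drop
        ip6 saddr @geo_block6 counter drop

        # Allow-list mode (the "opposite" case): uncomment to drop all
        # IPv4 that is not from your own country. Keep it after the
        # accepts above.
        # ip saddr != @geo_home4 counter drop
    }
}
```

Check a file like this with `nft -c -f <file>` before loading it, and read the per-rule counters with `nft list table inet geo_filter`.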

 

-1
submitted 2 years ago* (last edited 2 years ago) by TCB13@lemmy.world to c/games@lemmy.world
 

Hey,

I found this game I used to play a very long time ago and I wanted to experience it again. Unfortunately I wasn't able to run it in Windows 10 / Windows XP SP3 VM because it would lag on modern hardware.

Here is what you need to do in order to get the game running:

  1. Search for "Midtown Madness 2 (Europe) (Rerelease)" on TPB and download it
  2. Load the disk with WinCDEmu or other solution
  3. Install the game (don't launch it)
  4. Enable DirectPlay on Windows
  5. Copy Crack\midtown2.exe to the gamefolder
  6. Download dgVoodoo2 from http://dege.freeweb.hu/dgVoodoo2/dgVoodoo2/
  7. Copy dgVoodoo2.exe to the game folder
  8. Copy all files inside MS\x86 to the game folder as well
  9. Run dgVoodoo2.exe as admin and set the following:
     • Click the button .\ to create config file to MM directory
     • In "General" > "Output API" select "Direct3D 11 MS WARP (software)"
     • Go to "DirectX" tab and change the VRAM to 128MB
     • Click "Apply" > "OK" to exit.
  10. Launch the game > Options > Graphics > select from Display drop down menu, "dgVoodoo DirectX Wrapper" > "Hardware (3D video card with T&L)" from the Renderer drop menu.
  11. Click "Done" and that's it!

Note that whenever you change the resolution it won't apply any changes to the game menu - you'll only see it once you start a race.

Midtown Madness 2 should now run very smoothly under Windows 10, even on Virtual Machines. Enjoy.
