Just some Internet guy

He/him/them 🏳️‍🌈

  • 0 Posts
  • 78 Comments
Joined 1 year ago
Cake day: June 25th, 2023

  • Did you install the certificates at all the appropriate locations?

    No certs like that will ever be recognized by browsers by default. You need to add your CA to your browser, and also to every other applicable certificate store. Usually that’d be /usr/share/ca-certificates, or command line flags to explicitly define the chain of trust (for example, curl --cacert), or sometimes environment variables like SSL_CERT_FILE.

    Also, if you have an intermediate CA and only trust the root CA, the intermediate certificate needs to be bundled with the server’s certificate so the browser can trace the chain of trust all the way to something it already trusts (i.e. your root CA).

    That’s kind of a rabbit hole on its own since it varies from software to software how it’s done, and also OS to OS. On Mac for example, that’s managed through Keychain.
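    The chain-of-trust point in the comment above, as an added example that is not part of the original comment: a throwaway root, intermediate and server certificate are generated with the openssl CLI, then the leaf is verified against a trust store that contains only the root, once without and once with the intermediate supplied as untrusted extra material (which is what a server's bundle does in the TLS handshake). All names (Example Root CA, home.example) and the WORK directory are made up for the demonstration; the script assumes a standard openssl.cnf so that `req -x509` output is marked CA:TRUE.

```shell
#!/bin/sh
# Added example, not from the original comment. Builds root -> intermediate
# -> server with the openssl CLI and shows why the intermediate must travel
# with the leaf when the client only trusts the root.
set -eu

# Constructed scratch location; every file below is generated here.
WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  # Root CA: self-signed. A default openssl.cnf marks req -x509 output CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

  # Intermediate CA: CSR signed by the root, constrained to sign leaves only.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.crt" >/dev/null 2>&1

  # Server leaf: signed by the intermediate, with a SAN (browsers ignore CN).
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=home.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:home.example\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/server.ext"
  openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1

  # What the web server should actually serve: leaf first, then intermediate.
  cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/fullchain.crt"
}

# Trust store holds only the root; the server sent only its leaf.
# Returns openssl's exit status (non-zero: "unable to get local issuer certificate").
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Same trust store, but the intermediate arrives as untrusted extra material,
# which is how a browser receives it from the server's bundle. Returns 0 on success.
verify_with_bundle() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

make_pki
if verify_leaf_only; then
  echo "leaf alone: OK (unexpected)"
else
  echo "leaf alone: FAILS, intermediate missing"
fi
if verify_with_bundle; then
  echo "leaf + intermediate: OK"
else
  echo "leaf + intermediate: FAILS"
fi
# Client side once the server serves fullchain.crt:
#   curl --cacert "$WORK/root.crt" https://home.example/
```

    Configure the server with fullchain.crt (not server.crt alone) and hand clients only root.crt; the `-untrusted` flag in the second check is the command-line stand-in for the intermediate the server includes in its handshake.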


  • Google’s phones have always supported the full spec. OnePlus used to also do that, but quietly removed support for it. On the OnePlus 8T on Android 11 (the last OxygenOS version) you could, but when they switched it to Oppo’s ColorOS that got removed; that’d be 2021-2022-ish, so that fits your experience.

    For Samsungs, I don’t know. They let you relock the bootloader with a custom ROM on it, not just after flashing back a stock image? And it does the whole verified boot dance, TPM works and everything?

    The key feature here is relocking with your own keys and retaining all the security features as if it was a manufacturer’s build. Rollback protection and everything.


  • Google phones are pretty much the only ones that let you relock the bootloader with your own signing keys. OnePlus used to, but not anymore. That means anyone can just flash anything to your phone and there’s no way to prevent it, except on Google’s phones. So, 30 seconds while you’re not looking and there’s potentially a keylogger running as root on your phone.

    With that in mind I can see why the authors aren’t interested in other devices. To release builds for a device you really need to own that device so you can test on it, maybe several of them. Each phone needs its own custom build and hacks and quirks. That’s expensive and time consuming. So you need someone with your particular model to be interested and volunteer to port, maintain and release builds of GrapheneOS for that phone. And the GrapheneOS guys are unlikely to buy those phones in the first place because they don’t have the features they want for their OS.

    There’s probably builds floating around on XDA for GrapheneOS, for people like you that don’t need the security but just the privacy features. LineageOS’ list of official devices is pretty small but there’s unofficial builds for damn near anything on XDA, so it wouldn’t surprise me to see some unofficial GrapheneOS builds as well. Once you do have a device and a build setup, working on multiple ROMs at the same time is fairly easy, so I’ve seen the same developer releasing builds of whatever they can get to build.





  • My main concern would be security I suppose if I’m hosting a web server on the same computer I store all my family backups and stuff. Would using virtual machines solve that?

    Mostly yeah. Even VMs aren’t perfect, but so widely used in the clouds of AWS and Google and whatnot that it’s good enough.


  • Max-P@lemmy.max-p.me to Selfhosted@lemmy.world, in “Starting from zero” (13 points, edited, 7 months ago)

    I have an old laptop running Linux to play around with and a fast and stable home internet connection.

    That’s pretty much all you need!

    When I started self hosting things, I literally ran the thing off my one and only laptop. Young me was getting into web development and I was fed up with the available free hosting options, so I was like, I’ve already got Apache running for development, I’ll just open the port and point a domain at it. My friends would check if I’m online by checking if my website loads. Sometimes I had to turn it off because I wanted to use my computer and they kept hogging my connection.

    Your old laptop will run NextCloud and Samba/NFS just fine even if it’s a Core 2 Duo. Sure, there’s Plex/Jellyfin, and they require a lot more power for live transcoding and stuff, but to start off, you can just play your stuff over a simple network share.

    Then when you’re happy or want to expand you’ll have a better idea of what kind of hardware you want. I ran my NAS off a Raspberry Pi 2B for several years, but ultimately always wanted at least one real server.


    As for setup guides, I have none. But don’t let yourself get too overwhelmed: there’s so much stuff you can do with a server and just as many ways to set it up. One thing at a time: get the server set up, make sure you have SSH access to it. Then pick a thing you want to run on it, and try to figure out how to run it. Don’t get too ambitious, you don’t have to do VMs, or containers, or anything at all. Get something done, play with it, experiment with it, see what you like.

    Docker containers are pretty good, they do make setting up some services pretty easy. Sometimes they also add additional complexity. It’s okay to install things directly on the host.

    There are no hard rules and everyone has their preferences. When the time has come you will know, and you will be seeking solutions like Proxmox or maybe some cloud servers.

    It doesn’t have to be perfect from the first try. You will fuck it up a couple times, and that’s okay, that’s called experience.


  • then I tried signing up to lemm.ee but was greeted with a Cloudflare never-ending page reload after solving the captcha.

    That particular instance was very recently the source of a lot of CSAM and spam, so that’d be why. A lot of instances recently upped their security to combat that.

    There’s nothing forcing anyone to use those services, but the reality is that instances that aren’t quick to respond to those kinds of incidents will get defederated.

    Cloudflare is a lazy but very effective and economical solution to this. The alternative is staff to monitor everything that goes through 24/7 which for most instances isn’t easy or possible. Many can barely afford the infrastructure costs.

    The fact that very big instances hold the majority of the communities and discussions on lemmy and the fediverse in general is concerning.

    It’s concerning regardless of the whole proxy banning debacle. A healthy fediverse is a well spread out fediverse.

    But I doubt all instances will ever be that way. You don’t need a lemmy.world account to use lemmy.world’s communities, any instance would do.

    My instance for example doesn’t use Cloudflare or any CDN, although it is invite only because I really don’t have time to deal with moderation. But I can access it over Tor if I want, and you can access it over Tor and browse it (read-only) just fine.

    Reddit on the other hand wants to keep the data for themselves. Their VPN, Tor and proxy block isn’t just for posting, it’s for reading too and that is a much worse problem. They want to hoard the data so they can train their own Reddit AI on it. On lemmy you’ll always have at least read access to the platform through Tor and VPNs through random instances.

    At least on Lemmy, a fully featured Tor hidden service instance is entirely possible, if someone is willing to vet the accounts getting registered and potentially malicious uploads. And anyone can make it happen.



  • Mine’s running on a VM with 2c/4t and 2 GB of RAM that it shares with my Lemmy instance, and it’s been working fine. I’m running Synapse; there are more lightweight alternatives as well.

    The Matrix servers don’t do all that much, it’s pretty much just plumbing data streams and storing data. You need enough disk to store all the messages and reactions and enough bandwidth to sync the rooms, and that’s about it. Most of the encryption is client-side for proper E2EE, so it just moves data around.



  • You can layer them however you want, so you can slap LUKS on the physical drives, or the mdraid, or the individual LVM volumes as you do right now. If the entire setup is either locked or unlocked, LUKS between the RAID and the LVM PV makes sense. Having LUKS on the individual LVs has the advantage that you can have your data partially unlocked.

    2FA is complicated. You can use a second factor, like requiring both a password and possession of the flash drive, but you can’t do it with the standard TOTP codes because you need the key to validate them in the first place.

    One thing you can explore is TPM: the computer can detect if it’s been tampered with, and if all checks out, it will unwrap the key. You can add a password or flash drive as a second factor. There’s also the whole smartcard rabbit hole.

    What exactly are you unsatisfied with? I think that’s a better starting point to advise on.


  • It wants you to put in whatever nameservers you will be using. It’s pretty nice, it’s even offering you glue records if you’re going to self-host your DNS too!

    Most domain registrars tend to also offer DNS services and even default to using theirs, so it’s often thought those come together. It seems like eu.org doesn’t. So you have to provide your own. That could be Cloudflare or any number of DNS providers out there.

    Most of those DNS providers will give you two name servers that you can input there. The minimum is 2; some have 4 or 8 too, but that’s rare. You just put them in the first two fields and you can leave everything else blank.




  • Yeah, people wouldn’t be coming and staying if there wasn’t anything for them to go to.

    We’ve also been putting up lots of roadblocks for immigrants that make it hard to do it legally. When you’re desperate, people turn to doing it the illegal way.

    It would take me 4 years to legally bring my wife home, through marriage. It already took us over 2 years to get me in the US with her. We want things to work out fine long term so we’re doing everything proper, but I definitely understand why people decide to opt out. We might as well not allow immigrants in since it’s so difficult to get in.

    The whole thing is a manufactured problem anyway. We’re sitting on brand new homes for years that go unsold because the developers are greedy and try to sell them for way too much. There are still big worker shortages in many sectors, shops closed because there’s nobody to run them.


  • I wouldn’t be on Lemmy if it wasn’t federated.

    Why? Because I don’t want to be trapped into another ecosystem that will do a Twitter/Reddit when it gets big enough. Reddit clones are plentiful, but they’re all fragmented in the user base. At least with Lemmy that doesn’t matter, I can use any community from my home instance.

    ActivityPub in itself really isn’t that bad; there’s a lot more that goes into the platform as a whole. And it’s also a good choice because it’s a standard protocol that everyone agrees on. Is it perfect? Probably not. But it works well enough, and we now have Lemmy alternatives in the form of Sublinks and K/Mbin. There’s also a decent chunk of toy ActivityPub projects out there as well.

    I can still be trapped in a dying ecosystem but that’s true of every site and at least I have the option of taking my data and converting it to another software if I want to.



  • Meanwhile Québec runs on 95% renewables, and we’ve not had grid load problems in decades. We have problems with trees taking out the power lines, but we’ve never been asked to turn it down despite most people having electric heaters.

    They’re always blaming renewables, but so far renewables are the ones I’ve had the least amount of issues with, and by far the cheapest too. My energy bill is 5x the amount in the US and it’s barely freezing. It’s all fossil fuels, of course, the supposedly cheap and reliable ones.

    Renewables are great except for the big oil companies.