I use headscale on a VPS as an ingress point into my network and I love it. On top of headscale, I use two instances of traefik to make my network. I have one instance of traefik running on the vps which runs a couple of services that I want running 24/7(headscale-ui is nice). It pulls a subdomain certificate for TLS. So any services under say *.vps.example.com get routed to the VPS.

Then I have a wildcard TCP rule pointing the rest of the network traffic to my home server through headscale. My home server is running another instance of traefik where all my services are running. This pulls another wildcard cert for the rest of the *.example.com subdomains.

Cool thing about this setup is I can now have my DNS server rewrite *.example.com to my servers LAN IP. Now when my device is home, it works even when WAN is out. But when I’m out and about, it hits the public DNS and goes through my VPS. With traefik I can write a not !ClientIP rule and essentially block the VPS. Now I can host a service at home but also block it from being accessed from the public. But if I need access to the LAN remotely, I can just use a tailsacale client and get into headscale and see everything.

Its an odd network, but it’s super flexible and works very well for my use case. If you have any questions I’d love to help you set something like this up :D

The over lap of docker containers needs to happen from inside the perspective of the container. If you send Radarr to pull a movie from bittorrent, they both need to “be in the same spot”. If bittorrent thinks it’s saving a movie to /data/torrent then Radarr also needs to see the movie at /data/torrent.

That’s why so many guides use the /data/ label scheme. Its just easy to use and implement. Side note, for hard links to work, all the folders need to be on the same drive. Can’t hard link between different drives.

Ah sorry to hear that. Did you find something better that works for you? I’m open to suggestions :D

I followed along the nixos wiki for kubernetes and creating the “master” kublet is super easy when you set easyCerts = true. Problem is, it spits out files to /var/lib/kubernetes/secrets/ that is owned by root. Specifically, the cluster-admin.pem file. If I want to push commands to the cluster using kubectl I have to elevate to a root shell. I could just chmod or chown the file but that seems like a security risk.

Now I’m not familiar with k8s at all. This is my first go through, so I could be doing something wrong or missing a step. I saw something about the role based security but I haven’t jumped down that rabbit hole yet. Any tips for running kubectl without root?

I’m working on my first kubernetes cluster. I’m trying to set the systems up with NixOS. I can get a kublet and a control plane running. But I’m getting permission errors when trying to use kubectl rootless on the system running the control plane. I think I figured out which file i need to change, now I just want to record that change in my configuration.nix.

:3c

Well yeah let’s elaborate on that. Merriam-Webster defines elitism as

1. Leadership or ruled by an elite
2. The selectivity of the elite
3. Consciousness of being or belonging to an elite.

That comment was suggesting open source tools while you’re posting in an open source social media platform in a community that is geared towards open source software. Please explain how that comment fits the definition above. It’s not elitist to assume that you’ve heard of git if you’re posting here. Someone suggesting something to you is not elitist just because it doesn’t work for you.

I don’t think I’m better than you because I know git or nix, but I do know that in the right circumstances, knowing how to use git or nix is a very valuable tool. I would love to help you solve your problems with these tools if given the opportunity. When a member of the community finds a tool they love, they just want to help others and suggest what worked for them. You really think that’s elitist attitude?

You talked about linux devs not embracing change and then promptly shit on NixOS for not understanding it lol

Lol how funny. I was also very into modding the PSP growing up. I had a couple of Pandora batteries. The only reason I caught onto it was because my name is also Alex haha hello fellow Alex!

… are you the DaX from the PSP modding scene?!

Oh boy I went down this same rabbit hole awhile ago. Here is a git repository that will explain why this happens and also offers a fix on how to modify your IP tables to ensure that docker respects the UFW.

Docker and UFW

Running Plex in a docker container will be your best bet. After installing docker you can run a docker compose file that has your /config folder mapped to a separate location. Here is a sample compose file from the linuxserver.io group, which I highly recommend.

---
services:
  plex:
    image: lscr.io/linuxserver/plex:latest
    container_name: plex
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - VERSION=docker
      - PLEX_CLAIM= #optional
    volumes:
      - /path/to/plex/library:/config
      - /path/to/tvseries:/tv
      - /path/to/movies:/movies
    restart: unless-stopped

Pay special attention to the section marked “volumes” you’ll see the first line is a mapping for the plex config from the host to inside the container. The left side of the “:” is the path as the host sees it, the right side is from inside the container. You can use this compose file in each installation of linux to share your config and watch history as plex will always find it in the /config folder. That’s the beauty of containerization!

That being said I wouldn’t run two containers at the same time. That could have unintended consequences as each may try to write to the same file at the same time. As long as only one instance of plex is using the config at a time you’ll be alright. You can find more info about the compose file here!

If you have any questions, feel free to ask! 😁

It’s really not that hard to use a local account. When it askes for a Microsoft account just hit SHIFT+F10 then type in the command “oobe\bypassnro” and the pc will reboot. Now just don’t let the computer connect to internet, and when it askes for internet hit “I don’t have an internet connection” and then it will let you continue with a local account.

…I admit though… as I typed that out its pretty annoying lol Not hard, but like… just annoying.

35k for a base Kia? Hell naw, I bought a fully loaded 2024 hyundai elentra hybrid for 34k out the door. Base Kia K4 is 22k plus tax title and reg. That’s like almost a third less than what I paid lol

It shouldn’t mess with your current routing but if you’re running other VPNs you may run into issues.

After you join the machines to the tailnet, each machine gets a new IP address ( only visible to other machines in the tailnet), by default it’s a 100.x.y.z you can check the tailnet for the device IP.

Now you can keep the port closed on your router and it will still be accessible over the usual lan ip and port. But when you want to access remotely, turn on tailscale and connect using the tailnet IP.

Another cool thing you can do with this setup is turn your home server into an exit node. By default it will only route things that are in the tailnet (100.x.y.z subnet). But if you turn your home server into an exit node you can funnel all your traffic back through the exit node. Instant free VPN back home!

Here you go friend, enjoy! 😁

https://tailscale.com/blog/how-tailscale-works

Unencrypted HTTP can mean that anyone can see your traffic as it passes through their network. Your ISP will see that traffic. If you’re streaming pirated music and you’re in a country that cares about those things, might not go very well. From a security stand point though, you still wouldn’t want to trust the authentication on the open port. A vulnerability may exist that you don’t know about. It’s always better to keep them closed and add another layer or two between your home computer and the public.

Tailscale let’s you tunnel into your home network without opening any ports, and it encrypts the traffic. Much safer way of doing it.

Go on…

What kinda issues are you having? Most of my problems with Nix are solved with overlays or creating a module. Admittedly, in order to do that you still have to know how to fix your issue the usual linux way. Afterall, Nix is more of an abstraction tool IMO; good for replicating something across a ton if devices. If you don’t need that, there’s other distros that work much better out of the box.

Another tip, please be very careful when exposing ports to the public. With docker you’re already mitigating your attack surfaces but an open port allows anyone to make a connection and there are lots of bots out there looking for open ports and vulnerabilities. A good alternative would be to setup wireguard and instead then connect through that or if you like simplicity check out Tailscale.