Sure. I do run some things on the host, but I do default to containers unless I have a good reason to avoid them. Containers make it really easy to move to a new piece of hardware, and I want my disaster recovery process to be as close to:

1. set up new device
2. restore data
3. copy down container configs
4. start containers

Some UPSs communicate over the network, and if that’s what you have, containers are a fantastic solution. If you have a USB or serial (??) one, then yeah, maybe the host will give less trouble, just make sure to not forget to document the setup and config.

all new posts and comments inside that community will be mirrored to your instance

And that’s my biggest issue w/ Lemmy. It seems to scale okay, provided you have enough users to make all that traffic worthwhile. However, I’m unlikely to actually self-host since I really don’t want a copy of literally everything I sub to. Ideally, I could host my own authentication server and only the communities I host (which would probably be 0), and I’d just fetch whatever I needed from wherever it’s hosted.

What problems?

A VM certainly seems like overkill, but a simple podman container should be pretty problem-free.

I’m considering it. Our storage needs are modest (8TB capacity, 2-3TB stored), our HDDs are getting long in the tooth, and I want to downsize so it can fit under my bed and plug directly into the router (it’s currently connecting over wifi). So something relatively inexpensive could convince me to switch.

PCIe 3.0 is 1 GB/s per lane. So nothing life changing, but still reasonably fast (way faster a HDD). If you rarely need swap, you should be fine for the few times you do.

Sure. I just don’t see myself needing more than 8GB RAM, especially w/ fast NVMe drives as swap. It’s a simple NAS running Jellyfin (max 1-2 clients) and a handful of other services.

If I need more RAM, chances are I’ll also need more CPU as well, in which case a larger upgrade is in order. If I truly only need more RAM, I could pretty easily move some services to an SBC like a Raspberry Pi.

It’s certainly a bummer, but not a deal breaker. If the price is right and I can find inexpensive enough NVMe drives, I can compromise a bit on RAM.

Yeah, my NAS uses 3GB out of my 16GB total. I don’t think I’ve ever seen it use more than 5GB.

Eh, 12GB is plenty for me. I’m currently using ~3GB out of 16GB, so I’m nowhere close to that cap. My NAS really doesn’t do much.

I’ve been on the lookout for a quiet, inexpensive NAS that I can put under my bed and forget about. I currently have 2x8TB in a mirror, and I’m only using 2-3TB.

In fact, I might even feel comfortable eliminating the RAID w/ SSDs once I clean up our backup strategy (yes, RAID isn’t a backup, I know and I feel bad).

My current nas sucks down about 120-140w 24/7, so…

Ouch. I’m around 50W, and my HW isn’t anything special: Ryzen 1700 + 2 HDDs + 1 SSD.

🤦‍♂️

Oh man, that’s exactly the cultural thing I’m talking about. Thanks!

adds to its security and ease of handling

PHP… security?

Any security you get from running as a separate process/thread is undermined by sloppy language semantics and standard library. The built-in “mysql_” library was atrocious and stayed in the standard library for years (removed in 7.0, ~10 years after the previous release). Errors at least used to be really inconsistently communicated (sometimes need to call another function to check error status, sometimes returns 0 or - 1, sometimes raises exceptions). Types are pretty loose and subtly change type (e.g. when an int overflows, it becomes a float?). Variables spring into existence when you use them, so no warning about typos, shadowing, etc.

The language wasn’t really designed, it evolved from a simple templating engine to a full fledged language, and it cleaned up a little along the way. But a lot of the old cruft still remains.

super fast and easy to setup and get going

Yeah, that was always the goal. All you need is a webserver and a directory of scripts and you’re golden.

But lowering the barrier to entry comes with costs. It encourages people to just copy and paste crap until it works, I know because that’s exactly what I did when I first used PHP (JS w/ jQuery is the same way). This encourages a “just get it working” mindset instead of actually understanding what’s going on.

You can certainly write good PHP code, my point is that it actively encourages cludgy code, which means security holes, and the best example is the language and standard library themselves.

Web sockets work just fine

Do they? I assume they hog a whole process/thread for themselves instead of being efficiently managed in something with proper async tooling, so it sounds like it would scale horribly. What happens if you have a million open websockets?

They did an audit and found issues? Great, I applaud people searching and finding issues. Shall we do the same for Rust, go, or chuckle JavaScript?

Yes. I would be very surprised if Go or Rust yield even a fraction of the vulnerabilities as PHP. Even if we expand the scope a bit to a full-fledged web server framework. And that’s with all the server bits, while PHP only worries about its standard library.

I’ve used each of those languages. I’ve built sites in PHP, Go, and Rust, as well as Python and JavaScript (nodejs). PHP is by far the jankiest, and that’s including all the footguns w/ Go’s concurrency model.

Never point your DNS at two different IP addresses like this. It will only cause you pain and unexpected behaviour.

Why?

I have a similar setup, but to add to the problem, I’m also behind CGNAT. Here’s my setup:

• LAN - 192.168… addresses
• WAN - 10… address from ISP
• VPS - public address

To access my LAN from outside, I have a WireGuard tunnel to my VPS.

The address my DNS resolves to is absolutely unrelated to any addresses my router understands. So to prevent traffic to my locally hosted resources from leaving my LAN, I need my DNS to resolve to local addresses. So I configured static DNS entries on my router to point to local addresses, and I have DHCP provide my router as the primary DNS source and something else as a backup.

This works really well, and TLS works as expected both on my LAN and from outside my LAN. The issue OP is seeing is probably with a non-configured device somewhere that’s not querying the local DNS server.

Yeah, NextCloud doesn’t follow ideal containerization style, but they do have an FPM package, so I can co figure PHP FPM separately from the web server, which is separate from my Collabora container. I don’t use the AIO image so I can control each piece separately.

PHP isn’t complex, you just need a webserver (nginx, Apache, etc) and PHP. That’s one process (webserver) that runs a few child processes (PHP scripts). When using PHP fpm, use two containers.

Each container should run one process. Each container can run whatever base you want. If you want a newer PHP on an older image, go for it! Nobody is forcing you to use the repo version of PHP, you can install it separately. More complexity should mean more containers, not more complex containers.

SSH tunneling is absolutely amazing, glad you figured it out.

We had a similar issue at work. Basically, we had a corporate laptop (Windows) that we couldn’t install anything to, and we needed to set up local development against a service running on the laptop. But since we couldn’t actually install anything w/o going through the IT dept (nobody wants to do that), I remembered that they had gotten git installed, and that comes w/ a shell which has SSH available. So I used that to SSH tunnel to the dev laptop (running macOS) and they were able to continue working.

SSH tunnels are a fantastic tool to have in your toolbox. :)

Someone who strongly associates with barbaric beliefs is less likely to want to spend their spare time working in peace for all, and more likely to be wanting to work on software that at least in some way carries or represents those beliefs, for example in capturing and using user data, or in aiding systems used by the military to kill children of “non-citizens”. So being “absolutely” uncaring does not really make sense.

Let’s look at Linux, for example, which is perhaps the most successful FOSS project in the world. It takes contributions from people of a wide range of motivations, such as:

• hardware vendors who just want their stuff to work
• intelligence agencies, who want stable systems to spy on people
• hacking groups that want low level control to facilitate exploits
• militaries that want reliable guidance systems to bomb women and children abroad
• freedom fighters who need top security to protect themselves from repressive governments
• free software advocates who believe computing should be accessible to all
• ad agencies that need a scalable solution to push their dark patterns more efficiently
• IT pros building a career on maintaining complex systems

And so on. The net result is a solid, general purpose kernel and a rich ecosystem of supported software. All Linux did was focus on technical details and largely ignore the source.

In the words of Linus Torvalds:

With enough eyeballs, all bugs are shallow.

Does it really matter who those eyeballs belong to? Yes, we should be careful about malicious intent (e.g. xz scandal), but that’s a technical problem, not a political or cultural one.

At the end of the day, everyone is free to associate or not associate with any groups they want. If you’re a maintainer, that means you get to decide which contributions you accept and who you let into your communication channels.

I use software maintained by people I really don’t like, such as:

• GrapheneOS - lead dev is a giant pain to deal with
• Lemmy - both lead devs have extreme political views that I strongly disagree with and find dangerous
• Brave - CEO’s political views are distasteful, to put it mildly
• Tor - pretty sure it’s largely maintained by spooks and militaries (at least it started that way)
• React web framework - developed and maintained by Meta, whom I actively avoid and refuse to do business with

I’ve also contributed patches to some of those as well. Why? Because the technical merits of those protects is pretty much all that matters. If the maintainers go off the deepend and piss people off, I or someone else can fork it. That happened with various OpenOffice (LibreOffice), ownCloud (NextCloud and OpenCloud), and now Redis (Valley), though those had more to do with licensing changes than technical project direction.

That’s why I’m concerned when projects put non-technical concerns (say, a COC) above technical concerns. Yes, civility is expected, and enforcement of that is a lot easier when the project focuses primarily if not exclusively on technical concerns.

Sorry, I used “real-time” fairly loosely. I didn’t mean it in the sense of a real-time OS (hard deadlines), more in the sense of “fast updates” (like a chat server). Go is great if you want very low latency in a highly concurrent system since task-switching is so lightweight.

Looks like it’s the new default in OpenCloud.

They didn’t son win either, the dispute is ongoing.