

it’s actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.
Just your normal everyday casual software dev. Nothing to see here.
People can share differing opinions without immediately being on the reverse side. Avoid looking at things as black and white. You can like both waffles and pancakes, just like you can hate both waffles and pancakes.
been trying to lower my social presence on services as of late, may go inactive randomly as a result.


it’s actually the recommended way if you use jellyfin, theres a few security/privacy vulnerabilities with publicly exposing the jellyfin server anyway, they are being worked on but, the safest way to do it is just use a vpn regardless.


I’m not sure, I was running 2.7.5 myself but i am not sure what version of immich I started with. I didn’t think this would effect fully docker setups much. I think this would mostly effected people who had configured with a preexisting database. I believe the docker edition with postgres built in upgraded for you awhile back unless you supplied an environment variable telling it to do otherwise.


I personally would never trust a p2p backup solution, even if it supposedly was zero knowledge.
There are some things I would never trust to a decentralized network, and personal files easily hits that metric.
This is of course ignoring the legal nightmare that would cause. Especially for peers that are located within one of the 14 eyes.
A single report for CP or a IP claim would bring cause you a massive headache.
edit: to the person who responded to this, That’s a cool bit of info I wasn’t aware about, I apologize, I’m unable to actually interact with you due to either the name or the symbols I assume? No idea, I can see that a reply was done, and I can see your post in a private tab but, when I sign in the response starts giving an “api unable to respond” error. So I expect there is some form of bug in lemmys software somewhere in processing your name.


you’re welcome, glad it worked for your use case.
Rsync is an insane tool when you look at it, half the flags you wouldn’t even know existed unless you were looking for them.


hey everyone gotta learns somewhere, and defo don’t expect you’ll ever stop learning on this adventure. That’s part of what makes this hobby fun!


is there any reason in particular that you are using both SSHFS and rsync? Rsync supports sftp which runs over an ssh connection via rsync -e ssh source dstUser@dstHost:/path
if you are only using the sshfs system to allow a local ssh directory on your system to use with rsync, you could likely skip that entire part and just use rsync.
LinuxConfig.org has a pretty decent page on it


As an FYI to people who are upgrading and use a preexisting postgres database If you still use pgvecto.rs (if the command \dx on the immich database responds with vectors not vector) you will need to install both pgvector and vectorchord in order to continue using immich. This will require restarting your postgres instance at least once if not twice.
It threw me for a loop at first because of the similar naming. Just thought I would share.


Yea hopefully. I know that short lived certs is currently an additional parameter when requesting, hopefully when the default changes they will have a higher rate limit. That won’t be for quite some time though I expect.


I wasn’t aware of that they managed registered domains the way they do. I may need to reconcider my certificate setup currently, as I currently run a certificate per service because its more secure and looked cleaner, but if they count x.website.com certificates as website.com certificates, its entirely possible that when they switch to short lived certificate defaults I may come close to that rate limit.


If the part is on par with non-Chinese counterparts at a cheaper price, definitely


this right here. If you have immich setup behind a reverse proxy, just route any requests that use the /share/ and /s/ (the custom link version) on the proxy manager to route to the immich instance, and have it 403 on anything else when the request is not via the vpn
Just be aware that immich uses links like share-* as well so be sure to have that trailing / to make it so only shared links and albums can be.
edit: Actually looking into this route further, it looks like immich as a whole needs more than just the /share/ and the /s/ endpoints exposed to function correctly. I will update this in a little when i figured out more on what is actually needed
update: So it seems immich will not support this style setup without quite a bit of hands on. You need to give at minimum /share/, /s/, /_app/ and /api/ in order to actually go this route. and at that point since you’ve given /api/ you’ve essentially publicly opened the instance anyway. While you can go through and individually do each endpoint. It requires access to /api/albums /api/assets and a few other endpoints, these endpoints do seem to need auth or some form of verification tho
for anyone wanting to still go through with it. You can reverse proxy it by allowing the endpoints
The nginx location regex I used for my testing(although not very read friendly) was
location ~ /(api/(server/(config|media-types|features)|shared-links/me|albums/|timeline/(bucket|buckets)|assets/)|(share|s)|_app/){
proxy_pass *immich instance*;
}
note: this was found just by basic testing using NPM on my environment, I may have missed some more specific calls especially regarding videos as I don’t really do any video photography to allow for testing.
Additional note: You may end up confusing your users with the UI though, as since lets you click on the immich banner to get to login, but everything would be blocked. You may just want to use the immich public project that was linked later in this discussion…


If it’s running as root anyway, then I change my statement. No I don’t see any security risk with it. Patchmon is running as root anyway, so no matter what your permissions are on the links or the original sock, as long as it’s smart enough to follow the link it should be fine. Generally symlinks follow the same permission as their target, with the exception of changing its owner with chown or removing it. I.E they are going to almost always just be whatever the permission of the target is. So your /var/run/docker.sock is going to be whatever permissions your /run/user/{userid}/docker.sock is normally and since patchmon is running as the root user, it’s not going to care what permissions are present as root overrides all restrictions/permissions anyway.
I have my concerns that patchmon might try to change docker files while as the root user, which could create files that docker couldn’t read but since it seems to be using the docker sock anyway, I expect it’s just going to operate over the sock which means it would be using dockers built in system which would be using its docker user.


I’m not fully understanding here, are you saying that the symlink is root because root is required to access /var/run or that its root because its required by patchmon.
If its root because the rest of the /var/run is root, is it not on the table to just chown the /var/run/docker.sock symlink to be the userid? since I would assume that patchmon would be running as the docker user anyway since you are running in a rootless environment? I might be misunderstanding.
As long as your permissions to the symlink are in line with the permissions on the original sock, I wouldn’t expect there would be too much risk there. Of course a malicious vector /could/ see that a /var/run/docker.sock exists and try to manipulate it, but, since docker itself isn’t root which means that user executing the symlink isn’t root, I don’t think it would allow for escalation.


Heavy agree with this, and that the source is shown in three locations(duplicate info is all over the page) as well as the heavy push into how fast deploying the software is, when that’s not usually a metric anyone actually cares about as its a one and done setup


Yea but a tag system will allow it to be seen from outside the community. a general requirement in the body of the post of disclosing if AI was used and how I think would go a long way better in the long run, and requires the person to have entered the post and read it first.
I think I’m leaning more towards that style instead. if something interests me I can join it read it and if its AI and I don’t want to see it I can go elsewhere, that requires people to put bare amount of effort instead of just seeing a [AI] tag from all[/active/hot] (idk what the actual lemmy endpoint is I use tess) and being like “oh ai downvote”


the only way they could prevent that was to mandate that disclosure had to be in the post body somewhere and not the title, that way it only appears once someone opens the post. Mostly because some posts are visible from feeds other than subscribed which means that members would see it that are outside of the normal/average visitors here.
Honestly I think i would prefer that. Instead of requiring a tag, require AI disclosure on the project somewhere in the post body.


That way a certain subset of members could just drive-by downvote without getting themselves dirty.
Honestly. I was fully on board with this until you brought that up. Yea that just 180’d my opinion on if it should be tagged significantly.
I don’t want something to be tagged to be able to allow people to mass downvote it or hide it from sight, that’s not productive to anyone. I wanted the tag to be able to filter it out when I didn’t want to see it, but be able to see it if I felt I wanted to. Allowing for mass downvote on it will significantly hinder that.
I want to add on to this comment that there are also users who use clients that hide the ability to downvote if negative scores or downvotes are disabled in the settings (which is fair). Tesseract is one that comes to mind with that restriction, where if downvotes are turned off, your downvote button is removed and the upvote button is replaced with a like/heart button.
Being said, agree I don’t see many low quality posts in the first place. But it would be nice if reports or comments could be included as a way to judge low effort as well,


As others have stated, if your model is able to have the battery removed and have it still run off power, no problem, do so.
You should be using a dedicated UPS for something like that if you’re concerned about power going out , For a power input that a laptop requires, you could very easily find a $30 or $40 one at your closest big box retail store.
If you must keep the battery in it be careful to monitor it. I ran a laptop as a server for almost four years. It does work really nice. But depending on model, they may be prone to having the battery expand if it’s on 24-7. And even if it doesn’t, that battery is going to be shot after two or three years of constant use anyway.
You can mitigate the battery health issue by making sure you have some form of battery management software running where it stops charging the battery once it hits like 80-85%. and allows it to discharge on its own. But realistically using a laptop battery as a backup power source isn’t super recommended.
Plus with a UPS, you could also hook your router and modem/ONT up to it, which means that not only is your laptop going to remain on, but usually your network will remain up as well since communication lines are quite a bit more durable and generally stay alive even if the power goes down
Didn’t he already do this early 20’s and then never update it past the original commit? Or was that only the algorithm.