Do you have specific examples of the “different firewall requirements” ?


I have a custom made ansible role that does what you are asking for. I’ve wanted to clean it up a bit before putting it up on Github, and your post just gave me a motivation to stop procrastinating it :) This was initially made for my own use, and I’m not an Ansible expert so it can have some rough edges, but I tried my best to make it adhere to the Ansible way of doing things (applying the same role to a host twice should be idempotent).
Using this role, I’m able to quickly define wireguard networks, define which peer participates in which network, optionally configure a peer as a router (with NAT and port forwarding) for a given network. For Ansible-managed hosts, it installs wireguard, generates and deploys wireguard configurations, and enables IP forwarding on exit nodes. It can also generate ready-to-deploy wireguard configurations for externally managed hosts.
The repo is at https://github.com/pcouy/ansible-wireguard . I tried giving some instructions in the readme but they may not be detailed enough. If you try it, please open an issue for anything that’s not clear enough from the readme so I can improve it. (I tried making a “Quick start” section for people who never used ansible before)


As someone who teaches CS and grades assignments, the last few years have been really rough. Academic dishonesty has skyrocketed with models becoming smarter and students becoming more dependent on them. Any assignment that’s above average will make me suspicious, and when it appears to be 100% AI generated, the feeling that I spend more time grading than the student spent working on it is awful. Even when I’m almost sure a work is AI generated, unless there are some dumb leftovers such as “As an AI assistant […]”, I can never be 100% sure. This causes me a lot of headaches because the only thing worse than rewarding dishonesty would be not appropriately rewarding an outstanding assignment.
As much as I’d love to have software tell me with 100% certainty which parts (if any) of an assignment are AI written, AI detectors are all snake oil, no exception. They exploit teachers’ helplessness to make false promises that we really want to believe in.
Moreover, I don’t think fully banning AI use is a sensible thing to do. LLMs are a thing, whether we like them or not, and using them in a sensible way is a useful skill to learn. There’s one big issue though: on one hand, assignments are made so that the problems students have to solve all have well-known solutions. This is required to make sure the assignment is doable in the first place, and that teachers will be able to help. On the other hand, LLMs are disproportionately good at classic assignment problems since there are so many published solutions online (which then end up in training datasets). Moreover, assignments are usually made to guide students through a larger problem by breaking it down into smaller problems, which is basically the perfect prompt for an LLM. This means students can get away with the laziest uses of LLMs (which usually won’t work with real world problems). In the worst cases, the only “skill” some students learn is to throw a PDF at whatever AI they paid for, ask it to solve the assignment, and copy-paste the output without thoroughly reading it first.
Teachers clearly need to adapt. There will always be a few students who fail to learn in every class, but when so many students don’t learn, it’s the teacher who is failing to teach.
I did something similar for digitizing old camcorder family videos. I hooked up a VCR through a cheap elgato RCA -> USB capture card to my home server, and did something similar to you with a preview feed available on my LAN.
I even built a (really ugly) web UI which lets me pick an audio and video source, start the preview stream and display it in the browser without actually starting the capture, then start/stop the capture, edit the ffmpeg flags, and set the output file name. I can share it with you if you are interested.


We actually moved recently from GPLv3 to MIT to be fully permissive.
Can you explain how this is a good thing for users? From my own (admittedly limited) understanding of licenses, the main difference between GPL and MIT is that MIT allows free-riding off open source projects by making closed-source forks.


The fact that OP only ever posts or comments about this software bothers me a lot more than them using AI (which is usually a bad sign, but if they know what they are doing, it is possible that they used AI in a sensible way. I have not looked at the code though).


I always love seeing “quirky” innovations.
I say quirky as in “there’s already an established way of doing it that everyone is using, but I’m gonna build my own totally different thing”, similar to how Linus created Git because the established way was not good enough for his taste. Who knows, graph-based UIs for chats might be the next big thing!
Sadly, the network effect makes it hard to have people adopt a new messenger (I can’t even get relatives to move to Signal…). I wish Matrix wasn’t such a pain to make clients for. If your graph UI was able to show me all my conversations across all my Matrix rooms and bridges, I’d be using it for sure.


A few years ago I deleted my whole home folder by bind-mounting it inside a chroot. When I was done with the chroot, I rm -rf-ed it without unmounting my home first.


I have it installed for when I need something closer to a computer keyboard on my phone.


After trying to run postmarketOS on an old phone of mine, I’m really excited for anything that improves support for Android devices in mainline Linux!
I usually have Debian on all my servers for stability, and run almost everything inside containers for convenience. The few things that run directly in Debian are nginx for reverse proxying to container services, fail2ban+firewall, and wireguard for everything that moves data between servers/computers/devices I own.
Debian is already notoriously lagging behind latest package versions (that’s how they make it so stable: they freeze all package versions when they release a new version of Debian, and only backport security fixes).
Either your AI was trained before Debian 13 came out, or it is giving you really bad advice. I can’t think of a single good reason to use an older Debian for a fresh install…
What’s failed about their newest release?


I’ve been in a similar situation, and I’m also blocking large ranges of IP addresses in addition to running Anubis in front of my most scraped services (Git/forgejo and Lemmy)
I came up with a hacky Python script that watches my fail2ban logs, counts bans for IP ranges going from /28 to /8, applies some heuristics (based on range size n and how offending IPs are split between the 2 /(n+1) subranges) I came up with to detect ranges that should be blocked, then issues a log line that is picked up by fail2ban to manage bans of increasing length on recidive.
It’s quite contrived and I often fear it will be too aggressive and block something I rely on, but it has been working really well in my experience.
It will initially block a lot of small ranges, but over time the ranges will grow larger. Smaller ranges having a lower threshold helps it block only the narrowest ranges needed, which gives some time for larger ranges that contain them to drop out of fail2ban’s watchlist.
I should clean up this mess and make it a git repo, maybe even try to have it merged in fail2ban.
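One way to implement the range-aggregation heuristic described in that comment, as an added example (Python, written here; it is not the commenter’s script). The threshold formula, the “minority half holds at least a quarter of the offenders” split rule, the skipping of already-covered IPs and the log-line format are all assumptions, and the banned addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of addresses fail2ban has banned (documentation ranges, not real offenders).
BANNED = [
    "203.0.113.1", "203.0.113.2", "203.0.113.5", "203.0.113.9",    # 4 in 203.0.113.0/28, spread over both /29 halves
    "203.0.113.17", "203.0.113.18", "203.0.113.25",                # 3 in 203.0.113.16/28: below the /28 bar
    "198.51.100.3", "198.51.100.30", "198.51.100.70", "198.51.100.100",      # 8 scattered across
    "198.51.100.140", "198.51.100.170", "198.51.100.200", "198.51.100.250",  # 198.51.100.0/24
]

def threshold(prefix: int) -> int:
    """Assumed rule: distinct offenders needed to block a /prefix; wider range, higher bar.
    /28 -> 4, /24 -> 8, /16 -> 16, /8 -> 24."""
    return 32 - prefix

def ranges_to_block(banned, narrowest=28, widest=8):
    """Walk prefix lengths from /narrowest to /widest and return the ranges to ban."""
    offenders = {ipaddress.ip_address(a) for a in banned}
    chosen = []
    for prefix in range(narrowest, widest - 1, -1):
        groups = defaultdict(set)
        for ip in offenders:
            # Offenders inside a narrower range chosen earlier no longer count, which
            # stands in for banned IPs ageing out of fail2ban's watchlist over time.
            if any(ip in net for net in chosen):
                continue
            groups[ipaddress.ip_interface(f"{ip}/{prefix}").network].add(ip)
        for net, members in groups.items():
            if len(members) < threshold(prefix):
                continue
            lower, upper = net.subnets(prefixlen_diff=1)
            in_lower = sum(ip in lower for ip in members)
            in_upper = len(members) - in_lower
            # Split heuristic (assumed form): unless this is the narrowest prefix considered,
            # the minority /(n+1) half must hold at least a quarter of the offenders,
            # so one stray IP on the other side cannot justify widening the block.
            if prefix != narrowest and min(in_lower, in_upper) * 4 < len(members):
                continue
            chosen.append(net)
    return chosen

def ban_log_line(net) -> str:
    """Line in a made-up format that a custom fail2ban filter could be written to match."""
    return f"rangeban: blocking {net} ({net.num_addresses} addresses)"

if __name__ == "__main__":
    for net in ranges_to_block(BANNED):
        print(ban_log_line(net))
```

With the sample input the first /28 is blocked on its own, while the eight scattered addresses in 198.51.100.0/24 never meet a narrower threshold and are only caught once the walk reaches /24.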
I think your post is missing a link


The ISP would only see “encrypted video call”-like traffic between you and the people who connect to Tor through your snowflake.


How/why would a VPN be useful for this?


This lets people use your computer as an entry point into the Tor network and camouflage the traffic as a video call between you and them (if the regular, publicly known, entry nodes are blocked by their ISP or government). The snowflake extension will then forward people’s traffic through the Tor network, and services they use will only see a Tor exit node’s IP, not yours. As long as you trust Tor to be secure and anonymous (I personally have very high trust in its guarantees), you don’t have to worry about legal consequences or being blocked by services.
I used to run a few (public) Tor relays (entry or middle nodes, not exit ones), including one from my home network and IP. Never had any issue except for one service which blocked everything that had anything to do with Tor. I reached out to their admin, who claimed Tor users can show up with any node’s IP (which they definitely can’t, only exit nodes will forward traffic to the regular internet).


I don’t know about other homeserver implementations but synapse kinda sucks. It used to randomly eat 100% of 1 or 2 CPU cores (including the database) until I tracked it down to 3 rooms having a messed up state which caused costly SQL queries. I removed the rooms from my server (using a third party admin panel because there’s no proper admin GUI built in, the documentation just mentions curl commands to hit the admin API, with placeholders to manually replace). It has been fine since I did it, but I’m the only user on my server. And I expect other issues to come up at any time…
It also eats a lot of storage, mostly the database. It grew very large quickly, but it’s more stable now.
The ansible role I made does not cover this. If you make a server an exit node for a network, the server gets configured to forward everything that comes from the wireguard network. Since my use case does not need this, I don’t think I’ll add it, but the role could be expanded to support ACLs by taking inspiration from how it deals with port forwarding.