https://lm.mlfh.org/u/mlfh
https://lemmy.sdf.org/u/mlfh
https://lemmy.ml/u/mlfh

  • 0 Posts
  • 7 Comments
Joined 2 months ago
Cake day: April 7th, 2026
  • mlfh@lm.mlfh.orgtoSelfhosted@lemmy.worldSelf-hosted Image/Video Gallery Options?English
    7·
    19 days ago

    I run the immich container stack on a vm with 4GiB memory and 2 cores, with db on local disk and external libraries over smb, and it runs perfectly fine. I offload the machine learning jobs to another sometimes-on machine, sometimes, but don’t really need to unless I’m dumping thousands of new images into the external library at a time and want it all to process quickly.

  • mlfh@lm.mlfh.orgtoSelfhosted@lemmy.worldWhy are my VMs ignoring my DHCP server?English
    7·
    20 days ago

    Looks like both of your vms probably have the same mac address - the 172 ip address is likely a self-assigned fallback when the dhcp server replies to the second vm that it can’t give it an address. Double-check and make sure the mac address in each vm’s proxmox network adapter settings match your pfsense dhcp reservations, and let me know if that resolves it.

  • mlfh@lm.mlfh.orgtoPrivacy@lemmy.mlI was a week away from buying a Pixel Pro 10 for GrapheneOSEnglish
    6·
    1 month ago

    From the grapheneos faq section on device support, which details the kinds of hardware and firmware security features required and present on pixels (but may be missing on other devices):

    Hardware, firmware and software specific to devices like drivers play a huge role in the overall security of a device. The goal of the project is not to slightly improve some aspects of insecure devices and supporting a broad set of devices would be directly counter to the values of the project. A lot of the low-level work also ends up being fairly tied to the hardware.
    Non-exhaustive list of requirements for future devices, which are standards met or exceeded by current Pixel devices:

    • Support for using alternate operating systems including full hardware security functionality
    • Complete monthly Android Security Bulletin patches without any regular delays longer than a week for device support code (firmware, drivers and HALs)
    • At least 5 years of updates from launch for device support code with phones (Pixels now have 7) and 7 years with tablets
    • Device support code updated to new monthly, quarterly and yearly releases of AOSP within several months to provide new security improvements (Pixels receive these in the month they’re released)
    • Linux 6.1, 6.6 or 6.12 Generic Kernel Image (GKI) support
    • Hardware accelerated virtualization usable by GrapheneOS (ideally pKVM to match Pixels but another usable implementation may be acceptable)
    • Hardware memory tagging (ARM MTE or equivalent)
    • Hardware-based coarse grained Control Flow Integrity (CFI) for baseline coverage where type-based CFI isn’t used or can’t be deployed (BTI/PAC, CET IBT or equivalent)
    • PXN, SMEP or equivalent
    • PAN, SMAP or equivalent
    • Isolated radios (cellular, Wi-Fi, Bluetooth, NFC, etc.), GPU, SSD, media encode and decode, image processor and other components
    • Support for A/B updates of both the firmware and OS images with automatic rollback if the initial boot fails one or more times
    • Verified boot with rollback protection for firmware
    • Verified boot with rollback protection for the OS (Android Verified Boot)
    • Verified boot key fingerprint for yellow boot state displayed with a secure hash (non-truncated SHA-256 or better)
    • StrongBox keystore provided by secure element
    • Hardware key attestation support for the StrongBox keystore
    • Attest key support for hardware key attestation to provide pinning support
    • Weaver disk encryption key derivation throttling provided by secure element
    • Insider attack resistance for updates to the secure element (Owner user authentication required before updates are accepted)
    • Inline disk encryption acceleration with wrapped key support
    • 64-bit-only device support code
    • Wi-Fi anonymity support including MAC address randomization, probe sequence number randomization and no other leaked identifiers
    • Support for disabling USB data and also USB as a whole at a hardware level in the USB controller
    • Reset attack mitigation for firmware-based boot modes such as fastboot mode zeroing memory left over from the OS and delaying opening up attack surface such as USB functionality until that’s completed
    • Debugging features such as JTAG or serial debugging must be inaccessible while the device is locked
  • mlfh@lm.mlfh.orgtoSelfhosted@lemmy.worldZpool scrub taking days? And HDD issues... Am I cooked?English
    19·
    1 month ago

    You have enough failures on each disk to make me suspect an issue with the usb-connected drive bay. I ran into similar issues with a cheap pci-e sata adapter, where little hiccups and latency in the communication layer would cause zfs to take disks offline randomly. Read, write, and checksum errors would slowly accumulate across all of the disks. Switched that machine to a proper enterprise hba, the issues vanished, and the disks are all healthy 3-4 years later.

  • mlfh@lm.mlfh.orgtoSelfhosted@lemmy.worldHow Do you keep your services updated?English
    28·
    2 months ago

    Everything I run, I deploy and manage with ansible.

    When I’m building out the role/playbook for a new service, I make sure to build in any special upgrade tasks it might have and tag them. When it’s time to run infrastructure-wide updates, I can run my single upgrade playbook and pull in the upgrade tasks for everything everywhere - new packages, container images, git releases, and all the service restart steps to load them.

    It’s more work at the beginning to set the role/playbook up properly, but it makes maintaining everything so much nicer (which I think is vital to keep it all fun and manageable).