cross-posted from: https://lemmy.world/post/23071801

Considering a lot of people here are self-hosting both private stuff, like a NAS and also some other is public like websites and whatnot, how do you approach segmentation in the context of virtual machines versus dedicated machines?

This is generally how I see the community action on this:

Scenario 1: Fully Isolated Machine for Public Stuff

Two servers one for the internal stuff (NAS) and another for the public stuff totally isolated from your LAN (websites, email etc). Preferably with a public IP that is not the same as your LAN and the traffic to that machines doesn't go through your main router. Eg. a switch between the ISP ONT and your router that also has a cable connected for the isolated machine. This way the machine is completely isolated from your network and not dependent on it.

Scenario 2: Single server with VM exposed

A single server hosting two VMs, one to host a NAS along with a few internal services running in containers, and another to host publicly exposed websites. Each website could have its own container inside the VM for added isolation, with a reverse proxy container managing traffic.

For networking, I typically see two main options:

• Option A: Completely isolate the "public-facing" VM from the internal network by using a dedicated NIC in passthrough mode for the VM;
• Option B: Use a switch to deliver two VLANs to the host—one for the internal network and one for public internet access. In this scenario, the host would have two VLAN-tagged interfaces (e.g., eth0.X) and bridge one of them with the "public" VM’s network interface. Here’s a diagram for reference: https://ibb.co/PTkQVBF

In the second option, a firewall would run inside the "public" VM to drop all inbound except for http traffic. The host would simply act as a bridge and would not participate in the network in any way.

Scenario 3: Exposed VM on a Windows/Linux Desktop Host

Windows/Linux desktop machine that runs KVM/VirtualBox/VMware to host a VM that is directly exposed to the internet with its own public IP assigned by the ISP. In this setup, a dedicated NIC would be passed through to the VM for isolation.

The host OS would be used as a personal desktop and contain sensitive information.

Scenario 4: Dual-Boot Between Desktop and Server

A dual-boot setup where the user switches between a OS for daily usage and another for hosting stuff when needed (with a public IP assigned by the ISP). The machine would have a single Ethernet interface and the user would manually switch network cables between: a) the router (NAT/internal network) when running the "personal" OS and b) a direct connection to the switch (and ISP) when running the "public/hosting" OS.

For increased security, each OS would be installed on a separate NVMe drive, and the "personal" one would use TPM with full disk encryption to protect sensitive data. If the "public/hosting" system were compromised.

The theory here is that, if properly done, the TPM doesn't release the keys to decrypt the "personal" disk OS when the user is booted into the "public/hosting" OS.

People also seem to combine both scenarios with Cloudflare tunnels or reverse proxies on cheap VPS.

---

What's your approach / paranoia level :D

Do you think using separate physical machines is really the only sensible way to go? How likely do you think VM escape attacks and VLAN hopping or other networking-based attacks are?

Let's discuss how secure these setups are, what pitfalls one should watch out for on each one, and what considerations need to be addressed.

Considering a lot of people here are self-hosting both private stuff, like a NAS and also some other is public like websites and whatnot, how do you approach segmentation in the context of virtual machines versus dedicated machines?

This is generally how I see the community action on this:

Scenario 1: Air-gapped, fully Isolated Machine for Public Stuff

Two servers one for the internal stuff (NAS) and another for the public stuff totally isolated from your LAN (websites, email etc). Preferably with a public IP that is not the same as your LAN and the traffic to that machines doesn't go through your main router. Eg. a switch between the ISP ONT and your router that also has a cable connected for the isolated machine. This way the machine is completely isolated from your network and not dependent on it.

Scenario 2: Single server with VM exposed

A single server hosting two VMs, one to host a NAS along with a few internal services running in containers, and another to host publicly exposed websites. Each website could have its own container inside the VM for added isolation, with a reverse proxy container managing traffic.

For networking, I typically see two main options:

• Option A: Completely isolate the "public-facing" VM from the internal network by using a dedicated NIC in passthrough mode for the VM;
• Option B: Use a switch to deliver two VLANs to the host—one for the internal network and one for public internet access. In this scenario, the host would have two VLAN-tagged interfaces (e.g., eth0.X) and bridge one of them with the "public" VM’s network interface. Here’s a diagram for reference: https://ibb.co/PTkQVBF

In the second option, a firewall would run inside the "public" VM to drop all inbound except for http traffic. The host would simply act as a bridge and would not participate in the network in any way.

Scenario 3: Exposed VM on a Windows/Linux Desktop Host

Windows/Linux desktop machine that runs KVM/VirtualBox/VMware to host a VM that is directly exposed to the internet with its own public IP assigned by the ISP. In this setup, a dedicated NIC would be passed through to the VM for isolation.

The host OS would be used as a personal desktop and contain sensitive information.

Scenario 4: Dual-Boot Between Desktop and Server

A dual-boot setup where the user switches between a OS for daily usage and another for hosting stuff when needed (with a public IP assigned by the ISP). The machine would have a single Ethernet interface and the user would manually switch network cables between: a) the router (NAT/internal network) when running the "personal" OS and b) a direct connection to the switch (and ISP) when running the "public/hosting" OS.

For increased security, each OS would be installed on a separate NVMe drive, and the "personal" one would use TPM with full disk encryption to protect sensitive data. If the "public/hosting" system were compromised.

The theory here is that, if properly done, the TPM doesn't release the keys to decrypt the "personal" disk OS when the user is booted into the "public/hosting" OS.

People also seem to combine both scenarios with Cloudflare tunnels or reverse proxies on cheap VPS.

What's your approach / paranoia level :D

Do you think using separate physical machines is really the only sensible way to go? How likely do you think VM escape attacks and VLAN hopping or other networking-based attacks are?

Let's discuss how secure these setups are, what pitfalls one should watch out for on each one, and what considerations need to be addressed.

cross-posted from: https://lemmy.world/post/21563379

Hello,

I'm looking for a high resolution image of the PAL cover from the Dreamcast (I believe).

There was this website covergalaxy that used it have in 2382x2382 but all the content seems to be gone. Here's the cache https://ibb.co/nRMhjgw . Internet archive doesn't have it.

Much appreciated!

Hello,

I'm looking for a high resolution image of the PAL cover from the Dreamcast (I believe).

There was this website covergalaxy that used it have in 2382x2382 but all the content seems to be gone. Here's the cache https://ibb.co/nRMhjgw . Internet archive doesn't have it.

Much appreciated!

The most severe restrictions to the general public are imposed within a 20-mile (32 km) radius of the Green Bank Observatory.[5] The Observatory polices the area actively for devices emitting excessive electromagnetic radiation such as microwave ovens, Wi-Fi access points and faulty electrical equipment and request citizens discontinue their usage. It does not have enforcement power[6] (although the FCC can impose a fine of $50 on violators[7]), but will work with residents to find solutions.

As a middle ground, we could implement a solution for the bottom tier: small to medium sites and blogs. These sites don’t necessarily need a full-fledged MySQL database.

SQLite seems to be the perfect fit:

• It is the most widely used database worldwide
• It is cross-platform and can run on any device
• It is included by default on all PHP installations (unless explicitly disabled)
• WordPress’s minimum requirements would be a simple PHP server, without the need for a separate database server.
• SQLite support enables lower hosting costs, decreases energy consumption, and lowers performance costs on lower-end servers.

What would the benefits of SQLite be?

Officially supporting SQLite in WordPress could have many benefits. Some notable ones would include:

• Increased performance on lower-end servers and environments.
• Potential for WordPress growth in markets where we did not have access due to the system’s requirements.
• Potential for growth in the hosting market using installation “scenarios”.
• Reduced energy consumption – increased sustainability for the WordPress project.
• Further WordPress’s mission to “democratize publishing” for everyone.
• Easier to contribute to WordPress – download the files and run the built-in PHP server without any other setup required.
• Easier to use automated tests suite.
• Sites can be “portable” and self-contained.

Source and other links:

• https://make.wordpress.org/core/2022/09/12/lets-make-wordpress-officially-support-sqlite/
• https://make.wordpress.org/performance/roadmap-2023/#category-database-optimization
• https://wordpress.org/plugins/sqlite-database-integration/

New GNOME dialog on the right:

Apple's dialog:

They say GNOME isn't a copy of macOS but with time it has been getting really close. I don't think this is a bad thing however they should just admit it and then put some real effort into cloning macOS instead of the crap they're making right now.

Here's the thing: Apple's design you'll find that they carefully included an extra margin between the "Don't Save" and "Cancel" buttons. This avoid accidental clicks on the wrong button so that people don't lose their work when they just want to click "Cancel".

So much for the GNOME, vision and their expert usability team :P

Hi,

Is there anyone using Amcrest IP4M-1041B with Home Assistant? I've a few questions about software and integration.

1. From what I hear, this camera can be setup 100% offline, connected via cable to any computer and by using a built in WebUI the camera has, is this true?

2. It offers pan, tilt or zoom. Does it work really good with HA? Can it be operated without any Amcrest software / internet connection?

3. The features above allow you to set preset locations, can that be done on HA / WebUI / without the Amcrest app as well?

4. Does it really operate all features offline and is it reliable? Eg. motion detection works as expected / doesn't miss events?

5. What's your overall experience with the camera? Does it compare to let's say a TP-Link tapo?

Thank you.

cross-posted from: https://lemmy.world/post/14398634

Unfortunately I was proven to be right about Riley Testut. He's yet another greedy person barely batter than Apple. After bitching to Apple to remove GBA4iOS from the App Store he's now leveraging Delta to force people into his AltStore.

Delta has finally made its way to the App Store. Additionally, the Delta developer has also published their alternative marketplace, AltStore, in the EU today.

If you're in the EU you'll only be able to get Delta on the AltStore and that requires:

This is complete bullshit he could've just launched Delta on the App Store in Europe as well but he decided not to.

Thanks Riley Testut for being a dick to the people that actually forced Apple into allowing alternative app stores in the first place.

---

Github issue related to this dick move: https://github.com/rileytestut/Delta/issues/292

cross-posted from: https://lemmy.world/post/14398634

Unfortunately I was proven to be right about Riley Testut. He's yet another greedy person barely batter than Apple. After bitching to Apple to remove GBA4iOS from the App Store he's now leveraging Delta to force people into his AltStore.

Delta has finally made its way to the App Store. Additionally, the Delta developer has also published their alternative marketplace, AltStore, in the EU today.

If you're in the EU you'll only be able to get Delta on the AltStore and that requires:

This is complete bullshit he could've just launched Delta on the App Store in Europe as well but he decided not to.

Thanks Riley Testut for being a dick to the people that actually forced Apple into allowing alternative app stores in the first place.

---

Github issue related to this dick move: https://github.com/rileytestut/Delta/issues/292

Unfortunately I was proven to be right about Riley Testut. He's yet another greedy person barely batter than Apple. After removed to Apple to remove GBA4iOS from the App Store he's now leveraging Delta to force people into his AltStore.

Delta has finally made its way to the App Store. Additionally, the Delta developer has also published their alternative marketplace, AltStore, in the EU today.

If you're in the EU you'll only be able to get Delta on the AltStore and that requires:

This is complete bullshit he could've just launched Delta on the App Store in Europe as well but he decided not to.

Thanks Riley Testut for being a dick to the people that actually forced Apple into allowing alternative app stores in the first place.

Github issue related to this dick move: https://github.com/rileytestut/Delta/issues/292

Here's my take:

The domain aftermarket has a big problem... it exists. This market shouldn't ever be allowed to exist in the first place. ICANN should've blocked this bullshit a long time ago and forced registrars to just let domains expire and free the space. Also add a few provisions about unused domain names and about selling them.