Hacker News: ggpsv's comments

That is what I ended up doing; I wrote a blog post about it some months ago [0].

The gist of it is using private DNS and exposing services only on the private network. Implementation details can vary: you decide whether to use Tailscale or bare WireGuard, and any reverse proxy and DNS server will do. In my case, I use Tailscale, NextDNS, and Caddy.

[0]: https://garrido.io/notes/tailscale-nextdns-custom-domains/


If you don't, can you expand on how you're doing this? Is it simply backing up the Thunderbird profile?


I rsync the files in the directory where I told Thunderbird to store all the folders and associated data. I restore it any time I rebuild my OS, also with rsync. That backup goes to a NAS, which then gets backed up to multiple external SSD/NVMe drives, and one of those goes in my vehicle as a low-effort off-site backup.


Every case is different, but as a baseline, you could use Ubuntu or Debian for automatic security upgrades via unattended-upgrades [0], harden SSH by allowing only pubkey authentication, and disallow all public incoming connections in the firewall except for HTTPS traffic if you're serving a public service. Everything else (SSH, etc.) can go over WireGuard (Tailscale makes this easy). Use a webserver like nginx or Caddy for TLS termination, serving static assets, and proxying requests to an application listening on localhost or WireGuard.

[0]: https://wiki.debian.org/UnattendedUpgrades


Fedora has worked flawlessly for me.


After years on Ubuntu, then Arch, I also just recently discovered Fedora as a well-polished alternative.

I do love the Arch community. But I feel less motivation to tinker nowadays, and Fedora has been a pretty nice works-out-of-the-box experience so far.


I set up Fedora for family but I still use Arch myself, because there is no good alternative to AUR on Fedora and there are more packages that I need for software development.

Sometimes Arch saves so much time that even the infrequent necessary manual maintenance after updates makes it worth it.

And even when trying to run stuff on distros other than Arch, I frequently look up instructions on the Arch Wiki and in AUR PKGBUILDs.


I'm using Nix package manager on Fedora and it's OK.


As I found out myself, there is almost no tinkering involved once you get the initial Arch setup done. Just update once a week. Fedora repos have considerably fewer packages than Arch or Debian. For some reason Red Hat land has always been off-putting for me. SELinux, dropping Docker in favor of Podman, and the CentOS debacle are just a few things that make me look elsewhere. I'm glad you found your sweet spot though. Just friendly banter from a fellow Linux user.


Fedora was almost required on the AMD Framework for a while, because the hardware was brand new and Debian was too old. Now that Mint is updated, I'd recommend taking Fedora or Mint with Cinnamon.

Beware, I just realized my AMD does not support S3 sleep. Too late to return.


Mint was the worst experience for me. The trackpad acceleration curves are bad and there's no easy configuration for it. I was willing to either toy with sliders or copy an already tuned config into a file. But the best I found was how to go into a config file and disable the acceleration entirely.


Can you elaborate on how age (and the downstream packages) has made a difference in your workflows?


With agenix, you can encrypt your secrets, such as API keys, and have them stored in your git repo alongside the system configuration (which in NixOS is just a bunch of text files). Then you only need to provision the server with the ed25519 private key corresponding to the pubkey the files were encrypted with, and agenix will automatically decrypt the files on boot and place them in /run/agenix, with the specified access permissions.


So you still need a secret when provisioning, and you need to handle change management for that and store it securely outside of the git repo. And agenix did not change that workflow, or did it?


Yes and no.

I only need to care about my SSH key(s). Which I had to anyway. But now the secrets for all the services (except SSH) lie right beside their config. Any change in one or the other is directly visible in git log.

In short, age cut down on the number and types of secrets that I have to manage out of band. Which is very good. It's always easier to be able to remember 2 things (config + SSH keys) than 2+n things (config + SSH keys + whatever secret mechanism any service uses, times number of services).


You could also include SSH keys as public secrets.

https://github.com/Foxboron/ssh-tpm-agent


So like SOPS, but specific to nix somehow? What is the advantage of the nixy integration here vs the universality of SOPS? Better native integration with NixOS?


To clarify maybe, NixOS puts all configuration and program files it handles in a world-readable object store on disk. If you want to manage secrets on NixOS securely, you have two choices:

- Manage it out of band. That negates all of the benefits of NixOS, at least for those files. (I.e. you would need additional deployment steps, rollback wouldn't work, you would have to stop and migrate system services that depend on those secrets yourself, etc.)

- Encrypt it and only decrypt it on activation (which happens when switching to a new config or on boot). agenix and nix-sops (the premier SOPS/NixOS integration) are two libraries that you can include in your config to do that. With this, the world-readable store only contains encrypted secrets.

Of course with #2 you still have to manage your private keys (age or whatever SOPS uses) out-of-band but that is significantly less work since those aren't expected to change nearly as much. You can also generally decouple that from your day-to-day deployment workflow.
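As an added illustration of option #2 (encrypt in the repo, decrypt on activation) from this comment and the earlier agenix comment, here is a NixOS module fragment. It is not the commenters' own configuration: the agenix options (age.identityPaths, age.secrets.*.file/owner/group/mode/path) are real, while the service, user and file names are placeholders.

```nix
# configuration.nix fragment (constructed example). Assumes the agenix module
# is imported and that secrets/api-key.age was encrypted with `agenix -e` to
# the host's SSH ed25519 public key listed in secrets/secrets.nix.
{ config, pkgs, ... }:
{
  # The host key is the only decryption identity provisioned out of band.
  # It lives in /etc, not in the world-readable /nix/store.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Only the ciphertext enters the Nix store. On activation (boot or
  # nixos-rebuild switch) agenix decrypts it to /run/agenix/api-key
  # with exactly these ownership and mode bits.
  age.secrets.api-key = {
    file  = ./secrets/api-key.age;   # committed to git next to this file
    owner = "myservice";             # placeholder service account
    group = "myservice";
    mode  = "0400";
  };

  users.users.myservice = { isSystemUser = true; group = "myservice"; };
  users.groups.myservice = { };

  # The unit references the runtime path, never the plaintext, so the
  # secret stays out of the unit file (which is itself in the store).
  systemd.services.myservice = {
    wantedBy = [ "multi-user.target" ];
    after    = [ "network.target" ];
    serviceConfig = {
      User  = "myservice";
      Group = "myservice";
      ExecStart = "${pkgs.writeShellScript "myservice" ''
        API_KEY="$(cat ${config.age.secrets.api-key.path})"
        export API_KEY
        exec ${pkgs.coreutils}/bin/sleep infinity  # placeholder daemon
      ''}";
    };
  };
}
```

Rotating the key is a git commit (re-encrypt with `agenix -e`, rebuild); only a replaced host key would require touching the machine out of band.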


I see. So you do need one of these libraries if you want to do things The Nix Way with secrets.


Similar to sops in a sense that both allow encryption/decryption with SSH keys.

In terms of NixOS integration, both are on equal footing.

I'm just unfond of yaml is all.


I use git-crypt for this, and love it.


This is not the only way. See Vienna's public housing system as an example of what else can be done.


That is how it actually works in Spain. You must present the contract when you legally register as a citizen in the city's town hall.

That doesn't stop people from circumventing this requirement, on either side of the contract.


Thanks for that info! So why is this such a big problem? Is it just that the government doesn't want to trust its own records? If people are bypassing the law, I would think it reasonable to allow the consequences to transpire, e.g. being evicted if you don't have a written contract.


As mentioned in other comments by Spaniards weighing in, it's not really a big problem, as in, that's happening all the time. It is a multi-faceted issue, and for some, a philosophical standpoint stemming from the economic crisis, gentrification and speculation, and related problems.

Keep in mind that the post shared here is written by a company that provides listing services.

Housing is more of a right in Spain than in other countries, and at least in Catalonia, there is precedent that it supersedes property rights.


Ah, I see. The article was claiming it was "surging", but I guess it's hyperbolic advertising.


You'll understand the inevitable tension on policing this issue considering that a couple of years ago Spain passed a law that made access to adequate and dignified housing a constitutional right.


You are saying that as if it is never the owner's fault.

If your income is not enough to pay for housing under a regular contract, but a shady owner allows you to pay rent for the place so that he can bypass a number of regulations by pretending he has no tenants, would you choose to live in the street or a car, or would you accept it, hoping it is a temporary situation?

Most people would choose the latter, hence the way the laws are written. Landowners are usually the wealthy ones, so the least at risk of suffering.


There need to be penalties on the landowner side too. The paper requirement should carry penalties enforced against them if they are violating it. This would be better than just a chance of pain from the eviction process. After all, if they are shady landlords they might push people out in other ways to avoid the eviction process anyway.


If you read through the article, it becomes a bit clearer exactly why it still happens.


I saw some of the different factors in the article but none of them seemed to really address the lack of checking a registered source of data for the leases and why they wouldn't be a good idea.


I found his first appearance [0] on Rupert Spira's show to be a good introduction to his arguments.

For a more thorough examination, see his book "The Idea of the World".

[0]: https://m.youtube.com/watch?v=MQuMzocvmTQ&pp=ygUNa2FzdHJ1cCB...


The problem here is that this creates negative externalities on the housing market unless regulation is in place. Otherwise, it creates an incentive for short-term housing over long-term housing, which affects the people who do live there. This is the crux of the matter in many places that have a problem with tourism.


Regulation is definitely necessary to protect low-income residents. Areas that understand this and implement it well will be rewarded for it.


Tax stays of less than 3 months by 50%.


Oh, I did not know about this essay! Thank you for sharing.

To others reading this, this short essay [0] by Julian Jaynes is a good introduction to his idea of the Bicameral Mind. He later developed the idea further in his book "The Origin of Consciousness in the Breakdown of the Bicameral Mind". If you've watched the series "Westworld", how the androids begin to develop something akin to consciousness is inspired by Jaynes' ideas.

[0]: https://www.julianjaynes.org/resources/articles/consciousnes...

