Collector of social media accounts. Speaks 🇬🇧 and 🇩🇪.
But can Prometheus + Grafana e.g. monitor a website’s content and alert when there is a new firmware version available?
Zabbix can be configured completely via its GUI. It’s really easy once you get the hang of it.
I have this running on a Raspberry Pi 5:
```yaml
services:
  db:
    image: postgres:16-alpine
    environment:
      - POSTGRES_USER=zabbix
      - POSTGRES_PASSWORD=zabbix
      - PGDATA=/var/lib/postgresql/data
    volumes:
      - /opt/docker/zabbix7/pgdata/16/data:/var/lib/postgresql/data
    networks:
      - zabbix7
    restart: unless-stopped

  # fping needs setuid
  # Connect to container as "root" and run: chmod +s /usr/sbin/fping
  server:
    image: zabbix/zabbix-server-pgsql:alpine-7.4-latest
    environment:
      - POSTGRES_USER=zabbix
      - POSTGRES_PASSWORD=zabbix
      - PHP_TZ=Europe/London
      - ZBX_SERVER_NAME=zabbix.domain.com
      - ZBX_NODEADDRESS=zabbix-server:10051
    cap_add:
      - NET_RAW
      - NET_ADMIN
    volumes:
      - /opt/docker/zabbix7/zabbix-server/alertscripts:/usr/lib/zabbix/alertscripts
      - /opt/docker/zabbix7/zabbix-server/externalscripts:/usr/lib/zabbix/externalscripts
      - /opt/docker/zabbix7/zabbix-server/mibs:/usr/lib/zabbix/mibs
      - /opt/docker/zabbix7/zabbix-server/modules:/usr/lib/zabbix/modules
      - /opt/docker/zabbix7/zabbix-server/export:/var/lib/zabbix/export
      - /opt/docker/zabbix7/zabbix-server/snmptraps:/var/lib/zabbix/snmptraps
    ports:
      - 10051:10051
    depends_on:
      - db
    links:
      - "db:postgres-server"
    networks:
      - zabbix7
      - traefik-public
    restart: unless-stopped

  web:
    image: zabbix/zabbix-web-nginx-pgsql:alpine-7.4-latest
    restart: unless-stopped
    environment:
      - PHP_TZ=Europe/London
      - ZBX_SERVER_NAME=zabbix.domain.com
      - ZBX_SERVER_HOST=zabbix-server
    #ports:
    #  - 10080:8080
    #  - 10081:443
    depends_on:
      - server
      - db
    links:
      - "server:zabbix-server"
      - "db:postgres-server"
    networks:
      - zabbix7
      - traefik-public
    labels:
      traefik.enable: "true"
      traefik.http.routers.zbx.rule: Host(`zabbix.domain.com`)
      traefik.http.routers.zbx.entrypoints: https
      traefik.http.routers.zbx.tls: "true"
      traefik.http.routers.zbx.tls.certresolver: le
      traefik.http.services.zbx.loadbalancer.server.port: "8080"

networks:
  traefik-public:
    external: true
  zabbix7:
    attachable: true
```
If you’re happy with how Apple Password works for you, I can recommend StrongBox. It keeps all data in a KeePass2 database and integrates into Apple’s AutoFill API. That means it feels almost native when using it. No browser plugin needed. (At least not for Safari.) And you can decide how you sync the database file.
Doesn’t get any more secure than a battle-tested web server hosting simple MP3 files and a text file.
Convenience might be a thing, though. I’m in the Apple ecosystem so their Podcasts app shows that feed on all devices and tracks listening progress, etc.
If I didn’t have that, I’m still a lifetime customer with PocketCasts and PocketCasts Web. So, that’s that. But if you don’t have anything similar in place, a self-hosted streaming server might be the best way to go, yes.
Do you need a web player? I’ve got several years of a radio show on my web server and wrote a script that created an RSS feed for them. This way I can open that in any podcast player (even web based ones) to listen to it.
If you’re on macOS, there’s blocs. It seems to pop up on BundleHunt for a fraction of their normal price every once in a while.
Then, there’s RapidWeaver Elements - which just went into Early Access.
However, you might want to evaluate whether a static site generator or some small CMS like GRAV can work for you.
Same here. It’s probably easier to print out the QR code(s) for your home wifi network(s) on a piece of paper and hand that to guests when they come over…
Which Pi did you try? Since the Pi4/CM4 (can even work with SAS drives) and especially with the Pi5 you can build some nicely performing NASes.
There are some passively cooled (i.e. no spinning fan) SFF Desktops (HP, DELL, etc.) or you could get a Raspberry Pi 5 and stick it into a Geekworm case. Power consumption with these devices should hover around 5W, maybe slightly higher under load. The Desktops most probably support WoL. The Raspberry Pi doesn’t.
The version I had played around with about 10 years ago could.
There’s also The Dude - although it’s a Windows-only application. But the visualisation is great.
I’m running SpotWeb to browse spots. It’s kind of a curated list of NZBs. So, most things you can find a spot for, are still actually available to download.
It was heavily used by the Dutch to distribute movies with baked-in (“ingebakken”) Dutch subtitles for older media players.
If you like to check in manually to places, there’s PrivateSquare which will query places around you from Foursquare (so, 4sq will still see whereabouts you are), but store the actual check-in in a local database.
If you want some automated tracking, I’m mostly happy with OwnTracks which logs to my DaWarIch instance. (I’ve previously used Traccar and php-owntracks-recorder.)
While I don’t see any battery usage from OwnTracks, my only gripe is that it can’t increase the amount of points logged when it detects movement because of Apple iOS limitations.
(For iOS, there’s also Geory which will log into a local database and CAN increase the logging by spawning a Live Activity. It gives me the most accurate logs so far. But they have to be exported manually to be stored elsewhere and the author wants to keep the app simple and doesn’t want to implement logging to external systems.)
I let CrowdSec determine that. I’m seeing `/13`, `/12` and even `/10` in my decisions list. All seem to be Amazon AWS ranges.
In the Traefik static configuration (usually `traefik.yml`), add this to load the CrowdSec plugin:

```yaml
experimental:
  plugins:
    crowdsec-bouncer-traefik-plugin:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.4.2"
```

(The name for the plugin is defined here as `crowdsec-bouncer-traefik-plugin`.)

Then, in your dynamic configuration, add this (I’ve used a separate file `dynamic_conf/050-plugin-crowdsec-bouncer.yml`):

```yaml
http:
  middlewares:
    crowdsec-bouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          CrowdsecLapiKey: "...YOUR CROWDSEC LAPI KEY HERE..."
          Enabled: true
```

(The name for this new middleware defined here is `crowdsec-bouncer`. It uses the `crowdsec-bouncer-traefik-plugin` defined in the previous step. Make sure these names match.)
You can get the LAPI key by registering a new bouncer in CrowdSec.
And, finally, make sure all incoming traffic routes through the bouncer plugin. You can do this individually, or in general via the static config:
```yaml
entryPoints:
  websecure:
    address: :443
    http:
      middlewares:
        - crowdsec-bouncer@file
        - secure-headers@file
```
The middlewares are processed top to bottom.
Any change to the static configuration requires a restart of Traefik to become active.
I’ve recently enabled banning whole subnets if more than 3 malicious actors from that subnet are on the blocklist. This is great for all those DigitalOcean droplets and other cheap hosters used by those people…
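The subnet rule described in the comment above, sketched as an added example; it is not the commenter's script and not a built-in CrowdSec feature. The /24 and /64 grouping sizes, the function name and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the comment: IPv4 hosts are grouped by /24 and IPv6 by /64.
V4_PREFIX, V6_PREFIX = 24, 64
THRESHOLD = 3  # ban a subnet once MORE than 3 of its hosts are on the blocklist


def subnets_to_ban(banned, threshold=THRESHOLD):
    """Return the networks that contain more than `threshold` distinct banned hosts.

    `banned` is a list of decision values: single addresses or CIDR ranges.
    """
    hosts = defaultdict(set)
    covered = []  # ranges that are already banned as a whole
    for value in banned:
        try:
            net = ipaddress.ip_network(value.strip(), strict=False)
        except ValueError:
            continue  # skip malformed entries instead of aborting the run
        if net.prefixlen != net.max_prefixlen:
            covered.append(net)  # existing range decision, not a single host
            continue
        prefix = V4_PREFIX if net.version == 4 else V6_PREFIX
        parent = net.supernet(new_prefix=prefix)
        hosts[parent].add(net.network_address)  # a set counts duplicates once

    result = []
    for parent, members in hosts.items():
        if len(members) <= threshold:
            continue
        # Skip subnets that an existing range decision already covers.
        if any(c.version == parent.version and parent.subnet_of(c) for c in covered):
            continue
        result.append(parent)
    return sorted(result, key=lambda n: (n.version, n))


# Constructed sample blocklist (documentation address ranges only).
SAMPLE = [
    "198.51.100.7", "198.51.100.19", "198.51.100.19", "198.51.100.23", "198.51.100.200",
    "203.0.113.4", "203.0.113.9", "203.0.113.77",
    "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.0/24",
    "not-an-ip",
]

if __name__ == "__main__":
    for network in subnets_to_ban(SAMPLE):
        print(network)
```

Wide prefixes can sweep in unrelated hosts on shared providers, so the grouping size is the setting to review before feeding the result into a ban list.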
I had fail2ban running for several years before switching to CrowdSec late last year. They both work in a similar fashion and watch your logfiles for break-in attempts. With the small difference that CrowdSec also lets you use blocklists from the “crowd” to block malicious actors before they even get to try their luck on your machine(s).
I’m using CrowdSec with Traefik and nftables. But there are some bouncer plugins for nginx and OPNsense, too.
I just followed their example configurations for Docker, Docker Compose and then started tinkering with the config until everything worked as desired.
Or just something as simple as using an SMB/CIFS share for your data. Instead of mounting the share before running your container, you can make Docker do it by specifying it like this:

```yaml
services:
  my-service:
    # ...
    volumes:
      - my-smb-share:/data:rw

volumes:
  my-smb-share:
    driver_opts:
      type: "smb3"
      device: "//mynas/share"
      o: "rw,vers=3.1.1,addr=192.168.1.20,username=mbirth,password=supersecret,cache=loose,iocharset=utf8,noperm,hard"
```
For `type` you can use anything you have a `mount.<type>` tool available for, e.g. on my Raspberry this would be:

```
$ ls /usr/sbin/mount.*
/usr/sbin/mount.cifs* /usr/sbin/mount.fuse3* /usr/sbin/mount.nilfs2* /usr/sbin/mount.ntfs-3g@ /usr/sbin/mount.ubifs*
/usr/sbin/mount.fuse@ /usr/sbin/mount.lowntfs-3g@ /usr/sbin/mount.ntfs@ /usr/sbin/mount.smb3@
```

And the `o` parameter is everything you would put as options to the mount command (e.g. in the 4th column in `/etc/fstab`). In the case of smb3, you can run `mount.smb3 --help` to see a list of available options.
Doing it this way, Docker will make sure the share is mounted before running the container. Also, if you move the compose file to a different host, it’ll just work if the share is reachable from that new location.
> why bother with the aliases
Because once some service “loses” (or sells) your email and you start getting spam, it’s pretty easy to burn that specific email address and change it to something else with that specific service and the spam will stop.
There’s also FreeDNS. Their only ask is that you log into the account once every 6 months so they know you’re still using it.