Geronimo Wenja

@Geronimo Wenja@agora.nop.chat
0 Posts – 40 Comments
Joined 1 year ago

The bridges are all open source, and they use matrix synapse as their server installation - though their client is a closed source fork of element with changes. You can use any matrix client to connect to it, and they say it's a standard synapse setup.

If privacy is a concern, bringing your own client should remove that concern as the rest is open source. It's also e2e encrypted, as any matrix server is.

I self host my own matrix homeserver with bridges set up using their code. The only bit of their stack I can't use is the client. I don't like that that's closed source, that's frustrating.

Edit: while writing this two more people made the same comment. Sorry!


Yeah sure.

I'm going to assume you're starting from the point of having a second linux user also set up to use rootless podman. That's just following the same steps for setting up rootless podman as any other user, so there shouldn't be too many problems there.

If you have wireguard set up and running already - i.e. with Mullvad VPN or your own VPN to a VPS - you should be able to run ip link to see a wireguard network interface. Mine is called wg. I don't use wg-quick, which means I don't have all my traffic routing through it by default. Instead, I use a systemd unit to bring up the WG interface and set up routing.

I'll also assume the UID you want to forward is 1001, because that's what I'm using. I'll also use enp3s0 as the default network link, because that's what mine is, but if yours is eth0, you should use that. Finally, I'll assume that 192.168.0.0 is your standard network subnet - it's useful to avoid routing local traffic through wireguard.

#YOUR_STATIC_EXTERNAL_IP# should be whatever you get by calling curl ifconfig.me if you have a static IP - again, useful to avoid routing local traffic through wireguard. If you don't have a static IP you can drop this line.

[Unit]
Description=Create wireguard interface
# Wants= actually pulls network-online.target in; After= alone only orders against it
Wants=network-online.target
After=network-online.target

[Service]
# oneshot: "systemctl start" returns only once the setup script has finished.
# RemainAfterExit keeps the unit active afterwards so ExecStop runs on "systemctl stop".
Type=oneshot
RemainAfterExit=yes
# Bring up the wg link, then populate routing table 200, which the uidrange rule below
# selects for UID 1001 only. Every command tolerates "already exists" errors with || true.
ExecStart=/usr/bin/bash -c " \
        /usr/sbin/ip link add dev wg type wireguard || true; \
        /usr/bin/wg setconf wg /etc/wireguard/wg.conf || true; \
        /usr/bin/resolvectl dns wg #PREFERRED_DNS#; \
        /usr/sbin/ip -4 address add #WG_IPV4_ADDRESS#/32 dev wg || true; \
        /usr/sbin/ip -6 address add #WG_IPV6_ADDRESS#/128 dev wg || true; \
        /usr/sbin/ip link set mtu 1420 up dev wg || true; \
        /usr/sbin/ip rule add uidrange 1001-1001 table 200 || true; \
        /usr/sbin/ip route add #VPN_ENDPOINT# via #ROUTER_IP# dev enp3s0 table 200 || true; \
        /usr/sbin/ip route add 192.168.0.0/24 via 192.168.0.1 dev enp3s0 table 200 || true; \
        /usr/sbin/ip route add #YOUR_STATIC_EXTERNAL_IP#/32 via #ROUTER_IP# dev enp3s0 table 200 || true; \
        /usr/sbin/ip route add default via #WG_IPV4_ADDRESS# dev wg table 200 || true; \
"

# Tear down in reverse order: rule first, so UID 1001 traffic is never left
# pointing at a half-removed table, then the table, the peer and the link.
ExecStop=/usr/bin/bash -c " \
        /usr/sbin/ip rule del uidrange 1001-1001 table 200 || true; \
        /usr/sbin/ip route flush table 200 || true; \
        /usr/bin/wg set wg peer '#PEER_PUBLIC_KEY#' remove || true; \
        /usr/sbin/ip link del dev wg || true; \
"

[Install]
WantedBy=multi-user.target

There's a bit to go through here, so I'll take you through why it works. Most of it is just setting up WG to receive/send traffic. The bits that are relevant are:

        /usr/sbin/ip rule add uidrange 1001-1001 table 200 || true; \
        /usr/sbin/ip route add #VPN_ENDPOINT# via #ROUTER_IP# dev enp3s0 table 200 || true; \
        /usr/sbin/ip route add 192.168.0.0/24 via 192.168.0.1 dev enp3s0 table 200 || true; \
        /usr/sbin/ip route add #YOUR_STATIC_EXTERNAL_IP#/32 via #ROUTER_IP# dev enp3s0 table 200 || true; \
        /usr/sbin/ip route add default via #WG_IPV4_ADDRESS# dev wg table 200 || true; \

ip rule add uidrange 1001-1001 table 200 adds a new rule where requests from UID 1001 go through table 200. A table is a subset of ip routing rules that are only relevant to certain traffic.

ip route add #VPN_ENDPOINT# ... ensures that traffic already going through the VPN - i.e. wireguard traffic - does. This is relevant for handshakes.

ip route add 192.168.0.0/24 via 192.168.0.1 ... is just excluding local traffic, as is ip route add #YOUR_STATIC_EXTERNAL_IP# ...

Finally, we add ip route add default via #WG_IPV4_ADDRESS# ... which routes all traffic that didn't match any of the above rules (local traffic, wireguard) to go to the wireguard interface. From there, WG handles all the rest, and passes returning traffic back.

There's going to be some individual tweaking here, but the long and short of it is, UID 1001 will have all their external traffic routed through WG. Any internal traffic between docker containers in a docker-compose should already be handled by podman pods and never reach the routing rules. Any traffic aimed at other services in the network - i.e. sonarr calling sabnzbd or transmission - will happen with a relevant local IP of the machine it's hosted on, and so will also be skipped. Localhost is already handled by existing ip route rules, so you shouldn't have to worry about that either.

Hopefully that helps - sorry if it's a bit confusing. I learned to set up my own IP routing to avoid wg-quick so that I could have greater control over the traffic flow, so this is quite a lot of my learning that I'm attempting to distill into one place.
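To make the routing decision above concrete, here is an added example (not the commenter's code) that models how the kernel walks the rules and tables the unit file sets up: rules are checked in priority order, each rule selects a table, the longest matching prefix wins inside a table, and a table with no matching route falls through to the next rule. The addresses are constructed stand-ins for the #...# placeholders. It also models the one failure mode worth checking for: if the wg link goes away, the kernel drops the `default ... dev wg` route with it, table 200 no longer matches, and UID 1001 falls through to the main table and leaks out of enp3s0. The `unreachable default` fallback route with a high metric is an assumed hardening step that the comment does not include.

```python
"""Model of the per-UID policy routing from the unit file above.

Added example, not the commenter's code. Addresses are constructed stand-ins
for the #...# placeholders; the 'unreachable' fallback is an assumed addition.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPN_UID = 1001
VPN_ENDPOINT = "203.0.113.10"        # stand-in for #VPN_ENDPOINT#
ROUTER_IP = "192.168.0.1"            # stand-in for #ROUTER_IP#
STATIC_EXTERNAL_IP = "198.51.100.7"  # stand-in for #YOUR_STATIC_EXTERNAL_IP#
WG_IPV4_ADDRESS = "10.64.0.2"        # stand-in for #WG_IPV4_ADDRESS#


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]          # None models an 'unreachable' route
    metric: int = 0


@dataclass
class Rule:
    priority: int               # lower number is checked first
    table: int
    uid_range: Optional[tuple] = None   # (lo, hi) inclusive; None = any UID


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Rule order as the kernel sees it: the local table (255) first, then the
# uidrange rule the unit adds (it gets priority 32765 when none is given),
# then the usual main-table rule at 32766.
RULES = [
    Rule(0, 255),
    Rule(32765, 200, (VPN_UID, VPN_UID)),
    Rule(32766, 254),
]


def build_tables(wg_up: bool, kill_switch: bool) -> dict:
    """Return {table_id: [Route, ...]} for one scenario.

    wg_up=False models the wg link being gone: the kernel removes every route
    that pointed at it, so 'default via WG_IPV4_ADDRESS dev wg' vanishes.
    kill_switch=True adds a higher-metric 'unreachable default' to table 200,
    i.e. 'ip route add unreachable default table 200 metric 1000'.
    """
    local = [Route(net("127.0.0.0/8"), "lo")]
    main = [
        Route(net("0.0.0.0/0"), "enp3s0"),      # default via ROUTER_IP
        Route(net("192.168.0.0/24"), "enp3s0"),
    ]
    table200 = [
        Route(net(f"{VPN_ENDPOINT}/32"), "enp3s0"),       # handshakes stay on the LAN path
        Route(net("192.168.0.0/24"), "enp3s0"),            # local subnet excluded
        Route(net(f"{STATIC_EXTERNAL_IP}/32"), "enp3s0"),  # own public IP excluded
    ]
    if wg_up:
        table200.append(Route(net("0.0.0.0/0"), "wg"))     # default via WG_IPV4_ADDRESS
    if kill_switch:
        table200.append(Route(net("0.0.0.0/0"), None, metric=1000))
    return {255: local, 254: main, 200: table200}


def route_for(dst: str, uid: int, wg_up: bool = True,
              kill_switch: bool = False) -> str:
    """Name the egress device a packet from `uid` to `dst` would use."""
    tables = build_tables(wg_up, kill_switch)
    d = ipaddress.ip_address(dst)
    for rule in sorted(RULES, key=lambda r: r.priority):
        if rule.uid_range and not (rule.uid_range[0] <= uid <= rule.uid_range[1]):
            continue
        matches = [r for r in tables[rule.table] if d in r.prefix]
        if not matches:
            continue          # no route in this table: fall through to the next rule
        best = min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))
        return best.dev or "unreachable"
    return "unreachable"


if __name__ == "__main__":
    cases = [("1.1.1.1", VPN_UID), ("1.1.1.1", 1000),
             ("192.168.0.50", VPN_UID), (VPN_ENDPOINT, VPN_UID),
             ("127.0.0.1", VPN_UID)]
    for dst, uid in cases:
        print(f"uid {uid:4} -> {dst:15} via {route_for(dst, uid)}")
    # The leak case: wg is down and the uidrange rule falls through to main.
    print("wg down, no kill switch:", route_for("1.1.1.1", VPN_UID, wg_up=False))
    print("wg down, kill switch   :",
          route_for("1.1.1.1", VPN_UID, wg_up=False, kill_switch=True))
```

On a real host the equivalent check is `ip route get 1.1.1.1 uid 1001` with the unit running, which should report `dev wg`, versus the same command for another UID reporting the LAN interface; running it once more after stopping the unit shows whether the fall-through to the main table applies to your setup.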


Those are the officially supported distros. You can install other ones just fine. I doubt you'd find another laptop that had even just more than 1 officially supported distro.


One of the really nice side-effects of it running rootless is that you get all the benefits of it running as an actual Unix user.

For instance, you can set up wireguard with IP route to send all traffic from a given UID through the VPN.

Using that, I set up one user as the single user for running all the stuff I want to have VPN'd for outgoing connections, like *arr services, with absolutely no extra work. I don't need to configure a specific container, I don't need to change a docker-compose etc.

In rootful docker, I had to use a specific IP subnet to achieve the same, which was way more clunky.


My favourite one is renaming a directory full of files in nnn. It opens in vim, and I'm in my happy place, where I really know how to edit text (or, in this case, filenames). Great when there's some minor variation between a lot of files. Full previewing before saving, multiple operations handled before doing anything etc.

Sure, fair enough. There are other distros supported by the community if you want to check that out too.

You honestly won't find better than the support for framework in the laptop space. The arch wiki entry for it is fantastic, and having multiple supported distros is almost unique.


I'm also on Migadu for email, and I can say the experience has been pretty excellent. They have good instructions for setup stuff, and their pricing model is great. The pricing model has things in common with rsync.net, where they impose a soft limit on storage and reach out if you start exceeding it to talk about upgrading.

I do wonder if other mail providers will at some stage support jmap, it seems like it could take away some frustrations.


But their internet is down, so it'll fail to send to telegram. Realistically it needs to be an external system that is tracking when it receives pings from the home network, so it can show periods where the bash script didn't ping for a while.

This is using matrix. You can even connect to it from any matrix client.

They mean the android community having moved over here. It's just a merger in name, there isn't any technical work happening in that process.

Check out borgbackup, it stores changes only, snapshots are created for every new backup, encrypts automatically and is pretty straightforward to use.

You can use any matrix client with beeper according to their FAQ. It's frustrating that they forked element and kept the source code closed, but it is Apache 2.0, so it's not against the licence terms.

Luckily, the DMA has a heap of requirements around what their messaging interoperability will have to do. For one thing, it will enforce the providers to not downgrade any encryption along the way, so FB etc will have to handle messages without them being decrypted first. There are some great videos that the matrix foundation put on their YouTube channel of talks that go over much of this.

Up and down votes are federated with your username, along with posts and comments (obviously).

Clicking on links, favourites, email address (if you put one in when signing up), password and IP address are all only on your local instance.

Basically, unless another server needs to know about it for federation to work, it's going to be local to the instance you're using.

It'd be worth checking out Borg as an alternative to rsync. Borg will handle snapshotting, and automatically de-dupe on a block-by-block basis.

I use it for all of my remote backups, and it provides a lot of quality of life stuff that rsync isn't going to handle.

Maybe around 2006, I booted a live CD of Ubuntu and ran the 6 disc install of Unreal Tournament 2004 so that I could play UT with a friend who was staying over - the laptop was my mum's, so I wasn't allowed to install anything directly on it. UT2004 had a native Linux version on disc.

The install took until 4am and we played until the sun came up, absolute bliss getting it working.

It's really nice seeing people understanding that reducing the use of a word because of compassion is not a bad thing. Good work on examining your language.

I'd also encourage people to have a look at the words they use to describe erratic or unexplainable things. My partner has mental health issues, and hearing people constantly using "insane" and all of its fellows became really alienating for them. It's bizarre how quickly you start to find alternative words you forgot existed.

My partner has had similar issues - being scared of pasta definitely rings true. When you start to think about it and notice it, the amount of mental energy and emotion people expend worrying about food is pretty awful. The diet industry's advertising is extraordinarily pervasive too.

I'm glad you feel like you can talk about it here. Online spaces are so often aggressive to the idea that food shouldn't be constantly top of mind.

5 gallons per hour? The article says 4-6 litres - a little over a gallon.

Yep, the app is by far the easiest way to deal with it, and it's got a great amount of troubleshooting options too.

Most of that extra stuff is there to handle user contact privacy and security with the bridges, which is fair. I don't have any interest in self hosting Beeper's full setup, I want to get the functionality of multiple messaging services in one client - which I have, with my self-hosted matrix instance and the bridges they help develop and maintain.

I wish all of it was open source, but I did feel it necessary to head off comments that imply that the entire thing is closed source. Their implementation around dynamic servers and isolated containers spinning up isn't really the bit that seems relevant regarding user privacy with regards to data scraping or anything. There are a lot of comments in here implying it's fully proprietary, but there's a lot more nuance to it than that, as you point out.

Personally, I think it'd be nice if you could self-host just the bridge instances and connect them with beeper yourself, so that the part that isn't e2e encrypted is running on software you can validate and hardware you control.

Are you not logged in? You need to have an account logged in, subscriptions are stored server-side.

Edit: Ah, I see that you've found that out. Good you got it sorted!

I'm all in on docker-compose + rootless podman. Definitely not no issues, but I've got the hang of the kinds of issues it presents at this point. They're mostly around SELinux and networking, though generally the networking only gets problematic on exotic compose setups - jitsi was a huge pain for me.

Raw server with SSH and an immutable OS too. I'm using fedora IOT for my homeserver, and apart from some initial issues with GPU drivers because of layering issues (now working) that's been basically flawless.

I was on OpenSuse MicroOS, but I had huge problems with BTRFS and decided to give it up in favour of EXT4 + XFS. That necessitated moving distro, because MicroOS uses BTRFS snapshots as the basis for its auto-updating/green/blue system. Fedora IOT uses rpm-ostree instead, and works on any filesystem.

You have to have a firewall rule on your public server to tell it to send any traffic on port 8096 to the IP of your private server. Currently, your public server isn't listening on that port, so the packets would just be dropped.


Ah, I did the bad thing and didn't read properly.

It looks correct, yes. Can you run iptables -L -t nat on the public host after bringing up the wireguard connection to see if it works?

Also, if you can do a netcat to that same port from a local computer to that public endpoint without the wireguard connection running, you can test that the port isn't being blocked anywhere else along the way.

Yeah, I should have clarified that. Hopefully the EU regulation regarding messaging interoperability removes this (currently unavoidable) flaw.

Yeah, I can second tinycam. It's very good, and lets you keep multiple streams available to switch between easily. Great for 3d printer monitoring too.

ZigBee devices are often able to be used with a 3rd party hub. For instance, all the IKEA stuff works with any standard ZigBee hub. They don't have a line to the internet if you control the hub.

I had a reasonably good time with it. I had issues with btrfs, which is why I moved off it and went to Fedora IoT for pretty much the same benefits.

For me, btrfs caused multiple drive corruptions because of unexpected power offs, and I didn't feel like trying to fix that on the fly - it might have been drives that were incompatible with CoW because of firmware "optimisations" that break if a write isn't completed prior to power off.

In general, outside of that, it was pretty solid. I didn't find much use for the orchestration/setup tooling they include, and I found their documentation pretty sporadic unfortunately. Fedora IoT has the advantage of basically being silverblue, with rpm-ostree, so it's easy to find people using it and discussing it.

There is a subscribe button, it's directly below the channel name. Up until recently there was a bug in invidious preventing it working but it looks like that's been resolved now.


If you're just looking to view a stream, mpv on Android should be less glitchy than vlc.

The 13 inch Intel ones aren't a pre-order - you can just order them.

The AMD 13 inch and the 16 inch laptop are both releasing soon and are on pre-order.

You can use any matrix client you want with it. The closed source one is just making bridging more straightforward and adding some little quality of life features.

A PR was opened last week to add the biggest first element of external library support. Hopefully in the relatively near future it'll be merged. I'll be giving it a shot when it merges.

You're welcome. It has some really nice side-effects - i.e. if I want to quickly grab a file without it being from my normal IP, I can just SSH to the right user on my server and it just works - no configuration, no needing to interrupt other traffic.

Are you expecting sonarr to go after historical stuff? You have to manually request a search for anything added that isn't being released in the future. Sonarr only automatically checks for new episodes, not old ones. Like others have said, season searches and interactive searches are useful for anything that's not airing in the future.

I've seen a couple of people mention this bug. I'll check if there's an issue in their bugtracker for it.

archive org snapshot of the subreddit

Hopefully you can get the list from here?

might be this page

There are speed and developer experience improvements, and a whole bunch of it is there to optimise for mobile. They have some info in the FAQ on jmap.io. It's something I won't 100% take without any consideration - it is written by the Fastmail devs - but a modern stateless protocol is no bad thing.

If you tried a bunch of other proton versions, you may need to clear the compatdata dir for the game and then run again with experimental. The directory can get in a weird state with some games if you try to run multiple proton versions - i.e. one applies a fix on startup that breaks it in another version.