@mb_

mb_@lemm.ee · edit-2 20 days ago

There are a few ways to do it, but you don’t use caddy for SSH.

host SSH on port 22, forgejo on a different port. Expose both ports to the internet
host SSH on a different port, forgejo on port 22. Expose both ports to the internet
host SSH on port 22. Forgejo on port 2222. Only 22 exposed to the internet. Change the authorized_keys user of the git user on host to automatically call the internal forgejo SSH app

Last option is how I run my Gitea instance, authorized keys is managed by gitea so you don’t really need to do anything high maintenance.

~git/.ssh/authorized_keys:

command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-9",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-rsa PUBLICKEYHASH

/usr/local/bin/gitea:

ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.14 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"

127.0.0.14 is the local git docker access where I expose the service, but you couldn’t different ports, IPS, etc.

mb_@lemm.ee · 3 months ago

distcc so you can compile on the faster ones and distribute it

mb_@lemm.ee · 6 months ago

On nvidia, there are still too many edge cases involving Wayland that are just crippled. Orca slicer doesn’t work for me for example, you are completely missing any of the 3d accelerated graphics in there.

On the other hand, the AMD 7x00 series have different kind of bugs, with ring0 errors leading to full resets.

I think once nvidia drivers are squared out (the proprietary ones) it will be smooth sailing.

mb_@lemm.ee · 8 months ago

mb_@lemm.ee · 9 months ago

While I don’t use TPM myself (I dislike being tied to a specific hardware) the way it protects you is:

Disk is protected through encryption, so you can’t remove and inject anything/hack the password.

If boot is protected/signed/authorized only, a random person can’t load an external OS and modify the disk either.

All this together would say, even if someone acquires your computer, they can’t do anything to it without an account with access, or an exploit that works before a user logs.

In a way, the attack surface can be bigger than if you simply encrypted your disk with a key and password protect that key.

mb_@lemm.ee · edit-2 11 months ago

You can always compile your own Iosevka and adjust several pieces, I have done that selecting what I consider the best pieces a long time ago.

The compiled font lives in an easy to access internal webserver that I just grab from every computer I use (=