So I’m looking to spend money on a new TV and audio setup.

I have two bedrooms, a living room, kitchen, an office, and two bathrooms that I’d like to fit with speakers. I do rent so I do need wireless.

For the TV in the living room and one bedroom I want a sound bar, but am planning for bookshelf style speakers for the rest of the rooms. I live in apartment building so I want to avoid a subwoofer. There’s decent sound proofing though, and I don’t plan on cranking the volume for any of these.

I want to be able to combine any rooms with each other and play music from any tv or Spotify.

Im currently looking at Sonos systems, but want to consider something more self hosted.

I wouldn’t know where to start looking for good systems. I imagine music assistant would handle the logic of what I need, but no clue on speakers and amplifiers.

Any ideas?

Hello

I'm looking for a NAS OS, the hardware is 2bay Intel n100 machine (AOOSTAR R1), I want to run a RAID1 with few containers (syncthing, immich, jellyfin etc.) all of it to be configurable by web interface, tried some systems in a VM (hardware didn't arrive yet), casaos has nice 'app store', it's a nice docker wrapper, but it doesn't let me manage any kind of RAID (md, brfs, etc), openmediavault is ok for raid, but the containers aren't one click wonder like in other NAS OSes, TrueNAS SCALE seems to be an obvious choice, zfs is cool and everything but it uses kubernetes and it failed to deploy immich for example (100% CPU), i know its called SCALE but kube is a bit too complicated to me (IMO I'm 100% competent but i don't want to tinker), and there's... xpenology, this thing let's me install Synology's DSM and it's a breeze, it deployed immich right away though i had to do it with docker-compose.yml, but in web UI. Also let's say im in favor of xpenology... should i go bare metal or use it inside of proxmox? any pros and cons of both solutions?

Hey guys, version 2.4.0 of Tasks.md was just released. The biggest change is the improved drag-and-drop experience, which feels much better to use. For touch devices it was fully overhauled, since it was not really working before (which is embarrassing tbh). You can see below a comparison between the previous version and the current release.

Previous:

New release:

Tasks.md is a self-hosted, Markdown file based task management board. It's like a kanban board that uses your filesystem as a database, so you can manipulate all cards within the app or change them directly through a text editor, changing them in one place will reflect on the other one.

You can see below the main changes included in the new release.

• Feature: Greatly improves drag and drop experience: New swap animations, visual indications and better interactions for touch and mobile devices;
• Feature: Adds autoscroll when you drag cards and lanes partially out their container;
• Bugfix: Fix touch and navigation on touch devices;
• Bugfix: Fix issue where navigation bar outgrows lanes;
• Bugfix: Prevents saving card name with invalid characters;
• Bugfix: Fix some smaller issues;
• Documentation: Remind user to hard-reload the browser after changing a theme.

Hi guys quick question say you run a a application on your localhost (example lets say couchdb runing directly on localhost:3434 not in docker).

Now you have a docker container (say caddy, ngnix, etc). Is there a way to allow docker container to acess localhost:3434 WITHOUT using the Host network driver (--net=host)

I see so many posts and people who run NGINX as their reverse proxy. Why though? There's HAProxy and Apache, with Caddy being a simpler option.

If you're starting from scratch, why did you pick/are you picking NGINX over the others?

Thx in advice.

This was posted on the other site. It can be found below on this post.

They talk about how even Jellyfin & Jitsi were valuable for dealing with government's actions in shutting down the internet. Does anything else come to mind? In addition to giving advice, can we host anything to help people in this kind of situation?

Suddenly our Self Hosted application became more than just hobby.

If you already don't know, Bangladesh was disconnected from the internet for majority of the last week due to government order. It was shut down without any warning. We were put under curfew 24/7, so no leaving home.

On the second day of curfew, me, with nothing to do, figured the intranet in our country still worked. So I opened my Jellyfin service up and gave access to my immediate family and friends. Then we had people stepping up. One opened a simple chat application. Believe me, I never felt happier reading messages from a bunch of random people on the internet. Once people started communicating it only got better. We had a jitsi meet up and running within a few hours. People opened up their media library. Last couple of days, I almost didn't miss the traditional internet.

I have to thank you guys for all the encouragement. Also I do have a few questions for you guys.

I'm fearing this will not be the last time we will be blocked from the world. What can we do to make things even better next time? One major problem was TLS CERTS stopped working. So the communication was in http using IP address

What are some apps to host if the same situation to arise again?

Sorry for the bad English, not my first language.

Its new homelab time. And with that, potentially a new OS time too.

I currently am very happy with Debian and Docker. The only issue is I am brand new to using data redundancy. I have a 2 bay NAS I'll use, and I want the two HDDs to be in raid 1.

Now I could definitely just use ZFS or BTRFS with Debian, and be able to use Docker just like I do currently.

Or I could use a dedicated NAS OS. That would help me with the raid part of this, but a requirement is Docker.

Any recommendations?

I have been trying to set this up for the past 2 days and I am losing my mind.

The issue I seem to be having is that synapse cannot find the necessary postgres information in the the database. I have been trying to setup a docker container for it but to no avail. The container just continues to restart. When I check docker logs it seems like it cannot find the database info it needs but its there. I deleted the sqlite3 info so it most certainly isn't still using that.

Is there possibly a casaos friendly version of matrix? Is there an easy to follow tutorial for docker matrix and duckdns? Any help would be appreciated.

Opening your router to the Internet is risky. Are there any guides for the basics to keep things secure? Things like setting up fail2ban? My concern is that I'll forget something obvious.

Edit: I haven't had much of a chance to read through everything yet, but I really appreciate all these long, detailed responses. ❤️ Thanks folks!

Context : Immich default map tile provider (which gets sent a bunch of PII every time you use the map feature) is a company that I see no reason to trust. This is a follow-up to this post, with the ~~permanent~~ temporary fix I came up with. I will also summarize the general opinion from the comments, as well as some interesting piece of knowledge that commenters shared.

Hacky fix

This will use Nginx proxy module to build a caching proxy in front of Open Street Map's tileserver and to serve a custom style.json for the maps.

This works well for me, since I already proxy all my services behind a single Nginx instance. It is probably possible to achieve similar results with other reverse proxies, but this would obviously need to be adapted.

Caching proxy

Inside Nginx's http config block (usually in /etc/nginx/nginx.conf), create a cache zone (a directory that will hold cached responses from OSM) :

http {
     # You should not need to edit existing lines in the http block, only add the line below
    proxy_cache_path /var/cache/nginx/osm levels=1:2 keys_zone=osm:100m max_size=5g inactive=180d;
}

You may need to manually create the /var/cache/nginx/osm directory and set its owner to Nginx's user (typically www-data on Debian based distros).

Customize the max_size parameter to change the maximum amount of cached data you want to store on your server. The inactive parameter will cause Nginx to discard cached data that's not been accessed in this duration (180d ~ 6months).

Then, inside the server block that serves your Immich instance, create a new location block :

server {
    listen 443 ssl;
    server_name immich.your-domain.tld;

    # You should not need to change your existing config, only add the location block below

    location /map_proxy/ {
        proxy_pass https://tile.openstreetmap.org/;
        proxy_cache osm;
        proxy_cache_valid 180d;
        proxy_ignore_headers Cache-Control Expires;
        proxy_ssl_server_name on;
        proxy_ssl_name tile.openstreetmap.org;
        proxy_set_header Host tile.openstreetmap.org;
        proxy_set_header User-Agent "Nginx Caching Tile Proxy for self-hosters";
        proxy_set_header Cookie "";
        proxy_set_header Referer "";
    }
}

Reload Nginx (sudo systemctl reload nginx). Confirm this works by visiting https://immich.your-domain.tld/map_proxy/0/0/0.png, which should now return a world map PNG (the one from https://tile.openstreetmap.org/0/0/0.png )

This config ignores cache control headers from OSM and sets its own cache validity duration (proxy_cache_valid parameter). After the specified duration, the proxy will re-fetch the tiles. 6 months seem reasonable to me for the use case, and it can probably be set to a few years without it causing issues.

Besides being lighter on OSM's servers, the caching proxy will improve privacy by only requesting tiles from upstream when loaded for the first time. This config also strips cookies and referrer before forwarding the queries to OSM, as well as set a user agent for the proxy following OSM foundation's guidelines (according to these guidelines, you should add a contact information to this user agent)

This can probably be made to work on a different domain than the one serving your Immich instance, but this probably requires to add the appropriate headers for CORS.

Custom style.json

I came up with the following mapstyle :

{
  "version": 8,
  "name": "Immich Map",
  "sources": {
    "immich-map": {
      "type": "raster",
      "tileSize": 256,
      "tiles": [
        "https://immich.your-domain.tld/map_proxy/{z}/{x}/{y}.png"
      ]
    }
  },
  "sprite": "https://maputnik.github.io/osm-liberty/sprites/osm-liberty",
  "glyphs": "https://fonts.openmaptiles.org/{fontstack}/{range}.pbf",
  "layers": [
    {
      "id": "raster-tiles",
      "type": "raster",
      "source": "immich-map",
      "minzoom": 0,
      "maxzoom": 22
    }
  ],
  "id": "immich-map-dark"
}

Replace immich.your-domain.tld with your actual Immich domain, and remember the absolute path you save this at.

One last update to nginx's config

Since Immich currently does not provide a way to manually edit style.json, we need to serve it from http(s). Add one more location block below the previous one :

location /map_style.json {
    alias /srv/immich/mapstyle.json;
}

Replace the alias parameter with the location where you saved the json mapstyle. After reloading nginx, your json style will be available at https://immich.your-domain.tld/map_style.json

Configure Immich to use this

For this last part, follow steps 8, 9, 10 from this guide (use the link to map_style.json for both light and dark themes). After clearing the browser or app's cache, the map should now be loaded from your caching proxy. You can confirm this by tailing Nginx's logs while you zoom and move around the map in Immich

Summary of comments from previous post

Self-hosting a tile server is not realistic in most cases

People who have previously worked with maps seem to confirm that there are no tile server solution lightweight enough to be self hosted by hobbyists. There is maybe some hope with generating tiles on demand, but someone with deep knowledge of the file formats involved in the process should confirm this.

Some interesting links were shared, which seem to confirm this is not realistically self-hostable with the available software :

• OSM Foundation's policy on using their tile server
• Switch2OSM
• https://wiki.openstreetmap.org/wiki/Sequentially-generate-planet-mbtiles

General sentiment about this issue

In all this part, I want to emphasize that while there seems to be a consensus, this is only based on the few comments from the previous post and may be biased by the fact that we're discussing it on a non-mainstream platform. If you disagree with anything below, please comment this post and explain your point of view.

• Nobody declared that they had noticed the requests to a third-party server before
• A non-negligible fraction of Immich users are interested in the privacy benefits over other solutions such as Google photos. These users do not like their self-hosted services to send requests to third-party servers without warning them first
• The fix should consist of the following :
  • Clearly document the implications of enabling the map, and any feature that sends requests to third parties
  • Disable by default features that send requests to third parties (especially if it contains any form of geolocated data)
  • Provide a way to easily change the tile provider. A select menu with a few pre-configured style.json would be nice, along with a way to manually edit style.json (or at least some of its fields) directly from the Immich config page

Im using Ollama on my server with the WebUI. It has no GPU so its not quick to reply but not too slow either.

Im thinking about removing the VM as i just dont use it, are there any good uses or integrations into other apps that might convince me to keep it?

Update : I made a follow-up post containing a Nginx-based solution to cache map tiles from OSM and limit the amount of PII you send

While monitoring the logs in Rethink DNS (awesome app BTW) today, I noticed the Immich app making requests to api-l.cofractal.com.

After reaching out on Immich's discord, the devs explained to me that it is used as a tile provider for the map feature. I can confirm it is not realistic to self-host a tile provider without heavily tuning down the level of details on the map (which would still require a lot of disk space and CPU time). I understand the need for a third-party service to provide the map tiles, but I'm concerned by this one.

Visiting cofractal.com only tells us that they're selling APIs. I did not find any details about the company, not even the country they're registered in. The website is also missing informations about what they are logging or not. Everything else seems gated behind a login page, but they "are not currently accepting new customers". The whois for the domain says they're in California. Digging a bit more, I find AS26073 which apparently is the same company.

This bothers me, because Cofractal gets sent every location you viewed (and the zoom level) on Immich's map, along with your client's IP address and a "Referrer" header pointing to your Immich instance. This sounds like a lot of PII to me. It's also behind cloudflare which gets to see the same stuff.

When asked about it, one dev (thanks to them for almost instantly replying to every concern/question I threw at them) explained that they personally know the people behind Cofractal. According to this Immich dev, Cofractal provides free access to its paid service to Immich's user base as a way to support the project, with the side benefit of load testing their platform.

This explanations seems plausible and reasonable to me. However, I do not personally know the people behind Cofractal, and by default, I do not trust for-profit companies to act in an altruistic way. Here's a summary of everything that makes me uneasy about this company :

• it does not say anything about the kind of data they are logging or not
• it requires digging through whois records to find the most basic info about the company
• it freely provides access to its normally paid service (for the whole Immich user base), but it does not communicate about it (or it is really hard to find)
• it does not communicate about anything : searching for its name only returns its home page and websites with informations on Autonomous Systems
• it is "not currently accepting new [paying] customers" while providing the service for free to a quite large user base (Immich v1.109.2 got 170k downloads in 5 days, v1.108.0 got 438k downloads in 13 days )
• It is not mentioned anywhere in the whole immich.app website (searching for site:immich.app "cofractal" gave me no result). Not even a "Thank You" or "Sponsor" note on the homepage for the free API
• (it is behind cloudflare)

The dev I talked to encouraged me to create a feature request, and seemed favorable to adding a switch for disabling maps client side. It is already possible to disable it server-wide, and the "URL to a style.json map theme" option seems to provide a way to customize the tile provider. Which leads to this post : I'm trying to collect feedback on this before creating the feature request.

• It should be made prominently clear to server admins that leaving maps enabled causes clients to send requests to a third party-server and give details about what is sent (viewed locations, zoom level, IP address, Immich instance URL). The Post Install Steps in the docs and a paragraph above the switch on the config page seem like good places to me. Are there other/more appropriate place for such a warning ?
• The "URL to a style.json map theme" option should probably be renamed to make it clearer that it allows changing tile providers. Or better yet, it could be reworked to make it easier to choose which third-party you decide to trust
• What do you think about the idea of providing instance admins with a list of choices for tile providers ? Maybe with a short pros/cons list in the docs for each provider. I'd be fine with using a more reputable provider with the extra step of configuring my own API key (which would probably require proxying requests to the tile provider to not share the API key with all clients)
• Should the Immich server proxy requests to the tile provider in any case ? Since the tile provider has access to the Referrer and Origin headers (which is probably required for CORS), they are currently able to link user IP addresses with Immich instances. Proxying requests with the Immich server should prevent that.
• I would go as far as making maps disabled by default for new installs. I understand that "disabling by default would be a significant downgrade for a majority of users", but I feel like there's a strong overlap between the self-hosting and privacy communities. So we should at least have some debate about it

I've also been told that I'm the first one to raise concerns about this, which leads to one more question : Did nobody complain because nobody noticed ? Or are my concerns unjustified ?

cross-posted from: https://infosec.pub/post/15386345

Hi everyone,

This is my CONTAINERFILE for Bind9:

FROM debian

ENV LC_ALL C.UTF-8

# Update and upgrade system
RUN apt-get update -y && apt-get upgrade -y && apt-get dist-upgrade -y

# Install BIND 9 and sudo (for debugging if needed)
RUN apt-get install -y bind9 bind9-dnsutils bind9-libs bind9-utils sudo

# Configure permissions for BIND directories
RUN mkdir -p /var/cache/bind /var/lib/bind /var/log/bind
RUN chown -R bind:bind /var/cache/bind /var/lib/bind /var/log/bind
RUN chmod 664 /var/cache/bind /var/lib/bind /var/log/bind
RUN chmod -R 664 /var/cache/bind /var/lib/bind /var/log/bind

# Create and configure log files
RUN touch /var/log/bind/default.log /var/log/bind/update_debug.log /var/log/bind/security_info.log /var/log/bind/bind.log
RUN chown -R bind:bind /var/log/bind
RUN chmod 644 /var/log/bind/*.log

# Define volumes
VOLUME ["/etc/bind", "/var/cache/bind", "/var/lib/bind", "/var/log/bind"]

# Set the entrypoint to the named executable
ENTRYPOINT ["/usr/sbin/named"]

# Set the default command arguments for the named executable
CMD ["-g"]

I keep getting this error when I run it with podman:

26-Jul-2024 03:18:21.328 loading configuration from '/etc/bind/named.conf'
26-Jul-2024 03:18:21.328 directory '/var/cache/bind' is not writable
26-Jul-2024 03:18:21.332 /etc/bind/named.conf.options:2: parsing failed: permission denied

As you can see from the CONTAINERFILE, the bind user should be able to read and write to /var/cache/bind but for some reason it doesn't.

I have been at this for a while and I'm at my wits end. Your help is appreciated!

I am an Obsidian user and quite happy. But there isn’t a good way to review and scroll daily notes in a Loqseq like fashion in Obsidian. (The plugins for that are unreliable and weak performance.) I have used Logseq but left because of mobile problems, cluttered markdown, and once losing months of data.

I don’t need most of the fancy plugin features of Obsidian aside the robust linking and snappy UI. But I would really like a Logseq like scrollable journal. So is it possible in Silverbullet or do you have another competitor that sounds what I want? Linux + iOS. Not necessarily self hosted but can be.

tldr is that you can hide the button that asks for payment and it says "purchase immich" instead of "purchase liscence"

I'm an immich user, switching from a standard u/p login to an SSO-based login.

I've tested the SSO login successfully, it seems to work, and I'm not having any issues with that.

However, the account generated by SSO login has a different email address and identifiers from the account I created earlier. I don't want to start from scratch with my photos, as I've spent countless hours updating metadata.

I think I need one of the following:

1. a supported, tested way to merge an account with another account. I don't know if this is going to be similar to the "partner sharing" feature. I don't want to simply share the photos, I want to have full control over them; including, if I delete a photo, it's gone forever.
2. a tested way to manually update the database to change all identifiers over to the new account
3. a way to login to the existing account via my SSO portal. I can create any SSO user I want, for example.
4. a way to export the entire library with metadata and re-import it to the new SSO account, structured exactly the same way. Ideally this would also restore anything ML has done with my photos, but it's not a disaster if I have to wait for ML to recreate what it already did in the new account.

Does anyone have information on how to achieve one of the above?

Followup question:

• can anyone confirm with certainty that metadata changes I made in immich have been saved in the image files in /library/upload/*? I am already making backups (both pg_dump and the entire contents of the library), but it would be nice to know where the metadata is actually kept, in case I have to do DR.

Recently, my 10-year old drive that I pulled out of an old computer died. I want to buy another one now. The machine will run Jellyfin (I have an existing collection that I will be transferring from another drive), Immich, and the *arr stack.

I have this motherboard which has one SATA port and one PCIe x1 port. For this reason, I won't be able to add a second drive for redudancy, unless I add a PCIe to SATA card.

My biggest concern is that I want the drive to last. I don't want much capacity, I think 1-2 TB is enough. My budget is from 0€ (of course) to 65-70€.

So I have a couple of questions:

• Should I buy an SSD or an HDD?
• I live in Greece and ServerPartDeals is not an option because shipping is really high. Do you know a place where I could purchase it? (Preferably in Greece, but not necessary)
• Do you have any specific drive suggestions?
• Is there any other way (except for buying a PCIe to SATA card) to add more drives in the motherboard?

Thank you.

I love the concept of apple’s in house journal app which allows you to create dated posts that include text, videos, and photos. I hate the idea of writing anything private in a journal hosted by apple as well as the fact that apple could discontinue at any time. Any ideas on a way to achieve something similar in a clean interface (a long word document wouldn’t cut it) without the middle man? A dedicated un-networked device even?

I want to use Linkwarden to backup websites I find but I can't afford a subscription right now. What's the easiest way to selfhost it on my desktop pc (windows) that will keep it updated and working without having to mess with it or do a bunch of command line stuff?

Sorry but I can't think of another word for it right now. This is mostly just venting but also if anyone has a better way to do it I wouldn't hate to hear it.

I'm trying to set up a home server for all of our family photos. We're on our way to de-googling, and part of the impetus for the change is that our Google Drive is almost full.We have a few hundred gigs of photos between us. The problem with trying to download your data from Google is that it will only allow you to do so in a reasonable way through Google takeout. First you have to order it. Then you have to wait anywhere from a few hours to a day or two for Google to "prepare" the download. Then you have one week before the takeout "expires." That's one week to the minute from the time of the initial request.

I don't have some kind of fancy California internet, I just have normal home internet and there is just no way to download a 50gig (or 2 gig) file in one go - there are always intrruptions that require restarting the download. But if you try to download the files too many times, Google will give you another error and you have to start over and request a new takeout. Google doesn't let you download the entire archive either, you have to select each file part individually.

I can't tell you how many weeks it's been that I've tried to download all of the files before they expire, or google gives me another error.

How do i you decide whats safe to run

I recently ran Gossa on my home server using Docker, mounting it to a folder. Since I used rootless Docker, I was curious - if Gossa were to be a virus, would I have been infected? Have any of you had experience with Gossa?