[-] sudo@programming.dev 1 points 1 day ago

Some of my services (e.g. headscale) are public, and a firewall would block those since it doesn't know what a domain name is, just IPs and ports.

I do have a firewall fwiw but it keeps 443 open. Otherwise a remote device wouldn't be able to connect to the headscale node and get onto my tailnet.

6
submitted 5 days ago* (last edited 5 days ago) by sudo@programming.dev to c/tailscale@programming.dev

The goal is to share an HTTP service privately on my tailnet but with an HTTPS connection. It seems others have spent lots of time figuring this out and never sharing their solutions. I just got a setup to work satisfactorily so I'll share it. Criticism is welcome. First a few notes:

  • I'm using headscale on a VPS behind Caddy.
  • Official tailscale allegedly can do this out of the box with tailscale serve or tailscale cert.
  • Headscale supports tailscale serve but not with https. Maybe if I removed caddy and let headscale do https directly it would. I haven't tested that yet.
  • Yes I know https over wireguard is redundant. This effort is not only to make Firefox shut up but to make some clients that demand https work.

I also have deliberately avoided the "Private CA" because installing the cert of every client on my tailnet sounds like a nightmare. If someone can prove me wrong there, please share.

The context

  1. I have a VPS and a public domain with DNS A and AAAA records that point all subdomains *.mydomain.net to that VPS.
  2. The VPS runs caddy and headscale and is on the tailnet itself.
  3. Caddy routes the hs subdomain to headscale.
  4. I have numerous devices on my tailnet, many running different http services but only some of them I want public.
  5. I can publicly expose a service with https by simply adding an entry to caddy like so,
publicservice.mydomain.net {
    reverse_proxy privatehost:8080
}

Restart caddy and that's it.

The solution

First, I used subdomains of the public domain instead of headscale's base domain, e.g. use *.ts.mydomain.net instead of ts.net. I made a *.ts.mydomain.net A record pointing to my server's public IP. Caddy will automatically fetch https certificates for any *.mydomain.net domains. It cannot for a domain not routed to it. (DNS01 authentication might circumvent this but I haven't tested that yet).

Second, I restrict caddy to only accept tailscale connections by using the bind directive. Otherwise it will accept and route public traffic. A caddy entry for a private service would look like this,

privateservice.ts.mydomain.net {
    bind 100.64.0.1 [fd7a:115c:a1e0::1]
    reverse_proxy privatehost:8081
}

The IP addresses come from the output of tailscale ip on the caddy/headscale machine.

Now privateservice.ts.mydomain.net routes to the caddy server with https, but it gets a default blank 200 response from caddy because it's coming from the machine's public IP instead of the tailnet.

The last step is to configure headscale's DNS to route private services to the headscale server on its tailscale IP instead of the public IP.

# /etc/headscale/config.yaml
# ...
dns:
  magic_dns: true
  # base_domain is irrelevant
  nameservers:
    global: [ whatever ]
    split:
      # required to override the public dns records;
      # headscale expects a list of nameservers per split domain
      ts.mydomain.net: [ 100.100.100.100 ]
  extra_records:
    # record names must sit under the split domain above, otherwise
    # clients resolve them through the global nameserver and get the public IP
    - type: "A"
      name: "privateservice.ts.mydomain.net"
      value: "100.64.0.1"
    - type: "AAAA"
      name: "privateservice.ts.mydomain.net"
      value: "fd7a:115c:a1e0::1"
    # repeat for each service, always the same IPs

You can have base_domain be whatever or make it ts.mydomain.net if you want to be consistent and aren't worried about collisions with your extra records.

I tried using wildcard DNS records in headscale and it didn't work. It felt like it completely broke DNS without any clear warnings or errors. Idk if that's a bug or what. DNS just timed out internally.

Limitations

All internal HTTPS traffic is routed through my VPS instead of directly peer to peer, which is a real bummer for internal latency. I think the only way around that is to give each internal host their own caddy server, have the DNS records point directly to them, but then use a private CA and all the hassle that's worth. Maybe DNS01 challenges will work...

Also while I have no public records indicating what private subdomains I have beyond *.ts.mydomain.net for DNS, I do have them for my TLS certificates... somewhere. I'm not super concerned about that though. I think only a private CA will hide those.
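The two things that silently go wrong with this setup are a private site block that forgets its bind line (Caddy then also answers on the public interface) and an extra_records entry whose name does not sit under the split-DNS domain (clients resolve it through the global resolver and get the public IP). The following consistency check, added here as an example and not code from the original post or from Caddy or headscale, parses a Caddyfile and the dns section of headscale's config and flags both. The Caddyfile and the dns section are constructed samples embedded inline (the dns section is written as the Python dict PyYAML would produce from config.yaml); the resolver 9.9.9.9 and the wiki hosts are placeholders, not from the post.

```python
"""Consistency check for private HTTPS services served over a tailnet via Caddy
and headscale split DNS.  Added example: reads a Caddyfile and headscale's `dns`
section and reports misconfigurations that expose or break a private service.
"""
import ipaddress

# Tailscale address space: CGNAT IPv4 range and the tailnet IPv6 ULA prefix.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")


def is_tailnet_ip(addr: str) -> bool:
    """True if addr (brackets around IPv6 allowed) lies in the tailnet ranges."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    return ip in TAILNET_V4 or ip in TAILNET_V6


def parse_caddyfile(text: str) -> dict:
    """Return {site_host: {directive: [args]}} for each top-level site block.

    Only depth-1 directives are recorded; nested blocks (e.g. inside
    reverse_proxy { ... }) are skipped, which is enough to find `bind`.
    """
    sites, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            if depth == 0:
                current = line[:-1].strip()
                sites[current] = {}
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if depth == 1 and current is not None:
            name, *args = line.split()
            sites[current].setdefault(name, []).extend(args)
    return sites


def under_domain(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def check(sites: dict, dns: dict) -> list:
    """Return [(severity, message)] for the private-site and extra_records checks."""
    findings = []
    split_domains = list(dns["nameservers"].get("split", {}))
    # 1. Every site under a split domain must bind only to tailnet addresses.
    for host, directives in sites.items():
        if not any(under_domain(host, d) for d in split_domains):
            continue  # public site; listening on all interfaces is intended
        binds = directives.get("bind")
        if not binds:
            findings.append(("HIGH", f"{host}: no bind directive, site answers on public IP"))
            continue
        for b in binds:
            if not is_tailnet_ip(b):
                findings.append(("HIGH", f"{host}: bind {b} is not a tailnet address"))
    # 2. Every extra record must be under a split domain and point at a tailnet IP.
    for rec in dns.get("extra_records", []):
        if not any(under_domain(rec["name"], d) for d in split_domains):
            findings.append(("HIGH", f"{rec['name']}: not under any split-DNS domain "
                                     f"{split_domains}, clients will use the global nameserver"))
        if not is_tailnet_ip(rec["value"]):
            findings.append(("MEDIUM", f"{rec['name']}: value {rec['value']} is not a tailnet address"))
    return findings


# Constructed sample Caddyfile: one public site, one correct private site, and a
# private site with a forgotten bind line (placeholder host wiki.ts.mydomain.net).
SAMPLE_CADDYFILE = """
publicservice.mydomain.net {
    reverse_proxy privatehost:8080
}

privateservice.ts.mydomain.net {
    bind 100.64.0.1 [fd7a:115c:a1e0::1]
    reverse_proxy privatehost:8081
}

wiki.ts.mydomain.net {
    reverse_proxy privatehost:8082
}
"""

# Constructed sample of headscale's dns section; the last record has the typo
# (missing ".ts.") that takes it outside the split domain.
SAMPLE_DNS = {
    "magic_dns": True,
    "nameservers": {
        "global": ["9.9.9.9"],  # placeholder resolver
        "split": {"ts.mydomain.net": ["100.100.100.100"]},
    },
    "extra_records": [
        {"type": "A", "name": "privateservice.ts.mydomain.net", "value": "100.64.0.1"},
        {"type": "AAAA", "name": "privateservice.ts.mydomain.net", "value": "fd7a:115c:a1e0::1"},
        {"type": "A", "name": "wiki.mydomain.net", "value": "100.64.0.1"},
    ],
}


def run_example() -> list:
    return check(parse_caddyfile(SAMPLE_CADDYFILE), SAMPLE_DNS)


if __name__ == "__main__":
    for severity, message in run_example():
        print(f"[{severity}] {message}")
```

Run against a real deployment by replacing the samples with the contents of the Caddyfile and `yaml.safe_load(open("/etc/headscale/config.yaml"))["dns"]`; a clean run prints nothing, while the constructed input above reports the unbound wiki site and the misnamed record.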

[-] sudo@programming.dev 87 points 2 weeks ago

I still can't get over how the only fine tuning you can do for an LLM is yell at it with markdown files. We should be able to retrain local models so they can develop an actual experience without prefilling the context.

[-] sudo@programming.dev 75 points 1 month ago

“The idea behind silicon sampling is simple and tantalizing,” they write. “Because large language models can generate responses that emulate human answers, polling companies see an opportunity to use AI agents to simulate survey responses at a small fraction of the cost and time required for traditional polling.”

Somebody invested money into this company. And there's at least hundreds, maybe thousands, of other businesses with these asinine ideas about how to use AI. They're all getting capital from someone who's supposed to be smart because they have capital. Remember that when llm providers cost correct token prices.

12
CPU barely detected (programming.dev)
submitted 6 months ago by sudo@programming.dev to c/buildapc@lemmy.world

I recently swapped motherboards between two builds. One went well but the other is being very finicky with detecting the CPU. Right now it's lying on its side like a beached whale with the left side panel open. The heatsink is simply sitting on the CPU, no mounts, no fans. Sometimes I can strap the heatsink down, stand up the box, and close the case, but never with the fans on. It's like that's too much weight and some connection is broken. Is anyone familiar with this problem?

I had this issue previously with a different motherboard and fixed it by using a stock heatsink. But this is a fairly simple CoolerMaster 212. It's not massive. I feel like it's a problem with the board or the socket.

More details: when I uninstalled the old motherboard in this build, it had the same CM212 heatsink in it. When I removed that heatsink the CPU (Ryzen 5700) came out with it to my horror. Neither that CPU nor that motherboard are in this build though. But that CPU was supposed to be. It did have bent pins and I did try to install it before discovering the bent pins. After straightening them the CPU still didn't work so I switched to an old Ryzen 1600, which is currently being finicky. Maybe I damaged the motherboard socket?

[-] sudo@programming.dev 88 points 7 months ago

This is why Mamdani is so important. Average progressives are going to finally see what socialists have been saying for decades. If you want to move left on anything economic, if you just want to raise the minimum wage $1, the Democratic establishment will treat you as the enemy. They will come at you harder than they do the GOP because they can and because you are a threat to them personally.

[-] sudo@programming.dev 140 points 8 months ago

If you want a sample of how crazy Chinese history can get, look at the Taiping Rebellion:

  • Student fails Civil Servant Exam for the third time and has a mental breakdown
  • starts claiming he's Jesus' little brother who trained him to fight demons in his dreams
  • more dead than WWI

[-] sudo@programming.dev 150 points 9 months ago

In Germany, we have the Clearingstelle Urheberrecht im Internet (CUII) - literally 'Copyright Clearinghouse for the Internet', a private organization that decides what websites to block, corporate interests rewriting our free internet. No judges, no transparency, just a bunch of ISPs and major copyright holders deciding what your eyes can see.

This is worse than whatever the UK is doing IMO.

[-] sudo@programming.dev 82 points 10 months ago

For the record: numerous women have spoken out against Trump for sexual misconduct while underage. All the named ones are from Miss America or Miss Universe competitions. A couple of Epstein's victims have filed charges against Trump too but those remain anonymous.

[-] sudo@programming.dev 262 points 11 months ago

Utterly delusional to think any of that would work. At every step you would just get your face beaten in. When the cops come they too will just beat your face in.

Thinking you can castle doctrine a squad of ICE agents is equally delusional. You could probably take a couple out but you'd still die in the end and be risking the lives of anyone that lives with you.

The only solution is well known and already in practice in places like LA: have an active community response force that will show up and intimidate and harass the ICE agents. All of the previous delusions assume you, alone, can stop ICE with just your privilege.

[-] sudo@programming.dev 122 points 11 months ago

Because then the US and every other IAEA signatory would be obligated to sanction Israel, which would be the end of Israel's economy.

No news media dares mention it because they have no proof and would both lose any insider access and get buried in libel cases.

[-] sudo@programming.dev 89 points 2 years ago* (last edited 2 years ago)

Jayapal said one plan is to propose a raft of executive orders President Biden could issue to "protect existing structures," such as shielding career civil servants and Justice Department officials.

Yes! Good!

Some Democrats are also sensitive to the perception that they are adopting the tactics of Republican state legislators who used their supermajorities to kneecap incoming Democratic governors.

Fucking gouge my eyeballs out. You can't call them fascists and then object to playing dirty against them.

"We're trying to show how the United States is supposed to conduct itself every four years when a new person takes over the reins of government," said Cleaver.

McConnell denied Obama a Supreme Court appointment! The precedent is already set! Your norms are already broken!

If Democrats want to win they must purge their own ranks of members like Cleaver and rebuild with more Jayapals, or else they will keep ceding ground to fascists.

21

I start my coding workspaces in tmux sessions which persist when I log out. If I switch from a wayland session to an x11 session, then my copy and paste functionality in those neovim sessions is broken because it's still trying to use wl-copy. To be more precise:

  1. Start a wayland session.
  2. Open a terminal and start a tmux session.
  3. Open neovim and do some work.
  4. Log out of wayland, log into an X11 environment
  5. Open a terminal and reconnect to the tmux session
  6. "+y broken. clipboard: error invoking wl-copy: Failed to connect to a Wayland server...

Restarting neovim isn't sufficient. I have to restart the entire tmux session or switch back to wayland. Is there some short cut I can take here?

[-] sudo@programming.dev 189 points 2 years ago

The analysis revealed that the Debian Linux configuration was not included in their test matrix.

You might as well say you don't support Linux.

"Crowdstrike's model seems to be 'we push software to your machines any time we want, whether or not it's urgent, without testing it'," lamented the team member.

I wonder how this shit works on NixOS.

[-] sudo@programming.dev 78 points 2 years ago* (last edited 2 years ago)

Patrol Cop once told me a joke about how he ran over a black kid's bike. When he got back to the station he saw the kid at the desk trying to report the incident. He'd carried his busted up bike the entire way. The cop behind the desk called out "Hey Rob, did you run over this kid's bike?". "Nope". Case closed. No report filed.

Edit: PS: This was one of the "good ones". He voted Clinton in 2016 because the rival faction in the Union was showing up to Trump rallies in class A's. Took him the entire Trump admin but he works retail now.

23

Everything I read says it's a feature enabled in whatever compositor you choose, if your compositor supports it. Why isn't there a general purpose keybinding program like setxkbmap? Does it just not exist yet or must it be built into the compositor?

I've read [this stackexchange thread] on something related but it all seems to be using XKB which should imply I'm using XWayland?


sudo

joined 2 years ago