Відео

You should only have one gateway on a system (unless its a router itself)

draw.io

Doesn't appear to. Hoping for OpenWRT support eventually.

Thanks!

you can convert single drives to/from mirrors or add more disks to a mirror using zpool attach and zpool detach. In this example I attach the one new drive then detach the one old drive (so it goes single -> 2-way mirror -> single), but you could just as easily prep the 2 new drives (using the same boot / efi partition process on each drive) then attach both (now in a 3-way mirror). Once resilvering is done with both drives, you can detach the first (now in a 2-way mirror).

@@apalrdsadventures thanks for the information I have started to do it now and when I write the partition file back to the first new disk (not tried the other yet) it comeplets but i get this error too Partition 1 does not start on physical sector boundary. is this ok?

ok also just realized my single boot drive is not in a zpool by its self am i screwed here?

hrm I wonder if your existing drive is using 512 byte sectors and the new drive is using 4096 byte sectors? Usually we partition everything assuming 4096 byte even if the drive claims 512 byte. As to the zpool, is the zpool combined with more disks or is it not using zfs at all?

@@apalrdsadventures Yes its using 512 if i recall now when i installed (just installed with the proxmox installer gui) i remember thinking why would i use zfs with only 1 drive so didnt now that im learning im moving over to 2 drives in a zfs pool, do i have a way around this?

That looks super useful, especially in a test environment

In general a Git repo is stored as files in a folder, so recovering it doesn't require Gitea to be running. As to recovering infrastructure, sometimes it's good to have a bootstrapping plan on how to setup a minimal set of functions to get the code back to provision everything again.

@@apalrdsadventures I assume that Ansible, Terraform, and other related tools are part of a good recovery plan. Is your Ansible video still in the works?

Ansible is in the long term plans, not being produced yet. I'm slowly working on setting up some things I'd like to have in place before I start with IaaC (specifically, Netbox). I won't make a video until I'm using Ansible, so that's part of the delay. I did work through a Netbox test setup, so at least that is moving along and a video on that will come out eventually. I did just have to do a disaster recovery (ironically, the backup server itself failed) and the PBS dataset was very useful. I'll probably have a video on mounting / using PBS datasets for disaster recovery soon.

Moonlight would be lower latency.

The mobile devices generate a random MAC, but it does not change over time for the same network. So you can initially log them in with the 'default' password, find the MAC they are using, and then change the password for that MAC specifically. Visitors get the default password / vlan.

@@apalrdsadventures WoW I did not realized that. Thank you a lot.

@@apalrdsadventures I have microtik as main router. So I tried to figureout how to setup this only with UserManager as a Radius server. But I did not find out how to do something as you did with mobile generated MAC adrs. So I thing, that I have to setup Radius server as you did. Thank you a lot for this video.

I'm guessing their UserManager has an implicit default deny if there is no user. Instead, I have default accept with a default password.

File and LDAP are the options with Authelia. LDAP is a bit of a lowest common denominator, it's so old that it's generally the core of most big networks. Some more complex options support other backends, for example Keycloak supports Kerberos.

Mutual TLS works well, but requires client-side involvement

It's more popular when there's overlap with Home Automation, but it's also an app I use that has no authentication and made a good demo

add enx1.2 and enx2 as bridge ports on a non-vlan-aware bridge.

Is the setup as "simple" as the authelia setup seems here? And how easy is it to integrate it with common applications like nextcloud, jellyfin, etc?

basically just that. There are 29 possible 20mhz channels in the 5ghz band, over half of which are in the DFS region, and not including DFS there is not a single 160Mhz channel possible (just one 80+80). There are 59x 20mhz channels in the 6ghz band, and currently there are barely any users of that band, so it's currently realistic to use higher bandwidth channels (80Mhz and beyond) without having a bad time. 6Ghz will have somewhat less range indoors than 5Ghz for the legal transmit power limit, but it's not a drastic difference like it is between 2.4 -> 5Ghz.

Currently have a Protectli FW4B as 'primary' and a FW4C as my test system, but I eventually plan on swapping the two.

@@apalrdsadventures Those look really nice. Thanks for the info!

Yep. I use pfsense's HAProxy and ACME to handle the certificates for Let's Encrypt. Real happy that it supports DNS to verify the domain.

client TLS certs are an extremely secure form of auth if the CA is properly hardened / offline I've been using client tls certs before I had this setup, it's just a pain to re-key clients every few months.

@@apalrdsadventures hello, can authella be used to add 2FA to wireguard?

I'll consider it... it does Kerberos so maybe

@@apalrdsadventures Thank you! I don't have much experience with Kerberos Know there are some cool SSO Stuff

Kerberos is actually quite old (Developed in the 80s), so it's unrelated to 'modern' standards like TLS and doesn't even use public key cryptography at all (purely AES). So while it's extremely well designed from a security and usability standpoint, it's hard to integrate into web apps and requires a client program. Microsoft Active Directory uses Kerberos auth for domain joined computers, so that's where it's most commonly used. The client requirement means it's really only usable on domain-joined or similarly managed devices.

Authelia itself has a GUI for managing password reset and TOTP/WebAuthn configuration. The only thing 'missing' is the initial user creation.

if you connect to an LDAP service you can create users with a GUI. LLDAP is an easy, lightweight way to do this

I'm expecting this to be used by people with <20 users, where adding them to the file is weighed against the suffering of running an LDAP server

RADIUS, LDAP, SAML… Kerberos, NTLM, OIDC, OAuth 2… Fk me no wonder so many apps don’t implement SSO, it shouldn’t be this hard…

Part of the issue is that different industries have different historical standards which they follow. RADIUS came from dial-up authentication and became the standard in everything networking (like 802.1X), OIDC/OAuth run over HTTP(s) so they can be done by web apps without an installed client, and Kerberos is a great solution and could be universal but is really only possible on domain-joined computers (at least with current implementations), unfortunately.

@@apalrdsadventures Yeah it definitely makes sense how we got to this point, just sad we haven't seen a unified push to adopt or build a universal standard. And I don't think we're likely to see it happen in my lifetime...

fixed