

Devops is a meaningful term
You’re out here solving impossible problems. You’re “The Fixer” from Pulp Fiction. Fools look at story points. Pros see an unsolvable story that languished for years until you came along and defeated it. A single point for you is an entire epic to other teams.
Everything is a differentiator that can be spun to your advantage. The points aren’t accurate, and you’re the only one with enough guts to step up to the plate and finally work these neglected tickets; even if it won’t “look good” on some “dashboard” - that’s not what’s important; you’re here to help the organization succeed.
If the system doesn’t make you look good, you have to make yourself look good. If you weren’t putting in the effort, it would be hard - but as you say, everyone who takes a deeper look clearly sees the odds stacked against you, and how hard you’re working / the progress you’re making; despite those odds.
Don’t let some metrics dashboard decide your worth, king!
I’m very flaky here, as rust is the big one, but I think zig and/or nim might be
Indeed, and good points. How many users do you have? I assume this isn’t just for you, and setting up multiple nfs shares with tailscale access policies isn’t feasible. SMB might be the best play. I’ll have to refresh my memory on file sharing protocols
NFS for storage, tailscale / wireguard for access control?
Your current setting is the “loopback” address. You’re listening for traffic to this address, and the only thing that can send to the loopback is yourself. This is a safe default, it means only the computer running the software can talk to it. Generally 0.0.0.0 listens on all available addresses. If that doesn’t work, use your local / internal ip.
This ui smells like it’s trying to hide the implementation details, but that makes things extremely difficult when troubleshooting
Vscode already supports linting yaml against a schema file. Once you start configuring your code with configuration-as-code, you’re just writing more code.
If I need to “generate” some insane config with miles of boilerplate, I would use js to build my json, which can be ported to just about anything. This would replace js in that process.
I’m not sold on the need for this.
Even with something like k8s, I’d reach for pulumi before I put another layer on top of yaml.
You can reduce doorknob turning dramatically by running on a non-standard port.
Scanners love 80 and 443, and they really love 20, but not so much 4263.
I used to run a landing page on my domain with buttons to either the request system / jellyfin viva la reverse proxy. If you’re paranoid about it, tie nginx to a waf. If you’re extra paranoid, you’ll need some kind of vpn / ip allow-listing
That looks promising. Just keep in mind that this will take a very long time to run. I believe there is a *arr out there that can manage this / show progress, but the name escapes me
Other comments here do a great job pointing to DH key exchange; I’d like to try explaining it with the paint analogy.
You and Youtube need to agree on a “color of paint” (encryption key) without ever sending it over the network.
You and Youtube agree on a common “yellow” in the clear, and you each pick a secret color. Youtube mixes yellow and their secret and sends it to you. This is okay, because un-mixing paint (factoring large prime numbers) is really hard. You add your secret to the mixture, and now you have yellow+Youtube’s secret+your secret.
You mix yellow and your secret and send it to youtube. Youtube adds their secret; now they’ve got yellow+Youtube’s secret+your secret. You both have the final color!
An eavesdropper can’t reconstruct this - everything sent over the network had yellow mixed in, and un-mixing paint can be really hard. Maybe you can guess that green minus yellow is probably blue, but you can’t get close enough to decrypt anything. And what if it’s brown? Is that blue + orange, or is it red + green?
Cryptographers have worked very hard to make the communications secure. I would be more worried about the other end ratting you out - using a relay / proxy / vpn that you trust is a good idea :)
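The paint-mixing exchange above, written out with modular exponentiation as an added example (not part of the original comment). The modulus, generator and all function names are assumptions chosen for illustration; the modulus is demo-sized, and real deployments use standardized 2048-bit or larger groups, or elliptic curves.

```python
import hashlib
import secrets

# Public parameters, agreed in the clear (the shared "yellow").
# Assumption for this example: a demo-sized modulus, not a production group.
P = 2**255 - 19   # a well-known prime, used here only as a modulus
G = 2


def pick_secret():
    """Each side's private colour: a random exponent that never leaves the host."""
    return secrets.randbelow(P - 3) + 2   # uniform in [2, P-2]


def mix(secret):
    """Mix the secret into the common colour; this value is sent in the clear."""
    return pow(G, secret, P)


def check_public(value):
    """Reject degenerate peer values (0, 1, P-1) that force a predictable result."""
    if not 2 <= value <= P - 2:
        raise ValueError("peer public value out of range")
    return value


def finish(own_secret, peer_public):
    """Add our secret to the peer's mixture, then hash it into a symmetric key."""
    shared = pow(check_public(peer_public), own_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def exchange():
    """Run both sides; return each side's key, the wire transcript, and the secrets."""
    you, site = pick_secret(), pick_secret()
    sent_by_you, sent_by_site = mix(you), mix(site)
    # Everything an eavesdropper sees: parameters plus the two mixtures.
    wire = {"p": P, "g": G, "A": sent_by_you, "B": sent_by_site}
    return finish(you, sent_by_site), finish(site, sent_by_you), wire, (you, site)


if __name__ == "__main__":
    key_you, key_site, wire, _ = exchange()
    print("keys match:", key_you == key_site)
    print("seen on the wire:", sorted(wire))
```

The range check in `check_public` matters because this exchange is unauthenticated: without it, an active party on the path could substitute a value such as 1 and make the "shared" secret a constant.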
I don’t do anything interesting. I’ve got the ten workspaces, and win+p to start stuff.
The only interesting thing is win+PrintScrn, which takes a screenshot to /tmp, and then opens it in pinta to crop.
Actually I also have win+z bound to turning off the laptop screen. That’s all I can remember
JavaScript / TypeScript are famously free-form, but a number of styles (and style-enforcing tools) have emerged.
“Prettier” is the most recent. It actually parses your code into an AST and then re-prints it according to its style.
“ESLint” is the most widespread; it is more of a framework into which rules can be plugged.
I use “XO”, which is essentially a custom eslint ruleset with a few other nice things tacked on.
The best part of eslint/xo is the “--fix” command, which can auto-fix most mistakes.
The VPN catches all network traffic and puts it far away - you can’t be on vpn and see local network resources (casting targets) at the same time.
If your vpn has an app, check your settings for something like “local network access”.
Otherwise, start reading about split-tunnels and/or default gateways
I think we’ll see some very cool stuff start to happen once Veilid’s block storage is off the ground
Optimus gets complex quick. You’ll be reading pci bus ids before you know it. Keep the wiki open, go slowly; you got this :)
Yes - the nodes are obsidian pages (markdown files), this view is a napkin-type layout thing that is built in; I haven’t played much with it
You’re running docker inside a vm? Why?
The first thing I would do is learn the 5-layer OSI model for networking. (The 7-layer is more common, but wrong). Start thinking of things in terms of services and layers. Make a diagram for each layer (or just the important layers. Layers 3 and up.)
If you can stomach it, learn network namespaces. It lets you partition services between network stacks without container overhead.
Using a vm or docker for isolation is perfectly fine, but don’t use both. Either throw docker on your host or put them all in as systemd services on a vm.
In networking, you generally either have an authentication mechanism, or you don’t.
It sounds like you don’t have “control” (can install a vpn) on the client devices. This makes authentication difficult. We need some aspect of the client that the server can use to make a decision.
Without touching the client, there’s only really two details we can use - the source ip address of the client, and the port that they are connecting to.
If a client wants to connect to the default minecraft port, it could be a scanner - but if it’s non-default, then the probability of being a scanner is much lower.
A firewall to do geo-based ip blocking will also cut down significantly on noise.
After that, minecraft’s built in authentication is pretty good.
With all of the above, we would know that the connector is coming from an allowed location, knows to ask for your non-standard port number, and has a valid minecraft account - that sounds pretty good to me.
And if you’re running a cracked server, there are other assorted tricks to avoid bots. I ran an open-to-the-world, default port, no auth server for some time; and probably ran into a single robot. Thankfully I shut things down before log4j
Spread-spectrum audio watermarks will survive multiple re-encodings and are extremely difficult to detect.
Iirc google widevine will embed a device code, and if a pirated copy of some content is found, they will blacklist the gpu’s device code so it can’t receive 4k content anymore. That’s video, but it’s the same idea.
I love grammars. It’s like an API or a data schema, but for a language. This would be very cool and I would love to see it!