gyptazy
@gyptazy@gyptazy.ch
where I created the email:
support@manpageblog.boxbsd.bsd.hosting.gyptazy.ch
finally, I save money :)
Currently I only see:
* Providing dummy fee by CC, SEPA or PayPal (or a small one-time setup fee). But dealing with money means to have much more data safety in place. I do not want to have knowledge or anything else of banking data etc. Next, it could lead into issues with tax offices.
* No joke: Sending a real letter to the residence address of a user (which just takes too long, overhead and money from my side to send a letter)
I already use dedicated networks for this service to be at least safe from blacklist etc. for my personal systems. It's really a pity...
Some may remember #BoxBSD which got heavily abused during the beta test. Now, I'm trying it again with long-term VMs. Currently, I grant only VMs to very active user accounts that are providing valuable content to the community (in the hope they're not abusing the service, especially not in a bad way). However, this feels unfair, especially as I want to target people that cannot afford VMs to learn and practice on #FreeBSD, #NetBSD and #OpenBSD - especially when it requires a static IP for name server etc.
Currently, I have no clue except for processing financial data like SEPA, PayPal etc. to have at least a minimum of safety. I thought about GPG, by signings - but I guess GPG is not really used by newer dev- & sysops.
I'm hosting these services for free, with my personal efforts and hardware. I do it to bring some help and valuable things back to the community and especially to newcomers in this field but I don't want to deal every time with DDoS, email spamming, torrent or tor exit nodes. While this is still annoying, there're still some other things you really don't want to deal with. So, I need a useful safety net for me.
Sharing some technical details about how I'm setting up the hosted email service. It will not be a service of BSD Cafe but tied to my own business. It will run entirely on BSD systems and on bare metal, NOT on "cloud" VPS. It will use FreeBSD jails or OpenBSD or NetBSD VMs (but on bhyve, on a leased server - I do not want user data to be stored on disks managed by others). The services (opensmtpd and rspamd, dovecot, redis, mysql, etc.) will run on separate jails/VMs, so compromising one service will NOT put the others at risk. Emails will be stored on encrypted ZFS datasets - so all emails are encrypted at rest - and only dovecot will have access to the mail datasets. I'm also considering the possibility of encrypting individual emails with the user's login password - but I still have to thoroughly test this. The setup will be fully redundant (double mx for SMTP, a domain for external IMAP access that will be managed through smart DNS - which will distribute the connections on the DNS side and, in case of a server down, will stop resolving its IP, sending all the connections to the other). Obviously, everything will be accessible in both IPv4 and IPv6 and in two different European countries, on two different providers. Synchronization will occur through dovecot's native sync (extremely stable and tested). All technical choices will be clearly explained - the goal of this service is to provide maximum transparency to users on how things will be handled.
#BSD #FreeBSD #OpenBSD #NetBSD #emailHosting #encryption #ZFS #dovecot #opensmtpd #rspamd #emailSecurity #techTransparency #ipv6 #Europe
Let’s see what will come next week…
Happy Easter!
#arm64 #aarch64 #vagrant #vagrantcloud #applesilicon #vm #vmware #fusion #bsdcafe #netbsd10
Last successful back: 6 years ago
Last run: Failed
just kidding... I'm not doing any backups at all.
Ok, ok, still kidding
src: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
PostgreSQL maintainer Simon Riggs has died in a small airplane crash, on Tuesday.
For those who didn't know Simon, he's responsible for PostgreSQL Binary Replication and many big data features. He and I worked together at Greenplum 2006-2008. Postgres would not be the world-leading DB it is today if it weren't for him.
Here you find more information about it and how to install/use it.
https://gyptazy.ch/blog/proxmox-new-import-wizard-for-migrating-vmware-esxi-virtual-machines/
Being too long absent in this topic feels like starting from scratch again…
Now, I’m running a friendly beta test within the #BSD Community (primary #BSDCafe & BSD fans) for free small sized hosted #VMs / #Jails (IPv6 only).
The first system is already full. Let’s see how this will be (ab)used?! Maybe, the next stack will start after Easter.
CC: @ben@kwiecien.us
Not going into details, this should not result in flamewars. We should be happy that we have the possibilities to choose.
2x Epyc 7473X 24 cores (48 threads)
1x Epyc 7453 28 cores (56 threads)
Please don’t ask any questions why different cpus were used 😉
🔐 Linux 6.9 Adds New RISC-V Vector-Accelerated Crypto Routines - Phoronix
「 RISC-V with Linux 6.9 implements support for more vector-accelerated crypto routines. Among the work is RISC-V vector accelerated AES-{ECB,CBC,CTR,XTS}, ChaCha20, GHASH, SHA-256, SHA-384, SHA-512, SM3, and SM4 algorithms 」
I need to process more than 8TB of photos and additional TBs of videos…
So, sure - let's go! You'll find it here (currently uploading):
https://app.vagrantup.com/gyptazy/boxes/casaos0.4.7-debian12-arm64
- #Debian 12 #AnsibleSemaphore
- #FreeBSD 14 #snac (#ActivityPub / #Fediverse)
- #Debian 12 #Nextcloud 28 (#nginx / #mysql)
What do you want next?
#AppleSilicon #virtualization #aarch64
https://gyptazy.ch/blog/collection-of-vagrant-boxes-images-for-apple-silicon-based-on-arm64/
The series of articles on the quest for one's digital freedom continues: Make your own E-Mail server - Part 2 - Adding Webmail and More with Nextcloud
https://it-notes.dragas.net/2024/03/21/make-your-own-email-server-freebsd-adding-nextcloud-part2/
@patrizia
Linux still doesn't have an actual jail feature. Or CTRL-T. Or faster networking. Or a ZFS-compatible license.
But GNU/Linux is 20% slower with ZFS and 100GbE networking.
There's a reason they're leaving, but I have no idea what it is.
@trashheap
[*] At least for now. It's a bit of a chicken and egg situation, isn't it? Content creators won't come here because we don't have two billion users. And users won't join en masse because their favourite content creators are still on TikTok and Instagram.
Indeed, it's exactly this one! When it comes to me, I run my own fediverse instance but I still enjoy X much more than the Fediverse. All the interaction, integration and UI related things are nicer and more usable for me. Dealing with different clients, different functionalities, different UIs is a pain - I love it streamlined.
But why am I here? This question can be answered easily - because of the content with much value! Especially when someone is deeply into tech, you find great people providing awesome content with much value. That's also what I try to do here - provide some valuable content. But I guess this is more a thing for people living the opensource way (and we are honestly a niche).
QualvoSec is supposed to be very minimalistic and only to keep the systems up to date on the latest patches given in a used repository. In theory, you could already do this with the whitelist mechanism and defining the package version (https://github.com/gyptazy/QualvoSec/blob/main/src/server/patch.yaml#L20-L21), but in that case you need a utility to include all the packages (sure, you could do this by hand but you probably don't want to do this).
1. This leads us to the first solution. It could be done by the admin tool and generate the patch manifest. Current packages can be requested from the client if the http server is activated (optional, up to everyone to use it).
2. A solution could also lead into freezing the repositories itself but only works when having own repositories (e.g. with aptly, repomgr, etc.). This is independent of QualvoSec.
3. Don't integrate similar solutions
I can clearly see the reasons and needs for patch freezing (especially when having the typical ends for dev, stage and prod). I'm happy to hear more feedback and I will have a look into such an implementation. Thanks!
"If you’re a new creator and you’ve been trying to grow your #TikTok platform, don’t!"
Imho, if you want to contribute, like in opensource and bring in value for the community - yes you're right. But if you want to make money, TikTok & Co is probably the better way.
Just my 2 cheap cents...
My internal papers:
https://cdn.gyptazy.ch/tech-talks/QualvoSec_Security_Patch_Management/QualvoSec_A_Security_Patch_Management_Tool.html
Nothing: | 7 |
<10$: | 7 |
<20$: | 12 |
<50$: | 12 |
>50$: | 20 |
Closed
Endkiller solution: Just keep your phone home (which might be difficult nowadays)
I had similar ideas only for vacation, but having flight plan, credit card etc. on it already killed that idea. But the watch was able to also solve this.
For me, it's just going out with my watch on my wrist. Still able to communicate by email, iMessage, sms and to answer phone calls. But that's not all - I can still track my sport activities, pay by nfc, open the door at home, open the car etc. What I could do - but isn't fun at all - write on matrix, X, Fediverse. I could, but I also deactivated all notifications. Social media is only pull - I do it when I have time, instead of push and getting anything of a pressure or similar.
The dir is browsable and contains all ones:
https://cdn.gyptazy.ch/files/docs/freebsd/jails/
I cannot say this too often - not only from a team leading perspective, but also from a good friend one!
I joined in freshly, they taught me - I taught them! Together we improved day by day! Almost 10 yrs later, the team is still the same - no one left. I think I can say that everyone enjoys the work and everyone is doing a really great job! I really love this team and it works out that well because we're:
honouring, understanding, trusting & respecting each other!
This is not only about "happy posting" etc. - it's more about also getting taught. It does not automatically mean that a teamlead is always right. It does not mean that this person is always choosing the right path. And it is really good and important that everyone can take the opportunity without any fear to talk about any concerns. This should always be taken seriously, no one can know everything and no one is always right! What did I say in my first sentence - they taught me! And yes, this was the first thing what happened. They taught me!
But what is my hope? I had two really (and I mean it this way) good mentors. I hope I can be the same for other ones. Helping to improve, to become better... But everyone is special in their own way and needs to be treated that way. Hopefully, I can find the right directions...
@padukajorat@mastodon.social (all credits to him!) released his FreeBSD Jails - Part IV sheet! This series of slides is perfect for explaining jails to new users!
The PDF (and all other parts) are hosted here:
https://cdn.gyptazy.ch/files/docs/freebsd/jails/FreeBSD_Jails_Part_4.pdf
Got one very cheap at netcup.de
Keep in mind: You should always have an additional monitoring node out of your own infrastructure!
@gyptazy @alpinelinux there is no bhyve on OpenBSD. Never tried FreeBSD except for OpnSense. Also I guess I am used to my favourite stack KVM with libvirt.
One of them also runs a production tor node (https://gyptazy.ch/misc/running-a-riscv-based-production-tor-relay-node/) and another one this Fediverse instance :)
But sure, KVM does its job great. :)
But I can also fully understand and see the needs of everyone else running Linux - so I created the related Linux images and collection for RV.
#amd64 offers the best support and is fast.
#arm64 is very efficient and also very fast.
#riscv is amazing & exciting (but slow with my current hw, but I can deal with it)
While amd64 & ARM64 work perfectly fine with #FreeBSD, the #RISCV hardware support (besides #qemu stuff) is still very limited. Currently, #Ubuntu and #OpenBSD work very well there.