It’s the meme version of a laugh track

Copper is antimicrobial, so it’s a pretty nice feature to have on a keyboard - you won’t be catching MRSA from these keycaps! Unfortunately copper’s way too expensive to be used in hospitals (or on my keyboard).

I just watched Hit Man, which claims there aren’t any such thing as hit men in real life - clearly that’s not the case!

“Commentator posts hot take, demonstrating a massive lack of empathy to people doing a stressful and important job.”

I guess some people might go with f-s-tayb, but I wouldn’t necessary recognise what they were saying.

True, most updates I don’t actually care about. I haven’t had any updates cause problems yet, but I like that I could choose to not enable updates on anything with a bad history (or critical stuff where I don’t want to run the risk).

Yes, I still have it showing up in Windows/Android, and phone numbers show their cost per minute.

I have a load of credit on there still (got tricked by them deactivating my credit and topped up unnecessarily). I still use it for international calls at least once a month, I hope this news story is overblown.

This is one of my favourites, despite the lack of Hobbes.

autoupdate is something I wouldn’t use

Yup, I expect lots of people feel like that, maybe most (I’d be interested to see some stats). I value security over availability, but you can choose per-container, of course.

network

You can set Internal=true, which I use whenever possible, which means access is only to anything on same network (for me that’s itself and Caddy) - no outgoing connections at all. Podman uses PASTA by default for rootless.

The docs say what they do and don’t do - and they don’t do that. Just actually read through them for yourself, you don’t have to be a lawyer.

This is just a bit of corporate box-ticking, but the pitchfork brigade has read 2 + 2 and is now screaming about 5s.

https://archive.ph/EszIB

In the advertising bit they say what data they use and it’s all broad stuff like device type and location, as well as aggregate data on how many people click on the ads. Of course, you can just disable this, which surely most people do - tbh I forgot there was even this “sponsored content” there at all (it was added a while ago I think).

They don’t say that your browsing habits, interactions or communications are used for anything besides doing what’s required to actually do what you asked.

Yes, Mozilla does some AI, like the in-browser, privacy-respecting language translation. If you use the same feature in Chrome, the text is submitted to a Google server, but in Firefox it never leaves your browser. I don’t see how this could be spun to count against Firefox/Mozilla.

My pleasure! Answering your question is a good motivation to actually document my setup.

Also, if you’re moving configs over, you might find podlet useful.

The Privacy Notice doesn’t say anything problematic at all, why is everyone acting like Mozilla is going to be feeding every keystroke into a database/AI? It’s just saying that they’re allowed use your inputs to browse to the sites you’ve asked for, and to give the form data/uploads/mic/whatever to the sites you’re using.

A few words cherry picked from the middle of a sentence isn’t how legal stuff works.

I use Caddy (with the Cloudflare module to handle the ACME stuff) as just another container. My setup is more classic internet server stuff - it’s a VPS and all the services are internet-facing, so the DNS is via standard DNS records. Every service is on its own subdomain.

My Caddy config is pretty minimal:

$ cat caddy/Caddyfile
{
        # Global configuration
        acme_dns cloudflare myapikey
        email mycloudflareaccount
        debug
        servers {
                metrics
        }
}

manga.example.com {
        reverse_proxy kavita:5000
}

...more containers

# healthcheck target
:8080 {
        respond 200
}

$ cat .config/containers/systemd/caddy.container
[Unit]
Description=Caddy reverse proxy
After=local-fs.target

[Container]
ContainerName=caddy
Image=caddycustom
Network=kavita.network
...more networks
PublishPort=1080:80
PublishPort=1443:443
PublishPort=1443:443/udp
PublishPort=2019:2019
Volume=${HOME}/caddy/Caddyfile:/etc/caddy/Caddyfile:Z
Volume=${HOME}/caddy/data:/data:Z
Volume=${HOME}/caddy/config:/config:Z
Volume=${HOME}/caddy/httpdocs:/var/www/httpdocs:Z
HealthCmd=wget -q -t1 --spider --proxy off localhost:8080 || exit 1

[Service]
Restart=always
ExecReload=podman exec caddy /usr/bin/caddy reload -c /etc/caddy/Caddyfile

[Install]
WantedBy=multi-user.target default.target

I have a dedicated podman user (fairly restricted, no sudo, etc) that just hosts podman (i.e. the service containers and Caddy). As it’s all rootless, I use firewalld to make caddy show up on ports <1024: firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080. I prefer the tiny performance hit to mucking around with the privileged ports but for completeness you can do that with sysctl -w net.ipv4.ip_unprivileged_port_start=80.

I don’t specify subnets at all; I specify podman networks (one per service) and let podman handle the details.

I HATE those sites where popups come up when you are halfway reading something.

Agreed, if I did want to sign up it would be when I’ve finished, not when I’m trying to read your own bloody content. I often sign up using their own domain with something like sales@ or something ruder. Petty, but it’s a small vent. and if one person stops because of it I can die happy.

I love quadlets, here’s an example:

$ cat .config/containers/systemd/kavita.container
[Unit]
Description=Kavita manga server
After=mnt-files.mount

[Container]
ContainerName=kavita
Image=docker.io/jvmilazz0/kavita:latest
AutoUpdate=registry
Network=kavita.network
PublishPort=5000:5000
Environment=TZ=Etc/UTC
Volume=/mnt/files/books/comics:/comics:ro
Volume=/mnt/files/books/gnovels:/gnovels:ro
Volume=/mnt/files/books/manga:/manga:ro
Volume=${HOME}/kavita:/kavita/config:Z
HealthCmd=curl -fsS http://localhost:5000/api/health || exit 1

[Service]
Restart=always

[Install]
WantedBy=default.target

$ cat .config/containers/systemd/kavita.network
[Network]
NetworkName=kavita
Options=isolate=true # library add uses Kavita site

If you’ve dealt with systemd service files this will look familiar, with the addition of the container section.

AutoUpdate=registry gives you automatic updates to ‘latest’ (or whatever tag you’ve set) and there’s rollbacks too, so you just have to worry about the less-critical bugs in newer versions. Personally, I feel more secure with this setup, as this box is a VPS.

Network=kavita.network - I put all my containers in different networks (with minimal privs, so many don’t have outgoing internet access), and my reverse proxy is also in all of those networks so it can do its thing.

This is gloriously insane and I love it.

And then to casually drop in that