Cloudflare Tunnel is free and a good solution for those behind CG-NATs or an ISP firewall. It also offers effortless DoS protection.
I will admit, however, that I think it’s slightly “cooler” in some sense to host your site directly from your home, with no assistance from Cloudflare or other giant tech companies, even if you don’t really get much tangible benefit from doing it that way.
(By these standards of course, my personal site is rather lame because it’s just your standard Jekyll + GitHub Pages site.)
What are the risks of port forwarding and hosting on home network? I get the general risk of giving the public internet direct access to my home devices. But how do people specifically exploit this? It depends on me misconfiguring or not properly locking down the web server, right?
Pretty much, but nobody has ever made an unhackable server. So even if you “properly” configure the server it’s not 100% secure because nothing is.
I did get my router hacked and it had third-party malicious software installed on it, and it didn’t function until I got the NetGear people to fix it, which is why I installed fail2ban; it has worked so far. But nothing is foolproof.
Let’s assume you forward port 443 to your Pi running Apache. You’re basically exposing the following bits of software to the Internet:
Your kernel’s TCP/IP stack
Apache
Any software you may choose to place behind an Apache reverse proxy
The biggest risk is an RCE in any of those pieces, because you’re truly pwned, but I’d lay pretty long odds against an RCE in the Linux network stack, and I don’t think your average Apache config is at much risk either – these things have both been highly battle-tested. Some sort of denial-of-service exploit is more likely but again, Linux+Apache have powered a huge chunk of the Internet for the last 25+ years. Now, if you write an HTTP server which executes arbitrary shell commands from the body of POST requests and proxy it behind Apache, you have only yourself to blame…
I expose HTTP and a few other services from my home network via port forwarding. I don’t lose sleep over it.
I agree. I’ve been Linux-as-my-main-desktop for 20 years. 2-3 years ago, Wayland was essentially unusable for me (despite a lot of stuff urging me to use it). Today, it’s got its quirks, but it’s usable, and actually a bit better than X in general. I’m not that deeply involved in the guts, but I appreciate that a lot of work got done to get it there.
This was my experience about 2 years ago. Then about 6 months ago I began experiencing crashes in GNOME. Civ V crashes non-stop, shortly after loading a game. A Firefox video popout over a fullscreen video game. Or switching desktops when VLC is playing on another workspace. All three scenarios would hard crash GNOME, leaving me with a terminal showing ^@^@^@^@^@^@^@^@^@^@^@^@. A couple weeks ago I decided to switch back to Xorg because it became untenable :( It is a shame because (a) it was working nicely before that but also (b) it seems like the compositor as grandparent of everything is destined to make these bugs lead to the most painful failure modes forever.
Yeah the only issues I tend to have are when there’s a legacy application that’s displaying via XWayland and it’s not doing something i take for granted from Wayland.
I do feel like Windows 7 was the last bearable release of Windows. There wasn’t anything completely infuriating about it, and it was good as far as Windows goes. Then came 10 which just felt like a mess with no benefits over 7 and a lot of half-finished parts. Windows 11 is by far the worst thing I’ve ever used, not just Windows. From 10 onward I really started cursing the need to use Windows in my day job, and I am so thankful that I can now use Linux and FOSS for both work and play. At least with Windows 7 I could sort of forget I was using Windows from 9-5.
You know, I was so preoccupied with giving faint praise to Windows 7 and cursing Windows 10 and 11 that I forgot to comment on this article in particular: notice how much of what makes legacy Windows usable is FOSS. Firefox, LibreOffice, etc. Think about your less technical friends and family who are fretting about replacing perfectly good computers because they can’t upgrade to the latest version of Windows. Help them migrate to the more sustainable FOSS options like [insert your distro of choice; mine’s Fedora]. Honestly, hardware support is great and all the software they need is right there.
I haven’t used it much but I’m under the impression they added these kind of things but new features were mostly not horrible and (almost?) everything could be disabled.
However, adoption was abysmal (maybe even worse than Vista) and after that they started not allowing to disable features, UIs and made away with actual versions so that people had to update. There are good reasons to do that but it also looks like they’ve been burnt and have been doing that for bad marketing reasons too.
I used Windows 8/8.1 daily for their entire commercial lifetime and honestly I really just remember it to be more ‘annoying’ than outright ‘bad’. At least for 8.1. The Metro UI stuff was half-baked garbage, but with 8.1 you could at least forget about its existence for the most part.
Also I think 8.1 had the best search feature in a Windows ever, up there with macOS’s Spotlight search, in terms of snappiness and being able to give me as the first result the specific thing that I want. Never really got it to work quite right in the little I’ve used Win10/11; even disabling web results, it just usually gives me some completely unrelated file. Add to that some of the improvements 8/8.1 had over 7 (which I can’t really name off the top of my head, it’s been a while) and it was pretty good as long as you were willing to overlook some of the annoyances, and that is what ultimately kept me from just downgrading back to 7.
Ha, so right! Admittedly, I was Windows-free at home before 7 even came out so my Windows experience has been in office environments. I never encountered 8 on any machines I used at work, and I only had a couple brief interactions with it on other folks’ home machines. Just enough to learn how to turn off the new Start screen.
I think that pretty much everyone avoided Windows 8. I remember seeing browser stats and it was a very, very minor OS that disappeared from the charts maybe even before XP.
It is the last version of Windows I will run, and indeed every computer I have acquired since 2016 is running a FOSS OS. I never really thought I’d see things this way, but I’m pretty done with proprietary software as (among other things) it enables extremely asymmetric power between vendor and “user”, and, well, that coincides pretty well with power asymmetry in other parts of life (like, say, government-mandated backdoors that you can’t escape because you can’t run any OS other than what the vendor provides – with mandatory “upgrades” of course).
I just recently moved-in to this house. I do a lot of software/design work. The table on the left is temporary. I want to redo this with a proper drafting table setup (against the other window, so opposite side) with wall-mounted cubbies for various markers, pens, pencils, erasers etc.
The room is a complete mess right now because we are renovating a lot of the house.
Intel 13900k, 128GB ram, 2TB nvme for home (btrfs), 1TB nvme for root (todo: replace this with a 100% btrfs setup on top of a mirror)
Debian 12, KDE
Primarily doing software engineering, project management, lots of python, golang, and data engineering (hence the ram)
Display is an Apple 5K Studio Display connected to an RX6600. Works great but I cannot control brightness. Bought this display when I was predominantly on mac hardware but once my SSD died on my Mac mini I thought - F this I am going to dogfood 100% linux.
Fully Jarvis standing desk
POS Amazon chair (that is not a brand, it’s just a piece of shit)
A second rack is here ready to be assembled, which I will setup as the core networking/vital rack including patch panels etc.
ATM my homelab is primarily just a really over-engineered home network, security cameras, NAS for both the lab and business backups, as well as local services like a Trilium notes server, DNS, Jellyfin, Flightradar ADS-B receiver, Gitea, and other services.
I have 2x R720 servers that I want to deploy as a K8s cluster, but they are so power hungry and slow compared to modern hardware that I might just opt for some mini PCs.
I do want to have a PaaS solution locally. Oftentimes I will need a quick DB server, or RMQ queue, or want to quickly deploy container(s) with a friendly DNS name behind a proxy w/ https … been doing ops for over 15 years so I have a lot of opinions in this space and can’t wait to weave them all together into a comprehensive and clean solution.
Love the setup so far. Looking forward to completely redoing my home office with built-in storage and perhaps a huge butcher block side desk that I can use for drawing/illustration. The homelab is pretty ugly right now but I also want to dedicate some time to getting that cleaned up, running fiber to my external workshop, running more ethernet to install APs and cameras etc.
Display is an Apple 5K Studio Display connected to an RX6600. Works great but I cannot control brightness. Bought this display when I was predominantly on mac hardware but once my SSD died on my Mac mini I thought - F this I am going to dogfood 100% linux.
Ha! And oof. I’m pretty surprised that didn’t also work over displayport. Not that I ever change my brightness on my desktop display anyway. But that’s aggravating.
Realistically, is this going to affect us? Lobste.rs and most other small web forums are small and unlikely to be on the radar of regulators. If you’re doing best-effort moderation already to avoid illegal content (i.e. what you’re doing now), I think it’s unlikely you would get on said radar. In the event you somehow do piss them off, I suspect organizations like the EFF would be rallying around you and willing to help then.
Pretty much this. The UK is threatening enormous fines and jail time because it wants the law to be taken seriously. This is what taking the OSA seriously looks like absent the resources of one of the huge businesses it was written for.
I agree, while a lot of people - software engineers specifically - I know don’t even know about lobsters, you’re still exposed.
On topic - I’m curious why you include “commitment by American government that they’ll offer protection”?
I thought both American and UK governments (among others, of course) have been acting crazily enough lately that I didn’t think this would be applicable. As a few examples, I thought your govt wants to leave the WHO and has been on-again-off-again about the Paris climate agreement - they don’t seem either willing to deal with international affairs that much, or stable in that dealing.
I understand having a commitment from ACLU or EFF to defend you, but other than an explicit law that protects you, it doesn’t seem like any “commitment” would be reliable. Maybe I’m just misunderstanding the context in which this would work.
Edit: to clarify, I’m asking what that commitment needs to look like.
A public statement or policy from a State Department official acting in their official capacity. It is the US agency that handles extradition hearings and the international diplomacy involved in whether the UK can claim jurisdiction over US entities like this. There’s a deliberateness and inertia to international State Department policy that I feel reduces the risk acceptably even as electoral politics shifts. I’m trying to be optimistic about this big hairy topic.
They have no jurisdiction as long as you don’t have assets in the country, visit the country, or visit a country that has an extradition treaty that would cover this.
The last two are the biggest risks. If you’re flying from the US west coast to Europe, a lot of flights go either over the UK or close enough that, in case of problems, you may have to make an emergency landing here. And then you suddenly find that there’s an arrest warrant out for you because you were convicted in absentia after ignoring the summons to appear in court, and now you face jail time. Your home country may be able to intervene, but that can take months, during which time you’re in prison.
Personally, I wouldn’t risk it. It would suck to be unable to access lobste.rs, but it’s our (previous) stupid government’s fault, not yours.
@lproven: When can El Reg run an article about all of the small web sites that are going to block UK citizens, requiring them to communicate via US-based multinationals, because of this stupid law? That’s probably the first step to getting it picked up by the mainstream press outlets.
This feels like a very hyperbolic series of concerns. LLC’s and corporations exist for this purpose, to shield folks from liability in cases like this.
I honestly find it kind of amusing that so many folks are spinning so many cycles on this topic. This is a tiny little corner of the internet where hackers talk about stuff. Why would the UK gov’t have any interest in targeting this group? Comes across almost like hubris.
That’s not really how LLCs work. A person who does a crime is always personally criminally liable for the crime. And this specific law allows the regulator to enforce directly against related companies or their owners, so breaking it from behind seven LLCs wouldn’t even necessarily slow them down.
I honestly find it kind of amusing that so many folks are spinning so many cycles on this topic.
Peter is worried about opening himself up to life-ruining legal liability over a site he runs in his free time. That doesn’t seem very amusing to me. And as a result of his (understandable) not wanting to do that, those of us who live in the UK are worried about the fact that we’re likely to be blocked from the site.
Why would the UK gov’t have any interest in targeting this group?
They don’t need to have any. Regulations might be weaponized by trolls against people over personal vendettas yet to be established; I have experienced the GDPR used this way. It’s easy to be confident this sort of thing won’t happen when the person it might happen to is someone else.
Peter is worried about opening himself up to life-ruining legal liability over a site he runs in his free time.
I just cannot imagine this happening, ever.
If this were my site, I would just ignore this situation until the UK government explicitly reaches out with some kind of legal document. At that point, initiate the geo block.
The risk-reward here is just not close to in favor of the site owner. Why would he ever leave himself open to criminal charges from a state actor? It doesn’t make any sense. Of course you’d block them before that could happen.
They don’t have to send you a letter. Why would you take the risk?
Because frankly we fought and won the Revolutionary War to explicitly defeat oppression like this. If I am operating within the context of a specific sovereign nation, I am really not going to give a shit about what any other sovereign nation thinks about me. Their laws are their laws, not mine.
You seem to have a flawed understanding of international law, including how it relates to USA-UK relations. Your opinions on what should and should not matter do not have any bearing in a court of law.
Community sites always draw a few cranks who enjoy making life miserable for folks who run it. For reasons. Shitty reasons.
So yeah, the risk is definitely non-zero, because one person can spend a lot of energy to cause the problem to happen. And at that point, the damage may already be done.
Even if there’s no legal recourse, it’s understandable that pushcx, and the other maintainers, are not willing to scratch off UK as a place they can ever visit.
IANAL, but it does look like the UK and US have at least some extradition treaties in place.
Though I highly doubt that the US would allow extradition of their own citizens. IIRC a lot of countries have laws that prohibit that unless the crime in question is also a crime under local law.
This is true, but the mapping doesn’t have to be 1:1. A barrister in an extradition hearing might argue that the US has laws prohibiting CSAM distribution and the OSA is a sufficiently similar law that the extradition treaty holds. Will this argument convince a judge? Depends how well the defence barrister argues against it. How much do you want to set aside in a defence fund to make sure you can hire a barrister who will argue more convincingly than whoever the British government pays?
Even winning an extradition hearing is expensive and time consuming.
While this is generally true, the OSA has some gnarly bits. (Note again, this comes from glance reading)
By and large, it’s a fine thing. It spells out the - already illegal things - that need to be mitigated. That part is fine. Your service should not host CSAM and if it is a large service, you need to take measures against it. Even before the OSA, if someone posted CSAM to lobste.rs and it stayed there, you’re in trouble. That part of the OSA is not a problem, it is even making things better by providing a framework. (Actually a thing that the often disliked DMCA makes easy - it gives you a relatively frictionless and easy to implement way to move yourself out of the firing line of legal action) No change here, lobste.rs would not be a legal and acceptable service if it allowed that, and it currently isn’t, so it’s compliant, easily so. A complaint path is there (send mods a message), action is also there (mods on lobste.rs are swift).
HOWEVER, there are things like “you need to make sure that terrorists don’t communicate on your platform” and e.g. notes user handles as an indicator (ICU H1 in the document linked above). That means two things: this is by definition of the UK (which groups are designated terrorists is a state-by-state thing), and that may run counter to local law in other places - or even just plain ethics. Do we expect @pushcx to have a list of terrorist organisations in all countries that expect that and check our user handles against them all the time? As not a legal professional - especially in international law - I’d not touch this with a stick. Still, this could be expected to be active or “on notification”.
And that’s the big problem that the whole OSA thing has. While it clarifies what things they expect service providers to look at (that’s by and large good, it clarifies things!), they don’t give a ladder of escalation. If they made it very clear that for smaller providers, they expect compliance on notification or get in touch with you on an advisory role first - fine. People get in touch with mods all the time, that flows well into their business, even if the letterhead is a bit more official.
My huge gripe about all of these regulations is that they don’t appreciate that a lot of non-commercial, citizen-guided, volunteer-driven and hobbyist stuff is happening on the internet and I appreciate that sector a lot. Every regulation/communication that ignores this is bad regulation/communication.
Like, @pushcx writing this message above is already a failure of the OSA in my book.
After all, still, legal compliance is more risk-assessment than a clear-cut case. I like my lawyer and his most asked question is “what is the risk of this happening”?
My huge gripe about all of these regulations is that they don’t appreciate that a lot of non-commercial, citizen-guided, volunteer-driven and hobbyist stuff is happening on the internet
What would be your opinion on the purpose of the legislation if they did understand that, very well?
I personally would be shocked that the shadowy forces hell-bent on suppressing the independent internet were so incompetent at it, if they’re using this legislation to do so.
Ah, I didn’t mean they were trying to destroy it: it’s nowhere near popular enough to matter. That will come much later, if / when it supplants (for want of a better term) mainstream social media.
I meant to imply that they know, and give precisely zero fucks about it.
The hardware is nothing special but I’m proud of all the colorful memories and trinkets that my wife and I have started to accumulate around the hardware! (we share this space) https://imgur.com/qqR8npz
My buddy Max has been trying to get me to read it for years. Finally made the plunge. I think the timing was right and I’ll be able to enjoy and appreciate it now
I bounced off of Anathem the first two times I tried to read it. It has a VERY slow start, but it ended up being a great book just like everyone said it would be once I got through that.
I wish the cushions were higher quality but it’s decent overall. I think I’m gradually slouching more and more so I don’t know if it’s accomplishing the “ergonomic” mission. Also people’s shins often hurt for the first day or two
I think in these situations it is only fair to really dig into your architecture. Was it a simple django/rails app with a db, a queue, and some worker processes? Or did you have 50+ services? In the former case, yeah Kube is overkill. In the latter case, it’s a very powerful and worthwhile tool.
I’m going to finally try and pull some Cat6 cables from my home to my detached garage. There is already conduit in the ground with a pull rope (thank you previous owner). But the entrypoint to the garage is covered in drywall so I am contemplating whether or not I want to cut a big hole and install an access panel or… we’ll see lol.
moving pihole duties from a rpi3 to an EliteDesk that I just set up as a Proxmox host (i7-8700, 64GB RAM) along with my UniFi controller VM and a few other VMs for proxy duties, cloudflared duties, etc.
getting a pair of R720s configured as additional Proxmox hosts on a dedicated VLAN for Kubernetes testing
rolling out internal DNS and certs for all my self-hosted apps
I just brought a 2nd R720 (2U rack server) online in my home rack to use as either a k8s lab box or a single-node k8s server.
I was an early adopter of k8s back in around 2015-2016, using it to migrate FarmLogs (a YC startup) from a series of Heroku apps to a self-managed cluster of a few big nodes that supported our big collection of microservices.
Since then I have not really used it in a production sense, so I want to freshen up and also begin using it to deploy my own private/self-hosted apps.
I essentially want AWS at home: need a random psql db? Need a redis instance too? I want to provision it with code and have it sandboxed for each of my clients, versus having a bunch of services running locally and needing to worry about state and what lives where.
I am exploring some of the pseudo-k8s tools like k3s and similar, but will probably go with k8s the hard way since I have done it from scratch a few times now.
If anyone has tips for a more ‘infrastructure-as-code’ approach to doing this in a homelab I am all ears!
The default environment being DEV puts the project at risk, in the sense that when someone tries, for some reason, to spin up the app in the production environment it might break things in difficult ways, whereas making production the default will just fail fast.
Also, this article does not even touch the subject of distributed secret sharing. This is an approach that works with a single app, single service monolith, but does not scale to multiple services and distributed settings.
The pattern that the author describes is fairly popular and works for simple small projects.
It is pushed frequently by some projects including Django because it “looks good” to have the config be in the same language and write a simple variable assignment in it such as DATABASE_USERNAME = "username".
However I disagree with calling it “doing configuration right”. Configuration should be “just data”. This turns configuration into executable code which is a bad idea. Before you know it non-primitive types like class instances, and side effects will creep into your “config” and it’s a world of pain from there.
Stick to “dumb” data formats such as JSON/Yaml/TOML and derive/calculate the other things that you need from that original raw information. This keeps your config as data, serializable, without side effects, and makes it easy for other tooling to read/write/generate/compare/switch it.
If you need something beyond that look into Dhall, CUE, or Jsonnet (but think twice before doing so, you probably don’t need them!)
This turns configuration into executable code which is a bad idea.
Where do you draw the line? At what point does your data become executable code with a YML file? Is a python module not data? It’s not a pure data structure like a dict, but that doesn’t mean it’s not data. At some point that conversion from plaintext to (your language of choice) needs to happen.
I’d go so far as to argue this is data. Yes you can abuse it, but at the end of the day you can treat it as simple key value data wrapped up in a module.
At what point does your data become executable code with a YML file?
Effectively at no point because it’s always “just” a yaml file. If my or some other application wants to read that and do stuff based on it that’s when code execution comes in.
I have to execute some code to read the Yaml file. But I don’t have to execute it.
When it is a Python source file I have to execute it.
One is data, the other one is code that contains data.
At some point that conversion from plaintext to (your language of choice) needs to happen.
Yes at some point that transformation needs to happen. If what your application needs internally is very close to the raw format you can get away with those two things being very similar. For example your raw JSON/Yaml becomes a python dictionary in a python application or an object in javascript.
If your application needs a richer format it can construct that from the raw data at the time of conversion. For example, an array of file path strings from the raw configuration data may be transformed into an array of file objects or class instances.
The temptation is for people to skip the serializable data format and turn a source file/module into their “config”. At that point in some ways you don’t really have a config. You are just asking the user/consumer of the application to provide a source file/module of their own that you combine with the rest of your application.
It makes it difficult to make the application robust and handle errors because the line between config data and application code gets blurred. For example your entire application may crash upon attempting to load the config.
There’s also another nasty pattern where the config module tries to dynamically decide its own values based on other things such as:
    if something:
        CONFIG_VALUE = "this"
    else:
        CONFIG_VALUE = "that"
If you make things like that, at that point basically you don’t have a config. What you have there is an application that contains and self-generates its own configuration by executing and evaluating its own code.
When your config is a source module in some language effectively it says:
Anybody who wants to read/inspect me must execute me to find out what my values are
Nobody can generate me in a sane way (you’d have to “template” a source file which is nasty and unsafe)
In contrast when your config is in a conventional data format it says:
Anybody who can read JSON/Yaml/TOML can also read me (up to them what they want to do with it)
Anybody who can write JSON/Yaml/TOML can generate me
“source file as config” is hostile in many contexts. For example your ops/security team may want to inspect/store/compare/validate/verify/generate all or some parts of the config for the applications. And they may not even use the same language as the app itself. If application config data is in a “source file in language X” it’s going to make things quite difficult.
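As an added example (my own code, not from anyone in this thread), here is the “config as data” approach argued for above, combined with the production-by-default point from the earlier comment: the JSON document is pure data, the loader validates it and derives richer types (Path objects) at the boundary, an unset environment means production so a bad deploy fails fast, and every defect surfaces as a ConfigError the application can handle instead of crashing on import. The sample JSON, the ConfigError/AppConfig names and the key layout are constructed for this demonstration.

```python
"""Configuration kept as plain data, validated and typed at the boundary."""
import json
from dataclasses import dataclass
from pathlib import Path

# Constructed sample config: no logic, readable by any language's JSON parser.
SAMPLE_CONFIG = """
{
  "database": {"host": "db.internal", "port": 5432, "username": "app"},
  "log_paths": ["/var/log/app/app.log", "/var/log/app/audit.log"],
  "features": {"beta_ui": false}
}
"""

VALID_ENVIRONMENTS = ("production", "staging", "development")


class ConfigError(ValueError):
    """Raised for any malformed config; the caller decides how to fail."""


@dataclass(frozen=True)
class DatabaseConfig:
    host: str
    port: int
    username: str


@dataclass(frozen=True)
class AppConfig:
    environment: str
    database: DatabaseConfig
    log_paths: tuple[Path, ...]
    features: dict[str, bool]

    @property
    def is_development(self) -> bool:
        # Derived once here, so "development" is not a magic string
        # scattered through the rest of the application.
        return self.environment == "development"


def _require(mapping: dict, key: str, expected: type):
    """Fetch a required key and check its JSON type."""
    if key not in mapping:
        raise ConfigError(f"missing required key {key!r}")
    value = mapping[key]
    # bool is a subclass of int in Python; reject true/false where an int is expected.
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        raise ConfigError(f"key {key!r} must be {expected.__name__}, got {type(value).__name__}")
    return value


def parse_config(raw_text: str) -> AppConfig:
    """Turn raw JSON text into a validated AppConfig or raise ConfigError."""
    try:
        data = json.loads(raw_text)
    except json.JSONDecodeError as exc:
        raise ConfigError(f"config is not valid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ConfigError("top-level config must be a JSON object")

    # Fail-safe default: an unset environment means production, so a deploy
    # that forgets to set it does not silently run with development settings.
    environment = data.get("environment", "production")
    if environment not in VALID_ENVIRONMENTS:
        raise ConfigError(f"environment must be one of {VALID_ENVIRONMENTS}, got {environment!r}")

    db_raw = _require(data, "database", dict)
    database = DatabaseConfig(
        host=_require(db_raw, "host", str),
        port=_require(db_raw, "port", int),
        username=_require(db_raw, "username", str),
    )
    if not 0 < database.port < 65536:
        raise ConfigError(f"database.port out of range: {database.port}")

    # Richer types are derived from the raw strings here, at the boundary.
    raw_paths = _require(data, "log_paths", list)
    if not all(isinstance(p, str) for p in raw_paths):
        raise ConfigError("log_paths must be a list of strings")
    log_paths = tuple(Path(p) for p in raw_paths)

    features = data.get("features", {})
    if not isinstance(features, dict) or not all(isinstance(v, bool) for v in features.values()):
        raise ConfigError("features must map names to booleans")
    return AppConfig(environment, database, log_paths, features)


def load_config_file(path: str) -> AppConfig:
    """Read a config file from disk; an unreadable file is a ConfigError too."""
    try:
        text = Path(path).read_text(encoding="utf-8")
    except OSError as exc:
        raise ConfigError(f"cannot read config {path}: {exc}") from exc
    return parse_config(text)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(cfg.environment, cfg.database.host, [str(p) for p in cfg.log_paths])
```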
If you’ve got a polyglot situation, then it seems like json read as loads in Python and whatever equivalent in the other language is better. An example is when you want to maintain some configuration invariant between your React app and your Flask backend.
The difference is so minor, though (if config['environment'] == 'development' is no less readable than if config.is_development) and while the theory is that with the latter you can then move your config[environment] to config[environments][canary] and only have to modify one thing, I don’t think that happens that often in practice. Probably not worth optimizing for at the cost of the indirection.
The advantage of the JSON approach is that you’re guaranteed there’s no logic and you get the polyglot support. The disadvantage is that you’re guaranteed no logic.
Nothing is preventing you from doing that here. They can coexist. The (truly) shared config can exist as a JSON file and get pulled into Python-land with json.loads().
I would argue that config['environment'] == 'development' is worse, although your point on readability is valid. I say this because development has now become a magic string that you need to be aware of.
I built one last week (Ryzen 7 3600X/32GB RAM/1 TB M.2 SSD), it was an upgrade after 7.5 years (minus graphics card). I also built the one before that and the one before that. I think the last one I bought off the shelf was in 2005ish.
Overall I’m not really into hardware anymore, but I’ve been buying stuff recommended by a friend who’s really into it for years.
The last laptop I bought was in 2004, since then I’ve exclusively used hand-me-downs, usually from work. Nothing too shabby, I have an x230 (that was broken and I had to replace the screen) and a T460p, but laptops have never been my personal main machine, ever.
My NAS is an HP Microserver N54L where I added RAM and disks, so kinda half off-the-shelf :P
For work I’ve used ThinkPads since roughly early 2010, the last (and first?) work desktop machine I had was from ~2001 to 2005 and sometimes when working at customers’ offices.
Playing catch up. I’m a consultant and for whatever reason I absolutely cannot make progress during the week or during business hours when I have people interrupting flow state.
This was supposed to be a 100% offline weekend for my wife and I but I’m afraid I’m gonna need to spend most of it holed up in my office jamming on client work.
Not dreading it, quite the contrary. But I definitely need to work on getting this under control so I can make the best use of my time during normal business hours so I’m free to spend what society considers off time with my wife.
Have Deep Work (the book) queued up but haven’t read it yet.
I have a trigger for the master branch that tags images as :master, and another trigger on all tags that tags to :latest, so my :latest images are the latest tag, so that I can sort of guarantee that :latest is stable and :master is master’s HEAD.
This is on the Docker Hub, Quay.io does this by default if you leave the default build trigger on.
(I also have a third trigger that tags images with the name of the tag itself, too)
There was a lot of pain due to folks upgrading early to VS 2017, so I’m curious how this is working out for you.
We haven’t transitioned the compiler yet, so we still generate VS 2015 projects. Other than that the IDE is snappier, opens much faster and is generally nice.
Oh and BTW for Visual Studio users, I strongly recommend the Fast Find extension, which has an excellent fuzzy finder that can deal with huge solutions. For around $15, it is really worth the price.
It’s been some years since I’ve done it, but I basically followed the OpenBSD/octeon guide, which supported the EdgeRouter Lite at that moment.
Since the main drive is a USB flash drive, I remember setting noatime,softdep on the mount point in my fstab to minimize the amount of writes. It has been going strong since then, with the base install providing everything I would want for a router (even games ;)
I would suggest cloudflared (cloudflare proxy) versus opening a port on your home router and port forwarding.
cloudflare regularly blocks my access to sites, from both home and work, so I am not a fan of cloudflare services…
Can the cloudflare proxy reach the server without opening a port, etc ?
Ah, I did not read close enough. This thing creates a tunnel: https://github.com/cloudflare/cloudflared
Oh I didn’t know they had a free tier but it looks like they do! I’ll look into it.
Also are you the same whalesalad on HN that gave me the advice on the browser text width?
Holding the two ideas of “php” and “quantum computing” in the same moment is quite hilarious for me personally.
imagine running phpinfo() at subzero temperatures on a multi-million dollar piece of equipment.
This is about post-quantum cryptography, not quantum computing.
I agree. I’ve been Linux-as-my-main-desktop for 20 years. 2-3 years ago, Wayland was essentially unusable for me (despite a lot of stuff urging me to use it). Today, it’s got its quirks, but it’s usable, and actually a bit better than X in general. I’m not that deeply involved in the guts, but I appreciate that a lot of work got done to get it there.
This was my experience about 2 years ago. Then about 6 months ago I began experiencing crashes in GNOME. Civ V crashes non-stop, shortly after loading a game. A firefox video popout over a fullscreen video game. Or switching desktops when VLC is playing on another workspace. All three scenarios would hard crash GNOME leaving me with a terminal showing ^@^@^@^@^@^@^@^@^@^@^@^@. A couple weeks ago I decided to switch back to Xorg because it became untenable :( It is a shame because (a) it was working nicely before that but also (b) it seems like the compositor as grandparent of everything is destined to make these bugs lead to the most painful failure modes forever.
Yeah the only issues I tend to have are when there’s a legacy application that’s displaying via XWayland and it’s not doing something I take for granted from Wayland.
only issue I have atm is I cannot drag files into applications. native or xwayland, both seem to suffer. deb12, kde plasma.
I do feel like Windows 7 was the last bearable release of Windows. There wasn’t anything completely infuriating about it, and it was good as far as Windows goes. Then came 10 which just felt like a mess with no benefits over 7 and a lot of half-finished parts. Windows 11 is by far the worst thing I’ve ever used, not just Windows. From 10 onward I really started cursing the need to use Windows in my day job, and I am so thankful that I can now use Linux and FOSS for both work and play. At least with Windows 7 I could sort of forget I was using Windows from 9-5.
You know, I was so preoccupied with giving faint praise to Windows 7 and cursing Windows 10 and 11 that I forgot to comment on this article in particular: notice how much of what makes legacy Windows usable is FOSS. Firefox, LibreOffice, etc. Think about your less technical friends and family who are fretting about replacing perfectly good computers because they can’t upgrade to the latest version of Windows. Help them migrate to the more sustainable FOSS options like [insert your distro of choice; mine’s Fedora]. Honestly, hardware support is great and all the software they need is right there.
You forgot 8 and apparently not many people noticed. That probably says enough about that version.
8 is when they introduced the new wave of bullshit - metro ui, full-screen start menu shit.
I haven’t used it much but I’m under the impression they added these kind of things but new features were mostly not horrible and (almost?) everything could be disabled.
However, adoption was abysmal (maybe even worse than Vista) and after that they started not allowing to disable features, UIs and made away with actual versions so that people had to update. There are good reasons to do that but it also looks like they’ve been burnt and have been doing that for bad marketing reasons too.
i used Windows 8/8.1 daily for their entire commercial lifetime and honestly i really just remember it to be more ‘annoying’ than outright ‘bad’. at least for 8.1. the metro UI stuff was half baked garbage, but with 8.1 you could at least forget about its existence for the most part.
Also i think 8.1 had the best search feature in a Windows ever, up there with MacOS’s spotlight search, in terms of snappiness and being able to give me as the first result the specific thing that I want. Never really got it to work quite right in the little i’ve used Win10/11, even disabling web results it just usually gives me some completely unrelated file. Add to that some of the improvements 8/8.1 had over 7 (which i can’t really name off the top of my head, it’s been a while) and it was pretty good as long as you were willing to overlook some of the annoyances and what ultimately kept me from just downgrading back to 7.
Ha, so right! Admittedly, I was Windows-free at home before 7 even came out so my Windows experience has been in office environments. I never encountered 8 on any machines I used at work, and I only had a couple brief interactions with it on other folks’ home machines. Just enough to learn how to turn off the new Start screen.
I think that pretty much everyone avoided windows 8. I remember seeing browser stats and it was a very very minor OS that disappeared from the charts maybe even before XP.
It is the last version of Windows I will run, and indeed every computer I have acquired since 2016 is running a FOSS OS. I never really thought I’d see things this way, but I’m pretty done with proprietary software as (among other things) it enables extremely asymmetric power between vendor and “user”, and, well, that coincides pretty well with power asymmetry in other parts of life (like, say, government-mandated backdoors that you can’t escape because you can’t run any OS other than what the vendor provides – with mandatory “upgrades” of course).
Here is my home office and homelab.
Home office, where I do all of my consulting work:
I just recently moved-in to this house. I do a lot of software/design work. The table on the left is temporary. I want to redo this with a proper drafting table setup (against the other window, so opposite side) with wall-mounted cubbies for various markers, pens, pencils, erasers etc.
The room is a complete mess right now because we are renovating a lot of the house.
Workstation:
Here is a screenshot of my desktop: https://s3.whalesalad.com/lobsters/office/lucifer-workstation.png
Homelab:
Love the setup so far. Looking forward to completely redoing my home office with built-in storage and perhaps a huge butcher block side desk that I can use for drawing/illustration. The homelab is pretty ugly right now but I also want to dedicate some time to getting that cleaned up, running fiber to my external workshop, running more ethernet to install APs and cameras etc.
What does this do?
This might be relevant to your interests:
https://github.com/nikosdion/asdcontrol
https://github.com/nikosdion/asdcontrol/issues/5
Ha! And oof. I’m pretty surprised that didn’t also work over displayport. Not that I ever change my brightness on my desktop display anyway. But that’s aggravating.
Realistically, is this going to affect us? Lobste.rs and most other small web forums are small and unlikely to be on the radar of regulators. If you’re doing best-effort moderation already to avoid illegal content (i.e. what you’re doing now), I think it’s unlikely you would get on said radar. In the event you somehow do piss them off, I suspect organizations like the EFF would be rallying around you and willing to help then.
Sure, but if it were me running the site, “unlikely” and “we suspect” wouldn’t be enough certainty to put my future on the line for a hobby.
Pretty much this. The UK is threatening enormous fines and jail time because it wants the law to be taken seriously. This is what taking the OSA seriously looks like absent the resources of one of the huge businesses it was written for.
I agree, while a lot of people - software engineers specifically - I know don’t even know about lobsters, you’re still exposed.
On topic - I’m curious why you include “commitment by American government that they’ll offer protection”?
I thought both American and UK governments (among others, of course) have been acting crazily enough lately that I didn’t think this would be applicable. As a few examples, I thought your govt wants to leave the WHO and has been on-again-off-again about the Paris climate agreement - they don’t seem like either willing to deal with international affairs that much, or are not stable in that dealing.
I understand having a commitment from ACLU or EFF to defend you, but other than an explicit law that protects you, it doesn’t seem like any “commitment” would be reliable. Maybe I’m just misunderstanding the context in which this would work.
Edit: to clarify, I’m asking what that commitment needs to look like.
A public statement or policy from a State Department official acting in their official capacity. It is the US agency that handles extradition hearings and the international diplomacy involved in whether the UK can claim jurisdiction over US entities like this. There’s a deliberateness and inertia to international State Department policy that I feel reduces the risk acceptably even as electoral politics shifts. I’m trying to be optimistic about this big hairy topic.
But the UK has zero jurisdiction. What are they gonna do? Send you a fine and beg you to pay it? Straight to the shredder.
They have no jurisdiction as long as you don’t have assets in the country, visit the country, or visit a country that has an extradition treaty that would cover this.
The last two are the biggest risks. If you’re flying from the US west coast to Europe, a lot of flights go either over the UK or close enough that, in case of problems, you may have to make an emergency landing here. And then you suddenly find that there’s an arrest warrant out for you because you were convicted in absentia after ignoring the summons to appear in court, and now you face jail time. Your home country may be able to intervene, but that can take months, during which time you’re in prison.
Personally, I wouldn’t risk it. It would suck to be unable to access lobste.rs, but it’s our (previous) stupid government’s fault, not yours.
@lproven: When can El Reg run an article about all of the small web sites that are going to block UK citizens, requiring them to communicate via US-based multinationals, because of this stupid law? That’s probably the first step to getting it picked up by the mainstream press outlets.
This is a dangerous misconception. Each state of the US is allowed its own policy on the enforcement of foreign judgments.
This feels like a very hyperbolic series of concerns. LLC’s and corporations exist for this purpose, to shield folks from liability in cases like this.
I honestly find it kind of amusing that so many folks are spinning so many cycles on this topic. This is a tiny little corner of the internet where hackers talk about stuff. Why would the UK gov’t have any interest in targeting this group? Comes across almost like hubris.
That’s not really how LLCs work. A person who does a crime is always personally criminally liable for the crime. And this specific law allows the regulator to enforce directly against related companies or their owners, so breaking it from behind seven LLCs wouldn’t even necessarily slow them down.
Peter is worried about opening himself up to life-ruining legal liability over a site he runs in his free time. That doesn’t seem very amusing to me. And as a result of his (understandable) not wanting to do that, those of us who live in the UK are worried about the fact that we’re likely to be blocked from the site.
They don’t need to have any. Regulations might be weaponized by trolls against people over personal vendettas yet to be established; I have experienced the GDPR used this way. It’s easy to be confident this sort of thing won’t happen when the person it might happen to is someone else.
I just cannot imagine this happening, ever.
If this were my site, I would just ignore this situation until the UK government explicitly reaches out with some kind of legal document. At that point, initiate the geo block.
Easy to say when it isn’t your site.
The risk-reward here is just not close to in favor of the site owner. Why would he ever leave himself open to criminal charges from a state actor? It doesn’t make any sense. Of course you’d block them before that could happen.
They don’t have to send you a letter. Why would you take the risk?
Because frankly we fought and won the Revolutionary War to explicitly defeat oppression like this. If I am operating within the context of a specific sovereign nation, I am really not going to give a shit about what any other sovereign nation thinks about me. Their laws are their laws, not mine.
You seem to have a flawed understanding of international law, including how it relates to USA-UK relations. Your opinions on what should and should not matter do not have any bearing in a court of law.
Community sites always draw a few cranks who enjoy making life miserable for folks who run it. For reasons. Shitty reasons.
So yeah, the risk is definitely non-zero, because one person can spend a lot of energy to cause the problem to happen. And at that point, the damage may already be done.
Even if there’s no legal recourse, it’s understandable that pushcx, and the other maintainers, are not willing to scratch off UK as a place they can ever visit.
IANAL, but it does look like the UK and US have at least some extradition treaties in place.
Though I highly doubt that US would allow extradition of their own citizens. IIRC a lot of countries have law that prohibits that unless the crime in question is also crime in the local law.
This is true, but the mapping doesn’t have to be 1:1. A barrister in an extradition hearing might argue that the US has laws prohibiting CSAM distribution and the OSA is a sufficiently similar law that the extradition treaty holds. Will this argument convince a judge? Depends how well the defence barrister argues against it. How much do you want to set aside in a defence fund to make sure you can hire a barrister who will argue more convincingly than whoever the British government pays?
Even winning an extradition hearing is expensive and time consuming.
The US does extradite citizens. Not extraditing citizens is more of a French-derived tradition.
Send it to your bank, which needs to be able to route orders in GBP through London, and get it applied anyway.
Do you have examples of UK fines being applied this way?
While this is generally true, the OSA has some gnarly bits. (Note again, this comes from glance reading)
By and large, it’s a fine thing. It spells out the - already illegal things - that need to be mitigated. That part is fine. Your service should not host CSAM and if it is a large service, you need to take measures against it. Even before the OSA, if someone posted CSAM to lobste.rs and it stayed there, you’re in trouble. That part of the OSA is not a problem, it is even making things better by providing a framework. (Actually a thing that the often disliked DMCA makes easy - it gives you a relatively frictionless and easy to implement way to move yourself out of the firing line of legal action) No change here, lobste.rs would not be a legal and acceptable service if it allowed that, and it currently isn’t, so it’s compliant, easily so. A complaint path is there (send mods a message), action is also there (mods on lobste.rs are swift).
HOWEVER, there’s things like “you need to make sure that terrorists don’t communicate on your platform” and e.g. notes user handles as an indicator (ICU H1 in the document linked above). That means two things: this is by definition of the UK (groups designated terrorists is a state-by-state thing), that may run counter to local law in other places - or even just plain ethics. Do we expect @pushcx to have a list of terrorist organisations in all countries that expect that and check our user handles against them all the time? As not a legal professional - especially in international law - I’d not touch this with a stick. Still, this could be expected to be active or “on notification”.
And that’s the big problem that the whole OSA thing has. While it clarifies what things they expect service providers to look at (that’s by and large good, it clarifies things!), they don’t give a ladder of escalation. If they made it very clear that for smaller providers, they expect compliance on notification or get in touch with you on an advisory role first - fine. People get in touch with mods all the time, that flows well into their business, even if the letterhead is a bit more official.
My huge gripe about all of these regulations is that they don’t appreciate that a lot of non-commercial, citizen-guided, volunteer-driven and hobbyist stuff is happening on the internet and I appreciate that sector a lot. Every regulation/communication that ignores this is bad regulation/communication.
Like, @pushcx writing this message above is already a failure of the OSA in my book.
After all, still, legal compliance is more risk-assessment than a clear-cut case. I like my lawyer and his most asked question is “what is the risk of this happening”?
What would be your opinion on the purpose of the legislation if they did understand that, very well?
I personally would be shocked that the shadowy forces hell-bent on suppressing the independent internet were so incompetent at it, if they’re using this legislation to do so.
Ah, I didn’t mean they were trying to destroy it: it’s nowhere near popular enough to matter. That will come much later, if / when it supplants (for want of a better term) mainstream social media.
I meant to imply that they know, and give precisely zero fucks about it.
The hardware is nothing special but I’m proud of all the colorful memories and trinkets that my wife and I have started to accumulate around the hardware! (we share this space) https://imgur.com/qqR8npz
I genuinely love that you have a camel toe directly above your monitor
Gal Costa! A Brazilian legend. This is probably my favorite of hers: https://www.youtube.com/watch?v=kbPV3sR9FMI
The camel toe probably would not fly if it was an album I had picked / bought, but my wife specifically wanted and loves that particular album
OK. So I was not the only one who noticed that.
Anathem! I love that book.
My buddy Max has been trying to get me to read it for years. Finally made the plunge. I think the timing was right and I’ll be able to enjoy and appreciate it now
I bounced off of Anathem the first two times I tried to read it. It has a VERY slow start, but it ended up being a great book just like everyone said it would be once I got through that.
I rocked a mouse like that for years until it finally died!
It’s not bad! My wife got the mouse and keyboard. I would have opted for different ones but they have grown on me.
What sort of chair is that?
It’s an ergonomic-y chair: https://a.co/d/9buaChe
I wish the cushions were higher quality but it’s decent overall. I think I’m gradually slouching more and more so I don’t know if it’s accomplishing the “ergonomic” mission. Also people’s shins often hurt for the first day or two
Trying to get caught up on Advent of Code. Doing it in Rust/Clojure this year. I’m quite far behind https://github.com/whalesalad/aoc
I think in these situations it is only fair to really dig into your architecture. Was it a simple django/rails app with a db, a queue, and some worker processes? Or did you have 50+ services? In the former case, yeah Kube is overkill. In the latter case, it’s a very powerful and worthwhile tool.
I’m going to finally try and pull some Cat6 cables from my home to my detached garage. There is already conduit in the ground with a pull rope (thank you previous owner). But the entrypoint to the garage is covered in drywall so I am contemplating whether or not I want to cut a big hole and install an access panel or… we’ll see lol.
I just brought a 2nd R720 (2U rack server) online in my home rack to use as either a k8s lab box or a single-node k8s server.
I was an early adopter of k8s back in around 2015-2016, using it to migrate FarmLogs (a YC startup) from a series of Heroku apps to a self-managed cluster of a few big nodes that supported our big collection of microservices.
Since then I have not really used it in a production sense, so I want to freshen up and also begin using it to deploy my own private/self-hosted apps.
I essentially want AWS at home: need a random psql db? Need a redis instance too? I want to provision it with code and have it sandboxed for each of my clients, versus having a bunch of services running locally and needing to worry about state and what lives where.
I am exploring some of the pseudo-k8s tools like k3s and similar, but will probably go with k8s the hard way since I have done it from scratch a few times now.
If anyone has tips for a more ‘infrastructure-as-code’ approach to doing this in a homelab I am all ears!
Is it my conn or are there no photos in this post?
Hm, there’s two pictures in the post
The default environment being DEV put the project at risk, in the sense that when someone will try, for some reason, to spin the app in production environment it might break things in difficult ways, whereas making production default, will just fail fast.
Also, this article does not even touch the subject of distributed secret sharing. This is an approach that works with a single app, single service monolith, but does not scale to multiple services and distributed settings.
Yep, that’s noted a few times in the post.
The pattern that the author describes is fairly popular and works for simple small projects. It is pushed frequently by some projects including Django because it “looks good” to have the config be in the same language and write a simple variable assignment in it such as ‘DATABASE_USERNAME = “username”’. However I disagree with calling it “doing configuration right”. Configuration should be “just data”. This turns configuration into executable code which is a bad idea. Before you know it non-primitive types like class instances, and side effects will creep into your “config” and it’s a world of pain from there.
Stick to “dumb” data formats such as JSON/Yaml/TOML and derive/calculate the other things that you need from that original raw information. This keeps your config as data, serializable, without side effects, and makes it easy for other tooling to read/write/generate/compare/switch it.
If you need something beyond that look into Dhall, CUE, or Jsonnet (but think twice before doing so, you probably don’t need them!)
Where do you draw the line? At what point does your data become executable code with a YML file? Is a python module not data? It’s not a pure data structure like a dict, but that doesn’t mean it’s not data. At some point that conversion from plaintext to (your language of choice) needs to happen.
I’d go so far as to argue this is data. Yes you can abuse it, but at the end of the day you can treat it as simple key value data wrapped up in a module.
Effectively at no point because it’s always “just” a yaml file. If my or some other application wants to read that and do stuff based on it that’s when code execution comes in.
I have to execute some code to read the Yaml file. But I don’t have to execute it. When it is a Python source file I have to execute it. One is data, the other one is code that contains data.
Yes at some point that transformation needs to happen. If what your application needs internally is very close to the raw format you can get away with those two things being very similar. For example your raw JSON/Yaml becomes a python dictionary in a python application or an object in javascript.
If your application needs a richer format it can construct that from the raw data at the time of conversion. For example an array of file path strings from the raw configuration data may be transformed into an array of file objects or class instances.
The temptation is for people to skip the serializable data format and turn a source file/module into their “config”. At that point in some ways you don’t really have a config. You are just asking the user/consumer of the application to provide a source file/module of their own that you combine with the rest of your application.
It makes it difficult to make the application robust and handle errors because the line between config data and application code gets blurred. For example your entire application may crash upon attempting to load the config.
There’s also another nasty pattern where the config module tries to dynamically decide its own values based on other things such as:
    if something:
        CONFIG_VALUE = "this"
    else:
        CONFIG_VALUE = "that"
If you make things like that, at that point basically you don’t have a config. What you have there is an application that contains and self-generates its own configuration by executing and evaluating its own code.
When your config is a source module in some language effectively it says:
In contrast when your config is in a conventional data format it says:
“source file as config” is hostile in many contexts. For example your ops/security team may want to inspect/store/compare/validate/verify/generate all or some parts of the config for the applications. And they may not even use the same language as the app itself. If application config data is in a “source file in language X” it’s going to make things quite difficult.
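As an added illustration of the pattern argued for above (config stays “just data”, the richer objects are derived at the boundary, and the default environment fails closed as the earlier comment on defaulting to production suggests), here is example code of mine; it is not from any commenter or project on this page. The names Settings, Env, load_settings and is_rejected, the allowed key set and the sample JSON documents are all assumptions made for the example.

```python
"""Config as data: parse a plain JSON document, validate it strictly, and derive
typed objects (enum, Path, frozen dataclass) at the boundary.
Added example; names and sample documents are assumptions, not from any project.
"""
import json
from dataclasses import dataclass
from enum import Enum
from pathlib import Path


class Env(str, Enum):
    PRODUCTION = "production"
    DEVELOPMENT = "development"


# Only these keys are accepted; an unknown key is a typo or a smuggled setting.
ALLOWED_KEYS = {"environment", "database_url", "log_paths", "debug"}


class ConfigError(ValueError):
    """Any malformed or unsafe configuration; the caller should exit, not guess."""


@dataclass(frozen=True)
class Settings:
    environment: Env
    database_url: str
    log_paths: tuple      # tuple of Path, derived from the raw list of strings
    debug: bool

    @property
    def is_development(self) -> bool:
        # No magic string comparisons at call sites: the enum is the contract.
        return self.environment is Env.DEVELOPMENT


def parse_settings(raw: dict) -> Settings:
    """Turn the raw dict into Settings, rejecting anything ambiguous."""
    unknown = set(raw) - ALLOWED_KEYS
    if unknown:
        raise ConfigError(f"unknown config keys: {sorted(unknown)}")
    # A missing environment means production: fail closed, not open.
    env_name = raw.get("environment", Env.PRODUCTION.value)
    try:
        env = Env(env_name)
    except ValueError:
        raise ConfigError(f"unknown environment {env_name!r}") from None
    if not isinstance(raw.get("database_url"), str):
        raise ConfigError("database_url is required and must be a string")
    log_paths = raw.get("log_paths", [])
    if not isinstance(log_paths, list) or not all(isinstance(p, str) for p in log_paths):
        raise ConfigError("log_paths must be a list of strings")
    debug = raw.get("debug", False)
    if not isinstance(debug, bool):
        raise ConfigError("debug must be a boolean")
    if env is Env.PRODUCTION and debug:
        raise ConfigError("debug must not be enabled in production")
    return Settings(env, raw["database_url"], tuple(Path(p) for p in log_paths), debug)


def load_settings(text: str) -> Settings:
    """Parse JSON text; parsing data never executes anything from the file."""
    try:
        raw = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ConfigError(f"config is not valid JSON: {exc}") from None
    if not isinstance(raw, dict):
        raise ConfigError("config must be a JSON object")
    return parse_settings(raw)


def is_rejected(text: str) -> bool:
    """True when load_settings refuses the document."""
    try:
        load_settings(text)
    except ConfigError:
        return True
    return False


# Constructed sample documents, not taken from any real deployment.
GOOD_CONFIG = ('{"environment": "development", "database_url": "postgres://localhost/app", '
               '"log_paths": ["/var/log/app.log"], "debug": true}')
# No environment key, so it is production by default, and debug is then refused.
BAD_CONFIG = '{"database_url": "postgres://db/app", "debug": true}'

if __name__ == "__main__":
    s = load_settings(GOOD_CONFIG)
    print(s.environment.value, s.is_development, [str(p) for p in s.log_paths])
    print("bad config rejected:", is_rejected(BAD_CONFIG))
```

The JSON stays readable and diffable by tooling in any language, while the application gets an enum instead of a magic string, Path objects instead of bare strings, and a loader that refuses unknown keys and unsafe combinations instead of limping on.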
If you’ve got a polyglot situation, then it seems like json read as loads in Python and whatever equivalent in the other language is better. An example is when you want to maintain some configuration invariant between your React app and your Flask backend.
The difference is so minor, though (if config['environment'] == 'development' is no less readable than if config.is_development) and while the theory is that with the latter you can then move your config[environment] to config[environments][canary] and only have to modify one thing, I don’t think that happens that often in practice. Probably not worth optimizing for at the cost of the indirection.
The advantage of the JSON approach is that you’re guaranteed there’s no logic and you get the polyglot support. The disadvantage is that you’re guaranteed no logic.
Nothing is preventing you from doing that here. They can coexist. The (truly) shared config can exist as a JSON file and get pulled into Python-land with json.loads().
I would argue that config['environment'] == 'development' is worse, although your point on readability is valid. I say this because development has now become a magic string that you need to be aware of.
I built one last week (Ryzen 7 3600X/32GB RAM/1 TB M.2 SSD), it was an upgrade after 7.5 years (minus graphics card). I also built the one before that and the one before that. I think the last one I bought off the shelf was in 2005ish.
Overall I’m not really into hardware anymore, but I’ve been buying stuff recommended by a friend who’s really into it for years.
The last laptop I bought was in 2004, since then I’ve exclusively used hand-me-downs, usually from work. Nothing too shabby, I have an x230 (that was broken and I had to replace the screen) and a T460p, but laptops have never been my personal main machine, ever.
My NAS is an HP Microserver N54L where I added RAM and disks, so kinda half off-the-shelf :P
For work I’ve used ThinkPads since roughly early 2010, the last (and first?) work desktop machine I had was from ~2001 to 2005 and sometimes when working at customers’ offices.
I like your site. It’s clean.
it is! I love how simple it is!
+1 for Deep Work. I’m 75% done and it’s practical, if a tad fluffy.
Hm. Seems overkill. I just tag my docker images with the git hash. Done. Don’t deploy latest, deploy the tag.
OK, this is going to stand out from the rest of the crowd.
Extras @home
LOL, we’re all just trying to get a decent terminal on Windows. I initially tried Cygwin, but now I’m over on WSL.
How did you get OpenBSD on the edgerouter? I have an ER4.