I'm having an issue with my Jellyfin server and hoping that you lovely wizards can help me...again.
So I initially tried and failed to set up Jellyfin on elementaryOS(skill issue), I wasn't really invested in the OS so I just switched to Ubuntu. Things have been much easier for the get go. I now have set up Jellyfin on my ubuntu 24.04.2 and uploaded my library from my external hdd. Now I cant figure out how to connect other devices so I can watch my media on my macbook. I currently also use a PIA vpn with port forwarding on due to my qbit seeding. I feel like that is important info. I've looked up how to connect while one the same network but since I need my vpn to stay on I'm feeling a little outside my depth again. Ultimate goal is to be able to access my library on other devices mainly, mainly my macbook, while also being able to seed from Qbit safely.
I think I understand your question. The VPN should let you connect in the exact same method you use when you're on the same network. Example: connecting to 192.168.X.X:8096 when local, is exactly how you would with the VPN on.
Ohhh, I think I understand now, they can't connect to jellyfin because that computer has the VPN on. I thought their question was turning on a VPN to connect to Jellyfin outside their house.
Then yea split tunneling would be a good solution. Set up so only the torrent application uses the VPN. Or that Jellyfin is excluded from the tunnel.
Unfortunately I'm not too up to date on VPNs and which offer that. Perhaps their network equipment could apply the VPN to only the torrent traffic, and then they match the port number used inside the torrent application's settings?
I haven't had to deal with this specific kind of use case before (accessing the local Jellyfin service while the laptop is connected to a VPN), but after some cursory research, one of these approaches may work for you:
Easy Option (only available on some VPN software):
There may be an option in your VPN client that lets you access local network addresses like your Jellyfin server. Check your settings and see if there are any options like "allow local network traffic" and then try opening up your Jellyfin server in a browser (e.g.: 192.168.1.100:8096/)
Less Easy Option:
If your VPN client doesn't have an option for allowing local traffic, you can open up the command prompt on your macbook and run a command like this:
sudo route add -net 192.168.1.0/24 192.168.1.1
Where 192.168.1.0/24 is the local network you want to connect to (where the Jellyfin server is located), and 192.168.1.1 is your local gateway (probably your wifi router's address). Change both of these depending on how your network's local IPs are formatted.
This should update your routing table to handle local network addresses without the VPN and this should persist between reboots.
Is all your traffic going through the VPN? You can bind the VPN in the torrent client so that only torrent traffic goes through the VPN, while other traffic does not. This way, you should be able to connect to your local network.
An option is also to switch to docker (compose) which would allow you to VPN just the qbit container instead of your whole host machine. Recommend hotio, he has containers for a bunch of apps in this realm and has VPN support built in with pia support.
Well, for starters thanks to everyone who replied so far. I really appreciate you taking time out of your day to try and help me.
Unfortunately while waiting I was playing around with my files and I noticed that I could no longer add, move, or edit folders on my external hdd(the one with the library content for Jellyfin). While initially setting up the server I could not find my external hdd in the files section of Jellyfin despite knowing the path. I looked it up and someone said it was to do with mounting and I needed to go into disks>mount options> and uncheck "User session Defaults" and check "Mount at system startup". After doing such the path changed but I was able to get jellyfin to access the files. (Unfortunately this meant that my qbit no longer knew where said file were for seeding so I had to go through and point them to the drive....again). So i put 2 and 2 together and figured I did not have read write permission for the dive anymore. I did not know how to change such so I reverted my change in disks and now, obviously, jellyfin cant access the files but I cant change, move, and add my files again.
I also noticed while Jellyfin was actually working, On the server pc Jellyfin was extremely slow and laggy. And Many of my files were changed into random pieces of media that I did not own. I have my files separated into Eastern and Western. With further file groups in each like Anime>Scifi>Gundam>TurnA Gundam. I thought intuitive but maybe I'm the one at fault. It changed the data for Scifi into a single series called Scifi Harry with all my other files being episodes or seasons. It also did this with the entire parent file of Western, changing it into Western Line with a crazy image that I'm guessing is from the show/movie it is confusing my media with.
Overall I'm pretty frustrated and I might have to walk away from this project for a little. If anyone wants to add any info of tell me some obvious mistakes I made please do, I appreciate all the knowledge being passed around here. I'm still reading it all but I'm going to go build some Gunpla to take my mind off this for a few.
Don't get too crazy into categorizing your media. Keep it simple with your folders, so Jellyfin can know what the file is then scrape the internet for meta-data.
Media -> Movies -> Example Movie (year) -> Example.movie.file
Media -> Shows -> Example Show (year) -> Season 1 -> Example.show.S01E01.file
Ideally your media downloads will have the name and release year in the folder name already. It knows to ignore or match things like x264, DD.5.1, and release group name.
Mycorrhizal fungi are vital to ecosystems around the world, but remain largely understudied, especially in arid regions. They may prove critical to the survival of fragile deserts stressed by climate change.
Prime minister says Iran’s nuclear programme is a ‘grave threat to international security’
Keir Starmer has backed the US strike on Iran’s nuclear facilities and called on Iran to return to negotiations, saying the country’s nuclear programme was a “grave threat to international security”.
Donald Trump announced overnight that the US had bombed three nuclear sites in Iran, joining Israel’s attack on the Tehran regime.
There was no UK involvement in the action. Starmer and the foreign secretary, David Lammy, had pushed for a diplomatic solution amid fears a wider action could further destabilise the region.
I see a lot of misinformation about bluesky here, so I want to address a lot of the talking points against atproto/bluesky.
This is partially inspired by accounts like mastodon migration and feditips being really annoying about bluesky.
How Bluesky Works
I see a lot of people misunderstanding how it works. The network has three main parts: 1. A PDS -- This stands for Personal Data Server. These store information in records, like who you are following, your posts, who you are blocking and your images. 2. A relay -- These crawl PDSes and keep a copy of all the records on them. They give a "Firehose" of all the data on the network (that they crawled). 3. An AppView -- These index and work through the data from the firehose. All interactions are handled through these, meaning if someone follows me on bluesky, that app.bsky.graph.follow record will be crawled by the relay, and recieved by the AppView. bsky.app/ is an Appview. Appviews don't always have to use the relays, whtwnd.com/ connects to PDSes directly.
This is different to ActivityPub, where if I follow someone, my server sends that information directly to the other person's server.
Common misconceptions
An atproto relay is too expensive to run.
atproto.africa/ is a second full-network relay run by the blacksky team. We already have a second relay, and they're not even that expensive to run anymore, a lot of people run non-archival (meaning it doesn't backfill every post) relays for less than $40 a month.
There is no instances available except for bsky.social
bsky.social isn't actually an instance, its just the domain name assigned to users by default. This is explained here: app.wafrn.net/fediverse/post/f…
Wafrn has (opt-in) bluesky support, they act as a PDS and AppView, so if bluesky disappears tomorrow they can switch to the atproto.africa relay. (There is DID:PLC which is a problem, but I'll get to that later.)
You can't defederate bsky.social, this proves atproto is centralised!
While you could ignore records from a specific PDS on the App layer, its pretty pointless, since atproto is portable/content addressed, meaning a user could seamlessly move to another PDS. (AP does support moving, but its pretty seamful.)
Bluesky can censor people in turkey, this proves they're centralised!
Those posts weren't removed, people on third party bluesky apps in turkey could still see them. People in Turkey are automatically subscribed to a Moderation Service which hides those posts, as the government requires it. If a person unsubscribes, or uses a third party app/server the posts are still there.
Bluesky isn't decentralised as someone was banned for pointing out the head of T&S liked jailbait porn.
That person came back on a different PDS. They literally are still on bluesky because they joined a different server.
Bluesky went down due to a DDoS, this proves they are centralised!
The DDoS only crashed the Bluesky PDSes. People self hosting were fine.
Wafrn
Wafrn is a federated tumblr alternative. It started off as a tumblr clone, the dev added AP support, and eventually, Atproto support. Its a great example of how bluesky can be built on. If bluesky disappeared tomorrow, Wafrn could switch relays to atproto.africa, and still interact with people on other PDSes.
The main reason I made this post is because so many people are blindly anti-atproto, without fully understanding how it works and how it can be improved.
There is obviously problems with it, but it does a lot right. (There's a lot ActivityPub should do, like content addressing, DIDs and composable moderation).
I also think we could do with a better bridge. bridgy isn't really cutting it right now.
Note on did:plc, its the only centralised part of the network as of now, its essentially the underlying ID every account has. It is possible to use a did:web id instead, which is tied to a website name.
Well to answer that we must first look at how bsky.social is just the auto-assigned domains for new users
the underlying servers are all hosted at subdomains of .bsky.network, luckily mary-ext / mary.my.id has a neat lil' GitHub repo that collects them all in one place: github.com/mary-ext/atproto-sc…
Now if we wanna specifically exclude content from the PDS that JD Vance is on, all I'd have to do is look up which one of these PDS instances vance's account is, nuke it from our database and stop ingesting content from that PDS through the firehose
For reference, we can use pdsls.dev to look up JD's server and determine it to be https://woodear.us-west.host.bsky.network/
problem is, unlike how fedi tends to work, the underlying PDS instances are assigned automatically; Vance didn't choose that PDS, it was chosen for him. As such straight up blocking this PDS from being indexed has about the same impact as blocking a large Mastodon instance like mastodon.social or something along those lines would have: We would hit lots of people that have nothing to do with vance, or are even actively blocking and shaming him
Now you are right in the observation that Bluesky PBLLC is choosing to platform vance, jesse singal and others; Their moderation is very akin to centrist beliefs, and as such quite weak in protecting especially those most vulnerable.
It's just that from a technical standpoint with how ATProto works, it doesn't quite make as much sense to block the server vance is currently on, it makes much more sense to block the account and associated did:plc identity ← This makes sure that even IF vance moves his account (although I'd doubt it) to another PDS, he will stay blocked on our infra.
Good post, bookmarked. A lot of fediverse people who react almost reactionary against bluesky are well meaning, but don’t really understand how it works. This is good content, thanks.
I hope I am not adding to the problem here as well. It seems that obviously Bluesky is neither fully centralized nor fully decentralized. Is there a statement about just how much of either it is?
Although that might be complicated - like someone could say that Lemmy is fairly centralized, bc if you block Lemmy.World then you lose half the users and perhaps half the communities (and PieFed even more so, with PieFed.social representing an even higher fraction of users and communities on it).
So there is a distinction between Bluesky the service as it currently is implemented and Bluesky the protocol, the former of which is fairly centralized but the latter is more expandable?
~99.96% of all Bluesky users and content is on Bluesky servers.
Bluesky is decentralised in theory, but in reality it is not. Until one entity doesn't own over 90% of the users and content, I really can't see how it can be seen as decentralised.
It's not a matter of how many users, but whether those users have the option to switch servers. By the former standard, mastodon would be considered centralized simply because of mastodon.social.
How the ICE Raids Are Warping Latino Life in Los Angeles
Visuals and Text by Isabel Castro, who is a Mexican American filmmaker based in LA. June 22, 2025
In Boyle Heights, a predominantly Latino neighborhood in East Los Angeles, the streets were unusually quiet. In the early afternoon, a time when the neighborhood is typically bustling with activity, the sidewalks and stores were empty.
I met Ceasar Sanchez, standing at the entrance of a barbershop on Cesar Chavez Avenue, one of the area’s main thoroughfares. Inside, every chair sat empty.
Mr. Sanchez, who works at the shop, hasn’t had a single client this week. “They’re just afraid to go anywhere — shopping, stores, even work,” he explained.
Fear and Quiet Resistance Amid a Los Angeles in Turmoil
How the ICE Raids Are Warping Latino Life in Los Angeles
Visuals and Text by Isabel Castro, who is a Mexican American filmmaker based in LA. June 22, 2025
In Boyle Heights, a predominantly Latino neighborhood in East Los Angeles, the streets were unusually quiet. In the early afternoon, a time when the neighborhood is typically bustling with activity, the sidewalks and stores were empty.
I met Ceasar Sanchez, standing at the entrance of a barbershop on Cesar Chavez Avenue, one of the area’s main thoroughfares. Inside, every chair sat empty.
Mr. Sanchez, who works at the shop, hasn’t had a single client this week. “They’re just afraid to go anywhere — shopping, stores, even work,” he explained.
How the ICE Raids Are Warping Latino Life in Los Angeles
Visuals and Text by Isabel Castro, who is a Mexican American filmmaker based in LA. June 22, 2025
In Boyle Heights, a predominantly Latino neighborhood in East Los Angeles, the streets were unusually quiet. In the early afternoon, a time when the neighborhood is typically bustling with activity, the sidewalks and stores were empty.
I met Ceasar Sanchez, standing at the entrance of a barbershop on Cesar Chavez Avenue, one of the area’s main thoroughfares. Inside, every chair sat empty.
Mr. Sanchez, who works at the shop, hasn’t had a single client this week. “They’re just afraid to go anywhere — shopping, stores, even work,” he explained.
I was reading the comments about Iris scanning and Reddit, and came to the conclusion that they want to be able to present to investors and advertisers that it isn't just LLMs talking to each other. Therefore they want to verify their users' identity.
I would never give over biometric data like this due to privacy/security/anonymity concerns. However, I was curious if people could describe what the alternative would or could look like? I think Switzerland is working on something like this. Is there a safe and private way to verify that I am in fact a real human on the internet? Thanks for your wisdom.
The Netherlands has officially handed back 119 ancient sculptures stolen from the former Nigerian kingdom of Benin more than 120 years ago during the colonial era.
Olugbile Holloway, director-general of Nigeria’s National Commission for Museums and Monuments, said on Saturday that the artefacts were the “embodiments of the spirit and identity of the people from which they were taken from”.
It’s a shame they aren’t returned to maybe be displayed in a museum or atleast be part of national archives, instead they are given to a rich collector.. 🙁
Subscribe to my second channel ➡️ @Hamzah1948 Every Order Plants 1 Olive Tree and Donates Meals To Palestine! Palestinian Merch: → https://www.allthingspalestine.com ← Free Palestine 🇵🇸 Follow Me: In...
It's insulting how hard the Democrats are pushing a sex pest who killed people during Covid just because his primary opponent is a dem-soc. How can anyone make progress with 'allies' like these?
EDIT: tldr - I was having issues creating a VM using Virtual Machine Manager on Bazzite Linux. Several responders chimed in that it's likely because I'm using the flatpak version of VMM. I probably still could make it work on Bazzite somehow, perhaps w/ the help of distrobox, but instead I've fired up a VM on an old laptop running Linux Mint and everything is smooth sailing. Thanks to all who took some time to help me find a solution.
Original body:
Background: I'm looking to set up a virtual Debian server using Virtual Machine Manager, but I'm stuck on creating my first VM. I'm running Bazzite on my host machine if that makes any difference.
Steps to Reproduce the Issue:
Launch Virtual Machine Manager.
Click File > New Virtual Machine, which opens the "New VM - Step 1" window.
Select "Local install media" and click Forward, which brings me to "New VM - Step 2."
Click "Browse..." which opens the "Locate ISO media volume" window:
Click "Browse Local," which opens the file browser.
Choose ISO file (in my case, I'm using debian-12.11.0-amd64-netinst.iso) and click Select, which returns me to the "New VM - Step 2" window.
Because the OS is not detected automatically, I uncheck the "Automatically detect from the installation media / source" checkbox, start typing the word "debian" in the text box above it, and select Debian 12 from the pop-up selection menu.
Click Forward.
Actual behavior:
Input Error - Error setting installer parameters. Validating install media '/run/user/1000/doc/c0a3c3fc/debian-12.11.0-amd64-netinst.iso' failed. Could not start storage pool: cannot open directory '/run/usr/1000/doc/c0a3c3fc': Permission denied.
Expected behavior: Create the VM and boot into the ISO that I selected in previous steps.
I copied the ISO file to my home directory but got the same result. Any other ideas?
EDIT: I got past this issue by opening up Flatseal and granting access to all system files for Virtual Machine Manager; however, now I'm getting stuck on another permission issue after I choose how much RAM, CPU, and disk space to allocate. Reference my response to @ormith@lemmy.world's comment.
Might check the file permissions then. Who owns the file? Does VMM have read permissions to the file? UUID 1000 is root, so it sounds like VMM is being run as your user, but the ISO is owned by root. You could try chown'ing that file to your user.
That /run/user/1000/doc/... path suggests it's getting the .iso through the documents portal. So virt-manager is a flatpak? Sounds bad! Try using flatseal to give it direct access to all files.
Thanks - this got me past the original issue. What I did is I opened up Flatseal and granted access to all system files for Virtual Machine Manager.
However, now I'm stuck at a different point. I can get past where I choose how much memory, CPU, and disk storage to allocate, but when I get to Step 5 and click Finish,
This happens:
Unable to complete install: 'internal error: process exited while connecting to monitor: 2025-06-22T17:16:36.091623Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/run/media/myusername/path/to/installers/debian-12.11.0-amd64-netinst.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/run/media/myusername/path/to/installers/debian-12.11.0-amd64-netinst.iso': Permission denied'
Traceback (most recent call last):
File "/app/share/virt-manager/virtManager/asyncjob.py", line 71, in cb_wrapper
callback(asyncjob, *args, **kwargs)
File "/app/share/virt-manager/virtManager/createvm.py", line 2008, in _do_async_install
installer.start_install(guest, meter=meter)
File "/app/share/virt-manager/virtinst/install/installer.py", line 726, in start_install
domain = self._create_guest(
^^^^^^^^^^^^^^^^^^^
File "/app/share/virt-manager/virtinst/install/installer.py", line 667, in _create_guest
domain = self.conn.createXML(initial_xml or final_xml, 0)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/lib/python3.12/site-packages/libvirt.py", line 4590, in createXML
raise libvirtError('virDomainCreateXML() failed')
libvirt.libvirtError: internal error: process exited while connecting to monitor: 2025-06-22T17:16:36.091623Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/run/media/myusername/path/to/installers/debian-12.11.0-amd64-netinst.iso","node-name":"libvirt-1-storage","read-only":true}: Could not open '/run/media/myusername/path/to/installers/debian-12.11.0-amd64-netinst.iso': Permission denied
This message is talking about permission denied, so I checked the file permissions, and I saw that the ISO file is owned by the qemu user:
myusername@fedora:~$ ls -la /run/media/myusername/path/to/installers
total 101472336
drwxr-xr-x. 2 myusername myusername 4096 Jun 16 14:47 .
drwxr-xr-x. 6 myusername myusername 12288 Jul 29 2024 ..
-rw-r--r--. 1 myusername myusername 7547453440 Oct 17 2024 bazzite-gnome-stable.iso
-rw-r--r--. 1 qemu qemu 702545920 Jun 12 17:00 debian-12.11.0-amd64-netinst.iso
No idea. Since the path is a /run/media one, what's the filesystem used there? Perhaps it's incompatible. Have you tried putting the iso in your home directory and going from there instead?
But perhaps it would work best if you just do what the documentation tells you not to do and rpm-ostree install virt-manager (and libvirt and friends, if needed)
Here are the results of some commands that I believe answer your questions. When I run the ls command against that directory, it says no such file or directory. Could this have something to do w/ the fact that Virtual Machine Manager is running as a flatpak? (as the other commenter @ormith@lemmy.world has hinted)
Here's what I tried:
what are the permissions of /run/usr/1000/doc/c0a3c3fc
myusername@fedora:~$ ls -la /run/usr/1000/doc
ls: cannot access '/run/usr/1000/doc': No such file or directory
EDIT: I got past this issue by opening up Flatseal and granting access to all system files for Virtual Machine Manager; however, now I'm getting stuck on another permission issue after I choose how much RAM, CPU, and disk space to allocate. Reference my response to @ormith@lemmy.world's comment.
WOW, yes, your problem is almost certainly Flatpak-related. I'm surprised you even got as far as you did. Flatpak is often great but does not tend to play well with applications that need less common capabilities.
I'd recommend installing VMM in a different way if that's an option for you; I expect that will likely make your problem go away.
Virtual Machine Manager's GitHub page for its flatpak includes the following lines:
NOTE: By default, this Flatpak only includes the Virtual Machine Manager client application and does not include the libvirt daemon or QEMU. Depending on your use case, you may have to install other applications or extensions:
Connecting to a remote libvirt instance: nothing else needed
Connecting to a libvirt system instance: make sure that libvirtd is installed on the host, either via your package manager or using a system extension on image based systems for example
Connecting to a libvirt user instance: install the QEMU extension using flatpak install org.virt_manager.virt_manager.Extension.Qemu
So, in this case, have you either installed libvirtd on the host^[Technically, you could also install libvirtd as a sysext.] (i.e. have you installed it with rpm-ostree) OR have you installed the QEMU extension as per its own instruction?
If neither, then you should at least do one of them and report back.
EDIT: While what's written above remains relevant beyond Bazzite, Bazzite's ujust scripts do provide handholds for a myriad of situations including this one:
(Step 0: Uninstall^[The ujust script will likely install another instance of VM Manager. As such, the flatpak is no longer needed and would only cause confusion.] the flatpak of Virtual Machine Manager)
Step 1: Install Virtual Machine Manager with ujust, i.e. invoke the ujust setup-virtualization command
I suppose the ujust way handles a bunch of gotchas you'd otherwise have to tackle yourself. And, thus, is most likely preferred over all other methods.
As a side note, please consider consulting Bazzite's excellent documentation first. We'll be more than happy to help out regardless, but I'm sure there are a bunch of gems you'll be missing out on otherwise.
Iranian state TV confirmed strikes on the Fordow, Natanz and Isfahan nuclear sites. An adviser to Khamenei said Fordow was evacuated in advance, while the foreign minister warned that Iran reserves all options to defend its sovereignty
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.
I know you just copied the headline of the article, but that headline is doing some serious heavy lifting in terms of saying the US has no control over its actions.
"Oh no, we bumbled our way into a war again! Couldn't be helped, not our faults. Whatever are we to do?"
De fem stora IT-företagen är Alphabet (Chrome, Google, Google Mail, Youtube)), Meta (Facebook, Instagram, WhatsApp), Amazon (VPN, fillagring, Goodreads) , Microsoft (Teams, Edge, Office) och Apple. Det är ganska lätt att lämna många av deras tjänster.
Hi, please kindly direct me to the right community to ask this:
Plasma 6 is my favorite DE and i use KDE neon. The screen brightness adapts automatically to the windows i focus on, which is a good idea. But it does that the wrong way IMO. Dark windows are dimmed and bright windows are lit up. Why? Now i have both extremes switching back and forth all the time. Can we turn that the other way around or turn it off please?
I like that the screens hardware brightness setting is used now from the desktop. Great! But now i have no control over it anymore, since when i open a bright window, the brightness setting goes up too. I hate that at night.
Usually adjusting the brightness for me has one purpose: - bright room: max display brightness (day) - dark room: min display brightness (night)
...maybe something in between for transition. All the other features are nice to have but please only work on them when this main feature is secured.
If both monitors are messing with your sensors, you may just want to disable adaptive brightness and manually control it. They don't seem to have a workaround for it as of yet.
Whoops, it's already been months since I last blogged. I've been actively involved with Plasma and especially its power management service PowerDevil for over a year now. I'm still learning about how everything fits together.
That's probably the new Extended Dynamic Range setting from Plasma 6.4. You can find it in the display settings. It is meant to adjust the display's brightness to emulate an HDR display.
The screen brightness adapts automatically to the windows i focus on, which is a good idea.
That's definitely not something Plasma is doing... Sounds like your monitor is dumb with "adaptive contrast" or just terribly implemented local dimming.
As anyone who has ever seen anything I have created knows: I am not a designer. So take my reasoning and thinking here with a grain of salt. I do have many designers amongst my friends and I do think that a lot of software engineering falls within the domain of design to a certain degree. Let me explain.
To me design is the process of exploring, potentially formalizing a problem space and possible solutions for that problem culminating in a solution based on that exploration. Design (to me) is about creating artefacts that do certain specific things for specific target audiences/users. The specific thing can be evoking an emotion or an abstract thought process or just doing a certain task really well. Beauty is a quality of good design because things being pleasant can help with their use, acceptance, but anyone who has ever had to sit on a chair designed mostly to look good knows that beauty only gets you so far.
So using that understanding of design I keep thinking about the current trend of everything being turned into chatbots or “conversational systems”. And I can’t shake the feeling that these paradigms are – for most cases – just bad design.
Broken promises
A chat/conversational interface implies a whole lot of things: We chat with other people, a chat implies a level of social experience, of a shared space for people to meet. Which is great if you want to tell your users “this part of the app is where you talk to people”. But what happens when that “promise” the design made is broken?
We’ve all been forced to interact with chatbots for support. There’s an issue with your phone contract, the underpants they sent you don’t fit or some other thing and you need to talk to someone to sort things out. Enter the chatbot who keeps answering your questions with useless links or other strategies to keep you away from the “expensive” humans to talk to. The company wants to save on support so they try to distract you with a bot which either accidentally helps you find a solution or makes you think “it’s not worth it, I’ll just have to live with my crotch being strangled”. It’s a distraction to avoid investing in you and the relationship. How does that make you feel?
This is not just a support question: Onlyfans recently had issues where people realized that they were not actually chatting to the adult performers they paid for but someone or something else. Now the other side of the chat might have been underpaid staff but the dynamic is the same: Chat interfaces make a promise of social experience and trust that LLM Chatbot can never fulfill. It’s a deception. And good design should not deceive.
Guideless
A good interface guides you to solving the problem you have, good design makes it easy for you to do what the thing is supposed to do. Think of a program you really like to use: It probably shows you the steps you need to take in a structured way asks you the few things it needs from you and then does the thing you want it to do. Because that is what good design does.
What does a chatbot guide you to do? Maybe it asks you a question but for many chatbots it’s just “how can I help you?” or “Ask me anything”. Does that help you use it? Does that structure your path towards solving your problem? The huge number of people whose whole identity has become telling others how to write prompts begs to differ.
I have already argued before that “AI” systems are not tools. Because they don’t contain clear and specific descriptions of problems and corresponding strategies for solving said problem. But let’s pretend that we have a system that can solve a certain problem really well and efficiently: Is a chatbot a better interface than a structured form or UI that let’s you just go through the required steps and then get the result? Chatbots don’t narrow down the path towards a solution, they leave everything open. Which might be great for engagement and keeping people hooked but is that an efficient use of your time?
Outsourcing of work
Let’s talk about your time a bit. I am very protective of mine, I hate it when objects or processes mindlessly waste mine. I do of course waste my time on weird shit, thankyouverymuch, but I want to make that call.
A bad design that forces me to waste time or do a lot of unnecessary busywork is bad because it didn’t do its job: It didn’t make the process easier and more structured for me, it leaves me to do that labor. And I have a similar feeling towards this as I have towards self-checkout terminals at stores: Why do I have to do unpaid work for you and still pay the same? Why should I make it easier for you to employ fewer people getting a worse service while paying the same? That feels dumb. And wrong.
Chatbots don’t make my work easier. Instead of getting a predictable, understandable result based on my needs in a specific situation I get extra work assigned: I need to phrase my query the right way in order to get the machine to lie maybe a bit less. Need to add magic words to the input to stop it from going off the rails. That is my labor I have to put in to make a bad design work. Feels like I am not just doing my job but also the work the operator of the service or product I am having to use through chat should have paid professionals to do. And I’m not getting paid for it.
Like, why should companies get away with refusing to do the work of designing their products in a meaningful way and still get paid?
I want solutions
I do not need the one magic machine that claims to solve all my issues and then makes me jump through conversational hoops to get a mediocre result. That is actually the opposite of what I need.
I want people who know their shit to externalize all they know into tools I can use to benefit off of all that embodied knowledge. And chatbots do not help me with that at all (regardless of the capabilities or lack thereof of LLMs).
I want simple tools that do specific things build by people who were paid fairly and go home on time.
Customers dismayed by Broadcom's move to selling costly bundles such as VMware Cloud Foundation (VCF) will realize its value if they'd just use more of the components, the company's CTO says.
VMware, now a Broadcom subsidiary, is shifting away from selling perpetual licenses for individual products. It instead offers subscription bundles of software and support, such as its flagship VCF private cloud platform – version 9 of which was released this week.
The largest enterprise users seem content with this. Broadcom chief Hock Tan told investors this month that 87 percent of VMware's top 10,000 customers have signed up for VCF.
However some smaller and middle sized customers reacted negatively to the licensing changes, claiming their costs have increased by eight to 15 times since the Broadcom acquisition, and there are many stories of firms planning to migrate their workloads from VMware to an alternative platform in future because of this.
"A lot of those stories around cost don't play out when we actually get to sit down with the customer and talk to them about their situation, what they need, and what we're going to do with them," said Broadcom's EMEA chief technology officer, Joe Baguley.
"Initially people might go 'all the prices have gone up,' but those 87 percent of people that have renewed with us have renewed because they've chosen VCF as their strategy going forward," he claimed.
I picked up an old optiplex I'm trying to use as a NAS and do other things with. Initially I put Debian on there but felt like I was running into too many problems with things like power management, remot desktop, Docker, and mounting drives.
So I put Openmediavault on there and it's working now. But what are some of the best ways to get the most out of it?
Can I do most things through the browser interface, or should I remote into it to install things?
How easily can I mount it as a network drive to other computers? I still have a Windows PC so I'd like to access it from there too if possible.
And what's the best way to get other services running on it? I'm thinking of how it's possible to set up torrenting software and control it with a remote app from your phone. (For managing and sharing my distros, of course).
Happy to hear any feedback on what people do with OMV, or their setups for a NAS in general. This is more of a tinkering computer to get me more familiar with networks and Linux.
I don't use OMV, but I have a nas server I built and here is my .02
set up an smb share in OMV for windows. Mounting that in windows should be trivial (don't hold me. Haven't used windows in years now, but last I used win10 smb was super easy to mount)
look into docker on OMV for deploying stuff. I run docker on my NAS and host a bunch of stuff including:
jellyfin for all the rips of my DVDs
navidrome for all the rips of my CDs
nextcloud to replace google stuff
radicale for my calendars
Joplin server for my notes
mealie for recipes
more stuff I can't think of right now
with docker, if you want a GUI for creating, managing and interacting with your stuff, look at Dockge and Portainer
Portainer is your container management software to deploy, troubleshoot, and secure applications across cloud, datacenter, and Industrial IoT use cases.
Thank you. This is what I've wanted to do with this PC for over half a year now. It's good to de-Google in general, but drive not working well on Linux has been ruining my writing workflow on my laptop so I've been looking for a way to sync files between my computers.
📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance. - nextcloud/all-in-one
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.
So DNS Black-holing is not new obviously, and what stands out as the go to solution? Pihole probably... and yeah thats what im using because hey its a popular choice. Though I am running it in docker. Combining that with Unbound (also in docker), and configuring outbound DNS to use DNS over TLS, with a few additional minor tweaks, but otherwise mostly standard configuration on both.
Wondering what you guys might be using, and if you are using Pihole and/or Unbound if you have any tips on configuration.
I use cloudflared to translate DNS into DNS over TLS instead of Unbound to make it into recursive DNS. Just never really seen the need to switch it. I'm happy with nextDNS + Cloudflare resolving DNS upstream.
The main thing I wanted to note is port 53 outbound is blocked at the router to prevent devices from using external/unencrypted DNS. If a LAN device wants DNS resolution they MUST use the LAN DNS servers they were given via DHCP, or use their own DoT config, as plain DNS won't make it out of the network.
It's because of this block/enforcement that I run two local DNS servers: pihole on an RPI and a mirror on my main server tower, with Galaxy-Sync keeping them identical. If I tinker with/update one, the other picks up the slack so connectivity/resolution isn't disrupted.
Yeah, I am pretty close to that, the pihole to unbound, unbound DoT to cloudflare. What I am doing at this point is bypassing the DNS to ISP, but as I stated in my response above, not yet blocking everything on the net from using the regular stuff. Just feasibility testing at the moment.
Love the dual setup for DNS. I set my primary to this and my secondary to just cloudflare at them moment for when I bork my primary DNS will fidgeting with it, haha.
I have an n100 box that I put opnsense on for routing, firewall, DHCP, DNS and IDS. It uses unbound for DNS and so I'm leveraging the blocklist functionality in unbound. And then I use unbound to resolve instead of using DoT forwarding.
Dnsbl is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet.
All applications need specific allows. Thus internally no device can use dns over tls because 853 is blocked by default. Then I use a DNSBL to catch known DoH by domain since the cert is provided by domain name.
"Dnsbl is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet." 100%, I decided to break up my posts into sub components of the total stack, but to your point currently im enforcing a deny all inbound and outbound at the host level, as the network is shared with the fam and they are not ready for that level of learning (pain, lol)
I just learned about unbound, didnt realize it had a blocklist capability so thats great to know. Gotta dig into it.
I like that last bit, blocking DoT except for the one approved path. Much like TLS 1.3 it offers insider threat protection against inspection. So with that in mind when you said you are using unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right? Thats what I am doing now as well, though I am not actively blocking it yet. Just currently enabling and testing feasibility on a single host to see the performance and operational impacts of privacy/security implementations.
Curious to your IDS solution, I gotta dig into opnsense. I know about it, its been around a long time, but havent touched it in so long I cant remember its capabilities.
Wrt lan deny all for the fam, it's mostly hard on gamers cuz games tend to use wide port ranges and outbound IPs are potentially home isp networks not the game servers. But yeah it takes some time and research to really lock it down.
Most stuff is running through web protocols though. So right off the bat you create allow rules for any LAN device to hit ports: 80, 8080, 443, 8443 which are your common http and https ports. That's gonna get most ppl what they need.
I do ASN based allows for certain applications like Google, Facebook, etc.
For consoles they're pretty locked down so just give them full allow to the Internet. I don't do that actually but it's probably the better way.
IOT devices get only the ports they need to the IPs they need.
when you said you are using unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right?
No I mean my unbound resolves DNS for something like microsoft.com all by itself. It calls up the root name servers, finds the com nameservers, then asks the com nameservers for Microsoft. And for any subdomains it asks the MS name servers. This is instead of relying on external forwarding services like 8.8.8.8 or 1.1.1.1 or quad 9 or whatever. At least the former two are sure to be aggregating this data.
Additionally I do not allow devices on my network to reach out to external port 53, or 853 to circumvent lookups on my unbound by reaching out directly, which would then bypass the DNSBL. Anything for port 53 gets NAT'd to the unbound server. You can't redirect TLS attempts so those get hard blocked.
Curious to your IDS solution
Securicata is what opnsense uses. Pretty easy to set up.
Unbound on the router which connects upstream with DNS over TLS. Ports 53 and 853 are NATed to the piole and several other DNS servers like Google's are blocked so devices can't bypass the pinhole very easily. This is only on my primary VLAN. Other VLANs are given the Unbound DNS by default but are allowed to bypass if they insist. I have one VLAN for guests and one for trusted devices in addition to the primary one.
In my particular setup, I have an additional constraint and that is that my network has to be designed for portability and travel. Not that it affects your design per say. Thank you for the response. Just something that occurred to me that I hadnt mentioned.
I am living a transient life at the moment. So lots of virtualization and lack of control concerning the WAP and such.
totally arbitrary, lol. Im used to DNSSEC, saw DoT and DoH about the same time, think I saw a write up that used DoT and just went for it. Havent even compared DoT vs DoH, but DoH reminds me of Homer Simpson cuz im old XD
I'm using a service called Control D, which has 4 levels of free DNS. One is no blocking at all. One is only blocking malware. One is blocking malware and ads, and the other one is blocking malware, ads, and social media, like Facebook.
I got two PiHoles running on my network via Docker Compose, I tried setting up Unbound in Docker-Compose and that fell flat, from my understanding DNSSEC was preventing DNS resolution outright.
Also tried OpenSense + Unbound which led to the same thing.
Eventually got tired of having my network cutting in and out over minor changes so I just stuck with Quad9 for my upstream needs.
happy to share my docker-compose with pihole and unbound. im not the original author its a compilation of a few peoples. no issues. normal DNS inside the house DoT outside.
If you don't mind DM'ing me or dropping it in a comment here it would be greatly appreciated! The docker engine isn't something entirely new to me so i'm a bit skeptical into thinking that i missed something but always happy to compare with others, actually Docker is what pushed me to switch fully to Linux on my personal computers.
Snippet from my docker-compose.yml:
pihole:
container_name: pihole
hostname: pihole
image: pihole/pihole:latest
networks:
main:
ipv4_address: 172.18.0.25
# For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
ports:
- "53:53/tcp"
- "53:53/udp"
- "127.0.0.1:67:67/udp" # Only required if you are using Pi-hole as your DHCP server
- "127.0.0.1:85:80/tcp"
- "127.0.0.1:7643:443"
environment:
TZ: 'America/Vancouver'
FTLCONF_webserver_api_password: 'insert-password-here'
FTLCONF_dns_listeningMode: 'all'
# Volumes store your data between container upgrades
volumes:
- './config/pihole/etc-pihole:/etc/pihole'
- './config/pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
- '/etc/hosts:/etc/hosts:ro'
# https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
cap_add:
- NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
- CAP_SYS_TIME
- CAP_SYS_NICE
- CAP_CHOWN
- CAP_NET_BIND_SERVICE
- CAP_NET_RAW
- CAP_NET_ADMIN
restart: unless-stopped
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole.rule=Host(`pihole.my.domain`)"
- "traefik.http.routers.pihole.entrypoints=https"
- "traefik.http.routers.pihole.tls=true"
- "traefik.http.services.pihole.loadbalancer.server.port=80"
- "traefik.http.routers.pihole.middlewares=fail2ban@file"
unbound:
image: alpinelinux/unbound
container_name: unbound
hostname: unbound
networks:
main:
ipv4_address: 172.18.0.26
ports:
- "127.0.0.1:5334:5335"
volumes:
- ./config/unbound/:/var/lib/unbound/
- ./config/unbound/unbound.conf:/etc/unbound/unbound.conf
- ./config/unbound/unbound.conf.d/:/etc/unbound/unbound.conf.d/
- ./config/unbound/log/unbound.log:/var/log/unbound/unbound.log
restart: unless-stopped
Edit: After re-reading the Unbound github and their documentation it seems i may have missed some volume mounts that are key to the function of Unbound, i'll definitely have to dive deeper into it.
services:
pihole:
container_name: pihole
image: pihole/pihole:latest
ports:
# DNS Ports
- "53:53/tcp"
- "53:53/udp"
# Default HTTP Port
- "8082:80/tcp"
# Default HTTPs Port. FTL will generate a self-signed certificate
- "8443:443/tcp"
# Uncomment the below if using Pi-hole as your DHCP Server
#- "67:67/udp"
# Uncomment the line below if you are using Pi-hole as your NTP server
#- "123:123/udp"
environment:
# Set the appropriate timezone for your location from
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones, e.g:
TZ: 'America/New_York'
# Set a password to access the web interface. Not setting one will result in a random password being assigned
FTLCONF_webserver_api_password: 'false cat call cup'
# If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'
FTLCONF_dns_listeningMode: 'all'
FTLCONF_dns_upstreams: '127.0.0.1#5335' # Unbound
# Volumes store your data between container upgrades
volumes:
# For persisting Pi-hole's databases and common configuration file
- './etc-pihole:/etc/pihole'
# Uncomment the below if you have custom dnsmasq config files that you want to persist. Not needed for most starting fresh with Pi-hole v6. If you're upgrading from v5 you and have used this directory before, you should keep it enabled for the first v6 container start to allow for a complete migration. It can be removed afterwards. Needs environment variable FTLCONF_misc_etc_dnsmasq_d: 'true'
#- './etc-dnsmasq.d:/etc/dnsmasq.d'
cap_add:
# See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
# Required if you are using Pi-hole as your DHCP server, else not needed
- NET_ADMIN
# Required if you are using Pi-hole as your NTP client to be able to set the host's system time
- SYS_TIME
# Optional, if Pi-hole should get some more processing time
- SYS_NICE
restart: unless-stopped
unbound:
container_name: unbound
image: mvance/unbound:latest # Change to use 'mvance/unbound-rpi:latest' on raspberry pi
# use pihole network stack
network_mode: service:pihole
volumes:
# main config
- ./unbound-config/unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro
# custom config (unbound.conf.d/your-config.conf). unbound.conf includes these via wilcard include
- ./unbound-config/unbound.conf.d:/opt/unbound/etc/unbound/unbound.conf.d:ro
# log file
- /srv/docker/pihole-unbound/unbound/etc-unbound/unbound.log:/opt/unbound/etc/unbound/unbound.log
restart: unless-stopped
I am relatively new to docker as well tbh. I did a lot with virtualization and a lot with linux and never bothered, but I totally get the use case now ha. just an FYI, if you use docker on Windows it runs slower as it has to leverage the Windows subsystem Linux (WSL) and a slightly different docker engine (forget which one). So linux is your best bet. If you do want to use a full VM I found Qemu to be the best option for least resource usage.
Codilingus
in reply to Kelp • • •like this
Mordikan likes this.
51dusty
in reply to Codilingus • • •Codilingus
in reply to 51dusty • • •Ohhh, I think I understand now, they can't connect to jellyfin because that computer has the VPN on. I thought their question was turning on a VPN to connect to Jellyfin outside their house.
Then yea split tunneling would be a good solution. Set up so only the torrent application uses the VPN. Or that Jellyfin is excluded from the tunnel.
Unfortunately I'm not too up to date on VPNs and which offer that. Perhaps their network equipment could apply the VPN to only the torrent traffic, and then they match the port number used inside the torrent application's settings?
Cris16228
in reply to Kelp • • •:/web
Computer IP is the internal one, usually like 192.168.1.56
Port is... Uh check docs, I don't remember or the one you set
rudyharrelson
in reply to Kelp • • •I haven't had to deal with this specific kind of use case before (accessing the local Jellyfin service while the laptop is connected to a VPN), but after some cursory research, one of these approaches may work for you:
Easy Option (only available on some VPN software):
There may be an option in your VPN client that lets you access local network addresses like your Jellyfin server. Check your settings and see if there are any options like "allow local network traffic" and then try opening up your Jellyfin server in a browser (e.g.: 192.168.1.100:8096/)
Less Easy Option:
If your VPN client doesn't have an option for allowing local traffic, you can open up the command prompt on your macbook and run a command like this:
sudo route add -net 192.168.1.0/24 192.168.1.1Where
192.168.1.0/24is the local network you want to connect to (where the Jellyfin server is located), and192.168.1.1is your local gateway (probably your wifi router's address). Change both of these depending on how your network's local IPs are formatted.This should update your routing table to handle local network addresses without the VPN and this should persist between reboots.
Hope this helps.
like this
Mordikan likes this.
markinov
in reply to Kelp • • •plantsmakemehappy
in reply to Kelp • • •hotio.dev
hotio.devlike this
Mordikan likes this.
Kelp
in reply to Kelp • • •Well, for starters thanks to everyone who replied so far. I really appreciate you taking time out of your day to try and help me.
Unfortunately while waiting I was playing around with my files and I noticed that I could no longer add, move, or edit folders on my external hdd(the one with the library content for Jellyfin). While initially setting up the server I could not find my external hdd in the files section of Jellyfin despite knowing the path. I looked it up and someone said it was to do with mounting and I needed to go into disks>mount options> and uncheck "User session Defaults" and check "Mount at system startup". After doing such the path changed but I was able to get jellyfin to access the files. (Unfortunately this meant that my qbit no longer knew where said file were for seeding so I had to go through and point them to the drive....again). So i put 2 and 2 together and figured I did not have read write permission for the dive anymore. I did not know how to change such so I reverted my change in disks and now, obviously, jellyfin cant access the files but I cant change, move, and add my files again.
I also noticed while Jellyfin was actually working, On the server pc Jellyfin was extremely slow and laggy. And Many of my files were changed into random pieces of media that I did not own. I have my files separated into Eastern and Western. With further file groups in each like Anime>Scifi>Gundam>TurnA Gundam. I thought intuitive but maybe I'm the one at fault. It changed the data for Scifi into a single series called Scifi Harry with all my other files being episodes or seasons. It also did this with the entire parent file of Western, changing it into Western Line with a crazy image that I'm guessing is from the show/movie it is confusing my media with.
Overall I'm pretty frustrated and I might have to walk away from this project for a little. If anyone wants to add any info of tell me some obvious mistakes I made please do, I appreciate all the knowledge being passed around here. I'm still reading it all but I'm going to go build some Gunpla to take my mind off this for a few.
Codilingus
in reply to Kelp • • •Don't get too crazy into categorizing your media. Keep it simple with your folders, so Jellyfin can know what the file is then scrape the internet for meta-data.
Media -> Movies -> Example Movie (year) -> Example.movie.file
Media -> Shows -> Example Show (year) -> Season 1 -> Example.show.S01E01.file
Ideally your media downloads will have the name and release year in the folder name already. It knows to ignore or match things like x264, DD.5.1, and release group name.
51dusty
in reply to Codilingus • • •this.
jellyfin has a pretty strict format structure if you want everything to auto discover.