How can I share/store sensitive data for family
I need to start making plans for when I am gone, much sooner than I thought, and I realized our finances are pretty opaque to my spouse. Our bank account is shared, but there are other sites that only I have access to.
The easiest solution would be to physically write down logins and what needs done, put it in an envelope, and tell my family where that envelope is. I'm not thrilled about that, because I would have to shred and rewrite it every time I update a password or a URL changes, and it'd be vulnerable to nosy guests.
Putting it in a shared Google Doc would be easiest for everyone. But then Google has that data. Even supposing I trust a cloud SaaS provider not to misuse the data (which is a big 'if') I do not trust them to never have a data breach.
Self-hosting seems like the next step, except I expect my home server to be the first thing to collapse once I'm gone. Filing login info with an estate attorney would still require frequent updates. Putting a document on a flash drive risks data loss, but is what I'm leaning towards.
Is there a solution I'm missing?
like this
Can LLMs Do Accounting? Evaluating LLMs on Real Long-Horizon Business Tasks
Can LLMs Do Accounting? | Penrose
An experiment exploring whether frontier models can close the books for a real SaaS company.accounting.penrose.com
I quit my job in public accounting for many reasons, but the primary one was the forceful adoption of LLMs to replace associates.
I told the dimwits at the top that it was a mistake, because LLMs are incompetent even when the information fed to it was perfect, and that was rarely the case in practice.
Our ultra wealthy clients were notorious for giving us the most incomplete and asinine information, and it often took someone with decades of experience to decipher what the fuck their personal assistants are even talking about.
They went ahead anyway because of the high cost of wages, of course, and I made my exit because I did not wish to be complicit in such a monumental mistake.
Lmfao the LLM they laid associates off and paid half a million dollars for made up fake ledger accounts when accounts didn't reconcile, and none of the dumbasses left noticed in time because they hadn't done associate-level work in decades.
It also lied all the time, even when you asked it not to.
The damage was done and the biggest clients started leaving, so they begged us all to come back but I got obsessed with baking bread and I ain't about to neglect my sourdough starters to help a group of people who would lose a battle of wits against yeast.
reshared this
like this
Technology reshared this.
But then he would have been a good human, and one who worried about the right things.
You can’t just swap suicide like that.
UN Statements Undercut New Israeli Report on 10/7 Sexual Violence
Major news organizations, most prominently the New York Times, have promoted the idea of systematic sexual violence at opportune moments to justify Israel’s ongoing genocide in Gaza. The first major salacious headlines and assertions emerged in late 2023, when Israel was campaigning to restart its killing during a brief ceasefire. The latest effort to revive this narrative follows the same pattern as its predecessors—and, indeed, is more overtly political, with the report spending less airtime on the well-being of women than on reasons we should roll back what is left of international law.
The UN, however, has stated multiple times that it does not have evidence of systematic sexual abuse by Hamas or any other militant group on October 7, 2023. A top United Nations official issued a statement last week that stands in direct contradiction to the new Israeli report.
Reem Alsalem, the UN Special Rapporteur on violence against women and girls, affirmed in her statement this week that though the UN had not found “systematic” sexual violence: "It is my understanding that neither the Commission nor any other independent human rights mechanism established that sexual or gender-based violence was committed against Israelis on or since the 7th of October as a systematic tool of war or as a tool of genocide," Alsalem wrote in the statement, first reported by NBC News.
In a move that is highly unusual, the Dinah Project report is now hosted on the UN’s website among its own reports on sexual violence and global conflict. Drop Site News asked Patten why she was hosting the report, but she did not respond. The UN fact-finding mission led by Patten and so dearly held by the Dinah Project, at times, directly contradicts what the Dinah Project argues.
UN Statements Undercut New Israeli Report on 10/7 Sexual Violence
The Dinah Project had to come up with an entirely new standard for evidence to continue to claim sexual violence perpetrated by Hamas on October 7, 2023.Ryan Grim (Drop Site News)
basically every Jubilee video - Man Carrying Thing
- YouTube
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.www.youtube.com
KI-Tool versteckt Inkompetenz
Ein Vibe-Coder schreibt ohne es zu merken auf X, wie kaputt Vibe-Coding ist: Ein Staging-System greift direkt auf die Produktionsdatenbank zu. Keine Versionskontrolle mit Git. Tests funktionieren laut den Posts nur auf dem Produktionssystem. Und der Höhepunkt: Ein KI-Tool warnt explizit „I can not be trusted, I will violate the rules“ und „hire human developers you can trust“ – trotzdem verwendet der Typ das Tool weiter.
Da hab ich schon Meinung zu.
jascha.wtf/ki-tool-versteckt-i…
#Claude #Inkompetenz #KITools #MonsterEnergy #Softwareentwicklung #VibeCoding
KI-Tool versteckt Inkompetenz
Ein Vibe-Coder schreibt ohne es zu merken auf X, wie kaputt Vibe-Coding ist: Ein Staging-System greift direkt auf die Produktionsdatenbank zu. Keine Versionskontrolle mit Git. Tests funktionieren laut den Posts nur auf dem Produktionssystem.jascha.wtf
Larry Johnson: West Doubles Down on Failed Wars in Ukraine & Middle East
- YouTube
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.www.youtube.com
Larry Johnson: West Doubles Down on Failed Wars in Ukraine & Middle East
- YouTube
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.www.youtube.com
ChatGPT advises women to ask for lower salaries, study finds
ChatGPT advises women to ask for lower salaries, study finds
New research has found that large language models (LLMs) such as ChatGPT consistently advise women to ask for lower salaries than men, even when both have identical qualifications. The ...Siôn Geschwindt (The Next Web)
Feddit Un'istanza italiana Lemmy reshared this.
AI chatbots may reinforce real-world discrimination
You mean, something trained on real world data, reflects the biases of that data!
Quanto costa un funerale oggi in Italia?
ChatGPT advises women to ask for lower salaries, study finds
ChatGPT advises women to ask for lower salaries, study finds
New research has found that large language models (LLMs) such as ChatGPT consistently advise women to ask for lower salaries than men, even when both have identical qualifications. The ...Siôn Geschwindt (The Next Web)
like this
reshared this
Chatgpt can also be convinced that unicorns exist and help you plan a trip to Fae to hunt them with magic crossbows
Not that......
ChatGPT advises women to ask for lower salaries, study finds
ChatGPT advises women to ask for lower salaries, study finds
New research has found that large language models (LLMs) such as ChatGPT consistently advise women to ask for lower salaries than men, even when both have identical qualifications. The ...Siôn Geschwindt (The Next Web)
like this
reshared this
How do I get its family to accept me as their ruler ?
more questions about yt-dlp arguments on debian (excluding av1, aborting an active download not shutting the terminal down)
debian 12.11, yt-dlp stable@2025.07.21
aim: to download the best video available with the largest height but no better than 1080p, excluding av1 as well.
What works:
yt-dlp -f bv*[ext=mp4]+ba[ext=m4a]/b[ext=mp4] -S height:1080 --all-subs
but this command downloads, if possible, av1, which target hardware doesn't support for longer than 5 minutes.
Argument I don't know to add correctly:
[vcodec!*=av01]
I tried:
yt-dlp -f bv[ext=mp4]+ba[ext=m4a]/b[ext=mp4][vcodec!=av01] -S height:1080 --all-subs
and other variations, but it didn't work.
second question, aborting an active download not shutting the terminal down: neither ctrl+c nor ctrl+q work and opening htop to kill the process seems overkill. What I now do is to simply shut the active tab, but there must be a faster way.
like this
second question, aborting an active download not shutting the terminal down: neither ctrl+z nor ctrl+q work and opening htop to kill the process seems overkill. What I now do is to simply shut the active tab, but there must be a faster way.
Ctrl+C.
neither ctrl+z nor ctrl+q work
Ctrl + z will send the task to the background. You can use jobs to see all active background work. Fg will bring background work to the foreground. Ctrl + q is not a valid shortcut as far as I know. Looks a bit like a mac thing (command + q).
thank you for pointing that out, corrected.
what happens on my computer: on a terminal, I press ctrl+c but the process keeps working, yt-dlp keeps downloading. As said, the only way to stop it is to shut the tab down (or htop and kill)
reshared this
Purtroppo me l'hanno regalato, quindi l'autore è stato pagato e non posso fare resi
16.50€ per questa porcheria!
All'interno altre gemme "ai slop" come fette di banana con il picciolo, petti di pollo con ossa, forchette dai denti storti, ecc
Ofcom (British Watchdog): Public service TV should work 'urgently' with YouTube.
Ofcom warns traditional public-service TV is endangered
Recommendation for prominence on third-party platforms part of six-point action plan
Urgent clarity needed from Government on how TV will be distributed to reach audiences in future
Broadcasters must work more together, and with global tech firms, to surviveUrgent steps must be taken to ensure that public service media content is easy to find and discover on third-party platforms, under new Ofcom recommendations to secure the system’s survival.
OpenAI signs deal with United Kingdom to find government uses for its models
OpenAI signs deal with UK to find government uses for its models
Wide-ranging agreement with artificial intelligence firm behind ChatGPT comes after similar UK deal with GoogleRobert Booth (The Guardian)
like this
Technology reshared this.
If openai can find a use for the government that'll be swell.
They tend to get it under everybody's feet otherwise.
Smoking avatars and online games: how big tobacco targets young people in the metaverse
Smoking avatars and online games: how big tobacco targets young people in the metaverse
Cigarettes and vapes are being smuggled into virtual spaces beyond the reach of regulation, creating a new battleground for health campaignersKat Lay (The Guardian)
like this
Technology reshared this.
Most doctors in most Gaza hospitals involved in ‘terrorist activities’ says Israel Special Envoy
Most doctors in most Gaza hospitals involved in ‘terrorist activities’ says Israel Special Envoy
We spoke to Fleur Hassan-Nahoum, who's Israel’s Special Envoy for Trade and Innovation.Channel 4 News
like this
British government to ban public bodies from paying ransoms to hackers
UK government to ban public bodies from paying ransoms to hackers
Measure intended to send message to international cybercriminals ‘that the UK is united in fight against ransomware’Robert Booth (The Guardian)
like this
Technology reshared this.
Though this is a good idea it's kind of important to also work on the other side, you know, ensuring IT has enough resources to make backups and do their job so that this shit doesn't happen in the first place.
Ransomware mostly happens when your systems are badly protected
You know that they only are prepared to offer cyber security experts minimum wage.
I was literally looking at this yesterday, if they doubled what they are offering it would still be well short of an entry-level wage in the private sector. Up to a point you can get away with it and rely on "patriotism" to fill the difference but not to this extent.
Can you help me arrange these video formats from better to worst?
Tinkering with yt-dlp -F
I know av1 is even better than h.265, h.265 being better than h.264
However, I don’t know where to put vpP09, vp9 and avc1
Audio formats: what’s better? m4a or webm?
like this
Pirate Service 'MagisTV' Fails to Secure U.S. Trademark, Faces Malware Backlash
MagisTV, a leading pirate streaming brand in Latin America, finds itself caught between a legal storm and a mounting malware backlash. This week, the service saw its U.S. trademark application abandoned amidst growing scrutiny from authorities and rightsholders worldwide. At the same time, a barrage of local news reports warn consumers that using MagisTV's software could lead to identity theft and expose them to viruses.
Pirate Service 'MagisTV' Fails to Secure U.S. Trademark, Faces Malware Backlash * TorrentFreak
MagisTV, a leading pirate streaming brand popular in Latin America, finds itself caught between a legal storm and a mounting malware backlash.Ernesto Van der Sar (TF Publishing)
Laura Santi è morta dopo aver avuto accesso al suicidio assistito, infine
Laura Santi è morta dopo aver avuto accesso al suicidio assistito, infine
Dopo un lungo e complesso iter giudiziario, civile e penale, per vedersi riconosciuto questo diritto: è la nona persona in Italia e la prima in UmbriaIl Post
Combining TLS and MLS: An experiment
Combining TLS and MLS: An experiment
We did a thing. We combined TLS and MLS into a hybrid protocol. Of course, when things get serious, full names are in order: We combined the Transport Layer Security protocol and the Messaging Layer Security protocol.Julian Mair (Phoenix R&D)
like this
Technology reshared this.
Nintendo can disable your Switch 2 for piracy in the U.S., but not in Europe, as confirmed by its EULA
Nintendo can disable your Switch 2 for piracy in the U.S., but not in Europe, as confirmed by its EULA
The significant legal differences between the United States and Europe cause Nintendo to punish piracy differently depending on the territory.Rubén Martínez (Meristation)
like this
And Nintendo JP says that “Nintendo Switch and Nintendo Switch 2 cannot be remotely located, their users remotely identified nor disabled over the Internet” (tweet in Japanese warning people against accidentally losing or getting their consoles stolen over summer vacation)
But I bet it is more like “Nintendo won’t disable them remotely even if people report ones stolen to them with serial numbers and police reports”, but they’ll happily do so if they caught you using the console in an unapproved manner in their eyes.
like this
Twitter link with an archive link or screenshot. We don't allow direct Twitter links on our instance. Thanks.
This is by definition "we are just assholes"
Someone play for 5 minutes with a mig switch a legit dump of their own, legally purchased game, just for convenience, to have multiple games on the same cart? The console is now almost useless. You can't play any digital games that you purchased with real money, and physical games can't get any update. Game requires a 20gb day one patch to be playable? Though luck buddy, go to buy a new console!
They stole your console? Oh no! Yes, we absolutely could do the same, as it's bound to your Nintendo account and we could add a button "report as stolen and ban it from internet" in your profile. But we won't, go to buy a new console!
- YouTube
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.www.youtube.com
Nvidia's CUDA platform now supports RISC-V — support brings open source instruction set to AI platforms, joining x86 and Arm
At the 2025 RISC-V Summit in China, Nvidia announced that its CUDA software platform will be made compatible with the RISC-V instruction set architecture (ISA) on the CPU side of things. The news was confirmed during a presentation during a RISC-V event. This is a major step in enabling the RISC-V ISA-based CPUs in performance demanding applications.
The announcement makes it clear that RISC-V can now serve as the main processor for CUDA-based systems, a role traditionally filled by x86 or Arm cores. While nobody even barely expects RISC-V in hyperscale datacenters any time soon, RISC-V can be used on CUDA-enabled edge devices, such as Nvidia's Jetson modules. However, it looks like Nvidia does indeed expect RISC-V to be in the datacenter.
Technology reshared this.
MEGA launches new large file transfer service Transfer.it (without end-to-end encryption) as WeTransfer competitor with no file size limit.
For over a decade, MEGA has been the trusted choice for secure, encrypted file sharing. But not every file transfer needs end-to-end encryption. Sometimes, simplicity and speed matter more, especially when dealing with large files or recipients unfamiliar with the limitations around their browsers having to decrypt their downloads.That’s why we created Transfer.it, a new service from MEGA designed for effortless file transfers, without end-to-end encryption.
Introducing Transfer.it – effortless file sharing, powered by MEGA - MEGA Blog
Transfer.it for fast, simple, and secure file transfers - Effortless file sharing, powered by MEGA.Team MEGA (MEGA)
dflemstr likes this.
Google removes nearly 11,000 YouTube propaganda channels linked to China, Russia in global disinformation purge.
TAG Bulletin: Q2 2025
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q2 2025.Billy Leonard (Google)
like this
Lyle Lovett - Release Me (2012)
La sorte toccata da tempo ad altri colleghi è giunta anche per Lyle Lovett: il musicista texano scioglie il quasi trentennale rapporto con il colosso country della Curb records (seppure in anni recenti passato per le maglie della Lost Highway) per affrontare una inevitabile indipendenza... Leggi e ascolta...
Lyle Lovett - Release Me (2012)
La sorte toccata da tempo ad altri colleghi è giunta anche per Lyle Lovett: il musicista texano scioglie il quasi trentennale rapporto con il colosso country della Curb records (seppure in anni recenti passato per le maglie della Lost Highway) per affrontare una inevitabile indipendenza. Questione già affrontata e d'altronde dirimente in quest'epoca: come John Hiatt, Steve Earle e altri campioni dell'Americana il ruolo di Lovett non è più quello di capofila, né evidentemente le vendite e l'appeal dell'artista possono convincere un baraccone discografico a mantenere in piedi contratti che nella loro logica non fruttano i risultati di un tempo... rootshighway.it/recensioni/lov…
Ascolta: album.link/i/507810558
Home – Identità DigitaleSono su: Mastodon.uno - Pixelfed - Feddit
Release Me by Lyle Lovett
Listen now on your favorite streaming service. Powered by Songlink/Odesli, an on-demand, customizable smart link service to help you share songs, albums, podcasts and more.Songlink/Odesli
A Self-hosted, BSD-native Gemini Protocol Server Stack
For those who are adventurous enough to explore the non-http corners of the Internet, the Gemini protocol is a delightful experience to use. It has been around a number of years, making the biggest bang around the time when discontent with the web’s general demise started to reach current heights (so maybe around 2022).
My “capsule”, Vigilia, is self-hosted, and has been since its inception. It used to run on a disused Macbook Pro running Fedora Server, under our TV at home, but since then I have become much more confident in using OpenBSD. It used to run on a little Python CGI script I wrote, which also started to feel too bloated and complex, with too many bells and whistles that I frankly had no need for. It was time to make a change, so I replaced the old Macbook with a Raspberry Pi, and Fedora with OpenBSD, and then took my time to figure out a new “status quo”.
0. Philosophy
I wished to create a more Unix-minded stack. The more I have been using OpenBSD and Unix systems the more I have been sold on the “everything is a file” philosophy, as well as opting to use internal tools as much as possible rather than reinvent the wheel on my own. That is to say, I’d much rather work with simple scripts and shell commands than write complicated and buggy code.
So with that in mind, here’s the stack that I settled on after a some trial and error:
1. Hardware
I have absolutely no intention to expose our home IP address via DynDNS or similar. However, I like to be in control of my data as much as possible: ideally as little of my data should be hosted on “someone else’s computer”. If I can’t unplug the hard disk and put it in a drawer, I can’t guarantee it’s security from a hack.
So Vigilia is actually two servers. The server with the actual data is at home, in running on a Raspberry Pi 4B. But as a “public front” vigilia runs a reverse-proxying gemini server on a standard VPS over at OpenBSD.amsterdam.
2. Network setup
I will not go into the intricacies of the dual-wan setup in this post I have at home; but to keep things connected to each other I am using Tailscale to tie the servers together in a Virtual LAN. This is incredibly handy because they get to have easy to remember static IP addresses, all over an encrypted channel.
So here’s the rough idea:
- Vigilia.cc’s DNS records resolve to the OpenBSD.Amsterdam VPS running
gmid - VPS and home server both run
tailscale - VPS reverse-proxies incoming gemini connections to home server
3. Gemini server config
Both the VPS and the local server run [url=https://gmid.omarpolo.com]gmid[/url]. It’s a fast and simple gemini server that mirrors OpenBSD’s httpd; which means it is very easy to configure, it is stable and secure. It can run in chrooted environments, and as its own user, so it’s just a Good Thing all over. Most importantly, it can relay and reverse-proxy TCP connections with sni fields intact, which is something for example OpenBSD’s relayd, built primarily for HTTP, does not do.
My gmid config files look something like this:
### REMOTE_SERVER:/etc/gmid.conf#user "_gmid" # running it as its own user to achieve privilege separationchroot "/var/gemini" # and in a chroot so it can't just access random bits of the file systemlog { syslog # log to /var/log/messages}vigilia_pem = "/etc/ssl/PUBLICKEY.pem"vigilia_key = "/etc/ssl/private/PRIVATEKEY.key"public_ip = "46.23.93.41" # OpenBSD Amsterdam VPS' public addresshomeserver = "100.REDACTED.REDACTED.101" # TailScale IP of the home machine public_port = "1965"homeserver_port = "2965"server "vigilia.cc" { listen on $public_ip port $public_port cert $vigilia_pem key $vigilia_key proxy { proxy-v1 # this directive enables some advanced features like forwarding IP Addresses of visitors verifyname off # I found I need to specify this somehow, maybe because of self-signed certs sni "vigilia.cc" relay-to $homeserver $homeserver_port }}
This above allows to listen for connections to vigilia.cc:1965 and forward them to HOME_SERVER:2965. So thus the homeserver has the following configuration:
### HOME_SERVER:/etc/gmid.conf#user "_gmid" chroot "/var/gemini" log { syslog }internal_address = "100.REDACTED.REDACTED.101" # TailScale IP of the home machine internal_port = "2965"# The below are the same certificates that are in use on the VPSvigilia_pem = "/etc/ssl/PUBLICKEY.pem"vigilia_key = "/etc/ssl/private/PRIVATEKEY.key"server "vigilia.cc" { listen on $internal_address port $internal_port proxy-v1 # add proxy-v1 support for relayed connections cert $vigilia_pem key $vigilia_key log on location "*" { auto index on # enables directory listing }}
4. Getting the files to the Server
Because I am lazy I want to edit files locally and I want them to magically appear on my capsule. So I am using [url=https://syncthing.net/]syncthing[/url] to copy things over automagically from DESKTOP:~/public_gemini to HOME_SERVER:/var/gemini.
Syncthing runs most reliably as my own user, I found. To do this it is best to follow the documentation for the Syncthing OpenBSD package — but basically it involves starting it via the user’s crontab with the “@reboot” directive. But as it runs as my own user, I need to set the permissions properly. HOME_SERVER:/var/gemini is owned by the _gmid user in the _gmid group so I also added MYUSER on both machines to the same _gmid group, and made sure MYUSER has write access:
#!/bin/sh# HOME_SERVERusermod -G _gmid MUYSERchown -r _gmid /var/geminichmod -r ug=rwx,o=r /var/gemini
Then I set up syncthing on HOME_SERVER. As it is running headless, I needed to access the web interface, which I achieved via SSH tunneling:
$ ssh -L 9999:localhost:8384 HOME_SERVER
This way I could open a browser on DESKTOP and access the server’s Syncthing settings.
So here are the settings:
On the DESKTOP:
- Syncthing web interface -> Add folder
- Folder path:
~/public_gemini - Folder label: Gemini files (or something)
- Ignore patterns: “
*.sock” (Unix sockets might confuse the poor thing) - Sharing: HOME_SERVER
- Pause syncing for now
On HOME_SERVER:
- Establish ssh tunnel to HOME_SERVER as described above
- Open remote Syncthing webinterface on DESKTOP: localhost:9999
- Accept the incoming share request for “Gemini files” from DESKTOP; but point it to /var/gemini
- Folder path:
/var/gemini - Folder label Gemini files
- Advanced: UNTICK “Wach for changes” because OpenBSD doesn’t seem to allow Syncthing to poke around in
/varwith those various Go modules and you’d just get errors, like I did - Check the Ignore patterns — if it didn’t synchronise “
*.sock” then specify it manually
On DESKTOP:
- Unpause syncing
Now any file you write into DESKTOP:~/public_gemini will sync across to HOME_SERVER:/var/gemini. Yay!
6. Setting up automatic static site generation
Now if you are content to maintain your capsule manually, you are done. As I said I am lazy so I want my little “ssg” script, Lumen, to create index pages for each directory for me. Lumen, I promise, will be made available once I tidy it up.
Lumen basically lists all files recursively and generates an index.gmi for each directory. This means that Lumen has to be re-run each time the folder changes. OpenBSD is acquiring some degree of file watching natively.1 However [url=https://openports.pl/path/sysutils/entr]entr[/url] already exists in ports.
It took a bit of tweaking but basically here’s the command I ended up using, adapted from one of the examples provided in the entr manpage:
$ while sleep 0.1; do find /var/gemini/vigilia.cc/* | entr -nd python3 /var/gemini/cgi/lumen.py -d /var/gemini/vigilia.cc; done
What it does is, in a loop it recursively lists all files every 0.1 seconds in /var/gemini/vigilia.cc, and feeds the output to entr. Then entr runs with -n to specify a non-interactive session (in interactive sessions it also responds to e.g. keystrokes and tty changes – so to be safe, I don’t want that); and with -d to specify it should be looking for changes in the parent folder of any changing files. The looping and the -d directive were added because sometimes I ran into issues when a file got deleted: entr just quit because it could not find the removed file in a “stale” file list it was provided on launch. Lumen needs a -d argument as well to specifiy which directory it needs to work on.
7. System config
Because there are a few other servers like “auld.vigilia.cc” also running on the home machine (the configs for wich aren’t reproduced above for brevity’s sake) and because those rely on a number of CGI scripts I have to start them on launch. I ended up using supervisord for these. Supervisor is a cool little daemon for launching things. I could use rc but supervisord allows me to specify a few extra bits more easily, like redirecting output to syslog and other things.
So for HOME_SERVER, here is my supervisord configuration:
#### HOME_SERVER:/etc/supervisord.conf## [... snip ...][program:gmid]command=/usr/local/bin/gmid -f ; the program (relative uses PATH, can take args)process_name=%(program_name)s ; process_name expr (default %(program_name)s)directory=/var/gemini/ ; directory to cwd to before exec (def no cwd)priority=100 ; the relative start priority (default 999)autostart=true ; start at supervisord start (default: true)startretries=3 ; max # of serial start failures when starting (default 3)autorestart=true ; when to restart if exited after running (def: unexpected)killasgroup=true ; SIGKILL the UNIX process group (def false)stdout_syslog=true ; send stdout to syslog with process name (default false)stderr_syslog=true ; send stderr to syslog with process name (default false)[program:lumen-vigilia_cc]command=/bin/ksh -c 'while sleep 0.1; do find /var/gemini/vigilia.cc/* | entr -nd python3 /var/gemini/cgi/lumen.py -d /var/gemini/vigilia.cc; done'process_name=%(program_name)sdirectory=/var/gemini/priority=102autostart=truestartretries=3autorestart=trueuser=MYUSERNAMEstderr_syslog=truestdout_syslog=true
There are other directives that start the CGI scripts for “auld.vigilia.cc” in the config, omitted here.
Note that you can specify “priority” to control in what order you want the scripts to run. I first want the gemini server to run (100); then I want it to run the CGI scripts (101 — left out of the above example); then I want to run the static site generator’s watcher (102). Notice I am telling explicitly it to run /bin/ksh with a command specified in -c; this is because simply feeding it a complex command confuses supervisord, as I discovered.
One nice feature of supervisord is that it can redirect both stderr and stdout to syslog, so any commands and processes supervisord runs will have their output sent to /var/log/messages, neatly tagged and organised.
Conclusion
So there you have it — my Gemini stack from start to finish. It was a really fun experiment to start to use OpenBSD, instead of reinventing the wheel, or relying on some monolithic CGI scripts. You can do quite a lot with just system internals and a few packages.
- The
watchutility was added to 7.7-current on 2025-05-19; it will make its way into 7.8 hopefully. ↩︎
Adapted from the original article “Vigilia’s New Gemini Stack” published via Gemini at vigilia.cc on 21 July 2025.
Trying Guix: A Nixer's Impressions
One aspect of Guix I found to be really fascinating: That there is basically no conceptual difference between defining a package as a private build script, and using a package as part of the system.
Let me explain: Say you wrote a little program in Python which uses a C library (or a Rust library with C ABI) which is in the distribution. Then, in Guix you would put that librarie's name and needed version into a manifest.scm file which lists your dependency, and makes it available if you run guix shell in that folder. It does not matter whether you run the full Guix System, or just use Guix as s package manager.
Now, if you want to install your little python program as part of your system, you'll write an install script or package definition, which is nothing else than a litle piece of Scheme code which contains the name of your program, your dependency, and the information needed to call python's build tool.
The point I am making is now that the only thing which is different between your local package and a distributed package in Guix is that distributed packages are package definitions hosted in public git repos, called 'channels'. So, if you put your package's source into a github or codeberg repo, and the package definition into another repo, you now have published a package which is a part of Guix (in your own channel). Anybody who wants to install and run your package just needs your channel's URL and the packages name. It is a fully decentral system.
In short, in Guix you have built-in something like Arch's AUR, just in a much more elegant and clean manner - and in a fully decentralized way.
like this
I had a go at using guix as a package manager on top of an existing distro (first an immutable fedora, which went terribly, then OpenSUSE). Gave up for a few reasons:
- As mentioned in the article,
guix pullis sloow. - Packages were very out of date, even Emacs. If I understand correctly, 30.1 was only added last month, despite having been available since February. I get that this isn't the longest wait, but for the piece of software you can expect most guix users to be running, it doesn't bode well.
- The project I was interested in trying out (Gypsum) had a completely broken manifest. Seems like it worked on the dev's machine though, which made me concerned about how well guix profiles actually isolate Dev environments. This was probably an error on the dev's part, but I'd argue such errors should be hard to make by design.
All in all I love the idea of guix, but I think it needs a bigger community behind it. Of course I'm part of the problem by walking away, but 🤷
- As mentioned in the article,
guix pullis sloow.
This one has beem discussed on several forums discussing the original blog post, like here or also here on lobste.rs
Part of the reason for slow pulls is that the GNU projects savannah server, which Guix was using so far, is not fast, especially with git repos. Luckily, this is already being improved because Guix is moving to codeberg.org, a FOSS nonprofit org which is hosted in Europe. So if one changes the configured server URL, it is faster. (On top of that interested people might use the opportunity to directly take influence, and donate to codeberg so that they can afford even better hardware 😉).
OpenAI and UK sign deal to use AI in public services
OpenAI and UK sign deal to use AI in public services
The US tech firm behind ChatGPT say it will work with the UK government to "deliver prosperity for all".Mitchell Labiak (BBC News)
thisisbutaname likes this.
Fedora Must (Carefully) Embrace Flathub
Fedora Must (Carefully) Embrace Flathub
Motivation Opportunity is upon us! For the past few years, the desktop Linux user base has been growing at a historically high rate. StatCounter currently has us at 4.14% desktop OS market share...Michael Catanzaro (Michael Catanzaro's Blog)
like this
L'enorme braccio reclutato per agevolare la rinascita del nucleare in Gran Bretagna - Il blog di Jacopo Ranieri
L'enorme braccio reclutato per agevolare la rinascita del nucleare in Gran Bretagna - Il blog di Jacopo Ranieri
Affermò la profezia: “E quando il destino dovrà compiersi, il giorno si trasformerà in notte, e il normale ciclo diurno sembrerà finire prima dell’ora del tramonto.Jacopo (Il blog di Jacopo Ranieri)
deegeese
in reply to adhocfungus • • •like this
adhocfungus likes this.
owenfromcanada
in reply to adhocfungus • • •like this
adhocfungus likes this.
SheeEttin
in reply to adhocfungus • • •like this
adhocfungus likes this.
MangoPenguin
in reply to adhocfungus • • •Password manager such as Bitwarden, you can store your passwords, and sensitive info as notes or attachments. It's all encrypted client side.
Then you just need to have a note with the master password and instructions on how to access it.
like this
adhocfungus likes this.
dave@hal9000
in reply to MangoPenguin • • •like this
giantpaper likes this.
MangoPenguin
in reply to dave@hal9000 • • •0x0
in reply to adhocfungus • • •Use a password manager. KeePassXC stores stuff in a file, so it's easier to synchronize. You can selfhost BitWarden too.
Syncthing is great to synchronize stuff across devices.
Cryptomator creates encrypted volumes (looks like a folder with gibberish inside) for you, which you can sync with whatever commercial cloud.
Data loss might come from bitrot, yes. Regardless, you should always have multiple backups.
Self-host Bitwarden | Bitwarden
Bitwardenlike this
adhocfungus likes this.
haulyard
in reply to adhocfungus • • •This is the one reason I’ve paid for 1Password. My wife has access and can get what is needed without figuring out how to revive a self hosted password solution. I realize this isn’t about self hosting, and that you can pay for Bitwarden too. It just struck a chord.
OP wishing you all the best.
like this
adhocfungus e giantpaper like this.
shortwavesurfer
in reply to adhocfungus • • •Why not just put logins in a database such as keepass and then have the password for that written down in like a lock box or something?
You could also store a flash drive with the password in the lock box and update it, say, every six months with the most current database version.
like this
adhocfungus e giantpaper like this.
𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍
in reply to adhocfungus • • •No solution I've found, but I've been working on this myself. As I see it, there are two situations, and four categories of data:
I. My wife survives me
II. We both die, e.g. in a car
I've been thinking about getting an M-Disk writer for media, because ultimately, backing up to B2 is fine until I'm gone. Family members will need physical media for the photos and stuff.
For secrets, I'm planning using SSSS. Keys will be given to members on each side of my wife's and my families. If we both die, they'll have to get together, put their keys together, and decrypt the KeePass DB.
The online accounts are almost all financial; those are in a KeePass DB. My wife already has access to all of that through power is attorney, and if we both go, it's SSSS for the family.
The third data category are accounts and services that will be to be stopped. I don't subscribe to much, but the VPS provider and B2 will have to be terminated, and a document with instructions and with the credentials is in the SSSS archive.
The final category are assets: home, mortgage info, where and what the M-Disks are, a copy of the will that deals with all of the valuables, and any notes about anything not covered in the will. That's in documents in the SSSS archive.
I still have to put the archive together. I've been working toward a state where all of the secrets are in a cryptfs that's shared on the LAN and automatically encrypted with SSSS and synced to a share. Once I have that automated, I'll communicate out the SSSS keys and a how-to document.
In some ways, it was easier when you just died and your kids fought over the china. But I have a plan.
ssss: Shamir's Secret Sharing Scheme
point-at-infinity.orgBertramDitore
in reply to adhocfungus • • •My mother died recently, and she was the breadwinner and was in charge of everything financial, because my surviving father is a toxic narcissist with zero financial literacy who refuses help from anyone. So I just have to say kudos to you for thinking about this difficult stuff. Your family will appreciate it more than you can imagine.
Other commenters have already given you solid advice, and I don’t have anything to add there, but more people need to have these difficult conversations and make real practical preparations, as soon as possible. Speaking from experience, not having clear guidance about where things are and what should be done with them, makes an already emotional situation even harder to deal with. Everybody dies, but in death you can make your family’s grieving process slightly easier by thinking ahead like this.
I’m sorry for whatever you’re going through, but props for thinking about other people while you go through it.
like this
giantpaper e adhocfungus like this.
mustard57
in reply to adhocfungus • • •adhocfungus likes this.
rumba
in reply to adhocfungus • • •"In this envelope is the password for my keepass password vault. The entry for "In case of emergency" contains everything you should need to know in the event of my incapacitation or worse.
There are two USB keys with this vault on them, they are synchronized for redundancy. When I pass, get the password out of this envelope, plug in a USB key, open keypass and enter the password. "
You: Use the primary key as your password storage, keep the backup key plugged into a raspberry pi, run syncthing on both devices.
Have a spare test key set up, do a dry run with the family members you entrust to have this data.
like this
adhocfungus likes this.
railcar
in reply to adhocfungus • • •like this
adhocfungus likes this.
hexagonwin
in reply to adhocfungus • • •adhocfungus likes this.
Zerush
in reply to adhocfungus • • •Filen – Next Generation End-To-End Encrypted Cloud Storage
filen.ioadhocfungus likes this.
lemming741
in reply to adhocfungus • • •You kinda only need the email credentials. Shouldn't the rest be resettable from that point?
Is there anything that needs MFA that they won't have?
like this
adhocfungus likes this.
adhocfungus doesn't like this.
irotsoma
in reply to adhocfungus • • •oeuf
in reply to adhocfungus • • •I would use Keepass. You would have a single file, opened with a single password, that you could share with them however you want.
Wishing you the best
adhocfungus likes this.
adhocfungus doesn't like this.