L’Amministrazione Autonoma dichiara la mobilitazione @anarchia L’Amministrazione autonoma democratica della Siria settentrionale e orientale ha dichiarato la mobilitazione. L’Amministrazione autonoma democratica della Siria settentrionale e orientale (DAANES) ha dichiarato la mobilitazione in seguito agli attacchi di Hayat Tahrir al-Sham (HTS) e di gruppi paramilitari affiliati alla...
Eine Nahaufnahme einer Metallpfanne, die eine dicke, kräftige Mischung aus dunklen grünen Blattsalaten und kleinen, hellen kleinen Teilen (vielleicht Knoblauch oder Körner), mit sichtbarer Flüssigkeit oder Sauce enthält. Ein Holzlöffel liegt teilweise im oberen Bereich der Pfanne, teilweise unter der Mischung versunken. Die Pfanne erscheint metallisch und keine Textur ist im Bild vorhanden.
Bereitgestellt von @altbot, privat und lokal generiert mit Qwen3-Vl:30b
A consent driven live stream of indie music videos and animation from artists across the Fediverse. See Now Playing info at https://mastodon.social/@tibtvnowplayingbot - Fediwall at https://shorturl.
Flying into Austin and into the storm for Texas Data Day. Packing cold weather gear and a woobie, in case I get stuck at the airport trying to fly out on Sunday.
An Ontario Superior Court judge has released a 36-year-old man convicted of sex-trafficking eight vulnerable women over nearly a decade after he was found to have endured torturous conditions while in custody at Maplehurst jail.
An Ontario Superior Court judge has released a 36-year-old man convicted of sex-trafficking eight vulnerable women over nearly a decade after he was found to have endured torturous conditions while in custody at Maplehurst jail.
Profitez des vidéos et de la musique que vous aimez, mettez en ligne des contenus originaux, et partagez-les avec vos amis, vos proches et le monde entier.
Найбільший французький виробник автомобілів Renault офіційно підтвердив, що вже домовився про співпрацю з оборонною компанією Turgis Gaillard щодо виробництва безпілотників для України.
Найбільший французький виробник автомобілів Renault офіційно підтвердив, що вже домовився про співпрацю з оборонною компанією Turgis Gaillard щодо виробництва безпілотників для України.
While neither the regime nor SpaceX likes to reveal their cards, hackers and journalists are not deterred by this, and the laws of physics apply to everyone.
WIRED talks to a postal worker, a teacher, two US citizens detained by federal agents, and six more Minnesota residents about life in an occupied American city.
The second version of Nikon’s Z5 brings improved autofocus, faster burst rates, and impressive video specs, making it one of the best “entry-level” full-frame cameras on the market.
Some asteroids aren't rocks. They are rubble heaps. This makes sense when you think about it. These asteroids may have never been a part of a large terrestrial like body with gravity like earth. They are just loosely held together by their own modest mass.
For some reason I find this revelation creepy. I suppose I think about trying to land on the surface and just sinking ...
this might be very beneficial for some sci-fi level asteroid mining, you don't have to do actual drilling but "just" turn the whole thing inside out somehow™ until you can scoop up the good parts
@theDuesentrieb Quite a while ago now; I was involved with a NASA mission plan called the Asteroid Redirect Mission, which would have demonstrated gravity tractor asteroid deflection as well as space resource utilization.
The plan was to pick up either an entire small asteroid or a boulder from a larger asteroid. To deal with even what looked like a single block potentially being only loosely held together, it would have been enclosed in a large bag to contain all the shed bits.
When the OSIRIS-REx spacecraft collected samples from the asteroid Bennu; the sample collection arm on the spacecraft sank about half a meter down before automatic lift-off was triggered: link.springer.com/chapter/10.1…
The primary science objective of the Origins, Spectral Interpretation, Resource Identification, and Security–Regolith Explorer (OSIRIS-REx) mission is to collect a regolith sample from the surface of asteroid Bennu and return the sample to Earth.
I've always had the mental model that these things are rocks, and always found it incomprehensible that a comet's tail is hundreds of kms in length. But if they're rubble heaps, maybe not so surprising.
just listened to a rather old episode of the Planetary Society's podcast where they discussed less solid bodies in space and mentioned the Osiris Rex mission to Bennu
Made me think of frozen quick sand in zero G and the scene Mel Brooks needs to write 😀
US envoy Steve Witkoff and Jared Kushner will meet Putin in Moscow on Thursday for talks reportedly focused on Ukraine. The visit was requested by Russia, Witkoff told CNBC. #Ukraine
Chinese AI startup Zhipu says it is limiting GLM Coding Plan access after strong demand, taking only 20% of its current daily new subscriptions from January 23 (Bloomberg)
Entführung Maduros: Chinas stille, harte Antwort auf Washington de.rt.com/international/267700… China reagiert auf die Entführung des venezolanischen Präsidenten Maduro nicht mit Worten, sondern mit Macht: Finanz-, Energie- und Lieferketten werden binnen Stunden neu justiert. Der Schlag trifft die USA wirtschaftlich – und markiert einen Wendepunkt auf dem Weg zur multipolaren Weltordnung. #news #press
Frustpost: Alle mit einem Onlineshop tröten ja immer davon, was deren #Bestseller sind. Ich glaube ich muss heute mal vom Gegenteil erzählen, dass unsere beiden BUNTEN Modelle noch nie bestellt wurden🫤 . Wäre das nicht ein schönes Mitbringsel für Ostern? Der Feger kostet aktuell nur 2,87 €!
(Heute ist der Post nur für mich... bitte um Verzeihung ... denn ich kann meine zwei bunten Handfeger auch erst kaufen, wenn diese produziert werden - und nur wegen mir wird der nicht hergestellt 🥹)
Keine Info nur am Rand, ehe ich in den Feierabend gehe - es sind tatsächlich vier Bestellungen eingegangen und dafür möchte ich euch ganz ❤️lich danken! Die Handfeger wird es jetzt also wirklich geben und nicht nur in der Vitrine als "Muster". Bald also auf Lager und dann innerhalb von 3-4 Tagen lieferbar! Und ... ich kann meine dann auch bestellen 😀 Viele liebe Grüße an alle die mitgeholfen haben ... ist echt sowas wie Crowdfunding, oder? 😅
Ich habe auch gerade zwei bestellt. 😉 Und Ihr habt Kehrschaufeln aus Metall statt Kunststoff! 💖 Aber eine Bitte für die Zukunft: GLS als einzigen Logistiker? Das hab ich jetzt nur für das Feger-Crowd-Ordering gemacht, Leute! Bitte, bitte DHL, ich zahl auch dafür, aber nehmt einen zuverlässigen Versender.
@Linkshaender Lieber Armin, ich kann Dich gut verstehen. Bisher lief hier alles nur über Spedition und der Shop generiert jetzt die ersten Pakete - wenn die Stückzahlen wachsen, nehmen wir sicher auch noch DHL dazu, aber die kommen nicht wenn wir "vielleicht" ein Paket am Tag haben, das ist das Problem dabei. Über 90% sehen nur auf den Preis, so sehr ich das auch lieber geändert hätte. Viele Grüße auch an Chicco ❤️ 😉
@Linkshaender Ich bin auch gern bereit ne Woche (oder zwei) zu warten, bis genügend DHL-Päckchen zusammen sind, damit die das holen kommen. Aber Armin hat schon recht, GLS ist einfach ne mittelprächtige Katastrophe.
Meine Konfetti-Bestellung kommt btw auch noch, aber ich wollte in Ruhe am PC gucken, was man noch so gebrauchen kann, aktuell häng ich krank im Bett und ich hasse Handyshopping. :'D
@ashyda @Linkshaender Omg, dann wünsche ich Dir erstmal gute Besserung 💐 ja DHL ist leider nicht so flexibel. Die wünschen sich mindestens jeden Tag ein paar Pakete, sonst kommen sie nicht - also garnicht. WIr liebäugeln derzeit noch mit DPD ... mal sehen, aber in nächster Zeit wohl nicht. Wobei ... ich hätte auch nicht gedacht, dass das Posting von gestern solche Veränderungen hier mit sich gebracht hätte 🍀
Ich stimme @ashyda zu, lieber warte ich bis ihr einmal in der Woche für den „DHL-Tag“ genug beisammen habt als GLS oder DPD zu nehmen. Das kostet mich nämlich trotz eurem schnellen Versand mehr Zeit, weil die Typen an uns vorbeifahren und dann eine „Du warst ned da“-Mail schreiben. Dann kann ich zu irgendeiner Filiale fahren zu Zeiten, in denen ich auch arbeiten muss…. 😆🤪😝
Eure Preise sind eh unschlagbar günstig! Ob GLS oder DHL ist mir erstmal egal, bei mir haben alle eine Abstellerlaubnis und das klappt auch gut. Ich freue mich jedenfalls auf die Lieferung und zukünftige Bestellungen sind euch sicher 😀 @Linkshaender
@jwildeboer @Linkshaender Danke Jan, das freut mich sehr. Und wenn man als Unternehmen etwas kleiner ist, kann man ja vielleicht auch noch etwas besser kalkulieren ❤️
@jwildeboer Congrats zu Deiner Arbeit hier: mittlerweile habt ihr über 850 Leute, die es bunt und sauber lieben! 👍🏼💖 Das ist gekonntes und trotzdem unaufdringliches Marketing.
@Linkshaender @jwildeboer Danke mein Lieber ❤️ Ich habe schon etwas Angst, sollte es mal eine 1000 werden ... hier landen schon Vorschläge, was ich dann veranstalten soll 😅
konfetti: Handfeger, 285 mm, "Konfetti", PET - Farbmix, unlackiert - Saalbesen, 400 mm, "Konfetti", PET-Farbmix, Universalstielhalter mit Überwurfmutter Ø 24 mm
@Impertinenzija @padeluun wenn @buersten jetzt noch das Mastodon-Profil auf ihrer homepage verlinken...dann drücke ich sofort auf "bestellen&bezahlen". faebook, instragram und linkedin sind so oldschool ;)
@mc @Impertinenzija @padeluun Hallo und guten Morgen 😀 Mastodon ist tatsächlich schon verlinkt ❤️ allerdings mit dem Bild von Twitter hihi - ich hab noch ein Ticket beim Shopservice offen und die wollen kein extra Logo machen. Darum hab ich erstmal so verlinkt und tausche das sobald ich mal kann (muss mich da erst reinfuchsen) aus 😅
@MonaApp ive been getting 'Failed to translate. Tap to try again DeepL bad response: 403 forbidden' - my api keys and usage are fine, ive changed api keys also but no luck
I need some help if anyone could take the time and has the knowledge:
I'm basically new to podman and namespaces, relatively new to linux and a noob at networking. So figuring this out and getting it to work took many more hours than I would like to admit, but I still have a few problems. I have all my current Quadlets below in the spoiler (seperated by "---", assume user123 = UID 1000). I am on Bazzite, rootless Podman, which probably makes this even harder.
::: spoiler Spoiler with the Quadlets
[Unit]
Description=Arr-stack pod
[Pod]
PodName=arr-stack
# Network
# Network=vpn-only
# User mapping / I don't fully understand this yet, but the pod does not work without this (maps user id to specified ID inside the containers? So the containers have UID:GID 1000:1000?)
UserNS=keep-id:uid=1000,gid=1000
#
# Homepage Port Mapping
PublishPort=3000:3000
# Jellyfin Port Mapping
PublishPort=8096:8096/tcp
# qBittorrent Port Mapping
PublishPort=8080:8080
\#PublishPort=6881:6881
\#PublishPort=6881:6881/udp
# Prowlarr Port Mapping
PublishPort=9696:9696
# Flaresolverr Port Mapping
PublishPort=8191:8191
# Radarr Port Mapping
PublishPort=7878:7878
# Sonarr Port Mapping
PublishPort=8989:8989
# Jellyseerr Port Mapping
\#PublishPort=8055:5055
\#[Install]
# WantedBy=default.target
---
[Unit]
Description=Gluetun Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
[Container]
ContainerName=gluetun
Pod=arr-stack.pod
Image=docker.io/qmcgaw/gluetun:v3
AutoUpdate=registry
# Network
# Network=vpn-only
# UID/GID permissions / root + privileged for networking?
PodmanArgs=--privileged
User=0
Group=0
# Equivalent to cap_add: - NET_ADMIN # one wrong?
AddCapability=NET_ADMIN
AddCapability=CAP_NET_ADMIN
# Required for Gluetun to delete the bridge's default route, but does not work
AddCapability=NET_RAW
AddCapability=CAP_NET_RAW
# Equivalent to "devices: - /dev/net/tun:/dev/net/tun"
AddDevice=/dev/net/tun:/dev/net/tun
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=gluetun.env
# Environment=FIREWALL_OUTBOUND_SUBNETS=10.90.0.0/24 / test from a specific podman network
Environment=FIREWALL_INPUT_PORTS=8080
#
Environment=VPN_SERVICE_PROVIDER= <123>
Environment=VPN_TYPE=wireguard
Environment=WIREGUARD_PRIVATE_KEY= <key>
Environment=SERVER_COUNTRIES= <country>
# for now:
Environment=VPN_PORT_FORWARDING=off
\#Secret=openvpn_user,type=env,target=OPENVPN_USER
\#Secret=openvpn_password,type=env,target=OPENVPN_PASSWORD
\#Volume
Volume=/var/home/user123/.config/arr-configs/gluetun:/gluetun:Z
# SecurityLabel=disable
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=qBittorrent Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=qbittorrent
Pod=arr-stack.pod
Image=lscr.io/linuxserver/qbittorrent:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=qbittorrent.env
Environment=WEBUI_PORT=8080
# Environtment=TORRENTING_PORT=6881
# Volume :Z (> :z) probably works as well and is saver for configs?
Volume=/var/home/user123/.config/arr-configs/qbittorrent:/config:z
Volume=/var/home/user123/Videos/Downloads:/downloads:z
# Volume=/var/home/user123/Videos/Downloads/completed:/downloads:z,U
# Volume=/var/home/user123/Videos/Downloads/incomplete:/incomplete:z,U
# Volume=/var/home/user123/Videos/Downloads/torrents:/torrents:z,U
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Prowlarr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=prowlarr
Pod=arr-stack.pod
Image=lscr.io/linuxserver/prowlarr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=prowlarr.env
Environment=WEBUI_PORT=9696
# Volume
Volume=/var/home/user123/.config/arr-configs/prowlarr:/config:z,U
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Sonarr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=sonarr
Pod=arr-stack.pod
Image=lscr.io/linuxserver/sonarr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=sonarr.env
Environment=WEBUI_PORT=8989
# Volume / Disable SecurityLabels due to SMB share, need to look this up
SecurityLabelDisable=true
Volume=/var/home/user123/.config/arr-configs/sonarr:/config:z
Volume=/var/home/user123/Videos/Shows:/tv:z
Volume=/var/home/user123/Videos/Downloads:/downloads:z
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Radarr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=radarr
Pod=arr-stack.pod
Image=lscr.io/linuxserver/radarr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=radarr.env
Environment=WEBUI_PORT=7878
# Volume / Disable SecurityLabels due to SMB share
SecurityLabelDisable=true
Volume=/var/home/user123/.config/arr-configs/radarr:/config:z
Volume=/var/home/user123/Videos/Movies:/movies:z
Volume=/var/home/user123/Videos/Downloads:/downloads:z
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Flaresolverr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=flaresolverr
Pod=arr-stack.pod
Image=ghcr.io/flaresolverr/flaresolverr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=flaresolverr.env
Environment=WEBUI_PORT=8191
Environment=LOG_LEVEL=info
Environment=LOG_HTML=false
Environment=CAPTCHA_SOLVER=none
# Volume=flaresolverr:/app/
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Podman - Jellyfin
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=jellyfin
Pod=arr-stack.pod
Image=ghcr.io/jellyfin/jellyfin
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / 1000:1000 might work?
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=jellyfin.env
Environment=WEBUI_PORT=8096:8096/tcp
\#PublishPort=8096:8096/tcp
\#PublishPort=8920:8920
\#PublishPort=7359:7359/udp
\#PublishPort=1900:1900/udp
# Volume
Volume=/var/home/user123/.config/arr-configs/jellyfin:/config:z
Volume=/var/home/user123/Videos/jellyfin-cache:/cache:z
Volume=/var/home/user123/Videos/Movies:/data/movies:z
Volume=/var/home/user123/Videos/Shows:/data/shows:z
[Service]
# Inform systemd of additional exit status
# SuccessExitStatus=0 143a
Restart=always
TimeoutStartSec=900
\#[Install]
# Start by default on boot
\#WantedBy=default.target
---
[Unit]
Description=Homepage Dashboard
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
# idk about this?:
After=network-online.target
Wants=network-online.target
# Socket
Wants=podman.socket
After=podman.socket
Requires=podman.socket
[Container]
ContainerName=homepage
Pod=arr-stack.pod
Image=ghcr.io/gethomepage/homepage:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions
User=1000
Group=1000
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvirontmentFile=homepage.env
\#Environment=LOG_LEVEL=debug
Environment=HOMEPAGE_ALLOWED_HOSTS=gethomepage.dev
\#PublishPort=3000:3000
# Podman socket (recommended on Bazzite)
Volume=%t/podman/podman.sock:/var/run/docker.sock:ro
\#Volume=/var/run/docker.sock:/run/user/1000/podman/podman.sock:ro
\#Volume=/%t/podman/podman.sock:/run/user/1000/podman/podman.sock:ro
# Volume / Config directory
SecurityLabelDisable=true
Volume=%h/apps/homepage:/app/config:Z
Volume=%h/apps/homepage/icons:/app/public/icons:Z
[Service]
Restart=on-failure
TimeoutStartSec=300
\#[Install]
\#WantedBy=default.target
:::
Questions: - 1. If I use "podman exec ip route" (on e.g. qbittorrent) the default route goes through my actual network interface (actual ip adress) which I very much do not want (or through my killswitch dummy network from my VPN if on, which is better but still not ideal). Is there a way to completely remove my actual network from a container's eyes? "podman exec ip addr" shows 1 lo (local), 2 my actual network, 4 tun0 from gluetun. The traffic does go through gluetun correctly, but I don't trust it 100%. Having the containers separated and NOT inside a pod gives the same result, since the containers share the network namespaces from the gluetun container when I do "Network=container:gluetun" (same as just having them in a pod as far as I understand). I tried to also create a podman network without a default gateway, but then gluetun cannot connect to the VPN in the first place.
EDIT: A few notes: I thought gluetun was supposed to set the default route (but it seems it either doesn’t or can’t). My goal was to only have gluetun see my computer’s network and have the containers only see local network and gluetun’s tun0 network (with default routing through tun0). AFAIK pods share network namespaces, though, so that might not be possible? (even without pods?)
My setup works but is quite convoluted and probably has many unnecessary lines, so please give me any improvements you see
Is User=1000, Group=1000, even sensible? For example in the homepage container those lines result in the container showing User "1000:1000" (from podman inspect). Would User=0, Group=0 (or no lines since I use UserNS=keep-id in the pod?), which shows as User=root (podman inspect) mean that it has actual root access or just that it is root INSIDE the container?
Thank you in advance for the answers, in case I don't reply to your comment specifically.
I don't know much about ip routing, but userns=keep-id id determined based on what podman is run as. For example, I run podman as user 1000 on the host, so if I do keep-id the user in the container will map to the same id. This often messes with things as the container require it is root inside it's own context. It seems you are running podman as root, meaning that keep-id will map the container user to the actual root id, givintthe container essentially root access. Normally the container user is mapped to a random id on the host, like 653477, not 0. It's unsafe to map the containers id to root as they would be unbounded if they managed to escape. I would recommend doing systemctl cat on the different services to see what the .container file expands to.
When it comes to the networking I think that you need to create a podman network with internal set to true. I believe that this restricts internet access. Then you would need to only let these services communicate with gluetun.
I don't know if this was any help, but it's all I've managed to learn from doing it myself.
remember that: cats are always right. Signs can be wrong. don't trust a sign. and if someone trusts every sign please tell me so i can make a sign that says they have to give me headpats.
Jede zweite Semmel ist Importware: Bablers Mehrwertsteuer-Märchen exxpress.at/politik/jede-zweit… Vizekanzler Andreas Babler (SPÖ) verspricht: Seine MwSt-Senkung auf 4,9 % fördere „heimische Lebensmittel“. Nur: EU-Recht verbietet Steuerprivilegien nach Herkunft – und in den begünstigten Produktgruppen dominiert im Supermarkt Importware. Unterm Strich entlastet der Plan vor allem ausländische Produkte. #news #press
![L’application se distingue par son orientation éditoriale, centrée sur les cultures africaines et caribéennes, tout en revendiquant une ouverture à tous les publics. L’ambition n’est pas de s’adresser à un public spécifique, mais d’enrichir l’offre jeunesse existante en donnant accès à des récits encore peu présents dans les catalogues traditionnels.
Le choix de l’audio répond à une double logique : limiter le temps d’écran tout en favorisant l’imaginaire, l’écoute et la transmission orale, dans une continuité avec les pratiques du #livre et du #conte.
[intertitre] Un premier cap économique dans un marché en structuration
À la croisée de l’édition jeunesse, du #podcast et de l’éducation, l’audio éducatif s’impose progressivement comme un segment en structuration, porté par l’évolution des usages familiaux et la montée en puissance des #plateformes audio.](https://poliverso.org/photo/preview/640/71902572 "L’application se distingue par son orientation éditoriale, centrée sur les cultures africaines et caribéennes, tout en revendiquant une ouverture à tous les publics. L’ambition n’est pas de s’adresser à un public spécifique, mais d’enrichir l’offre jeunesse existante en donnant accès à des récits encore peu présents dans les catalogues traditionnels.
Le choix de l’audio répond à une double logique : limiter le temps d’écran tout en favorisant l’imaginaire, l’écoute et la transmission orale, dans une continuité avec les pratiques du #livre et du #conte.
[intertitre] Un premier cap économique dans un marché en structuration
À la croisée de l’édition jeunesse, du #podcast et de l’éducation, l’audio éducatif s’impose progressivement comme un segment en structuration, porté par l’évolution des usages familiaux et la montée en puissance des #plateformes audio.")
Tracking Token Disrespector
in reply to POLITICO Europe • • •🤖 Tracking strings detected and removed!
🔗 Clean URL(s):
politico.eu/article/denmark-ir…
❌ Removed parts:
?utm_source=flipboard&utm_medium=activitypub
Denmark is ‘irrelevant’, says Scott Bessent
Ferdinand Knapp (POLITICO)