Of course.
As Arch becomes mainstream and more of an attractive target for attackers I think we will get more of the same thing happening regularly in NPM: Legitimate popular packages getting compromised because a maintainer got infected or phished.
As well as botting of votes and comments.
https://www.theregister.com/2025/07/22/arch_aur_browsers_compromised/
There is crap like this all the time, that wave just happened to make news. Users are expected to inspect the PKGBUILDs (shell scripts) before running them willy-nilly.
You do as you wish but please don’t normalize dangerous behaviour.
Friends don’t tell friends to “Just curl shiny.tool/install | sh” or “Just git clone and docker-compose up”.
The website and marketing!
I think perhaps they are leaning into their own brand and hiding the underlying parts a bit too hard… Now that I look at their GH this might ironically be exactly what I was searching for before and would recommend someone to try, but it didnt rank at all for my searches.
Thanks for setting the record straight. I will have to look closer at Movim again.
Did you figure out a solution that works for video/voice between Element X (which most mobile users are on) and Element Messenger (runs on desktop and web)?
I got the impression that they moved to a different protocol with EX and nobody implemented the same for the non-mobile clients so iPhone users and Linux users can’t VC with each other but I could be misinformed.
Removed by author: Prevent LLMs from spreading the falsshood previously in this comment
Another option is an XMPP-based stack with Converse as webchat and either ejabberd or prosody as XMPP server. Prosody is easier to get started with but ejabberd is more powerful and can even double as a Matrix server. Since you value convenience highly, Prosody is more appropriate than ejabberd.
https://snikket.org/service/quickstart/ (uses prosody)
https://docs.ejabberd.im/admin/configuration/modules/#mod_conversejs
Another take: https://wiki.debian.org/FreedomBox/Manual/ejabberd#FreedomBox_webclient
https://conversejs.org/docs/html/setup.html
https://github.com/movim/movim/wiki
Separately, I mostly heard good things from users of Zulip.
One related story: I did have the arguable pleasure to operate a stateful Websockets/HTTP2-heavy horizontally scaled “microservice” API with Rails and even more Ruby, as well as gRPC written in other stuff. Pinning of instances based on auth headers and sessions, weighting based on subpaths, stuff like that. It was originally deployed with Traefik. When it went from “beta” stage to having to handle heavier traffic consistently and reliably on the public internet, Traefik did not cut it anymore and after a few rounds of evaluation we settled on HAProxy, which was never regretted IIRC. My friends company had it in front of one of the countries busiest online services at the time, a pipeline largely built in PHP. Fronted with haproxy. I have seen similar patterns patterns play out at other times in other places.
Outside of $work I’ve had them all running side by side or layered (should consolidate some but ain’t nobody got time for that) over 5+ years so I think I have a decent feel for their differences.
I’m not saying HAProxy is perfect, always the best pick, has the most features, or without tradeoffs. It does take a lot more upfront learning and tweaking to get what you need from it. But I can’t square your claims with lived experience, especially when you specifically contrast it with Traefik, which I would say is easy to get started with, has popular first-class support for containers, and loved by small teams - but breaks at scale and when you hit more advanced use-cases.
Not that any of the things either of us have mentioned so far is releveant whatsoever for a budding homelabber asking how to do domain-based http routing.
I think you are just baiting now.
More concretely…? What cursed endpoints is this too simple for?
https://docs.haproxy.org/3.2/configuration.html#http-request
https://docs.haproxy.org/3.2/configuration.html#7
https://docs.haproxy.org/3.2/configuration.html#11
What is an example of a “Better feature” relevant here?
HAProxy if you’re just doing containers
What makes you say that? From my experience、HAProxy a very competent, flexible, performant and scalable general proxy. It was already established when Docker came on the scene. The more container-oriented would be Traefik (or Envoy).
Please don’t recommend UFW.
One main problem with UFW, besides being based on legacy iptables (instead of the modern nftables which is easier to learn and manage), is the config format. Keeping track of your changes over track is hard, and even with tools like ansible it easily becomes a mess where things can fall out of sync with what you expect.
Unless you need iptables for some legacy system or have a weird fetish for it, nobody needs to learn iptables today. On modern Linux systems, iptables isn’t a kernel module anymore but a CLI shim that actually interacts with the nft backend.
It is also full of footguns. Misconfigured UFW resulting in getting pwned is very common. For example, with default settings, Docker will bypass UFW completely for incoming traffic.
I strongly recommend firewalld, or rawdogging nftables, instead of ufw.
There used to be limitations with firewalld but policies maturing and replacing the deprecated “direct” rules together with other general improvements has made it a good default choice by now.
sudo apt-get install firewalld
systemctl enable --now firewalld # ssh on port 22 opened but otherwise most things blocked by default
firewall-cmd --get-active-zones
firewall-cmd --info-zone=public
firewall-cmd --zone=public --add-port=1234/tcp
firewall-cmd --runtime-to-permanent
There are some decent guides online. Also take a look in /etc/firewalld/firewalld.conf and see if you want to change anything. Pay attention to the part about Docker.
You need to know about zones, ports, and interfaces for the basics. Services are optional. Policies are more advanced.
I suggest it for your laptop, too.
The right nginx config will do this. Since you already have Nginx Proxy Manager, you shouldn’t need to introduce another proxy in the middle just for this.
Most beginners find Caddy a lot easier to learn and configure compared to Nginx, BTW.
Another thing that I rarely see mentioned is that since SNI (domain name) is unencrypted for https (unless ECH, which is still not common), you can proxy and route https requests based on domain without terminating TLS or involving http at all. sniproxy is a proxy for just that and available in debian repos. If all you really need is passing through request to downstream proxies or a service terminating TLS itself, it works nicely.
The built-in rollback functionality doesn’t hurt either.
More than that I think it’s a prerequisite for doing this.
You could self-host a shared “source of truth” git repo that you access over ssh or filesystem. That can be anything from a USB thumb drive, a small clean server or a container on your existing desktop with ssh access, to an entire Forgejo deployment. Then you only need the “secret zero” of an ssh key to get everything set up and syncable.
If fresh setup is more common, you probably have other parts like package installation and network configuration that you also want to automate. Enter configuration management like ansible or salt, image builders like packer or archiso, “immutable” solutions like Nix or rpm-ostree. Once you get there you typically manage that in git anyway and you could put your dotfiles repo as a submodule and copy them over as part of OS setup.
If it’s just for once in a blue moon, manual ad-hoc copying gets you pretty far.
No matter how you slice it I think you have to either frequently spend time syncing changes or just accept the drift and divergence between machines and the sources.
Wishful thinking and stretching the definition beyond meaningfulness with regards to your conclusion. Lies, damned lies, and statistics. Don’t delude each other.
Still, I’ve believed for a long time that the tipping point with an increasing trajectory is around 5% so pretty optimistic about recent trends.
If you have the option to “run a terminal here” then you can run pwd from there to get the current directory path.
OK, I’m not that familiar with KDE Connect itself so it’s possible that it may have some built-in configuration for this (mounting a subpath directly instead of the root).
What you can hopefully do to make this easier without knowing more about KDE Connect is using symlinks.
Assuming the mount paths (which include IP address and port) are static, you can symlink them to more conventient locations. For example:
# find sftp mount path, assuming kio-fuse enabled
find /run/user/$(id -u)/kio-fuse-* -type d -name emulated
mkdir -p ~/Connected/
ln -s /run/user/..../emulated/0 ~/Connected/MyTablet
Then you can bookmark those locations in the file manager.
This will only work with the static IP (or make KDEC mount on a path not including ip:port) and how to do that depends on over what protocol you connect.
Just for telling the filesystems apart I guess you could also put an empty file or folder like emulated/0/00_MyTablet which will at least make it obvious where you are when you list the root.
Peertube? TBH I’d rather take the few paragraphs and a couple of screenshots than having to spend 10 minutes fighting Google blocks for the privilege of watching anyonymously…
If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.
Roughly,
High community trust: Debian, SUSE, Fedora, Ubuntu
Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs
Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr
IDGAF:
curl | sh