Well, I can only write from my own experience. I’ve worked for several major campaigns in my life. In banks, in telecom operators. And it’s almost always been like this. And where there was none, the campaign collapsed. Not in a moment, of course, because campaigns, like people, do not die instantly, but age and degrade. But as a result, it was.
nitrolife
- 0 Posts
- 25 Comments
The job of people around the CEO is primarily to make decisions. All this huge chain of managers is needed only to aggregate information so that the CEO can make an informed decision. This is how many large companies operate. I would even say that there is a direct correlation between the size of the campaign and the number of monitors at the bottom.
The flip side of sitting behind a huge monitor is that you won’t stay outside with a huge number of your employees if you make the wrong decision. It’s just a different job.
ISC DHCP switched to KEA DHCP. They don’t have a package in the Debian repo, but you can add the repo and install: https://cloudsmith.io/~isc/repos/kea-3-0/packages/
ISC is really deprecated… =( You can install dnsmasq of course, but it is much slower. But nice for small networks.
Firewalld is much worse for small systems. Who really needs to mark ports? But in difficult cases you need to write iptables rich rules anyway. So, as a result, I love old school with clean iptables without any upper-level daemons.
Enable packet forwarding via interfaces:
```
# cat /etc/sysctl.d/01-forward.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
```
Then install isc-dhcp-server and configure the ipv4 and ipv6 dhcp servers. (only on local ports or your internet provider will be angry)
Short example:
```
# cat /etc/dhcpd.conf
ddns-update-style interim;
ddns-updates on;
ddns-domainname "my.local";
ddns-rev-domainname "in-addr.arpa";
allow client-updates;
update-conflict-detection true;
update-optimization true;
authoritative;
default-lease-time 86400;
preferred-lifetime 80000;
max-lease-time 86400;
allow leasequery;
option domain-name "my.local";
option domain-name-servers 192.168.1.1;
lease-file-name "/var/lib/dhcp/dhcpd.leases";
```
```
# cat /etc/dhcpd6.conf
ddns-update-style interim;
ddns-updates on;
ddns-domainname "my.local";
ddns-rev-domainname "ip6.arpa";
allow client-updates;
update-conflict-detection true;
update-optimization true;
authoritative;
default-lease-time 86400;
preferred-lifetime 80000;
max-lease-time 86400;
allow leasequery;
option domain-name "my.local";
option dhcp6.name-servers fd00:1::1;
option dhcp6.domain-search "my.local";
option dhcp6.preference 255;
dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";
```
Don’t forget to start dhcpd@lan and dhcpd6@lan
Then install radvd and configure RA ipv6 broadcasting. (only on local ports or your internet provider will be angry)
```
# cat /etc/radvd.conf
interface br0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvDefaultPreference low;
    AdvHomeAgentFlag off;
    prefix fd00:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
    RDNSS fd00:1::1 {
        AdvRDNSSLifetime 30;
    };
    DNSSL my.local {
        AdvDNSSLLifetime 30;
    };
};
```
Then install iptables-persistent and configure ipv4 and ipv6 rules in /etc/iptables/ . Change lan and internet to your real interfaces.
```
# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.1 on Mon Dec 30 18:53:43 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o internet -j MASQUERADE
COMMIT
# Completed on Mon Dec 30 18:53:43 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#UNBRICK IF YOU WANT ACCESS FROM INTERNET
-A INPUT -s x.x.x.x -j ACCEPT
-A INPUT -s y.y.y.y -j ACCEPT
#BASE
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
```
```
# cat /etc/iptables/rules.v6
# Generated by ip6tables-save v1.6.0 on Thu Sep 8 13:29:11 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o internet -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#BASE INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
```
Then install a DNS relay. I use bind, but that is somewhat overkill. But anyway:
install named / bind9
```
# cat /etc/named.conf
...
acl "lan" {
    192.168.1.0/24;
    127.0.0.1;
    fd00:1::/64;
    ::1/128;
};

tls google-DoT {
    ca-file "/var/named/google.crt"; //SET google cert path here
    remote-hostname "dns.google";
};

tls local-cert { //if you want local SSL requests
    cert-file "/etc/letsencrypt/live/local/cert.pem";
    key-file "/etc/letsencrypt/live/local/privkey.pem";
};

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    forwarders port 853 tls google-DoT { 8.8.8.8; 8.8.4.4; };

    // Uncomment these to enable IPv6 connections support
    // IPv4 will still work:
    //listen-on-v6 { any; };
    // Add this for no IPv4:
    //listen-on { any; };

    listen-on-v6 { fd00:1::1; ::1; };
    listen-on { 192.168.1.1; 127.0.0.1; };
    listen-on-v6 tls local-cert { fd00:1::1; ::1; }; //if you want local SSL requests
    listen-on tls local-cert { 192.168.1.1; 127.0.0.1; }; //if you want local SSL requests

    allow-recursion { lan; };
    allow-recursion-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; };
    allow-transfer { none; };
    allow-update { none; };
    allow-query { lan; };
    allow-query-cache { lan; };
    allow-query-cache-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; };

    version "DNS Server 1";
    hostname "interesting server";
    server-id "realy interesting server";

    dnssec-validation auto;
    empty-zones-enable no;
    minimal-responses yes;

    http-port 8888;
    listen-on http local tls none { any; };
    listen-on-v6 http local tls none { any; };

    auth-nxdomain no; # conform to RFC1035
};
...
```
All done.
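An added example, not part of the original comment: a POSIX shell check that an iptables-save file like the rules.v4 above still has DROP policies on INPUT and FORWARD and no unrestricted ACCEPT once `lan` and `internet` have been swapped for real interface names. The function name `audit_rules` and both sample rulesets are constructed for illustration.

```sh
# Added example: audit the filter table of an iptables-save file read from stdin.
# Usage: audit_rules WAN_IF < /etc/iptables/rules.v4
# Prints one finding per line; exit status 0 means no findings.
audit_rules() {
    awk -v wan="$1" '
        /^\*/ { table = substr($1, 2); next }      # table header such as *filter
        table != "filter" { next }                 # nat and other tables are skipped
        /^:(INPUT|FORWARD) / {                     # chain policy line
            chain = substr($1, 2); seen[chain] = 1
            if ($2 != "DROP") { print "policy: " chain " defaults to " $2; bad = 1 }
            next
        }
        /^-A (INPUT|FORWARD) / && $NF == "ACCEPT" {
            matched = 0; on_wan = 0; stateful = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i" || $i == "-s" || $i == "-p") matched = 1
                if ($i == "-i" && $(i + 1) == wan) on_wan = 1
                if ($i == "--state" || $i == "--ctstate") { matched = 1; stateful = 1 }
            }
            if (!matched)            { print "blanket accept: " $0; bad = 1 }
            if (on_wan && !stateful) { print "new connections accepted on " wan ": " $0; bad = 1 }
        }
        END {
            if (!seen["INPUT"] || !seen["FORWARD"]) { print "filter policies not found"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: filter rules as in the comment, placeholder interface names kept.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample of a mis-edit: policy loosened and the WAN side opened.
WEAK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i internet -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT'
printf '%s\n' "$GOOD_RULES" | audit_rules internet && echo "good sample: no findings"
printf '%s\n' "$WEAK_RULES" | audit_rules internet || echo "weak sample: findings above"
```

The same function works on rules.v6, since ip6tables-save uses the same file format and `-p ipv6-icmp` is counted as a protocol match.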
nitrolife@rekabu.ru to Selfhosted@lemmy.world • Your favourite piece of selfhosting - Part 1 - Operating System English 21 · 14 days ago
archlinux + podman / libvirtd + nomad (libvirt and docker plugins) + ansible / terraform + vault / consul sometimes
UPD:
archlinux - base os. You never need to change the major version and that is great. I update core systems every weekend.
podman / libvirtd - 2 types of core abstractions. podman - docker containers management, libvirtd - VM management.
nomad - Hashicorp orchestrator. You can run an exec, java application, container or virtual machine in one way with that. Can integrate with podman and libvirtd.
ansible - VM configuration playbooks + core system updates
terraform - engine for deploying nomad jobs (docker containers, VMs, execs or something else)
Vault - K/V storage. I save here secrets for containers and VMs
consul - service networking solution if you need a really hard network layer
As a result, I’m not really sure if it’s a simple level or a complex one, but it’s very flexible and convenient for me.
UPD2: As a result, I described the applications level, but in fact it is 1 very thick server on AMD EPYC with archlinux. XD By the way, the lemmy node from which I write is just on it. =) And yes, it’s still selfhosted.
nitrolife@rekabu.ru to Asklemmy@lemmy.ml • How do you time manage and prioritize your work and projects? 11 · 16 days ago
After testing a bunch of different apps, I settled on a notebook and a pen. There’s nothing more convenient than writing down your tasks and plans in two columns and then simply recording the results the next day.
nitrolife@rekabu.ru to Asklemmy@lemmy.ml • I would like to ask a question about the near future, I think it will be extremely relevant? 9 · 20 days ago
Well, I’ve lived half my life without the Internet, because it wasn’t invented yet, and if things really go this way, I’ll live the rest of my life without the Internet. No digital sharing, no digital spying. And I recommend that you disconnect from the network for a couple of months and touch the grass too.
nitrolife@rekabu.ru to memes@lemmy.world • Then they will ask why nobody wants to use their payment cards 1 · 22 days ago
For most of human history, salt has corresponded to this definition. Have you ever wondered why it’s called a salary?
It’s very nice when your wallet is barely keeping afloat and you’re left without money because the salt is gone from the wallet… Or do you mean super cheap rock salt?
Well, to be left without money because I got caught in the rain is still not a pleasure.
Tungsten is also one of the rarest minerals on Earth, despite its relative cheapness.
Good… At a time when gold was still a currency, tungsten was not yet able to be smelted. In addition, when heated, tungsten is reactively oxidized, unlike gold.
nitrolife@rekabu.ru to memes@lemmy.world • Then they will ask why nobody wants to use their payment cards 1 · 22 days ago
Well, what kind of items are these that are rare, they cannot be made as much as you want, they do not deteriorate over time and allow processing?
nitrolife@rekabu.ru to memes@lemmy.world • Then they will ask why nobody wants to use their payment cards 1 · 23 days ago
The value of gold, silver and platinum is determined by two factors: there is little of it in nature and you cannot take more at will and it does not oxidize, which ensures good storage.
I really don’t know about you, but in my country you can’t take gold out of the bank. You buy gold from a bank and it stays in the bank longer without the possibility of taking it out. What a joke. Guess what happens to the bank and the gold in it when the economy collapses.
And now look at Bitcoin. There is little of it, you can’t increase it at will, and it’s convenient to store. Does it remind you of anything? And it’s always with you.
nitrolife@rekabu.ru to memes@lemmy.world • Then they will ask why nobody wants to use their payment cards 1 · 23 days ago
or they can simply inherit the UNIXTIME library, in which 0 has shifted from 1970 to 2038, and add one additional “time epoch” flag. Think about what’s easier - create your own time library or inherit from unixtime?
nitrolife@rekabu.ru to memes@lemmy.world • Then they will ask why nobody wants to use their payment cards 102 · 23 days ago
Bitcoin is a pyramid scheme because it only keeps its value as long as people are constantly buying it. If no one wants to buy it, the value of any amount of bitcoin is zero. This is why people who have bitcoin are trying to convince anyone else to keep buying.
Any currency is initially a bank’s promissory notes, and then a promise to exchange the paper for some kind of labor. As a person who has experienced at least one default in his life and whose entire toilet is covered with USSR money, I can say that in this regard, no currency is different from bitcoin.
nitrolife@rekabu.ru to memes@lemmy.world • Then they will ask why nobody wants to use their payment cards 6 · 23 days ago
1 BTC for a pizza, or whatever
10 000 BTC for 1 pizza…
hyperinflation
Deflation. This is literally what happens to any currency that cannot be printed indefinitely. The situation is complicated by the fact that many wallets are simply lost and bitcoins will never be recovered from them.
nitrolife@rekabu.ru to Asklemmy@lemmy.ml • This time I want to talk about factories and about creativity. Doesn't this bother you? 1 · 1 month ago
After all, if people are willing to read what they’re given, why not? If they like to read books with the quality of neural networks, then there’s nothing you can do about it. All that remains is to be better than the neural network. In any aspect. And you will find your reader.
But yes, the human creativity of widespread consumption is slowly dying.
nitrolife@rekabu.ru to Asklemmy@lemmy.ml • And so this time I want to share more frank thoughts about art, I hope you will understand? 8 · 1 month ago
The same story was told when photography was invented. And yes, the portraits really died en masse. Did painting come to an end after that? Of course not.
Part of my last mining farm, if you are interested.
And yes, I also mined bitcoins on the CPU, back when you could get near 200 bitcoins per hour of work. After that I mined altcoins on video cards, mined through nicehash. What have I not mined. And I can say - it’s all thrown-away money. It is much, much more profitable just to buy cryptocurrency and hold it in a cold wallet.
if you don’t want to tell me that people are setting up mining farms in Somalia (because it’s pointless from a risk perspective), I don’t think electricity rates are particularly lower anywhere else.
In any case, you can make money from anything. It’s just that the risks associated with mining don’t justify the investment. That’s all.
Yes. Sorry, I still don’t speak English well, so I use Google Translate.