I'm trying to see how active a project is, but dependabot spam makes it annoying to find actual commits and to know if those commits are relevant.

There's no need for me to know chai was updated from 5.1.1 to 5.1.2, I want to see what were the most recent actual features implemented.

So, I'm selfhosting immich, the issue is we tend to take a lot of pictures of the same scene/thing to later pick the best, and well, we can have 5~10 photos which are basically duplicates but not quite.
Some duplicate finding programs put those images at 95% or more similarity.

I'm wondering if there's any way, probably at file system level, for the same images to be compressed together.
Maybe deduplication?
Have any of you guys handled a similar situation?

I'm trying to configure some NFC tags to automatically open an app, which is easy, just have to type the package name.
But I'm wondering how I can launch the app in a specific activity.

Specifically when I search for FitoTrack in my phone I get the option to launch the app directly into the workout I want to track, so I don't have to launch the app, click the FAB, click "Record workout" and then select the workout.
So I want to have a tag which will automatically launch this app into a specific workout.

How can I know what's the data I need to put into the tag to do this?

Probably looking at the code will give me the answer, but this won't apply to closed source apps, so is there a way to get all the ways all my installed apps can be launched?

I'm using https://github.com/rhasspy/piper mostly to create some audiobooks and read some posts/news, but the voices available are not always comfortable to listen to.

Do you guys have any recommendation for a voice changer to process these audio files?
Preferably it'll have a CLI so I can include it in my pipeline to process RSS feeds, but I don't mind having to work through an UI.
Bonus points if it can process the audio streams.

I've only used ufw and just now I had to run this command to fix an issue with docker.
sudo iptables -I INPUT -i docker0 -j ACCEPT
I don't know why I had to run this to make curl work.

So, what did I exactly just do?
This is behind my house router which already has reject input from wan, so I'm guessing it's fine, right?

I'm asking since the image I'm running at home I was previously running it in a VPS which has a public IP and this makes me wonder if I have something open there without knowing :/

ufw is configured to deny all incoming, but I learnt docker by passes this if you configure the ports like 8080:8080 instead of 127.0.0.1:8080:8080. And I confirmed it by accessing the ip and port.

I mean, the price of the product is the same, I'm taking a loan for the duration of the credit but paying no interest?
What's the catch?
I can keep my money making a bit of interest instead of giving it right away and without increasing the price of what I was already planning to buy. When or why wouldn't I choose 0% credits?

cross-posted from: https://lemmy.pe1uca.dev/post/1137911

I need to help auditing a project from another team.
I got the pointers on what's expected to be checked, but I don't have like templates for documents for what's expected from an audit report which also means I'm not sure what's the usual process to conduct an internal audit.
I mean I might as well read the whole repo, but maybe that's too much?

Any help or pointers on what I need to investigate to get started would be great!

I'm checking this mini pc https://www.acemagic.com/products/acemagic-ad08-intel-core-i9-11900h-mini-pc

It says the M2 and SATA ports are limited to 2TB, but I can't imagine why that's the case.
Could there be a limit on the motherboard? On the CPU?
If most likely this is done in software (windows) probably it won't matter since I'm planning to switch to linux.

What I want to avoid is buying it and being unable to use an 8TB drive.

I started tinkering with frigate and saw the option to use a coral ai device to process the video feeds for object recognition.

So, I started checking a bit more what else could be done with the device, and everything listed in the site is related to human recognition (poses, faces, parts) or voice recognition.

In some part I read stable diffusion or LLMs are not an option since they require a lot of ram which these kind of devices lack.

What other good/interesting uses can these devices have? What are some of your deployed services using these devices for?

I have a few servers running some services using a custom domain I bought some time ago.
Each server has its own instance of caddy to handle a reverse proxy.
Only one of those servers can actually do the DNS challenge to generate the certificates, so I was manually copying the certificates to each other caddy instance that needed them and using the tls directive for that domain to read the files.

Just found there are two ways to automate this: shared storage, and on demand certificates.
So here's what I did to make it work with each one, hope someone finds it useful.

Shared storage

This one is in theory straight forward, you just mount a folder which all caddy instances will use.
I went through the route of using sshfs, so I created a user and added acls to allow the local caddy user and the new remote user to write the storage.

setfacl -Rdm u:caddy:rwx,d:u:caddy:rwX,o:--- ./
setfacl -Rdm u:remote_user:rwx,d:u:remote_user:rwX,o:--- ./
setfacl -Rm u:remote_user:rwx,d:u:remote_user:rwX,o:--- ./

Then on the server which will use the data I just mounted it

remote_user@<main_caddy_host>:/path/to/caddy/storage /path/to/local/storage fuse.sshfs noauto,x-systemd.automount,_netdev,reconnect,identityfile=/home/remote_user/.ssh/id_ed25519,allow_other,default_permissions,uid=caddy,gid=caddy 0 0

And included the mount as the caddy storage

{
	storage file_system /path/to/local/storage
}

On demand

This one requires a separate service since caddy can't properly serve the file needed to the get_certificate directive

We could run a service which reads the key and crt files and combines them directly from the main caddy instance, but I went to serve the files and combine them in the server which needs them.

So, in my main caddy instance I have this:
I restrict the access by my tailscale IP, and include the /ask endpoint required by the on demand configuration.

@certificate host cert.localhost
handle @certificate {
	@blocked not remote_ip <requester_ip>
	respond @blocked "Denied" 403

	@ask {
		path /ask*
		query domain=my.domain domain=jellyfin.my.domain
	}
	respond @ask "" 200

	@askDenied `path('/ask*')`
	respond @askDenied "" 404

	root * /path/to/certs
	@crt {
		path /cert.crt
	}
	handle @crt {
		rewrite * /wildcard_.my.domain.crt
		file_server
	}

	@key {
		path /cert.key
	}
	handle @key {
		rewrite * /wildcard_.my.domain.key
		file_server
	}
}

Then on the server which will use the certs I run a service for caddy to make the http request.
This also includes another way to handle the /ask endpoint since wildcard certificates are not handled with *, caddy actually asks for each subdomain individually and the example above can't handle wildcard like domain=*.my.domain.

package main

import (
	"io"
	"net/http"
	"strings"

	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()

	e.GET("/ask", func(c echo.Context) error {
		if domain := c.QueryParam("domain"); strings.HasSuffix(domain, "my.domain") {
			return c.String(http.StatusOK, domain)
		}
		return c.String(http.StatusNotFound, "")
	})

	e.GET("/cert.pem", func(c echo.Context) error {
		crtResponse, err := http.Get("https://cert.localhost/cert.crt")
		if err != nil {
			return c.String(http.StatusInternalServerError, "")
		}
		crtBody, err := io.ReadAll(crtResponse.Body)
		if err != nil {
			return c.String(http.StatusInternalServerError, "")
		}
		defer crtResponse.Body.Close()
		keyResponse, err := http.Get("https://cert.localhost/cert.key")
		if err != nil {
			return c.String(http.StatusInternalServerError, "")
		}
		keyBody, err := io.ReadAll(keyResponse.Body)
		if err != nil {
			return c.String(http.StatusInternalServerError, "")
		}

		return c.String(http.StatusOK, string(crtBody)+string(keyBody))
	})

	e.Logger.Fatal(e.Start(":1323"))
}

And in the CaddyFile request the certificate to this service

{
	on_demand_tls {
		ask http://localhost:1323/ask
	}
}

*.my.domain {
	tls {
		get_certificate http http://localhost:1323/cert.pem
	}
}

I started fiddling with my alias service and started wondering what approach other people might take.
Not necessarily the best option but what do you prefer? What are the pros and cons you see with each option?

Currently I'm using anonaddy and proton, so I have a few options to create aliases.

• The limited shared domain aliases (from my current subscription level)
  Probably the only option to not be tracked if it would be unlimited, I'd just have to pay more for the service.
• Unlimited aliases with a subdomain of the shared domain
  For example: baked6863.addy.io
• Unlimited aliases with custom domain.
• Unlimited aliases with subdomain in custom domain.
  This is different from the one above since the domain could be used for different things, not dedicated to email.
• Catch-all with addy.
  The downside I've read is people could spam any random word, and if then disabled the people that had an incorrect alias wouldn't be able to communicate anymore.
• Catch-all with proton.
  Since proton has a limit on how many email addresses you actually have, so when you receive an email to an alias and want to replay to it you'll be doing it from the catch-all address instead of the alias.

What do you think?
What option would you choose?

I have an old android tablet (and several phones) that I want to use for small applications in my home automation.
For the most part just to show a web page to quickly click something to activate or read the status.

My issue is the OS installed is very old and of course there are no official updates.
Looking for custom roms they are also somewhat old because the age of the devices, and everyone says "don't use the rom of one device into another even if the models are very similar".

So, my question is, what are my options if I can't use a pre-built rom?
Could I keep the same OS and just restrict access to only my internal network?
Not sure if I'm being too paranoid about security risks using these devices to just connect to my services.