Pika

this right here. If you have immich setup behind a reverse proxy, just route any requests that use the /share/ and /s/ (the custom link version) on the proxy manager to route to the immich instance, and have it 403 on anything else when the request is not via the vpn

Just be aware that immich uses links like share-* as well so be sure to have that trailing / to make it so only shared links and albums can be.

edit: Actually looking into this route further, it looks like immich as a whole needs more than just the /share/ and the /s/ endpoints exposed to function correctly. I will update this in a little when i figured out more on what is actually needed

update: So it seems immich will not support this style setup without quite a bit of hands on. You need to give at minimum /share/, /s/, /_app/ and /api/ in order to actually go this route. and at that point since you’ve given /api/ you’ve essentially publicly opened the instance anyway. While you can go through and individually do each endpoint. It requires access to /api/albums /api/assets and a few other endpoints, these endpoints do seem to need auth or some form of verification tho

for anyone wanting to still go through with it. You can reverse proxy it by allowing the endpoints

• _app/ a bunch of immich internal files for serving content
• api/
  • server/
    • config: shows basic infomation about the server
    • media-types: shows what media types the server supports
    • features: discloses what features the server supports
  • shared-links/me: 401, 403’s or shows what links the user account can sign into
  • albums/: 403’s on any album endpoint that doesn’t also include the album’s public slug in the URL
  • timeline/
    • buckets: displays timeline buckets. 401 or 403’s on no auth
    • bucket/: displays timeline info on the requested resource. 401 or 403’s on info unless info is provided about what its trying to access
  • assets/: 401 or 403’s on any request that doesn’t contain a public slug in the url

The nginx location regex I used for my testing(although not very read friendly) was

location ~ /(api/(server/(config|media-types|features)|shared-links/me|albums/|timeline/(bucket|buckets)|assets/)|(share|s)|_app/){
  proxy_pass *immich instance*;
}

note: this was found just by basic testing using NPM on my environment, I may have missed some more specific calls especially regarding videos as I don’t really do any video photography to allow for testing.

Additional note: You may end up confusing your users with the UI though, as since lets you click on the immich banner to get to login, but everything would be blocked. You may just want to use the immich public project that was linked later in this discussion…

If it’s running as root anyway, then I change my statement. No I don’t see any security risk with it. Patchmon is running as root anyway, so no matter what your permissions are on the links or the original sock, as long as it’s smart enough to follow the link it should be fine. Generally symlinks follow the same permission as their target, with the exception of changing its owner with chown or removing it. I.E they are going to almost always just be whatever the permission of the target is. So your /var/run/docker.sock is going to be whatever permissions your /run/user/{userid}/docker.sock is normally and since patchmon is running as the root user, it’s not going to care what permissions are present as root overrides all restrictions/permissions anyway.

I have my concerns that patchmon might try to change docker files while as the root user, which could create files that docker couldn’t read but since it seems to be using the docker sock anyway, I expect it’s just going to operate over the sock which means it would be using dockers built in system which would be using its docker user.

I’m not fully understanding here, are you saying that the symlink is root because root is required to access /var/run or that its root because its required by patchmon.

If its root because the rest of the /var/run is root, is it not on the table to just chown the /var/run/docker.sock symlink to be the userid? since I would assume that patchmon would be running as the docker user anyway since you are running in a rootless environment? I might be misunderstanding.

As long as your permissions to the symlink are in line with the permissions on the original sock, I wouldn’t expect there would be too much risk there. Of course a malicious vector /could/ see that a /var/run/docker.sock exists and try to manipulate it, but, since docker itself isn’t root which means that user executing the symlink isn’t root, I don’t think it would allow for escalation.

Heavy agree with this, and that the source is shown in three locations(duplicate info is all over the page) as well as the heavy push into how fast deploying the software is, when that’s not usually a metric anyone actually cares about as its a one and done setup

Yea but a tag system will allow it to be seen from outside the community. a general requirement in the body of the post of disclosing if AI was used and how I think would go a long way better in the long run, and requires the person to have entered the post and read it first.

I think I’m leaning more towards that style instead. if something interests me I can join it read it and if its AI and I don’t want to see it I can go elsewhere, that requires people to put bare amount of effort instead of just seeing a [AI] tag from all[/active/hot] (idk what the actual lemmy endpoint is I use tess) and being like “oh ai downvote”

the only way they could prevent that was to mandate that disclosure had to be in the post body somewhere and not the title, that way it only appears once someone opens the post. Mostly because some posts are visible from feeds other than subscribed which means that members would see it that are outside of the normal/average visitors here.

Honestly I think i would prefer that. Instead of requiring a tag, require AI disclosure on the project somewhere in the post body.

That way a certain subset of members could just drive-by downvote without getting themselves dirty.

Honestly. I was fully on board with this until you brought that up. Yea that just 180’d my opinion on if it should be tagged significantly.

I don’t want something to be tagged to be able to allow people to mass downvote it or hide it from sight, that’s not productive to anyone. I wanted the tag to be able to filter it out when I didn’t want to see it, but be able to see it if I felt I wanted to. Allowing for mass downvote on it will significantly hinder that.

As others have stated, if your model is able to have the battery removed and have it still run off power, no problem, do so.

You should be using a dedicated UPS for something like that if you’re concerned about power going out , For a power input that a laptop requires, you could very easily find a $30 or $40 one at your closest big box retail store.

If you must keep the battery in it be careful to monitor it. I ran a laptop as a server for almost four years. It does work really nice. But depending on model, they may be prone to having the battery expand if it’s on 24-7. And even if it doesn’t, that battery is going to be shot after two or three years of constant use anyway.

You can mitigate the battery health issue by making sure you have some form of battery management software running where it stops charging the battery once it hits like 80-85%. and allows it to discharge on its own. But realistically using a laptop battery as a backup power source isn’t super recommended.

Plus with a UPS, you could also hook your router and modem/ONT up to it, which means that not only is your laptop going to remain on, but usually your network will remain up as well since communication lines are quite a bit more durable and generally stay alive even if the power goes down

I don’t use IPv6 on my lab. They been screaming to the bleachers since like 2010 that IPv6 is right around the corner due to lack of addresses, and I’ve still seen no real reason to want to adopt for it.

My current provider doesn’t even support it… so why should I?