ftbd

joined 8 months ago
[–] ftbd@feddit.org 1 points 8 hours ago

You picked the wrong Aldi, fool!

[–] ftbd@feddit.org 3 points 8 hours ago (1 children)

That is completely irrelevant for now. Especially for a 'law and order' party like the CDU, what the law prescribes should come first: it is not a federal office but the Constitutional Court that has to decide whether the AfD must be banned. For that, the application has to be filed, as an ordinary part of the prescribed process. In other contexts a criminal complaint is also filed automatically at first, for example. If the investigation then turns up nothing, so be it, but speculation about that must not be used to decide whether an investigation is started at all.

[–] ftbd@feddit.org 2 points 8 hours ago

About to apt get me some malware

[–] ftbd@feddit.org 3 points 8 hours ago

I always feel like reflections in a window make me look better than the mirror does. Maybe it's just the lighting

[–] ftbd@feddit.org 15 points 14 hours ago

The only ones reading the changelog are nerds anyway

[–] ftbd@feddit.org 2 points 17 hours ago

That's true, but nothing does. Once someone receives a message, you have no control over what they do with it (regardless of communication channel, encryption, etc.). I read the comment above more like "instead of jumping through hoops to get around the spyware in your operating system, use an operating system that does not come with built-in spyware instead".

[–] ftbd@feddit.org 3 points 1 day ago (1 children)

Why not just 2.749?

[–] ftbd@feddit.org 2 points 1 day ago (1 children)

I'm pretty sure it's pronounced mü, not mew

[–] ftbd@feddit.org 2 points 1 day ago

There are special 3-phase connectors, but usually only in the kitchen (for an electric range)

[–] ftbd@feddit.org 1 points 1 day ago (2 children)

People only see what their outlet provides. If you ask someone about the European voltage, they'll probably say "220-230V", not "3-phase 400V".

[–] ftbd@feddit.org 0 points 1 day ago (1 children)

Especially when you see how the cops usually show up at demonstrations. What do they need the protective gear for, if they don't want to provoke violence?

[–] ftbd@feddit.org 1 points 1 day ago (1 children)

How would that work? Determinants are calculated recursively


Hi everyone!

I'm in the process of finally doing containers right in my NixOS installation. This is my 'wishlist':

  • podman containers should be run by users with minimal permissions
  • separate user per container
  • containers managed by systemd services for easier management

My current work-in-progress setup looks like this:

For each service (called $name), I have:

  • a user and corresponding group (referred to as $uid in the following)
  • a directory /srv/$name owned by $uid, in which mounted volumes are located

My containers are declared like this:

virtualisation.oci-containers.containers = {
    "${name}" = {
        image = ...;
        ports = [ ... ];
        volumes = [
            "/srv/${name}/config:/config"
            ...
        ];
        # the user option is a string of the form "uid:gid" (or "name:group")
        user = "${uid}:${gid}";
        extraOptions = [
            "--security-opt=no-new-privileges:true"
        ];
    };
};

Now for the parts I don't fully understand yet:

  • some images allow setting environment.PUID to specify a user. Does setting this option (and not setting user=$uid in the container declaration itself) mean that the container will be run as root, and the program inside will merely use PUID when e.g. creating files? This would still allow a malicious container to run commands as root on the host, right?

  • virtualisation.oci-containers.containers creates a systemd service. Since this is not a user-service for my user $uid, I need sudo to start/stop the container. Does that mean that the systemd service is run with root permissions, but it executes the command to spawn the container as $uid? If whatever is running inside the container was malicious, is there a functional difference between the container being started 'by root as $uid' and it being started by me (after logging in as $uid)?

  • Is it feasible to make these systemd services user-services owned by $uid instead?

  • Are there further hardening steps I forgot about?

Thanks for your input!
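As an added example, not the poster's own configuration, here is one complete NixOS module that implements the wishlist above for a single hypothetical service: a dedicated system user and group with fixed ids, the /srv/<name> volume directory created with those owners via systemd-tmpfiles, and the container declaration with the unprivileged user plus a few extra podman hardening flags beyond no-new-privileges. The service name "myapp", the uid/gid 2001, the image reference and the port are all placeholders chosen for illustration. The oci-containers module generates a root-owned system unit (podman-myapp.service with the podman backend); the `user` option only changes the uid:gid the process inside the container starts as, which is what makes files written to /config end up owned by the service user.

```nix
# Added example (not the poster's config): one NixOS module for one
# hypothetical service called "myapp", implementing the wishlist above.
{ config, lib, pkgs, ... }:

let
  name  = "myapp";                        # hypothetical service name
  uid   = 2001;                           # fixed unprivileged ids, assumed unused
  gid   = 2001;
  image = "docker.io/example/myapp:1.0";  # hypothetical image reference
in
{
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  # One dedicated user and group per service, with fixed ids so the
  # "uid:gid" passed to the container matches the owner of /srv/<name>.
  users.groups.${name}.gid = gid;
  users.users.${name} = {
    isSystemUser = true;
    group = name;
    uid = uid;
  };

  # Volume directories are created and owned by the service user ahead of
  # time, so the container never needs root to create them itself.
  systemd.tmpfiles.rules = [
    "d /srv/${name}        0750 ${name} ${name} -"
    "d /srv/${name}/config 0750 ${name} ${name} -"
  ];

  # This generates the root-owned unit podman-myapp.service; the process
  # inside the container is started as uid:gid, not as root.
  virtualisation.oci-containers.containers.${name} = {
    inherit image;
    ports = [ "127.0.0.1:8080:8080" ];   # publish on loopback only, not 0.0.0.0
    volumes = [ "/srv/${name}/config:/config" ];
    user = "${toString uid}:${toString gid}";
    extraOptions = [
      "--security-opt=no-new-privileges:true"
      "--cap-drop=ALL"   # no capabilities at all; add back single ones only if the image needs them
      "--read-only"      # immutable container root filesystem
      "--tmpfs=/tmp"     # scratch space that --read-only would otherwise deny
    ];
  };
}
```

With `--read-only` and `--cap-drop=ALL` an image that wants to write outside its volumes or bind a privileged port will fail to start; check `journalctl -u podman-myapp` and add back exactly the path or capability it needs rather than dropping the flag.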
