You say you have a wildcard cert but just to make sure: I don’t suppose you’ve used ACME for Letsencrypt or some other publicly trusted CA to issue a cert including the affected name? If so it will be public in Certificate Transparency Logs.
If not I’d do it again and closely log and monitor every packet leaving the box.
In this case they are apparently fine with a personal computer being used
Where? Looks ambiguous. From all we know this is a work computer provided by the employer. It’s more likely to be an oversight or deprioritized/neglected.
which makes RDP actually a slightly more secure solution
I do not see how that folllows.
If both the company and employee are indeed fine with the RDP, it should be no problem to get that confimed from IT in writing.
Separate your personal and work computer
nods enthusiastically
Important for security of both the employee and the company. Don’t mix business and pleasure. It’s the only thing that makes sense!
Put Windows and all work related software on a separate work laptop and use remote desktop from your Linux PC to do your job.
What? No! Keep them separate! This is how people get pwned. Don’t backdoor your employers machine from your personal PC or vice versa!
deleted by creator
What is the reason you are not considering running chromium or firefox in kiosk mode and just opening the slideshow view in a fullscreen web browser without the chrome?
dnf --cacheonly
If anyone else is seeing high resource use from seeding: There’s quite some spam and griefing happening to at least Debian and Arch trackers and DHT.
Blocking malicious peers can cut down that by a lot. PeerBanHelper is like a spam filter for torrent clients.
https://github.com/PBH-BTN/PeerBanHelper/blob/dev/README.EN.md
On 1: Autoseeding ISOs over bittorrent is pretty easy, helps strengthening and decentralize community distribution, and makes sure you already have the latest stable locally when you need it.
While a bit more resource intensive (several 100GB), running a full distribution package mirror is very nice if you can justify it. No more waiting for registry sync and package downloads on installs and upgrades. apt-mirror if you are curious.
Otherwise, apt-cacher-ng will at least get you a seamless shared package cache on the local network. Not as resilient but still very helpful in outage scenarios if you have more than one machine with the same dist. Set one to autoupgrade with unattended-upgrades and the packages should be available for the rest, too.
Yes, Home Assistant has this.
https://rhasspy.readthedocs.io/en/latest/
Works great. My biggest challenge was finding a decent microphone setup and ended up like many do with old Playstation 3 webcams. That was a while back and I would guess it’s easier to find something more appropriate today.
I am currently trying to transition from docker-compose to podman-compose before trying out podman quadlets eventually.
Just FYI and not related to your problem, you can run docker-compose with podman engine. You don’t need docker engine installed for this. If podman-compose is set up properly, this is what it does for you anyway. If not, it falls back to an incomplete Python hack. Might as well cut out the middle-man.
systemctl --user enable --now podman
DOCKER_HOST=unix://${XDG_RUNTIME_DIR}/podman/podman.sock docker-compose up
I think Mora is on the ball but we’d need their questions answered to know.
One possibility is that you have SELinux enabled. Check by sudo getenforce. The podman manpage explains a bit about labels and shares for mounts. Read up on :z and :Z and see if appending either to the volumes in your compose file unlocks it.
If running rootless, your host user also obviously needs be able to access it.
How about using sieve rules? A nice plus is that if you ever move to self-hosted in the future, you can bring it with you.
I know at least Fastmail supports user-configured sieve. I don’t have experience with Fastmail myself but in general mostly heard good things.
https://www.cstrahan.com/blog/taming-email-with-fastmail-rules/
You don’t interact much with lawyers and government in your work, I take it?
It sounds like notmuch is your bag. While it has its own CLI, it also works great with neomutt, aerc, and others.
https://youtube.com/watch?v=pBs_P_1--Os
You can also do very powerful presorting with sieve if your server supports it.
Auhorities in other European countries are known to MitM SSL certs at VPS providers for years already. Switzerland is moving their legislation towards the EU direction. Proton themselves have been vocal about their concerns about this.
How long until someone realizes they can demand Proton to inject some extra JS into the webmail for desired targets? Folks in a sensitive situation should follow the established best-practice of not relying on remotely served JS for client-side encryption. To be safe against this vecor, handle your encryption and signing outside of the webmail; either in your own client or copy/pasting.
slock
https://discuss.privacyguides.net/t/proton-mail-discloses-user-data-leading-to-arrest-in-spain/18191
Before that: https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/
There are many, many more cases we don’t hear about in media.
If you consistently connect to Proton via I2P or tor and don’t link a phone number or tracable recovery mail, you’re covering up at least some of the juicy metadata.
I really hope the X11 session stays maintained.
Otherwise, KDE will finally have a reason to get get its MATE/Cinnamon equivalent
What should the fork be called? Surely someone can do better than “Plaxma DE”.
The first one I think is a fundamental limitation in that display preferences by default is per-user. Maybe this makes it work for you? https://feddit.online/post/1350756/comment/6636228
The 24h clock might be similar - check your system-wide locale.
My next suspicion from what you’ve shared so far apart from what others suggested would be something out of the http server loop.
Have you used some free public DNS server and inadvertently queried it with the name from a container or something? Developer tooling building some app with analytics not disabled? Any locally connected AI agents having access to it?