FYI: I moved the allow rule for DNS to the top of the chain, so that should fix problems with DNS providers not being able to reach the authoritative name servers.

Ugh. Thanks. It’s quite possible, though maybe just a regional one? I did inadvertently block one of the IPs Let’s Encrypt uses for secondary validation, so this may be another case of that.

I get a shitload of bad traffic from the southeast Asia area (mostly Philippines/Singapore AWS) and have taken to blanket blocking their whole routes rather than constantly playing whack-a-mole. Fail2ban only goes so far for case-by-case.

Here’s the image from the meme from an alternate source:

Your IP may unfortunately be inside a CIDR block that largely does nothing but spam my infrastructure with script kiddie tomfoolery. Firewall rules apply to my authoritative DNS servers as well.

Edit: If you would like me to whitelist it, DM me your IP and I’ll add a narrow exception.

Atkinson Hyperlegible is my new jam. I’m dyslexic and it helps tremendously even though that’s not its primary goal. It also looks a lot better than OpenDyslexic which I used to use.

Loaded “Hyperlegible” onto my Kobo, the reader app on my phone, and set it as the default font on my desktop environment.

Also added it as an option in Tesseract UI (which I swear I’ll be releasing “soon”).

Kinda like in recent Trek series where, when an episode begins with a day in the limelight of a non-main character, it’s basically their eulogy.

• DIS: Lt. Miriam Airiam. Stupid autocorrect.
• SNW: Ensign Gamble

I made my own smart outlets with an ESP-01, dual relay board, and ESPHome. Also made some temp/humidity sensors as well as a 20x4 text display. All powered by a bunch of ESP-01s I bought cheap and in-bulk from Ali and programming using ESPHome which handles most of the work interfacing with the components as well as the HomeAssistant integration.

https://esphome.io/

When some rich, Walt Disney-type buys an island and fills it with supercomputers in order to clone a park full of extinct Amy Winehouses?

Find a USB stick in the parking lot? Don’t plug it into your PC and probably destroy it with fire.

Find a USB stick while digging in the park? Plug that baby in, jam to some Back to Black, and watch some vintage porn.

Basically the only thing you want to present with a challenge is the paths/virtual hosts for the web frontends.

Anything /api/v3/ is client-to-server API (i.e. how your client talk to your instance) and needs to be obstruction-free. Otherwise, clients/apps won’t be able to use the API. Same for /pictrs since that proxies through Lemmy and is a de-facto API endpoint (even though it’s a separate component).

Federation traffic also needs to be exempt, but it’s not based on routes but by the HTTP Accept request header and request method.

Looking at the Nginx proxy config, there’s this mapping which tells Nginx how to route inbound requests:

nginx_internal.conf: https://raw.githubusercontent.com/LemmyNet/lemmy-ansible/main/templates/nginx_internal.conf

    map "$request_method:$http_accept" $proxpass {
        # If no explicit matches exists below, send traffic to lemmy-ui
        default "http://lemmy-ui:1234/";

        # GET/HEAD requests that accepts ActivityPub or Linked Data JSON should go to lemmy.
        #
        # These requests are used by Mastodon and other fediverse instances to look up profile information,
        # discover site information and so on.
        "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://lemmy:8536/";

        # All non-GET/HEAD requests should go to lemmy
        #
        # Rather than calling out POST, PUT, DELETE, PATCH, CONNECT and all the verbs manually
        # we simply negate the GET|HEAD pattern from above and accept all possibly $http_accept values
        "~^(?!(GET|HEAD)).*:" "http://lemmy:8536/";

Probably “copying” Apple’s iNoun naming convention?

Ran into a hiccup while trying to reproduce (there seems to be considerable lag between adding a domain to the filter list and the federation processes handling it), but now that I was able to reproduce it successfully, I made a bug report: https://github.com/LemmyNet/lemmy/issues/6320

Granted, I don’t think the instance level URL filters were meant to be used for the domains of other instances like I was doing here. They’re more for blocking spam domains, etc.

e.g. I also have those spam sites you see in c/News every so often in that block list (e.g. dvdfab [dot] cn, digital-escape-tools [dot] phi [dot] vercel [dot] app, etc) , so I never see/report them because they’re rejected immediately.

During one of the many, many spam storms here, it was desired by admins for those filters to stop anything that matched them from federating-in instead of just changing the text to removed on the frontend. So it is a good feature to have. Just maybe applied too widely.

Though I think if a user edited their own description to include a widely-blocked URL (no URLs are blocked by default), they’d just be soft-banning themselves from everywhere that has that domain blocked.

If a malicious community mod edited their communities’ descriptions to a include a widely-blocked URL, then yeah, that could cut off new posts coming in to any instance that has that domain blocked (old posts and the community itself would still be available).

All of those would require instances to have certain URLs blocked. The list of blocked URLs for an instance is publicly available from the info in getSite API call, so it wouldn’t be hard to game if someone really wanted to. Fortunately, most people are too busy gaming the “delete account” feature right now 🙄.

The person who cross-posted it was probably definitely from your local instance.

You only ever interact with your local instance’s copy of any community, even remote ones. If the community is to a remote instance that is either offline or since de-federated, there’s nothing that prohibits you from interacting with it*. Because lemm.ee is no longer there to federate out the post/comments to any of the community’s subscribers, only people local to your instance will see it.

*Admins can remove the community and, prior to it going offline, mods can lock it. But if an instance just disappears, you can still locally interact with any of its communities on your instance; the content just won’t federate outside your instance.

I haven’t looked. Just noticed it earlier today and haven’t had time.

Lol. I guess now I gotta decide which is more annoying: Not having content from c/Books or having to deal with unwanted spillover from .ml. I don’t have the chutzpah to ask the mods to change the community description lol

Just figured this might catch other people off guard like it did me. I never would have expected the community description to be evaluated for the URL filter (only posts/comments).

I wouldn’t recommend it to anyone in real life. There are parts that are just way too jarring.

Ugh, this. And I hate that it’s like that.

Like, I used to have my instance open to whoever to sign up. My guiding principle was to have a place that wasn’t overrun with [parts that are just way too jarring]. Holy shit was that an impossible goal to do alone so I shuttered it up and now it’s just a private instance / testbed for Tesseract.

My friends knew I was active on Reddit, and that was fine. But I wouldn’t tell them I spend any amount of time here because what they would see going to almost any random instance will probably definitely not look good on me by association despite that I’m nowhere near that.

So if anyone shares this desire, I am open to un-mothballing my instance, rebranding, and taking on new admins and re-opening to users who also want a place like that.

I’ve seen that and my best guess has always been the initial/self upvote got “lost in the mail” during federation. AFAIK, the post creation and the initial upvote are separate activities that need to federate. Someone correct me if I’m wrong.

If your instance is resolving a post manually that it doesn’t already know about (and it it’s not coming in from being subscribed) then it will not get the initial upvote, but I don’t think that’s what you’re referring to here.

Not sure. I’m in unincorporated suburbia so it might just require signage?

Regardless, there definitely (okay, probably) isn’t an ordinance about detecting someone touching it and making it make a “bzzzztttt” sound lol.

Ain’t that the truth. But so does, like, good parenting.

I did just buy this sign to put on it:

Like someone else said: Block the news and politics communities if you like to browse /all. You can always unblock them later.

It was with heavy heart but I also blocked silence7@slrpnk.net. Nothing against them, and they post nothing but quality material in what I fully believe to be good faith, but they’re just…too much. The only reason I had to block them individually is they post in more than just news/politics communities but never goes off-brand and only posts news/politics/“everything is a bummer” things. There’s probably a few other people like that, but shouldn’t be many.

That should just leave you with the few oddball posts where it’s just the people that don’t follow the no news/politics rules.