Blaster M

When you put your server’s tailscale IP in the dns, anything that looks up that dns gets the tailscale IP. You only need to connect the devices you want to have connect to the server to the same tailscale network, and your system will handle the routing.

On your DNS provider, make an A record with your IP address, AAAA record with your IPv6 address. If these addresses change often, either setup a dyndns (your DNS provider needs to support this) or pay for a Static IP from your ISP. Firewall the hell out of your network, have a default deny (drop) new inbound rule, and only open ports for your service. Use an nginx reverse proxy if possible to keep direct connections out of your service, and use containers (docker?) for your service(s). Don’t forget to setup certbot and fail2ban. You need certbot to auto update your certs, and you need fail2ban to keep the automated login hacker bots from getting in.

That’s the minimum. You can do more with ip region blocking and such, as well as more advanced firewalling and isolation. Also possible to use Tailscale and point the DNS A record to the Tailscale IP, which will eliminate exposing your public IP to the internet.

Used DELL 5310. Intel 10th-gen, 60Whr battery (goes 8+ working hours on a charge) often 16GB RAM and at least a 256GB SSD at that price range. Upgradeable (DDR4, NVMe) too.

Privacy =/= Security. Windows XP might have good privacy (I would argue Windows 2000 is better for that, as it doesn’t have Product Activation), but security is nonexistant in 2025 in either case. For malware, it’s free real estate.

Graphene isn’t dead. They just have slowed down a bit. They’ve already released their first Alpha for 16

VoLTE isn’t yet supported in Linux because no one has yet completed writing an open source implementation. Unfortunately, phone manufacturers, chip manufacturers, and cell carriers all hold these cards very close to their chests, so drivers have to be written from scratch by reverse engineering the protocols, which are encrypted on top of being completely nebulous. Support is coming, eventually, but it takes an extraordinary amount of time and effort to do this, which nobody has time to do.

https://grapheneos.org/

Only for Google Pixel phones. The install process is right there. You just need a chromium-based browser (chrome, edge, vivaldi, opera, brave, etc.), an Unlocked Pixel, and the usb cable.

Also, back up your stuff. Flash Unlocking your phone to install a different OS erases everything on it (for security reasons).

Phone carriers don’t want people “churning” (leaving their network for another) so they enforce the phone’s locking, especially if you buy the phone from the cell carrier, as they often advertise free phone or cheap phone on a payment plan, and use that to enforce people staying on their network.

Depends. Do you want the possibility of an AI model being able to fork over some private details in your convos? The potential for someone that doesn’t like what you believe in to subpoena google for this data?

As for bricking, it won’t, and the whole process is on the website, using a chrome-based browser and usb cable (it detects which pixel you have and does all the hard stuff) but you do have to back up your stuff as it will erase when it gets graphened.

If you don’t want this stuff on your phone, lemme point you to:

GrapheneOS (Pixels only, has Most Security at Tinfoil Hat level while also providing compatibility for Google Play (optional, sandboxed) and SafetyNet)

CalyxOS (Pixels, Some Moto G 5G, Fairphone 5, 4, SHIFTphone 8, less Security than GrapheneOS but has Security)

LineageOS (Many older devices, runs unlocked boot so least Security but still can run sans google)

latest release on 10/2023?

Fedora KDE

Thunder, Android

Every system I can run headscale on I need to do it via an nginx reverse proxy

I have yet to get headscale to work with my system. No turnkey setup, instructions that lack clarity, and in the end… idk how it’s supposed to do the thing.

One diamond might give conflicting or incorrect info if there’s several things that would react to logically correct answers when firefighting. Last thing you need is to start a reaction when everything is already on fire because while it lists one reactant, it supercedes another reactant that would have been displayed on a secondary diamond.

While I run straight Fedora on some of my systems now, I do agree the Atomic versions are a boon for stability.

Used to use Ubuntu and Mint for desktops, but they are a bit too vintage with the kernel and package versions, and everything is moving very fast with Wayland replacing X11 and lots of kernel driver improvements for modern hardware (especially AMD hardware), so being on Fedora is the next best thing to the bleedingest edge Arch when it comes to uptodateness.

So in that building there’s a nonflammable reactant that’s super dangerous to life and reacts with water, and a flammable chemical that is quite toxic.

Leave it as is. Some people go tin foil hat about Secure Boot being insecure, but that’s like saying “don’t lock the bottom lock on your door because someone can use a lockpock in 2 seconds”.

Fedora works fine and automatically with Secure Boot, and that is an important defense against on-boot malware injection.

fail2ban