• 1 Post
  • 78 Comments
Joined 3 years ago
Cake day: June 23rd, 2023

  • med@sh.itjust.works to Selfhosted@lemmy.world: Holiday Upgrade Disasters
    10 upvotes · edited · 9 days ago

    I was trying to finalize a backup device to gift to my dad over Christmas. We’re planning to use each other for offsite backup, and save on the cloud costs, while providing a bridge to each other’s networks to get access to services we don’t want to advertise publicly.

    It is a Beelink ME Mini running Arch, btrfs on LUKS for the OS on the eMMC storage and the fTPM handling the decryption automatically.

    I have built a few similar boxes since and migrated the build over to ansible, but this one was the proving ground and template for them. It was missing some of the other improvements I had built in to the deployed boxes, notably:

    • ZFS on LUKS on the NVMe drives
    • the linux-lts kernel (ZFS compatibility)
    • UKI for the Secure Boot setup

    I don’t know what possessed me, but I decided that the question marks and tasks I had in my original build documentation should be investigated as I did it up. I was hoping to export some more specific configuration to Ansible for the other boxes once done. I was going to migrate manually to learn some lessons.

    I wasn’t sure about bothering with UKI. I wanted ZFS running, and that meant moving to the linux-lts kernel package for Arch.

    Given systemd-boot’s superior (at the current time) support for owner keys, boot-time unlocking and direct EFI boot, I’ve been using that. However, it works differently if you use plain kernels compared to if you use UKI. Plain kernels use a loader file to point to the correct locations for the initramfs and the kernel, which existed on this box.

    I installed the linux-lts package, all good. I removed the linux kernel package, and something in the pacman hooks failed. The autosigning process for the Secure Boot setup couldn’t find the old kernel files when it regenerated my initramfs, but happily signed the new lts ones. Cool, I thought, I’ll remove the old ones from the database, and re-enroll my OS drive with systemd-cryptenroll after booting on the new kernel (the PCRs I’m using would be different on a new kernel, so auto-decrypt wouldn’t work anyway).

    So, just to be sure, I regenerated my initram and kernel with mkinitcpio -p linux-lts, everything worked fine, and I rebooted. I was greeted with:

    Reboot to firmware settings

    as my only boot option. Sigh.

    Still, I was determined to learn something from this. After a good long while of reading the Arch wiki and mucking about with bootctl (a PITA in a live-CD-booted system) I thought about checking my other machines. I was hoping to find a bootctl loader entry that matched the lts kernel I had on other machines, and copy it to this machine to at least prove to myself that I had sussed the problem.

    After checking, I realised no other newer machine had a loader configuration actually specifying where the kernel and initram were. I was so lost. How the fuck is any of this working?

    Well, it turns out, if you have UKI set up, as described, it bundles all the major bits together, like the kernel, microcode, initram and boot config options, into one directly EFI-bootable file, which is automatically detected by bootctl when installed correctly. All my other machines had UKI set up and I’d forgotten. That was how it was working. Unfortunately, I had used archinstall for setting up UKI, and I had no idea how it was doing it. There was a line in my docs literally telling me to go check this out before it bit me in the ass…

    • [x] figure out what makes uki from archinstall work ✅ 2025-09-19
    • It was systemd-ukify

    So, after that sidetrack, I did actually prove that the kernel could be described in that bootctl loader entry, then I was able to figure out how I’d done the UKI piece on the other machines, and applied it to this one so it matched, and updated my docs…

    • IT WASN’T ukify

    UKI configuration is in the mkinitcpio default configs, but needs changing to make it work.

    vim /etc/mkinitcpio.d/linux-lts.preset 

    Turns out my Christmas wish came true, I learned I need to keep better notes.
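The change the comment points at, as an added example (this is not the poster's config; the preset text below is a constructed sample following the stock layout the linux-lts package ships, and the ESP being mounted at /efi is an assumption). In a stock `linux-lts.preset` the `default_uki=` and `fallback_uki=` lines are shipped commented out. Uncommenting them makes mkinitcpio emit a UKI under the ESP's `EFI/Linux/` directory, which systemd-boot discovers on its own, so no `loader/entries/*.conf` pointing at a kernel and initramfs is needed; that is why a box with a stale loader entry and no UKI ends up offering only "Reboot to firmware settings". Commenting out the `*_image=` lines stops mkinitcpio from also writing a separate initramfs that nothing boots from.

```sh
#!/bin/sh
# Added example, not the original poster's configuration.
# Flip a stock Arch mkinitcpio preset from "separate kernel + initramfs"
# to "build a UKI", then report which .efi files it will produce.
# Assumptions: stock preset layout (commented-out *_uki lines) and an
# ESP at /efi, so systemd-boot auto-discovers /efi/EFI/Linux/*.efi.
set -eu

# Rewrite a preset in place (keeping a .bak copy):
#   - uncomment every "#<name>_uki=" line so mkinitcpio emits a UKI
#   - comment out every "<name>_image=" line so no stray separate
#     initramfs is written (the UKI already embeds it)
enable_uki_preset() {
    sed -i.bak -E \
        -e 's/^#([[:alnum:]_]+_uki=)/\1/' \
        -e 's/^([[:alnum:]_]+_image=)/#\1/' \
        "$1"
}

# Print the UKI paths an (enabled) preset will produce, one per line,
# so they can be checked against `bootctl list` after `mkinitcpio -P`.
uki_outputs() {
    sed -nE 's/^[[:alnum:]_]+_uki="?([^"]+)"?$/\1/p' "$1"
}

# Constructed sample: the stock linux-lts preset layout.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# mkinitcpio preset file for the 'linux-lts' package

#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux-lts"

PRESETS=('default' 'fallback')

#default_config="/etc/mkinitcpio.conf"
default_image="/boot/initramfs-linux-lts.img"
#default_uki="/efi/EFI/Linux/arch-linux-lts.efi"
#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

#fallback_config="/etc/mkinitcpio.conf"
fallback_image="/boot/initramfs-linux-lts-fallback.img"
#fallback_uki="/efi/EFI/Linux/arch-linux-lts-fallback.efi"
fallback_options="-S autodetect"
EOF
    enable_uki_preset "$tmp"
    echo "UKIs this preset will now build:"
    uki_outputs "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

After editing the real preset, run `mkinitcpio -P` and confirm with `bootctl list` that the new `.efi` entries show up. The embedded kernel command line comes from `/etc/kernel/cmdline`, so check that file exists and says what you want before rebooting, and whatever signs your boot artifacts (the hook that failed in the post) has to cover the UKI paths rather than the old `vmlinuz`/`initramfs` pair. Re-enrolling the TPM2 slot is a separate step afterwards, as the comment says, because the measured PCR values change with the new kernel.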



  • Get rid of the tool bars. All of them. Menu, navigation, window decoration, cookie consent, status, tab and start.

    They suck. We live in a 16:9-21:9 world, where it’s bad enough in landscape. When it’s in portrait, where half of the real estate is taken up by a keyboard, and that space really matters, it’s almost worse. Letterboxing is dumb when it’s black bars on a movie, I don’t need its cluttered cousin on every application and webpage I’m on.

    Vertical overlays or context menus can be enabled by default if you must, but give me shortcuts to do even the most esoteric operation and I’ll gladly learn them.

    I don’t know how this is an unpopular opinion after a half century of dealing with increasingly multileveled toolbars, but it must be, because toolbars are not going anywhere.

    If you have to have a toolbar, at least make it go away when you scroll.



  • med@sh.itjust.works to Selfhosted@lemmy.world: Bracing for impact
    2 upvotes · edited · 1 month ago

    You are right to be afraid. I had a similar story, and am still recovering and sorting what data is recoverable. Nearly lost ages 0.5-1.5 years of media of my daughter’s life this way.

    As others have said, don’t replicate your existing backup. Do two backups. Preferably on different mediums, e.g. spinning disk/SSD.

    If one backup is corrupted or something nasty is introduced, you will lose both. This is one of the times it is appropriate to do the work twice.

    I’ve built two backup mini PCs, and I replicate to them pretty continuously. Otherwise, look at something like BorgBase/alternatives.

    Remember, 3-2-1 and restore testing. It’s not a backup unless you can restore it.
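The "it’s not a backup unless you can restore it" rule, as an added example (this is not the commenter’s own tooling): a small restore test that archives a directory, restores it into a scratch location and compares per-file SHA-256 sums, so success means the bytes came back rather than merely that tar exited 0. The photo tree and the truncated archive are constructed sample data; the script assumes `tar` and `sha256sum` are on PATH.

```sh
#!/bin/sh
# Added example, not the commenter's own backup tooling.
# Minimal restore test: back up, restore elsewhere, compare checksums.
# Assumes tar and sha256sum (coreutils) are available.
set -eu

# Emit "<sha256>  ./relative/path" for every regular file under $1,
# sorted by path, so two trees compare regardless of directory walk order.
tree_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Archive the contents of $1 into $2, with paths relative to $1
# (never absolute paths, so a restore lands where you point it).
make_backup() {
    tar -C "$1" -cf "$2" .
}

# Restore archive $1 into fresh directory $2, then compare it with the
# original tree $3. Returns 0 only if every file is byte-identical.
restore_test() {
    archive=$1; restore_dir=$2; source_dir=$3
    mkdir -p "$restore_dir"
    tar -C "$restore_dir" -xf "$archive" || return 1
    tree_manifest "$source_dir"  >"$restore_dir.expected"
    tree_manifest "$restore_dir" >"$restore_dir.actual"
    cmp -s "$restore_dir.expected" "$restore_dir.actual"
}

# Constructed demo: a tiny photo tree, one intact backup and one that
# was cut short in transit (an interrupted copy to the offsite box).
demo() {
    work=$(mktemp -d)
    src="$work/photos"
    mkdir -p "$src/2024/01" "$src/2024/02"
    printf 'fake jpeg 1\n' >"$src/2024/01/img001.jpg"
    printf 'fake jpeg 2\n' >"$src/2024/02/img002.jpg"

    make_backup "$src" "$work/good.tar"
    head -c 1024 "$work/good.tar" >"$work/truncated.tar"   # simulate damage

    if restore_test "$work/good.tar" "$work/restore-good" "$src"; then
        echo "good.tar: restore verified"
    fi
    if ! restore_test "$work/truncated.tar" "$work/restore-bad" "$src" 2>/dev/null; then
        echo "truncated.tar: restore FAILED verification"
    fi
    rm -rf "$work"
}

demo
```

The point of restoring into a different directory and diffing manifests, rather than relying on the archiver’s exit status, is that it catches the silent cases: a copy that was cut short, an archive whose files were corrupted before it was written, or a second "backup" that faithfully replicated the first one’s damage.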



  • I thought that I was the same as you, but actually I realise I ‘tell myself’ things all the time.

    Mostly it feels like I’m bullshitting myself with things I ‘know to be true’ to drown out irrational things I feel.

    Do you never have irrational monkeybrain chatter? Like, “I don’t feel like I’m ever going to be good at X”; only to reassure yourself that you’ll get better as you practice? If I ever feel disheartened, I often ‘tell myself’ that I’m not special enough to be uniquely incapable of learning whatever it is.

    I put ‘tell myself’ in quotes because none of this actually happens in slow full language sentences in my head. It can, but bothering to sound out the whole thought seems silly and inefficient somehow. Mostly it happens in fragmented feelings and flashes of remembered sensations.



  • Sounds like you have reason to bump it up the list now - two birds with one stone.

    I need to do this too. I know I have stuff deployed that has plaintext secrets in .env or even the compose. I’ll never get time to audit everything. So the more I make the baseline deployment safe, the better.