When metrics become targets they fail to be metrics any more

VMix popularity exploded during the pandemic. A lot of conferences became a blend of teams/zoom/Google and VMix.

Might be hardware based like a multi-m/e video mixer (blackmagic make cheap ones), or maybe more of a screen manager (like barco e2, analog way livecore). But, unless there are production requirements, vmix is much more likely. It’s (now) proven, and much cheaper!

OBS can absolutely do it. There are other open source softwares that can do it.
I’ve seen people bastardise Resolume into something that looks decent.
There are some online studio systems so everything you do is virtualized. Streamyard used to be like this, till it was bought by hopin (I think it was hopin)

You can do reverse proxy on the VPS and use SNI routing (because the requested domain is in clear text over HTTPS), then use Proxy Protocol to attach the real source IP to the TCP packets.
This way, you don’t have to terminate HTTPS on the VPS, and you can load balance between a couple wireguard peers so you have redundancy (or direct them to different reverse proxies or whatever).
On your home servers, you will need an additional frontend(s) that accepts Proxy Protocol from the VPS (as Proxy Protocol packets aren’t standard HTTP/S packets, so standard HTTPS reverse proxies will drop them as unknown/broken/etc).
This way, your home reverse proxy knows the original IP and can attach it to the decrypted http requests as x-forward-for. Or you can do ACLs based on original client IP. Or whatever.

I haven’t found a way to get a firewall that pays attention to Proxy Protocol TCP headers, but I haven’t found that to really be an issue. I don’t really have a use case

Tests is the industry name for the automated paging when production breaks

DRM = Direct Render Manager

I had no idea, was confused, and the article never de-acronyms/initialisms the term

Oh, no kidding.
I always thought immutable required the declarative installs.
I guess, immutable is more “containerised userland”?

Yeh, immutable distros… You can install software, it’s just you have to declaratively define what software you want, then apply that as a patch.
You don’t just apt install cowsay, you have to create a file that defines the installation of cowsay.
This way, if you have to change how cowsay is installed, you tweak that patch file and reapply it.
If you have to wipe & reinstall (or get a new computer or whatever) you just apply all your patches, and the system is the same again.

It’s the SATA cable

I think that’s how themes are distributed for VSCode, right?
With VSCode, everything is an extension.
But the vscode marketplace seems to have filters for themes, so there must be some way to differentiate them.

I think extensions need a permissions system

What makes this even more sneaky is that JetBrains has a theme called “Darcula”.

So, with a wider generic theme called Dracula and themes that duplicate JetBrains Darcula theme, it is no surprise that “Darcula Official” is being installed.
It’s more than just a typosquat

Edit:
But why can a theme make web requests?!

When learning c++ you hate c++. Then suddenly you get it, and love c++. Then you learn more c++, and you end up merely liking c++

Sure, but what you are describing is the problem that k8s solves.
I’ve run plenty of production things from docker compose. Auto scaling hasn’t been a requirement, and HA was built into the application (so 2 separate VMs running the compose stack). Docker was perfect for it, and k8s would’ve been a sledgehammer.

It’s not a workaround.
In the old days, if you had 2 services that were hard coded to use the same network port, you would need virtualization or a different server and make sure the networking for those is correct.

Network ports allow multiple services to use the same network adapter as a port is like a “sub” address.
Docker being able to remap host network ports to containers ports is a huge feature.
If a container doesn’t need to be accessed outside of the docker network, you don’t need to expose the port.

The only way to have multiple services on the same port is to use either a load balancer (for multiple instances of the same service) or an application-aware reverse proxy (like nginx, haproxy, caddy etc for web things, I’m sure there are other application-aware reverse proxies).

Invalidating creds sent over http is a great point!

Surely you want to enable 802.1q? Like, that is vlan aware switching and routing. Or is that on the nas?

Edit:
Some troubleshooting:

Connect a laptop into the same subnet as your Nas (so same vlan and IP range/subnet) and connect to the nas. This either eliminates the NAS or the router from the equation

That whole “shortest path” has caught me out before (tho in a different way)!
And firewall logs of “state violation” aren’t always helpful when that’s pretty much the default log message

If they are on the same subnet, why are they going via the router? Surely the NIC/OS will know it’s a local address within its subnet, and will send it directly; as opposed to not knowing where to send the packet, so letting the router deal with it.

I’m assuming you are using a standard 24 bit subnet mask, because you haven’t provided anything that indicates otherwise and the issue you present would be indicative of a local link being used - this possible

For me, after looking over the docs, it’s close enough to JavaScript that it might as well adopt more of the syntax (for example, conditionals and loops don’t use parenthesis). It also has some similarities to python, but again not enough to be python.

Feels like an in-between language that has enough similarities to seem easy, but some gotchas that will regularly catch you out.
And then some extra features like the if chaining, which doesn’t have the keyword if or switch in it. So you have to know that that structure implies an if or switch conditional.

Especially for something like bash scripting, which devs probably don’t spend as much time doing compared to python or js. So, it would probably take them longer (and break their brain more) than just scripting it in python/js directly or dealing with bash directly.

It’s an improvement over bash, and it’s nice that it transpiles to bash.
I might have to play around with it and see how it actually feels to use

So, is public accessibility actually required?
Does it need to be exposed to the public internet?

Why not use wireguard (or another VPN)? Even easier is tailscale.
If you are hand selecting users (IE, doesn’t actually need to be publicly accessible), then VPN is the most secure and just run a reverse proxy for ease & certs.
Or set up client certificate authentication, so only users that install a certificate issued by you can connect to the service (dunno how that works for 3rd party apps to immich)

Like I asked, what is your actual threat model?
What are your requirements?
Is public accessibility actually required?

That got a bit long.
Reading more into bunkerweb.

Things like the “limit” feature are going to doink people on cgnat or large corporate networks. I’ve had security stuff tripped by a company using my software, and it’s a PITA cause all the requests from legit users come from only a few IP addresses.

Antibot isn’t going to be helpful for things like JS requests, because cookies aren’t included by default with fetch requests - so the application needs to be specifically built for this (at which point, do it at an application level so it can scale easier?).
And captcha. For whatever that is worth these days.

Reverse Scan is going to slow down every request (as it scans the remote client for suspicious open ports, so a 500ms delay as default).

Country is just geo-ip.

Bad Behaviour is just rate limiting (although with a 24h ban). Sucks if a few corporate/cgnat users all hit a 404 and suddenly that entire company/ISP’s IP is blocked for a day.

This seems like something to use when running a TOR server or something, where security is more important than user experience. Like, every feature seems to punish legit users