glizzyguzzler

I do not know of Internet Comment Etiquette, sorry to disappoint! It’s a username that’s humorous to me and fits a core tenant of mine

Do remember (or put in the .env) the user/pass for your db’s, but they don’t matter much if you know them.

I’m talking about the process, the ‘user: 6969:6969’ in the docker.compose file. If it’s not there the container runs as the user running docker, and unless you’ve got non-root docker going it’ll run the containers as root. Which could be bad, so head that off if you can! Overall, I’d say it’s a low priority, but a real priority. Some naughty container could do bad things with root privilege and some docker vulnerabilities. I’ve never heard of it that kind of attack in the self hosted community, but as self hosting gains traction I worry a legit container will get an attack slipped in somehow and wreck (prob ransomware) root docker installations.

First priority is backup - then you can worry about removing root containers (if you haven’t already done so!).

You want your docker container’s persistent data mounted to real locations. I use the volumes for non-persistent stuff.

You want your real locations to have a file system that can snapshot (ZFS, BTRFS).

Then you can dump the superior Postgres databases and for all other databases and data, you stop the containers, snapshot, start the containers (limits downtime!), and then back up that snapshot. Thanks to snapshot, you don’t need to wait until the backup is done to bring the containers back up for data consistency. For backup I use restic, it does seem to work well, and has self-check functions so that’s nice. I chose restic instead of just sending snapshots because of its coupled encryption and checks, which allow for reliable data integrity on unreliable mediums (anyone, even giant providers, could blackhole bits of your backup!). I copy over the restic binary that made the backup using encrypted rclone, the encryption there prevents anyone (the baddies? Idk who’d target me but it doesn’t matter now!) from mucking with the binary if you did need that exact version to restore from for some reason.

Note I do not dump SQL or the like, they’re offline and get snapshotted in a stable state. The SQL dump scene was nasty, esp compared to Postgres’ amazingly straightforward way (while running!). I didn’t bother figuring out SQL dump or restore.

All of your containers should have specific users for them, specify the UID/GID so they’re easily recreatable in a restore scenario. (The database containers get their own users too)

Addendum for the specific users: Make an LXC container run by a specific user and put the docker container in it if the docker container is coded by F tier security peeps and hard requires root. Or use podman, it is competent and can successfully lie to those containers.

I don’t test my backups because the time to do so is stupid high thanks to my super low internet speeds. I tested restoring specific files with restic when setting it up and now I rely on the integrity checks (2GB check a day) to spot check everything is reliable. I have a local backup as well as a remote, the local is said snapshot used to make the restic remote backup. The snapshot is directly traversable and I don’t need to scrutinize it hard. If I had faster internet, I’d test restoring remote restic once a year probably. For now I try to restore a random file or small directory once a year.

Hope the rant helps

My gloriously unionized USPS workers are hella pissed that I continue to write “no longer at address” on mail for the umpteen people who have previously lived where I am now. I will occasionally get mail with “or current resident” underlined many, many times because it was misdelivered and that person sent it back, and they think I tried to “no longer address” it I guess.

I lived in a newer development a few years ago and they didn’t care about names there either. Sad to hear new-new is different.

Overall, if your USPS just wants to jettison mail at an address, using a fake name is great. I get spam for shit with a fake name and I can see who sold my info (and ditch them). I get emails like “Shitbob Jimbo, we stole your identity and hacked your email and computer and it’s joever for you, believe us because we know your name.” Little do they know I’m really Jimshit Bimbo and forever elusive

I’ve lived in several states and USPS doesn’t care about your name. They want your legal name written on the mailbox (and will usually write it down if you don’t when you move in), but they will deliver to any ass name. I’ve used fake names for everything ever for a long time now and only had a problem once with an international shipment. You can mail random ass name to random ass address and they’ll put it at the address.

If USPS fails to deliver an international item that requires a signature, you need to show ID if they don’t try to redeliver. And your name must match or they won’t give it to you.

In my case, it was something that didn’t require a signature and even had a “no signature required” sticker on it from the sender because they do that enough apparently. And the USPS didn’t try to deliver it cause I have a cam. So the USPS person just gave it to me and told me to not fuck up again on international shipments and that was that!

In short, fake name good at all times except on international orders that require a signature.