You don’t necessarily need QubesOS to get better isolation. You can package unsupported applications as Flatpaks yourself and run them with minimal permissions. The downside is the maintenance burden, and Flatpak sandboxing isn’t as strong as Qubes’ VM-based isolation. It’s a useful middle ground, but it doesn’t completely solve supply-chain risk. Qubes can be good, but it’s all about your friction budget.

Humans optimise for convenience eventually.

I wish I could sleep like that cat, that dream must be really something, whatever is going on up there!

That is the fluffiest Del Monte loaf I have ever seen.

Phishing actually is a core branch of hacking—specifically under Social Engineering. It’s not really like walking through an unlocked door; it’s more like a con artist dressing up as a locksmith and convincing the homeowner to hand over the keys.

Hacking applies to the entire attack surface, which includes the human element, further more there are whole phishing campaigns that are heavily automated and often deliver stealer malware, making them a full cyber attack.

This wasn’t a technical compromise of Signal itself, but phishing/social engineering is still a form of hacking.

He’s like:

“HOW DARE YOU INTERRUPT MY SLUMBER!”

Do a backup image of the partition first before you run these commands.

If you decide to use all free space: sudo lvextend -r -l +100%FREE /dev/ubuntu-vg/ubuntu-lv

Should suffice I’m pretty sure.

Please fix the wording of this post, I got confused, I thought you were talking about the age demographic you are targeting. I think you mean the amount of games you have.

I think the setup script that applies the config changes is documented here: https://codeberg.org/celenity/Phoenix/src/branch/dev/docs/install.md

Yeah, autocorrect got me on my phone — fixed now 👍

If you point Traefik’s forwardAuth at the internal service (e.g. http://<tinyauth-ip>:3000/api/auth/traefik), TinyAuth doesn’t see the correct X-Forwarded-* headers or original host, so it won’t return the auth headers properly.

if you switch to using the public URL instead, the headers should start working — but only once using the full endpoint:

https://tinyauth.domain.tld/api/auth/traefik

Not just the root URL.

That way:

• the request goes through Traefik
• forwarded headers are correct
• TinyAuth trusts the proxy
• and it returns the expected headers

Also worth double-checking that your header names match exactly (e.g. Remote-Groups vs Remote-Group).

So in short: don’t call TinyAuth directly by IP, go through the domain + correct path.

I run a modest Lemmy instance (lemmy.blehiscool.com). It’s not on the scale of lemmy.world or anything, but it’s been around long enough that I’ve had to deal with some real growth and scaling issues. I’ll try to focus on what actually matters in practice rather than theory.

Infrastructure

I’m running everything via Docker Compose on a single VPS (22GB RAM, 8 vCPU). That includes Postgres, Pictrs, and the Lemmy services.

This setup is great right up until it suddenly isn’t.

The main scaling issue I hit was federation backlog. At one point, the queue started piling up badly, and the fix was increasing federation worker threads (I’m currently at 128).

If you run into this, check your lemmy_federate logs—if you see:

“Waiting for X workers”

that’s your early warning sign.

What Actually Takes Time

Once your infrastructure is stable, the technical side becomes pretty low-effort.

The real time sink is moderation and community management. Easily 90% of the work.

On the technical side, my setup is pretty straightforward:

• Auto updates: Watchtower (with major versions pinned)
• Monitoring: Uptime Kuma
• Backups: Weekly pg_dump + VPS-level backups

Backups are boring right up until they aren’t. Test your restores. Seriously.

Where the Gaps Are

The main gaps I’ve run into:

• Pictrs storage growth Images from federated content add up fast. Keep an eye on disk usage.

• Postgres tuning As tables grow, default configs start to fall behind.

• Federation queue visibility There’s no great built-in “at a glance” view—you end up relying on logs.

My Actual Workflow

Nothing fancy, just consistent habits:

Daily (quick check):

• Check Uptime Kuma
• Skim logs for obvious errors

Weekly:

• Check disk usage (especially Pictrs)

Monthly:

• Update containers (after reading changelogs)
• Verify backups can actually be restored

As needed:

• Moderation decisions

What I’d Do Differently

If I were starting over:

• Set up proper log aggregation much earlier (still a weak spot for me)

TL;DR

• Infra is the easy part once stable
• Moderation is the real workload
• Backups matter more than you think (and need testing)
• Logs are your best friend—but painful without centralization

Happy to answer specifics if you’re planning a setup—there’s a lot of small gotchas that only show up once you’ve been running things for a while.

Not to mention the owner of simplex is a horrible person.

Something I’ve been thinking about: independent security projects often face pressure once corporate partnerships or funding enter the picture.

Does GrapheneOS have any structural safeguards to ensure development priorities remain community-driven if hardware vendors become more involved?

I’m not assuming there’s a problem — just interested in how projects like this avoid the “venture capital influence” problem that has affected other open source initiatives.

Me too.

Librewolf potentially? You don’t need to use multiple browsers if you can contain them to profiles, this could be a good set up for you potentially.

CounterSocial blocks entire IP ranges and most VPN/datacenter networks as part of its anti-abuse policy. It’s not really decentralised, so if you’re blocked at the network level there’s usually no workaround unless they manually allow you.