Nice. I run a very similar setup, but opted for a stack of OpenLDAP / MIT Kerberos / PowerDNS on my "domain controllers."
OpenLDAP does multimaster replication and is the backend for DNS records and the Kerberos database.
The hardest part was figuring out OpenLDAP's configuration syntax, especially the correct ldif incantations for things like nested group memberOf= queries, schemas, and ACLs. It's somewhat inscrutable... Nowadays an LLM could do it for you at least.
At $job we use Linux / sssd, and I always found it super bloated and rather unreliable. It's nice coming home to FreeBSD and old boring stuff like pam_krb5 and nslcd. It just works.
The "ipa" command provided by FreeIPA for managing users/groups/etc is super convenient though.
> The hardest part was figuring out OpenLDAP's configuration syntax, especially the correct ldif incantations ..
As a long time Linux user on personal machines, I found myself for the first time a couple of years ago needing to support a small team and give them all login access to our small cluster. I figured, hey it's annoying to coordinate user ids over these machines, I should just set up OpenLDAP.. little did I know.. honestly I'm pretty handy at dealing with Linux but I was shocked to discover how complicated and annoying it was to set up and use OpenLDAP with NFS automounting home directories.
For the first time in my life I was like, "oh this is why people spend years studying system administration.."
I did get it working eventually but it was hard to trust it and the configuration GUI was not very good and I never fully got passwd working properly so I had to intervene to help people change their passwords.. in the end we ended up just using manually coordinated local accounts.
The whole time I'm just thinking, I must be missing something, it can't be this bad.. I'm still a bit flabbergasted by the experience.
I don't think it's exactly the same thing as sssd is primarily a cache. You can use pam_krb5 on Linux too. But can you disconnect your FreeBSD laptop and work as normal from cache? I agree that sssd is quite finicky however, and I'd love a simpler alternative.
You are correct, sssd has a ton of features (like basically replicating the entire domain locally and caching passwords so you can roam away from your corp network). If you need those things, you need sssd.
PowerDNS is an open-source DNS server that lets you store your DNS configuration in a variety of different backends, one of which is LDAP.
For each of my "domain controllers," I run: OpenLDAP, an MIT Kerberos KDC, and a PowerDNS server. The KDC and PowerDNS both get their data from LDAP on 127.0.0.1, and LDAP changes are synchronized between all the nodes.
This is convenient because you don't have to synchronize zone files on multiple hosts.
I use a custom /bin/sh-based config management system, but you can probably get the gist of it here:
I highly recommend this approach. I run ~all of my digital footprint on FreeBSD jails. After surveying how many jail managers have come and gone in the last decade, I decided to just roll my own using a single shell script called jailctl [0].
Nothing fancy, just VNET jails based on ZFS templates (vanilla FreeBSD rootfs) and epair interfaces (which I truck to various VLANs on the host's egress interface).
One pattern that I've found useful is to give each jail a persistently delegated ZFS dataset called "data." This lets me reprovision the OS image for the jail without having to backup and restore its application data (such as a Postgres DB). It also allows each jail to manage its own ZFS snapshots.
The only thing that was a bit hairy was generating unique interface names and MAC addresses for each jail's VNET interface. My first instinct was to derive the interface name from the jail name, but interface names on FreeBSD are limited to 15 characters, and occasionally I'd hit this limit.
In the end I did some dark magic using md5 sums of the jail name / host interface MAC address. Kind of ugly but I really didn't want to introduce any dependencies besides /bin/sh.
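The naming trick described in this comment, written out as an added example (this is not the jailctl script the commenter links, and it assumes only a POSIX shell plus either md5sum or FreeBSD's md5 on the PATH). jail_ifname hashes the jail name and keeps 14 hex characters behind a one-letter prefix, so the result is always exactly 15 characters, the longest name FreeBSD accepts for an interface; jail_mac hashes the jail name together with the host's egress MAC and forces the first octet to the locally-administered, unicast form, so a generated address can never collide with a vendor-assigned one. The jail and host MAC values used in the guarded demo at the bottom are constructed.

```sh
#!/bin/sh
# Added example: deterministic VNET interface names and MAC addresses for
# FreeBSD jails, derived from md5 of the jail name (assumption: md5sum or
# FreeBSD's md5 is available; nothing else beyond /bin/sh and coreutils).

md5hex() {
    # Print the 32-char hex MD5 digest of stdin; portable across Linux
    # (md5sum prints "hash  -") and FreeBSD (md5 -q prints only the hash).
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -c1-32
    else
        md5 -q
    fi
}

# jail_ifname NAME
# "e" + 14 hex chars = 15 chars, the maximum length FreeBSD allows for an
# interface name (IFNAMSIZ is 16 including the terminating NUL).
jail_ifname() {
    printf '%s' "$1" | md5hex | cut -c1-14 | sed 's/^/e/'
}

# jail_mac NAME HOST_MAC
# 48 bits taken from md5("NAME:HOST_MAC"); the first octet is masked so that
# bit 1 (locally administered) is set and bit 0 (multicast) is clear.
jail_mac() {
    h=$(printf '%s:%s' "$1" "$2" | md5hex | cut -c1-12)
    o1=$(printf '%s' "$h" | cut -c1-2)
    first=$(printf '%02x' $(( (0x$o1 & 0xfc) | 0x02 )))
    rest=$(printf '%s' "$h" | cut -c3-12 | sed 's/\(..\)/:\1/g')
    printf '%s%s\n' "$first" "$rest"
}

# Demo only when invoked with arguments: ./jailnames.sh www 00:11:22:33:44:55
# (both values are constructed for illustration).
if [ "$#" -ge 2 ]; then
    echo "ifname: $(jail_ifname "$1")"
    echo "mac:    $(jail_mac "$1" "$2")"
fi
```

The hash is only there to fit the length limit and to make names reproducible across reprovisioning; it is not a secret, so a collision between two jail names would be a correctness bug, not a security issue. If you care about that, check the generated name against `ifconfig -l` on the host before creating the epair.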
I've run my own mail for 10 years (postfix/dovecot/rspamd), no issues. Reverse DNS, SPF, and DKIM records need to be in place, but that's a small lift.
Well, one time I was unable to send mail to a guy with an ancient @att.com email address from his ISP. I got a nice bounce message back with instructions to contact their sysadmins to get unblocked.
To my surprise, they unblocked the IP of my mail server in a matter of hours.
Private email will have no problems. I also ran my own mail server for personal use and had almost zero problem (and this was on an AWS IP!).
Where people will absolutely have problems is trying to run a marketing campaign through their own IP. You absolutely will (and should) get blocked. This is why these mixer companies exist and why you pay for an intermediary to deliver your mail.
Still running everything from my basement using FreeBSD jails and shell scripts.
Sacrificing some convenience? Probably. But POSIX shell and coreutils are the last truly stable interface. After ~12 years of doing this I got sick of tool churn.
I've been using strawberry since moving to linux since there was no good foobar2000 replacement but I just discovered fooyin these past couple of days and this is so convincingly close that I can pretend it's just foobar2000.
That's not to throw any shade on strawberry, it's also incredibly good, but foobar2000 will always have its claws in me.
A couple of years ago I did try, but after hours of attempts I just couldn't install a working version of Eole-foobar-theme. Is it possible to run these days?
I've never heard of that. It looks like it packages some dodgy components, notably foo_spider_monkey_panel. I only know that fb2k with its official components work reliably.
Unfortunately, the theme is written in javascript, so this is basically a middleware.
It was the first and last time I was able to perfectly customize my player to what I wanted though.
vim with zenburn theme. grep/find when I need to look for something.
I've been programming professionally for about a decade, and the basic Unix tools have always "just worked." They're available everywhere, my dotfiles are easily portable, and there's no licensing or procurement to worry about with corporate beancounters.
I'm sure I'm giving up some marginal level of efficiency, but I've watched so many fads come and go that I'm OK with the tradeoffs of "old reliable."
There is a small segment of parents who completely prevent their children from accessing these brainrot platforms. Usually these kids are in homeschool groups with other like-minded families, with no phones or screen time.
I often wonder if this cohort will be the future elite class, or if they will be so incompatible with their peers that they'll end up forming insular communities amongst themselves (like the Amish).
> I often wonder if this cohort will be the future elite class, or if they will be so incompatible with their peers that they'll end up forming insular communities amongst themselves (like the Amish).
There's also a third option: They might just turn out normal.
I'm fairly certain (having been homeschooled for a while) that they'll just grow up pretty normal, possibly advanced in some areas but have some part of themselves that feels out of touch since they never participated in the usual social rituals. Socialization is hugely important, and a lot of success is just being a relatable person that's easy to work with. (Once you have grit, education, etc)
No, social media is not like anything else before it. Algorithmic informational hoses are not like television, and the harm they do is not like whatever Socrates complained about 2500 or so years ago.
Can we try to at least have a normal discussion without repeating the same tired platitudes over and over again?
We could, but you're just repeating what everyone from a previous generation said about the next generation's preferred entertainment medium.
Also Socrates wasn't the one complaining, he was the one killed by those doing the complaining. A simple mistake to make when one is looking for reasons to do the same.
American TikTok is literally a hyper addictive platform purpose built by the CCP to devour attention, waste time and sow division. It is not the same as television. Its widespread influence is a complete disaster for a healthy republic.
This feels like when our parents were worried about 'maymays' because that's what all the kids were talking about. I could easily see the same panic about how kids are now learning history through these images, and how teachers are assigning homework to make your own meme about a scientific fact.
Ultimately, these formats are passing entertainment and I doubt they're going to have too much of an impact.
My family uses a self-hosted Prosody instance with the Conversations app on Android and Dino/Gajim on the desktop. It works great.
Combined with JMP.chat, we even get SMS and voice calls from the telephone network to all our different XMPP apps. Truly feels like the future.
The technology of yesteryear seems to have more staying power. The protocols churned out by my generation seem destined for either VC/advertisement capture or death by CADT [0]. Maybe with the exception of Signal (so far...)