My Epyc 7702 does have onboard TPM, but my supermicro H11DSi-NT doesn’t pass it through to the OS, for some reason

Huh… That’s interesting. At my workplace we have Linux EPYC servers with working TPM (it’s mandated that all computers, both clients and servers, must have TPM 2.0), but I’m not a hardware person and don’t know exactly how they’re configured.

This is good to know. I haven’t had issues with using a USB drive though, since it doesn’t receive many reads or writes - the system is copied to a RAM drive on boot and runs off that rather than the USB.

I assume this means I’d need another drive to boot it from? My current setup is that I have 2 x 22TB drives in a ZFS mirror for data storage, and 2 x 2TB NVMe SSDs in a ZFS mirror for things like VMs, Docker containers, documents, etc.

I had to get a Supermicro AOM-TPM-9665V TPM chip for my motherboard

How old is your CPU that it doesn’t have onboard TPM? It’s been a standard feature for quite a while now

Unfortunately the search tooling is specific to our internal systems. It’s essentially just a cronjob that periodically indexes the entire repo and a backend service to do the search.

Claude is very good at figuring out how to work around limitations (which is probably one reason why it’s also good at finding security issues).

At work, the monorepo is enormous and files are loaded on-demand as needed. This isn’t uncommon with huge repos - Microsoft have VFS for Git (although I hear that’s deprecated now), Meta have EdenFS, and Google has some proprietary solution.

We have a hook that blocks find and grep because they can be extremely slow, and tells it to instead use some significantly faster MCP tools to search the codebase, powered by a search index with local changes overlaid.

GPT-5.5 has no problem with this. Claude Opus mostly does it, but sometimes it loves to find workarounds rather than following the instructions. Things like: Try alternative commands like egrep. Create a symlink to grep and run that to see if it bypasses the filtering. Run it with a different shell like zsh. Write a Python script that execs grep. Write a Python script to reimplement grep.

I’m trying Hermes Agent at home, but I have it in its own VM with restricted permissions.

The brothers have different surnames due to an error made by their parents when registering Lin’s birth certificate

I wonder how long it took them to discover the error… And how long it took them to decide to just live with it instead of fixing it. Interesting.

I never said anything about using the VPN as an ACL. All I said was to only expose the service over the VPN. That doesn’t necessarily mean that the app doesn’t have authentication or authorization.

I’m also only talking about residential use cases, where it’s a common practice (when not using a VPN) to just expose everything via port forwarding. Businesses aren’t setting up Jellyfin on their servers.

true, fun fact a VPN is also an application with an auth layer. dun dun dun!

Sure, but someone would have to first get on the VPN, and then find vulnerable apps once on the internal network, as opposed to just scanning the internet for public-facing vulnerable systems. Wireguard (and thus Tailscale) doesn’t respond to port scans at all - it only responds to packets that are signed with a known key.

Admittedly, networking and network security isn’t my specialty so I’m absolutely sure you’ve got more knowledge in this area.

If a service is publicly accessible, anyone can access it. Even if it’s secured, there can be security issues in the auth layer of the app, improperly secured endpoints, etc.

If a service is only available over VPN, nobody can access it unless they’re on the VPN. The service isn’t visible over the public internet and other people won’t even know it exists. You can require two factor auth to connect to the VPN.

I’m not sure why you seem to think that a private network isn’t more secure than a public network. There’s a reason why practically every company requires people working remotely to connect to a VPN to access company resources.

It’s a good practice to NOT expose services to the internet unless it’s really needed. If they’re only for your use, then the entire world doesn’t need access. This isn’t specific to Jellyfin.

All software has the potential to have security issues.

It’s not really a hassle though. It’s just a one time setup. Tailscale can stay connected all the time, since by default only Tailscale IPs are routed via it (so it won’t affect LAN or internet access)

If you want less hassle then use a Debrid service like Premiumize or Real-Debrid.

You can avoid most security issues (with any sort of server) by not exposing it publicly. Use a VPN like Tailscale to connect remotely. If you share the server with friends or family, share it with them over Tailscale and use an ACL to configure which services they can access on your server.

I’m still using it because I already have a lifetime license. I’m just using it for music and local TV though. I use the DVR feature with a HDHomeRun tuner to record the local news and a few other shows.

I think Jellyfin has some music apps, but last I checked they’re still not as good as Plexamp.

It’s because lifetime licenses aren’t sustainable. I’m surprised they still offer it.

Plex is an actual company that has an office and employees, so they have recurring costs every month. A lot of people already have lifetime licenses that they’re not likely to receive any more revenue from. It’s likely they’re increasing the price to help recoup costs or convince people to subscribe to a monthly subscription rather than get a lifetime license.

I do live in the USA at the moment, but in a state that pays waitstaff well (California).

There’s too many American people online that just assume everything is about the USA though. It gets to me sometimes :)

Does it use http or MQTT?

Home Assistant uses HTTP for this. Realistically, you won’t see much difference between HTTP and MQTT for this use case.

MQTT is harder to secure than HTTP, and has some limitations (eg it normally only supports username and password auth - no SSO, no 2FA) so I’d avoid it for anything public-facing unless you have a specific reason to use it. Using it via a VPN is fine, but you’d still need to configure a separate MQTT username and password per user.

iptables should still work, but these days it gets converted to nftables so you may as well just learn nftables.

Having said that, I find it a pain to manually configure iptables or nftables. There might be a better way to do what you want.

I assume this is for basic economy only, where you can’t select a seat? If I choose a seat when booking, I can’t imagine the airline allows someone else to choose the same seat?

Residential ISPs usually have a contention ratio somewhere around 30:1 to 50:1. That means that 30 to 50 customers that each have a 1Gbps connection all share 1Gbps of upstream bandwidth.

Business connections are closer to 10:1, and a leased line (dedicated circuit) is 1:1.

An interesting side effect is that the models coming out of China are very efficient. They don’t have access to all the high-end hardware the US has, so they have to make do with what they’ve got.

They no longer sell or include AP

That’s true only in the USA and Canada. You can still get autopilot in most of the world, especially in countries where FSD isn’t approved.