• 2 Posts
  • 64 Comments
Joined 1 year ago
Cake day: January 5th, 2024

  • If you’re running an email server for more than a handful of persistent users, I’d probably agree. However, there are self-host solutions that do a decent job of being ‘all-in-one’ (MailU, Mailcow, Docker-Mailserver) that can help perform a lot of input filtering.

    If your small org just needs automation emails (summaries, password resets), it’s definitely feasible to do actually, as long as you have port 25 available in addition to 465, 587 and you can assign PTR records on reverse DNS. Optionally you should use a common TLD for your domain as it will be less likely to be flagged via SpamAssassin. MXToolbox and Mail-Tester together offer free services to help test the reliability of your email functionality.


  • I’m currently going through a similar situation at the moment (OPNSense firewall, Traefik reverse proxy). For my solution, I’m going to be trial running the Crowdsec bouncer as a Traefik middleware, but that shouldn’t discourage you from using Fail2Ban.

    Fail2Ban: you set policies (or use presets) to tempban IPs that match certain heuristic or basic checks.

    Crowdsec Bouncer: does fail2ban checks if allowed. Sends anonymous bad behavior reports to their servers and will also ban/captcha check IPs that are found in the aggregate list of current bad actors. Claims to be able to perform more advanced behavior checks and blacklists locally.

    If you can help it, I don’t necessarily recommend having OPNSense apply the firewall rules via API access from your server. It is technically a vulnerability vector unless you can only allow for creating a certain subset of deny rules. The solution you choose probably shouldn’t be allowed to create allow rules on WAN for instance. In most cases, let the reverse proxy perform the traffic filtering if possible.



  • Ocis/OpenCloud can integrate with Collabora and OnlyOffice, but don’t currently have things like CalDAV, CardDAV, E2EE, Forms, Kanban boards, or other extensible features installable as plugins in Nextcloud.

    If you desire a snappy and responsive cloud storage experience and don’t particularly need those things integrated into your cloud storage service, then Ocis or OpenCloud might be something to look into.




  • What repos do you have enabled for your system? The recommended way to install the NVidia proprietary drivers (akmod-nvidia for classic proprietary drivers or akmod-nvidia-open for nvidia-open drivers (closed source driver, open source kernel module for attachment)) assumes you have the RPMFusion repos (free, nonfree) enabled in your system. There is also xorg-x11-drv-nvidia-cuda for CUDA support.

    I am curious what repo you are pulling the package nvidia-driver from, as it doesn’t appear in either the Fedora repos or RPMFusion. dnf info nvidia-driver will find this quickly if you don’t know what repo the package is coming from. More than likely, installing from sources other than RPMFusion will lead to a poor experience in terms of NVidia drivers. Additionally, ensure you don’t have secure boot enabled with NVidia, at least initially. If you really desire or need secure boot, you can follow this guide to register your own MOK.

    Additionally (based on recent testing on RTX 4000-series hardware), NVidia may have problems with being stable on Wayland environments other than GNOME. Your mileage may vary, but I had observed severe issues in KDE under Wayland in the past few months.



  • jrgd@lemm.ee to Linux@lemmy.ml: Linux Driver support for 8k (2 months ago)

    You will need either an Intel discrete GPU or NVidia GPU if you want to use HDMI 2.1 to render at 8k@60. The Intel discrete GPUs have physical hardware that converts to HDMI and Nvidia uses proprietary drivers. If you can use DisplayPort, any GPU (AMD, Intel, Nvidia) supporting DisplayPort 1.4 is suitable for up to 8k@31 (limited to 8bpc). A DisplayPort 2.0-capable card with a cable suitable for UHBR 13.5 should be able to handle 60 Hz (8bpc), or 60 Hz at 10bpc with a UHBR 20-rated cable.


  • It depends a bit on perspective and use-case, really. A flatpak’d application can be a fully-featured (all dependencies bundled) package in order to be portable. However, most flatpaks you might commonly encounter don’t quite do this. A good portion of the libraries may be distributed in common runtime packages. This will be the case if you use flatpaks from Flathub or Fedora. There still can be bundled libraries with vulnerabilities, but in many cases, there are basic dependencies from external, common library sets.

    As far as varying dependency versions, a developer may be on a host with either newer or older dependencies than expected by the user, but as long as the developer’s application (and any unique libraries) are compiled against a common runtime as previously mentioned, it does make distribution to a wide variety of distros (LTS, 6-month, and rolling alike) relatively easy.

    In comparison to OCI images (the kind of images that make up Docker, Podman, and a good portion of Kubernetes container images), flatpaks are a bit less extreme. Flatpaks contain much the same kind of files and structure that a standard distro package would, but simply get sandboxed into their own environment (via bubblewrap). Additionally, flatpaks don’t necessarily need system-level access for installation and usage (full userland confinement). It heavily depends on host environment and configuration, but typically OCI containers are a full, minimal, immutable filesystem structure run in a virtual environment. Not quite a virtual machine, as (in Linux anyway) they are run on the host (almost always in a sandbox) without extensive virtualization capabilities being needed. The general difference in security capabilities depends on the differences in sandboxing between a flatpak behind bubblewrap and an OCI container’s runtime sandboxing. There is also the notion of OCI containers being able to run as virtualized users, including root. With OCI containers that can obtain root access, a flaw in the sandboxing of, say, Docker in its standard rootful mode could allow root-level processes in the sandbox to act upon the host.

    From what I can think of in comparison, there is the big problem with Flatpak in that it really isn’t suitable for packaging command-line applications: only GUI applications and libraries. OCI container images are often tailored for running web apps and other persistent CLI applications.





  • I did accidentally type the relevant command incorrectly, forgetting that sudo swaps the user before subcommands like whoami will resolve. So that command attempted to add the kvm group to ‘root’ rather than to your user. I have fixed the command in the relevant comment for anyone else reading this thread. You can try sudo adduser "<username>" kvm, manually substituting <username> for your username. As normal, restart after adding the group to your user. Additionally, I have added a warning to the solution in the original comment of why you may not want to keep this solution enabled forever as well as a way to disable it later if desired.


  • Based on using a local installation without elevated permissions (outside of /usr/(local)), I can only guess at two things happening:

    The first is GNOME Boxes asks for elevated permissions when running or otherwise uses Polkit to gain those permissions. Your user by default likely isn’t granted access to /dev/kvm and running userland software without additional permissions will inherently not allow KVM access.

    To allow this sanely, you can add your user to the KVM group to allow userland KVM access. It can be done via sudo adduser "<username>" kvm and then restarting your computer. To note, this is something that can allow any application to access virtualization without special permissions. If you don’t want this change to remain forever, the command sudo usermod -r -G kvm "<username>" followed by a restart can revert this change.

    Alternatively, installing Android Studio via the Flathub Flatpak may handle permissions without needing to modify user groups in this case.

    The second (unlikely, but possible) problem is the AppArmor profile blocking KVM access for userland. I don’t particularly have any experience with creating modified profiles for AppArmor, if this is the cause. I could only offer terrible advice for AppArmor (disabling AppArmor or switching to warn-only, both things I do not recommend doing). Again, it might be worth trying to install Android Studio via flatpak to see if things work better if this is the cause.
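
Added example, not part of the comment above or of any project it mentions: a shell check that separates the causes these comments name for an unreachable /dev/kvm (no CPU virtualization flag, no device node, user not in the owning group) and also catches the case where the group was added but the login session predates it. The function names and verdict strings are made up for this example, and stat -c assumes GNU coreutils.

```sh
#!/bin/sh
# Added example (constructed): classify why /dev/kvm is unusable for the
# current user. Paths are parameters so the checks can run on fixtures.

# Succeeds if the CPU advertises VT-x (vmx) or AMD-V (svm) in its flags line.
cpu_has_virt() {
    grep -Eq '^flags.*[[:space:]](vmx|svm)([[:space:]]|$)' \
        "${1:-/proc/cpuinfo}" 2>/dev/null
}

# Succeeds if the space-separated group list in $1 contains group $2.
has_group() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# kvm_diagnose [device] [cpuinfo]: prints one verdict, returns 0 only for "ok".
kvm_diagnose() (
    dev="${1:-/dev/kvm}"; cpuinfo="${2:-/proc/cpuinfo}"

    if ! cpu_has_virt "$cpuinfo"; then
        echo "no-cpu-flag"        # CPU does not advertise hardware virtualization
        return 1
    fi
    if [ ! -e "$dev" ]; then
        echo "no-device"          # flag present but no node: KVM module not loaded,
        return 1                  # commonly because firmware has virtualization off
    fi
    if [ -r "$dev" ] && [ -w "$dev" ]; then
        echo "ok"
        return 0
    fi
    group=$(stat -c '%G' "$dev")  # group owning the node, normally "kvm"
    if has_group "$(id -nG)" "$group"; then
        echo "mode-denies-group:$group"   # node mode does not grant the group rw
    elif has_group "$(id -nG "$(id -un)")" "$group"; then
        echo "relogin-needed"             # membership saved, session predates it
    else
        echo "not-in-group:$group"
    fi
    return 1
)

kvm_diagnose "$@" || :
```

The test for read and write access only covers file permissions, so an "ok" verdict with an emulator that still cannot open the device points past them, to a confinement layer such as the AppArmor profile mentioned above.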


  • I am testing this currently to ensure correctness, but if you’re using Android Studio via Flatpak, you may need to enable kvm permissions for the application to have hardware-accelerated VMs. This can be done using Flatseal. The relevant permission (device=kvm) is under the Device section labeled as Virtualization.

    Additionally, if problems are occurring outside of Flatpak, you might need to enable certain hardware virtualization technologies from your computer’s BIOS (AMD-V, VT-x, VT-d, Intel VT, Virtualization, or some other similar term depending on CPU and motherboard).

    EDIT: Doing testing, it seems the default permissions provided for Android Studio’s Flathub Flatpak include device=all. No permissions edits are necessary by default. If there are problems with the /dev/kvm device not being reachable, it is almost certainly due to the necessary extensions not being enabled in the BIOS, or your CPU doesn’t support virtualization. Pop!_OS 22.04 has the necessary components in software for KVM to function pre-installed, so nothing should be wrong on the OS side.



  • jrgd@lemm.ee to Linux@lemmy.ml: do we need a linuxquestions? (4 months ago)

    On my mobile Lemmy client (Eternity), I already keep a multicommunity group for finding tech support posts in case I have something to offer in response. As it stands with !linux@lemmy.ml, there aren’t too many posts that are pure conjecture or information and thus they don’t really clog my feed. If this community grows to have more of these kinds of posts showing up, it may be worth having a split. As it stands currently though, I feel it would mostly serve to significantly lessen what gets posted to this community.


  • jrgd@lemm.ee to Linux@lemmy.ml: "Fedora Project Leader" position open (4 months ago)

    Systemd is both in a lot more large distros than just Fedora and RHEL and has limited viable alternatives (OpenRC as a partial replacement, no others I can think of that come close). While it has its issues, particularly with the extra bundled services of mixed quality, Systemd is generally a flexible and suitable option for service management on Linux.

    Not to mention how inflammatory the parent comment is.


  • For what it’s worth, I do think OCIS is worthy of switching to if you don’t make use of all of the various apps Nextcloud can do. OCIS can hook into an online office provider, but doesn’t do much more than just the cloud storage as of right now.

    That said, the cloud storage and UX performance is night and day between Nextcloud/Owncloud and OCIS. If you’re using an S3 provider as a storage backend, then you only need to ensure backups for the S3 objects and the small metadata volume the OCIS container needs in order to ensure file integrity.

    Another thing to note about OCIS: it provides no at-rest encryption module unlike Nextcloud. If that’s important to your use case, either stick with Nextcloud or you will need to figure out how to roll your own.

    I know that OCIS does intend to bring more features into the stack eventually (CalDAV, CardDAV, etc.). As it stands currently though, OCIS isn’t the behemoth that Nextcloud/Owncloud are, and the architecture and maintenance are more straightforward overall.

    As for open-source: OCIS was released under and has remained under Apache 2.0 for its entire lifespan thus far. If you don’t trust Owncloud over the drama that created Nextcloud, then I guess remain wary? Otherwise OCIS looks fine to use.