Below is a script that can be used to convert all files in the directory to AV1 #!/bin/bash set -e find * -type f -iname '*.mkv' | grep -v av1 | while read -r mkv; do file=${mkv%.*} av1="${file}-av1.mkv" if [ -f "${av1}" ]; then echo "${av1} already there" # echo "${file} -> ${av1}" else echo "converting ${file} --> ${av1}" ffmpeg -i "${mkv}" -c:v libsvtav1 -crf 35 "${av1}" < /dev/null && echo "${av1}" >> completed.

After updating gitea I was unable to create a repo in an organization as an owner. To fix this I had to run the following in mysql mysql update team set can_create_org_repo = 1 where lower_name = "owners" and can_create_org_repo = 0; It should show at least one item was updating and now it will work as inteneded.

----------------------------- | | | internet | | | ----------------------------- || || || || \/ ----------------------------- | | | NGINX | |===========| 80 => 443 |==================| || | 443/tcp SSL http2 | || || | | || || ----------------------------- || 4430/tcp 5000/tcp || || || || \/ \/ ------------------------------ --------------------------------- | | | | | meshcentral | | remotely | | http://127.0.0.1:4430 | | http://127.0.0.1:5000/ | | | | | ------------------------------ ---------------------------------

First we need to find the iGPU type lspci | grep VGA This should return something like 00:02.0 VGA compatible controller: Intel Corporation Device 4e55 (rev 01) Add the following to /etc/modprobe.d/i915.conf, replace 4e55 with your type options i915 enable_guc=3 options i915 force_probe=4e55 Now to we need to rebuild the initramfs to add the above update-initramfs -u Install the required firmware files You need to enable the non-free source apt install -y firmware-misc-nonfree intel-media-va-driver-non-free

I don’t like IPv6 since all it does is cause issues, here is how to disable it for APT, you could do it system wide as well if you wanted echo 'Acquire::ForceIPv4 "true";' | sudo tee /etc/apt/apt.conf.d/99force-ipv4 How to install stuff with apt, but exclude some items, all you need to do is add a - to the end of the package for example apt install -t bullseye-backports cockpit cockpit-networkmanager-

Looks like the config recommendation for native ping causes issue with sudo Changing this [Service] CapabilityBoundingSet=CAP_NET_RAW AmbientCapabilities=CAP_NET_RAW to this [Service] AmbientCapabilities=CAP_NET_RAW and it fixes the issues

This send a NTFY on bootup and shutdown nano /etc/systemd/system/ntfy-notify.service [Unit] Description=Sends NTFY on bootup/shutdown After=multi-user.target [Service] Type=oneshot ExecStart=/usr/bin/curl -d "%H booted up" 'http://ntfy.sh/topic' ExecStop=/usr/bin/curl -d "%H shutting down" 'http://ntfy.sh/topic' RemainAfterExit=yes [Install] WantedBy=multi-user.target systemctl daemon-reload systemctl enable ntfy-notify.service

A few fun tips for Proxmox How to migrate VM to new host not in cluster Create NFS share on a system Add NFS share as backup endpoint on new and old server Run a backup of the system you want to migrate, I shut the VM down, but it’s no needed On new host go to the NFS storage in the GUI and go to backups You will see the backed up data

By default mergerfs appears to try and mount before ZFS is mounted which causes the mergerfs filesytem to fail. To fix this we just need to add x-systemd.requires=zfs-mount.service to the /etc/fstab entry For example my /etc/fstab entry is below: /hdd*/mergerfs /data fuse.mergerfs splice_read,threads=4,allow_other,cache.readdir=true,cache.files=off,fsname=mergerfs,use_ino,dropcacheonclose=true,link_cow=true,category.create=mfs,cache.entry=120,cache.attr=120,x-systemd.requires=zfs-mount.service 0 0

Only copy specific file extentions in folder rsync -a --include '*/' --include '*.mp3' --exclude '*' source/ target/ Speed up rsync over SSH without needed to change any configs. arcfour is faster, but no longer enabled by default meanwhile aes128-ctr is rsync -avhP -e "ssh -c aes128-ctr" /src/ user@ip:/dst/ rsync ssh with non standard port rsync -avhP -e "ssh -p number" /src/ user@ip:/dst/ rsync ssh with non standard port and show full progress

I based this post on HERE Just for reference, the things I did to make it work: git clone https://github.com/tailscale/tailscale-android.git nano tailscale-android/cmd/tailscale/backend.go change: func (b *backend) Start(notify func(n ipn.Notify)) error { b.backend.SetNotifyCallback(notify) return b.backend.Start(ipn.Options{ StateKey: "ipn-android", }) } to: func (b *backend) Start(notify func(n ipn.Notify)) error { b.backend.SetNotifyCallback(notify) prefs := ipn.NewPrefs() prefs.ControlURL = "https://myheadscale.domain.com" opts := ipn.Options{ StateKey: "ipn-android", UpdatePrefs: prefs, } return b.backend.Start(opts) } nano Dockerfile Add the below to the file:

Install resolvconf sudo apt install resolvconf Edit the base file with what you want to always be in the file sudo nano /etc/resolvconf/resolv.conf.d/base Have resolvconf rebuild the base sudo resolvconf -u

Show logs from when systemd service last restarted. (This needs systemd > v232) journalctl _SYSTEMD_INVOCATION_ID=$(systemctl show -p InvocationID --value SERVICE_NAME.service) | head -n15 NFS Mount with NFS and /etc/fstab From all of my reading over the years it’s always been said to add _netdev to the /etc/fstab mount, but that never worked for me. After more reading it appears that was for SystemV which is dead. I figured it out after much Googleing.

Here are the commands to get S1 working on Linux sentinelctl management token set SITE_TOKEN sentinelctl control enable sentinelctl control start

Connect via SSH client with a different user by default nano ~/.ssh/config Add the following to the file above: Host * User DEFAULT_USER Force Password auth ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host

For UFW and Docker I use a program called UFW-Docker To use it do the following: wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker chmod +x /usr/local/bin/ufw-docker ufw-docker install Allow tailscale VPN to all docker containers This is based on the issue HERE ufw route allow from 100.64.0.0/10 to any You should now be good to accept anything from the tailscale network

This is how to get the Windows client with headscale. I’m happy to finaly get it working. Headscales docs are HERE, but I’m adding some more info since I wasn’t able to get it to work the first time If you’ve already installed tailscale on the machine make sure to delete the C:\Users\<USERNAME>\AppData\Local\Tailscale directory Download the Official Windows Client HERE and install it. You can either do option A or B Option A Manually edit the registry

Install wp-cli curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar php wp-cli.phar --info chmod +x wp-cli.phar mv wp-cli.phar /usr/local/bin/wp Install new wordpress domain using wp-cli Make sure directory has permisisons for web user cd "WEB_DIRECTORY" sudo -u www-data wp core download sudo -u www-data wp config create --dbname=DATABASE_NAME --dbuser=DATABASE_USER --dbpass=DATABASE_PASSWORD --dbhost=DATABASE_HOST sudo -u www-data wp core install --url=URL_INCLUDING_HTTPS --title=SITE_TITLE --admin_user=ADMIN_USERNAME --admin_password=ADMIN_PASSWORD --admin_email=ADMIN_EMAIL --skip-email sudo -u www-data wp plugin delete 'hello' sudo -u www-data wp plugin delete 'akismet'

If you’re wanting to stream HDHomeRun channel to your own OwnCast server I’m using Debian like everything else I do apt install -y ffmpeg ffmpeg -i "http://IP_OF_HDHR:5004/auto/vCH.N" -c:v libx264 -c:a aac -b:v 512K -maxrate 512K -bufsize 1M -f flv rtmps://OWNCAST_URL:PORT/live/STREAM_KEY You can now go to your owncast URL and it should be streaming SystemD Service nano /etc/systemd/system/hdhomerun-stream.service [Unit] Description=HDHR Daemon After=network.target [Service] User=plex EnvironmentFile=-/etc/default/hdhomerun Group=plex Type=simple wExecStart=/usr/bin/ffmpeg -i "${CHANNEL}" -c:v libx264 -c:a aac -b:v 512K -maxrate 512K -bufsize 1M -f flv "${URL}:${PORT}/live/${KEY}" Restart=on-failure [Install] WantedBy=multi-user.

By default the prefix is Ctrl+B for tmux How to save pane to file Use prefix + : We need to puts those lines into a buffer by typing in capture-pane -S -150 | Replace -150 with however many lines you’d like to save, or - for all lines. Hit return (enter) Now we have to save the buffer to a file by doing the following prefix + : Type in save-buffer filename.

Install autorestic with the below curl https://raw.githubusercontent.com/cupcakearmy/autorestic/master/install.sh | bash Now we install the config with the below cat <<EOF > /root/.autorestic.yml version: 2 global: forget: keep-daily: 5 keep-weekly: 15 keep-monthly: 15 backends: storj: type: s3 path: https://gateway.us1.storjshare.io/bucket.name.here env: aws_access_key_id: aws_secret_access_key: backblaze: type: s3 path: https://s3.us-west-002.backblazeb2.com/bucket-name-here env: aws_access_key_id: aws_secret_access_key: locations: root: from: - / to: - storj - backblaze options: backup: exclude: - /dev - /media - /mnt - /proc - /run - /sys - /tmp - /var/tmp - /var/lib/mysql - /swap* EOF Now autorestic is installed

Here is a bash script I use to update DDNS with CloudFlare, I could use ddclient, but I like this it works for me apt -y install dnsutils jq curl #!/usr/bin/env bash # A bash script to update a Cloudflare DNS A record with the external IP of the source machine # Used to provide DDNS service for my home # Needs the DNS record pre-creating on Cloudflare ## Based on https://gist.

Watchtower fun with gotify for notifications mkdir -p /opt/watchtower && cd /opt/watchtower version: "3" services: watchtower: image: containrrr/watchtower volumes: - /var/run/docker.sock:/var/run/docker.sock environment: - WATCHTOWER_CLEANUP=true #- WATCHTOWER_LABEL_ENABLE=true - WATCHTOWER_INCLUDE_RESTARTING=true - WATCHTOWER_NOTIFICATIONS=gotify - WATCHTOWER_NOTIFICATION_GOTIFY_URL=https://push.domain.com - WATCHTOWER_NOTIFICATION_GOTIFY_TOKEN= - TZ=America/New_York #- WATCHTOWER_POLL_INTERVAL=86400 - WATCHTOWER_HTTP_API_METRICS=true - WATCHTOWER_HTTP_API_TOKEN= - WATCHTOWER_SCHEDULE=0 0 0 * * * restart: unless-stopped

RIGHT NOW GITEA KEEPS LOGGED IN AS FIRST USER SO IT’S NOT PERFECT, THERE’S A KNOWN ISSUE We need to update the logout button to the authentik logout URL: wget -O /var/lib/gitea/custom/templates/base/head_navbar.tmpl https://raw.githubusercontent.com/go-gitea/gitea/main/templates/base/head_navbar.tmpl Replace the old logout URL with the new: sed -i 's#/user/logout#/akprox/sign_out#g' /var/lib/gitea/custom/templates/base/head_navbar.tmpl I did notice when replacing the URL to logout it doesn’t directly log you out, but will be logged out next time you try to do anything Now it’s time to config gitea; nano /etc/gitea/app.

nano /etc/grafana/grafana.ini [auth.proxy] # Defaults to false, but set to true to enable this feature enabled = true # HTTP Header name that will contain the username or email header_name = X-authentik-username # HTTP Header property, defaults to `username` but can also be `email` header_property = username # Set to `true` to enable auto sign up of users who do not exist in Grafana DB. Defaults to `true`. auto_sign_up = false # Define cache time to live in minutes # If combined with Grafana LDAP integration it is also the sync interval sync_ttl = 60 # Limit where auth proxy requests come from by configuring a list of IP addresses.