Yes. Sorry, I still don’t speak English well, so I use Google Translate.
nitrolife
Well, I can only write from my own experience. I’ve worked for several major companies in my life. In banks, in telecom operators. And it’s almost always been like this. And where there was none, the company collapsed. Not in a moment, of course, because companies, like people, do not die instantly, but age and degrade. But as a result, it was.
The job of people around the CEO is primarily to make decisions. All this huge chain of managers is needed only to aggregate information so that the CEO can make an informed decision. This is how many large companies operate. I would even say that there is a direct correlation between the size of the company and the number of monitors at the bottom.
The flip side of sitting behind a huge monitor is that you won’t stay outside with a huge number of your employees if you make the wrong decision. It’s just a different job.
ISC DHCP switched to Kea DHCP. They don’t have a package in the Debian repo, but you can add the repo and install it: https://cloudsmith.io/~isc/repos/kea-3-0/packages/
ISC is really deprecated… =( You can install dnsmasq of course, but it is much slower. But it is nice for small networks.
Firewalld is much worse for small systems. Who really needs to mark ports? But in difficult cases you need to write iptables rich rules anyway. So, as a result, I love the old school with clean iptables without any upper-level daemons.
Enable packet forwarding via interfaces:
```
# cat /etc/sysctl.d/01-forward.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
```
Then install isc-dhcp-server and configure the IPv4 and IPv6 DHCP servers (only on local ports, or your internet provider will be angry).
Short example:
```
# cat /etc/dhcpd.conf
ddns-update-style interim;
ddns-updates on;
ddns-domainname "my.local";
ddns-rev-domainname "in-addr.arpa";
allow client-updates;
update-conflict-detection true;
update-optimization true;
authoritative;
default-lease-time 86400;
preferred-lifetime 80000;
max-lease-time 86400;
allow leasequery;
option domain-name "my.local";
option domain-name-servers 192.168.1.1;
lease-file-name "/var/lib/dhcp/dhcpd.leases";
```

```
# cat /etc/dhcpd6.conf
ddns-update-style interim;
ddns-updates on;
ddns-domainname "my.local";
ddns-rev-domainname "ip6.arpa";
allow client-updates;
update-conflict-detection true;
update-optimization true;
authoritative;
default-lease-time 86400;
preferred-lifetime 80000;
max-lease-time 86400;
allow leasequery;
option domain-name "my.local";
option dhcp6.name-servers fd00:1::1;
option dhcp6.domain-search "my.local";
option dhcp6.preference 255;
dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";
```
Don’t forget to start dhcpd@lan and dhcpd6@lan.
Then install radvd and configure RA IPv6 broadcasting (only on local ports, or your internet provider will be angry).
```
# cat /etc/radvd.conf
interface br0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvDefaultPreference low;
    AdvHomeAgentFlag off;
    prefix fd00:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
    RDNSS fd00:1::1 {
        AdvRDNSSLifetime 30;
    };
    DNSSL my.local {
        AdvDNSSLLifetime 30;
    };
};
```
Then install iptables-persistent and configure the IPv4 and IPv6 rules in /etc/iptables/ . Change lan and internet to your real interfaces.
```
# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.1 on Mon Dec 30 18:53:43 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o internet -j MASQUERADE
COMMIT
# Completed on Mon Dec 30 18:53:43 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#UNBRICK IF YOU WANT ACCESS FROM INTERNET
-A INPUT -s x.x.x.x -j ACCEPT
-A INPUT -s y.y.y.y -j ACCEPT
#BASE
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
```

```
# cat /etc/iptables/rules.v6
# Generated by ip6tables-save v1.6.0 on Thu Sep 8 13:29:11 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o internet -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#BASE INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
```
Then install a DNS relay. I use bind, but that is some overkill. But anyway:
Install named / bind9
```
# cat /etc/named.conf
...
acl "lan" {
    192.168.1.0/24;
    127.0.0.1;
    fd00:1::/64;
    ::1/128;
};

tls google-DoT {
    ca-file "/var/named/google.crt"; //SET google cert path here
    remote-hostname "dns.google";
};

tls local-cert { //if you want local SSL requests
    cert-file "/etc/letsencrypt/live/local/cert.pem";
    key-file "/etc/letsencrypt/live/local/privkey.pem";
};

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    forwarders port 853 tls google-DoT { 8.8.8.8; 8.8.4.4; };

    // Uncomment these to enable IPv6 connections support
    // IPv4 will still work:
    //listen-on-v6 { any; };
    // Add this for no IPv4:
    //listen-on { any; };
    listen-on-v6 { fd00:1::1; ::1; };
    listen-on { 192.168.1.1; 127.0.0.1; };
    listen-on-v6 tls local-cert { fd00:1::1; ::1; }; //if you want local SSL requests
    listen-on tls local-cert { 192.168.1.1; 127.0.0.1; }; //if you want local SSL requests

    allow-recursion { lan; };
    allow-recursion-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; };
    allow-transfer { none; };
    allow-update { none; };
    allow-query { lan; };
    allow-query-cache { lan; };
    allow-query-cache-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; };

    version "DNS Server 1";
    hostname "interesting server";
    server-id "realy interesting server";

    dnssec-validation auto;
    empty-zones-enable no;
    minimal-responses yes;

    http-port 8888;
    listen-on http local tls none { any; };
    listen-on-v6 http local tls none { any; };

    auth-nxdomain no; # conform to RFC1035
};
...
```
All done.
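A quick audit of the filter rules from the router setup above, as an added example that is not part of the original comment: the function reads an iptables-save style file and lists INPUT/FORWARD policies other than DROP plus every ACCEPT rule that is not limited to lo, the LAN interface, a source address or RELATED,ESTABLISHED state, which is what the internet side can reach. The function names, the sample ruleset and the 203.0.113.10 address are constructed for illustration, and rules using `!` negation are assumed not to occur.

```shell
#!/bin/sh
# audit_rules LAN_IF < rules-file   (hypothetical helper, not from the post)
# Prints "POLICY <chain> <policy>" when INPUT/FORWARD does not default to DROP
# and "OPEN <rule>" for filter-table ACCEPT rules with no scoping match.
audit_rules() {
  awk -v lan="$1" '
    /^[*]/ { table = substr($1, 2); next }    # "*nat" / "*filter" opens a table
    table != "filter" { next }
    /^:(INPUT|FORWARD) / {                    # e.g. ":INPUT DROP [0:0]"
      if ($2 != "DROP") print "POLICY " substr($1, 2) " " $2
      next
    }
    /^-A (INPUT|FORWARD) / && / -j ACCEPT/ {
      scoped = 0
      for (i = 1; i < NF; i++) {
        if ($i == "-i" && ($(i+1) == "lo" || $(i+1) == lan)) scoped = 1
        if ($i == "-s") scoped = 1
        if (($i == "--state" || $i == "--ctstate") && $(i+1) !~ /NEW|INVALID/) scoped = 1
      }
      if (!scoped) print "OPEN " $0
    }
  '
}

# Constructed sample in the rules.v4 layout; 203.0.113.10 stands in for x.x.x.x.
sample_rules() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o internet -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.10 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_rules lan
```

On a real router, run it as `audit_rules lan < /etc/iptables/rules.v4` with your own LAN interface name; the same function reads rules.v6, where the `ipv6-icmp` lines are listed the same way.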
nitrolife@rekabu.ru to Selfhosted@lemmy.world • Your favourite piece of selfhosting - Part 1 - Operating System · English · 1 month ago

archlinux + podman / libvirtd + nomad (libvirt and docker plugins) + ansible / terraform + vault / consul sometimes
UPD:
archlinux - base OS. You never need to change the major version, and that is great. I update core systems every weekend.
podman / libvirtd - 2 types of core abstractions. podman - docker containers management, libvirtd - VM management.
nomad - HashiCorp orchestrator. You can run an exec, Java application, container or virtual machine in one way with it. Can integrate with podman and libvirtd.
ansible - VM configuration playbooks + core system updates
terraform - engine for deploying nomad jobs (docker containers, VMs, execs or something else)
Vault - K/V storage. I save secrets for containers and VMs here.
consul - service networking solution if you need a really hard network layer
As a result, I’m not really sure if it’s a simple level or a complex one, but it’s very flexible and convenient for me.
UPD2: As a result, I described the applications level, but in fact it is 1 very thick server on AMD EPYC with archlinux. XD By the way, the lemmy node from which I write is just on it. =) And yes, it’s still selfhosted.
The only way to connect the SIM number directly is to hack the VoWiFi protocol, but this is not trivial and you still need to install the SIM in the server.
Option 2 - Buy a home SIP2GSM gateway. But it’s quite expensive (by the standards of my region anyway). SMS works with SMPP, calls work too. For goIP I wrote a Telegram SMS gateway, if you are interested: https://github.com/lifespirit/telegram-smpp-bot
Or use SIP providers from your region/operators that support SIP connectivity and then enable full call redirection. For calls it is OK.
UPD: or just use VoWiFi from a mobile phone. But you need a SIM slot in the phone.
Anyway, in all other cases you need to install asterisk/freeswitch and write a config for it. And a linphone client.
nitrolife@rekabu.ru to Selfhosted@lemmy.world • I don't get the love for Nextcloud - alternative for just files? · English · 5 months ago

I think you just need nginx with one module: https://nginx.org/en/docs/http/ngx_http_dav_module.html That is file storage only. WebDAV clients exist for all platforms.
UPD: if you need a web client you can use something like https://github.com/mgoltzsche/file-service/
nitrolife@rekabu.ru to Today I Learned@lemmy.world • TIL How we plan nuclear waste warning to last 100,000 years · English · 2 years ago

At the beginning of the article, it is mentioned that only the use of uranium-238, which is now not used, will expand the reserves of nuclear fuel by about 200 times.
UPD: also in another article I read that not all uranium is completely destroyed in the reactor cycle, the rest turns into radioactive waste, which in a few years can be cooled and recycled into new rods for the reactor. In France, for example, they have been doing this for a long time. Here: https://habr.com/ru/articles/588877/
nitrolife@rekabu.ru to Today I Learned@lemmy.world • TIL How we plan nuclear waste warning to last 100,000 years · English · 2 years ago

Oh, if only the reactors worked exclusively on uranium. Of course, I can quote Rosatom’s articles, but unfortunately they are only in Russian. A closed fuel cycle was developed there back in 2015. If you want you can use Google translate: https://habr.com/ru/articles/388533/
P.S. It is very specific to get scientific knowledge from a book called GREEN POLITICAL THOUGHT
nitrolife@rekabu.ru to Today I Learned@lemmy.world • TIL How we plan nuclear waste warning to last 100,000 years · English · 2 years ago

Some countries successfully dismantle the remnants of the rods. Residues are extracted from spent nuclear fuel and rods are made not on uranium but on plutonium. The remnants of these rods are even more enriched than before the reactor started work. As a result, it is possible to burn unenriched uranium and other heavy nuclei, so that the fuel will definitely last for a long time.

nitrolife@rekabu.ru to Fediverse@lemmy.world • Trustable distributed voting in the Fediverse · English · 2 years ago

I think that in order to solve such a question, we first need to consider something else. Why, if votes are so important to you, can’t you just create a bunch of accounts and vote honestly on any server?
As soon as we are really sure that 1 person is 1 vote, and not 10, 100, 10000 or any other number, then it is already possible to build trust checks between servers. Although it seems that this has not been solved even by large social networks.
The answer to your question in general is this: store the votes by servers and then double-check the result randomly.
S returns: 50 votes for a post from server A, 30 for a post from server B, 10 for a post from server C, etc. Then you can randomly check on these servers whether the amount is correct. However, there is no way to check the voices of server S, so they either have to be thrown out or still trust the server at its word. It is possible to fully verify server S only if registration on all servers goes through a trusted intermediary.
nitrolife@rekabu.ru to World News@lemmy.ml • Russia Breaks Silence Over China Map Claiming Its Territory · 2 years ago

The transfer of the island does not make you a vassal. Especially if before that you unilaterally selected an entire region. This piece of land was a free region even under the tsar. Then Russia took it for itself, which of course China did not like under any pretext. And now, 100 years later, the border has been agreed, albeit at the cost of one or two islands.

nitrolife@rekabu.ru to World News@lemmy.ml • Russia Breaks Silence Over China Map Claiming Its Territory · 2 years ago

The full map of the Russian-Chinese border appeared only 15 years ago. I mean, approved by both sides. Surprisingly, the claims were limited to just one island. The neighboring island has already been given to China just at the signing of the border. If China asks hard, I think this one will be given.
Showing subscribers from all instances is technically impossible. Otherwise all instances must go to all other instances (banned ones too) and calculate the total number. Seeing local subscribers is better than nothing.
That number shows local subscribers. I think that is not a bug.
I didn’t mean that 30 million people would go to the front in a single rush. I suspect that at least half of them will hide from the army in all possible ways. Nevertheless, I cannot imagine a situation where slow replenishment of the reserve will not help. If only for months there will be hot battles every day with thousands of dead.
I think not. The regime is very slow to advance its interests, and you don’t have time to look back, because 7 years have passed, and everyone has served at least a year in a hot spot.
For example. Mobilization has begun. People were outraged. Everyone was shown on TV how Putin promises that they will not demand more. What we really have: no one has canceled the mobilization on paper. Mobilization orders are coming in, only slowly, so as not to cause unrest. Contractors cannot quit after the contract expires, as mobilization and military operations seem to be continuing. For greater security, they began to send out mobilization orders through state websites, so as not to run after those who run away from the military commissariat. And if he did not show up, then he is deprived of his driver’s license and credit rating. But I don’t see any dissatisfaction.
And so it is everywhere.
It all depends on the greed of the company. I worked in a company where it was considered normal to keep a degraded RAID without repair. Of course, data loss is a normal story in such companies. The RAID guarantees data security only when one disk is being pulled (except for some RAIDs), so it also needs to be monitored and replaced. On the other hand, with proper operation, you probably won’t lose any data.
P.S. RAID0 is a RAID that can’t be restored when any disk in the RAID is degraded. This is exactly the worst choice for saving data. STRIPE also writes blocks one at a time to the first disk and to the second, so that you would definitely lose exactly 50% of data blocks. The best choice is raid10 for performance and raid5 if you need to save money.