The ansible role I made does not cover this. If you make a server an exit node for a network, the server gets configured to forward everything that comes from the wireguard network. Since my use case does not need this, I don’t think I’ll add it, but the role could be expanded to support ACLs by taking inspiration from how it deals with port forwarding.

Do you have specific examples of the “different firewall requirements” ?

I have a custom made ansible role that does what you are asking for. I’ve wanted to clean it up a bit before putting it up on Github, and your post just gave me a motivation to stop procrastinating it :) This was initially made for my own use, and I’m not an Ansible expert so it can have some rough edges, but I tried my best to make it adhere to the Ansible way of doing things (applying the same role to a host twice should be idempotent).

Using this role, I’m able to quickly define wireguard networks, define which peer participates in which network, optionally configure a peer as a router (with NAT and port forwarding) for a given network. For Ansible-managed hosts, it installs wireguard, generates and deploys wireguard configurations, and enables IP forwarding on exit nodes. It can also generate ready-to-deploy wireguard configurations for externally managed hosts.

The repo is at https://github.com/pcouy/ansible-wireguard . I tried giving some instructions in the readme but they may not be detailed enough. If you try it, please open an issue for anything that’s not clear enough from the readme so I can improve it. (I tried making a “Quick start” section for people who never used ansible before)

As someone who teaches CS and grades assignments, the last few years have been really rough. Academic dishonesty has skyrocketed with models becoming smarter and students becoming more dependent on them. Any assignment that’s above average will make me suspicious, and when it appears to be 100% AI generated, the feeling that I spend more time grading than the student spent working on it is awful. Even when I’m almost sure a work is AI generated, unless there are some dumb leftovers such as “As an AI assistant […]”, I can never be 100% sure. This causes me a lot of headaches because the only thing worse than rewarding dishonesty would be not appropriately rewarding an outstanding assignment.

As much as I’d love to have à software tell me with 100% certainty which parts (if any) of an assignment are AI written, AI detectors are all snake oil, no exception. They exploit teachers’ helplessness to make false promises that we really want to believe in.

Moreover, I don’t think fully banning AI use is a sensible thing to do. LLMs are a thing, whether we like them or not, and using them in a sensible way is a useful skill to learn. There’s one big issue though : on one hand, assignments are made so that the problems students have to solve all have well-known solutions. This is required to make sure the assignment is doable in the first place, and that teachers will be able to help. On the other hand, LLMs are disproportionately good at classic assignment problems since there are so many published solutions online (which then end up in training datasets). Moreover, assignements are usually made to guide students through a larger problem by breaking it down into smaller problems, which is basically the perfect prompt for a LLM. This means students can get away with the laziest uses of LLMs (which usually won’t work with real world problems). In the worst cases, the only “skill” some students learn is to throw a PDF at whatever AI they paid for, ask it to solve the assignment, and copy paste the output without thoroughly reading it first.

Teachers clearly need to adapt. There will always be a few students who fail to learn in every class, but when so many students don’t learn, it’s the teacher who is failing to teach.

I did something similar for digitizing old camcorder family videos. I hooked up a VCR through a cheap elgato RCA -> USB capture card to my home server, and did something similar to you with a preview feed available on my LAN.

I even built a (really ugly) web UI which lets me pick an audio and video source, start the preview stream and display it in the browser without actually starting the capture, then start/stop the capture, edit the ffmpeg flags, and set the output file name. I can share it with you if you are interested

The fact that OP only ever posts or comments about this software bothers me a lot more than them using AI (which is usually a bad sign, but if they know what they are doing, it is possible that they used AI in a sensible way. I have not looked at the code though)

My point was never about the cost anyway. It was about VPNs (commercial or hosted on a cheap VPS) still needing you to trust a third party, and also that the P in VPN does not mean “privacy”

When I said I host my own, I mean on cheap VPS that cost me way less than 6$/month.

But yeah, mullvad is pretty much the only commercial VPN provider I’d trust more than my ISP

There’s absolutely no reason my ISP needs my browsing history.

Don’t know what ISP you have or what VPN you’re using, but it’s just a transfer of trust. Whoever your VPN provider is, they now see everything your ISP previously saw. I host my own VPN servers when I need one, and even then I still have to trust the datacenter operators to not snoop on my DNS requests (almost everything else tends to be encrypted with SSL/TLS by default nowadays)

Also, the “Private” in VPN is about it being for private use, not about privacy

I always love seeing “quirky” innovations

I say quirky as in “there’s already an established way of doing it that everyone is using, but I’m gonna build my own totally different thing”, similar to how Linus created Git because the established way was not good enough for his taste. Who knows, graph-based UIs for chats might be the next big thing !

Sadly, the network effect makes it hard to have people adopt a new messenger (I can’t even get relatives to move to Signal…). I wish Matrix wasn’t such a pain to make clients for. If your graph UI was able to show me all my conversations across all my matrix rooms and bridges, I’d be using it for sure

From the few instances I know about, I think insurance companies that cover ransomware attacks will decide on a per-case basis if they want to pay the ransom or cover the costs of recovering without paying the ransom

A few years ago I deleted my whole home folder by bind-mounting it inside a chroot. When I was done with the chroot, I rm -rf-ed it without unmounting my home first.

I’ve been in a similar situation, and I’m also blocking large ranges of IP addresses in addition to running Anubis in front of my most scraped services (Git/forgejo and Lemmy)

I came up with a hacky python script that watches my fail2ban logs, counts bans for IP ranges going from /28 to /8, applies some heuristics (based on range size n and how offending IPs are split between the 2 /(n+1) subranges) I came up with to detect ranges that should be blocked, the issues a log line that is picked up by fail2ban to manage bans of increasing length on récidive.

It’s quite contrived and I often fear it will be too agressive and block something I rely on, but it has been working really wellin my experience.

It will initially block a lot of small ranges, but over time the ranges will grow larger. Smaller ranges having a lower threshold helps it block only the narrowest ranges needed, which gives some time for larger ranges that contain them to drop out of fail2ban’s watchlist.

I should clean up this mess and make it a git repo, maybe even try to have it merged in fail2ban

I think your post is missing a link