So based on what you’ve said in the comments, I am guessing you are managing all your users with Nixos, in the Nixos config, and want to share these users to other services?

Yeah, I don’t even know sharing Unix users is possible. EDIT: It seems to be based on comments below.

But what I do know is possible, is for Unix/Linux to get it’s users from LDAP. Even sudo is able to read from LDAP, and use LDAP groups to authorize users as being able to sudo.

Setting these up on Nixos is trivial. You can use the users.ldap set of options on Nixos to configure authentication against an external LDAP user. Then, you can configure sudo

After all of that, you could declaratively configure an LDAP server using Nixos, including setting up users. For example, it looks like you can configure users and groups fro the kanidm ldap server

Or you could have a config file for the openldap server

RE: Manage auth at the reverse proxy: If you use Authentik as your LDAP server, it can reverse proxy services and auth users at that step. A common setup I’ve seen is to run another reverse proxy in front of authentik, and then just point that reverse proxy at authentik, and then use authentik to reverse proxy just the services you want behind a login page.

OP is on OpenWRT (a router distro), and Alpine. Those distros don’t come with very much by default, and perl is not a core dependency for any of their default tools. Neither is python.

Based on the way the cosmo project has statically linked builds of python, but not perl, I’m guessing it’s more difficult to create a statically linked perl. This means that it’s more difficult to put perl on a system where it isn’t already there, and that system doesn’t have a package manager*, than python or other options.

*or the the user doesn’t want to use a package manager. OP said they just want to copy a binary around. Can you do that with perl?

Not quite a scripting language, but I highly recommend you check out cosmo for your usecase. Cosmopolitan, and/or Actually Portable Executable (APE for short) is a project to compile a single binary in such a way that is is extremely portable, and that single binary can be copied across multiple operating systems and it will still just run. It supports, windows, linux, mac, and a few BSD’s.

https://cosmo.zip/pub/cosmos/bin/ — this is where you can download precompiled binaries of certain things using cosmo.

From my testing, the APE version of python works great, and is only 34 megabytes, + 12 kilobytes for the ape elf interpreter.

In addition to python, cosmopolitan also has precompiled binaries of:

• Janet 2.5 MB
• Berry 4.0 MB
• Python 34 MB
• Php 11 MB
• Lua 2.1 MB
• Bash 5.1 MB

And a few more, like tclsh, zsh, dash or emacs (53 MB), which I’m pretty sure can be used as an emacs lisp intepreter.

And it should be noted these may require the ape elf interpeter, which is 12 kilobytes, or the ape assimilate program, which is 476 kilobytes.

EDIT: It also looks like there is an APE version of perl, and the full executable is 24 MB.

EDIT again: I found even more APE/cosmo binaries:

• quickjs (javascript) 2.5 MB
• lisp 20K

You might be able to run the latest KDE or gnome in a distrobox podman or docker container:

https://github.com/89luca89/distrobox/blob/main/docs/posts/run_latest_gnome_kde_on_distrobox.md

I want to like Plasma, really I do, but even when I haven’t chosen it as a DE it overheats my laptop because Baloo File Extractor just won’t fucking quit consuming a CPU core for what seems like hours a day.

I remember having this issue. Basically, it was a bug, where baloo file manager was stuck on a file. After some time (and maybe a reinstall?), and deleting the index, baloo worked fine.

Yes

https://moonpiedumplings.github.io/blog/kde-6/#drawing-tablets/

My understanding is that gnome also has support for drawing tablets built in, and there are also other apps to customize buttons.

https://wiki.archlinux.org/title/Graphics_tablet

The Arch Linux kernels include drivers by the linux-wacom and DIGImend projects. linuMLx-wacom supports Wacom devices, while DIGImend supports devices from other manufacturers. Both projects publish a list of supported devices: linux-wacom, DIGImend

Due to how many devices are supported, your best bet is to simply go to your nearest store that sells them and then checking if Linux supports it against those two lists, which there is an extremely high chance it does.

Then you should also check reviews, to make sure you get a good one.

I have a Wacom Intuos CTL-4100WL, and it’s served me well for math notes using Xournal++ (app for handwritten notetaking), but I truly have no idea how good it is for actual drawing related applications, as I don’t do it for that at all.

Probably not what you want, but rclone now has a simple web ui built in: https://rclone.org/gui/

This reminds me of kasmweb, but fully open source.

Dockers manipulation of nftables is pretty well defined in their documentation

Documentation people don’t read. People expect, that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

Too bad people don’t read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver’s webtop, because it’s an example of the two of the worst footguns in docker in one

To include the rest of my comment that I linked to:

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

You originally stated:

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

And I’m trying to say that even if that was true, it would still be better than a footgun where people expose stuff that’s not supposed to be exposed.

But that isn’t the case for podman. A quick look through the github issues for podman, and I don’t see it inundated with newbies asking “how to expose services?” because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

(I don’t have anything against you, I just really hate the way docker does things.)

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn’t be exposed.

Excerpt from another comment of mine:

It’s only docker where you have to deal with something like this:

---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.

(There is a learning curve to packaging stuff yourself.)

“Learning curve” is an understatement. Nix is one of the most poorly documented projects I’ve seen, next to openstack. Coming into it with no background in functional programming didn’t help.

Maybe I shouldn’t have tried to package openstack on nix.

But I’ve tried to package other stuff, like quarto, and that was a nightmare. Nixpkgs didn’t have an updated pandoc and I spent an eternity asking around for help, to try to package it. An updated version just got pushed to unstable a few days ago. The same matrix channels I joined to ask for help have been discussing this since then. Props on them for getting it working, but anyone who says that you can easily package anything, is capping. You need to have an understanding of the nix language, nix packaging (both of which are poorly documented), and a rudimentary packaging ecosystem of what you are trying to package.

Don’t even get me started on flakes vs nonflakes.

I still use nix-shell for all my development environments, because it’s the best way for reproducible environments I can share I’ve found.