2026 04 03 Incus notes
quick ldap setup with glauth
Overview
Replaced OpenLDAP with GLauth, because I was looking for a minimalistic setup. I noticed a bit too late that lldap might have been a better match…
Files Created
/usr/local/bin/glauth # Binary
/etc/glauth/glauth.cfg # Configuration
/etc/systemd/system/glauth.service # Systemd service
/var/log/glauth/ # Logs (optional)
Configuration Highlights
- Domain: dc=121013,dc=dpdns,dc=org
- LDAPS Port: 636
- Certificates: /etc/letsencrypt/live/mydomain/
  - cert: fullchain.pem
  - key: privkey.pem
- Users: admin, mikael, etc , observer
- Groups: parents (5001), kids (5002), services (5003)
DN Format
GLauth uses primary group as OU:
Local debian repo
Overview
nasrepo automatically downloads .deb packages from builds.sr.ht and uses local-apt-repository to make them available via APT.
Architecture
Timer (daily 3 AM)
↓
pull-artifacts
↓
/srv/local-apt-repository/ (.deb files)
↓ (systemd path monitoring)
local-apt-repository (metadata generation)
↓
/var/lib/local-apt-repository/ (APT repository)
↓
apt install
Components
nasrepo package:
- /usr/lib/nasrepo/pull-artifacts - Downloads from builds.sr.ht
- /etc/nasrepo/.srht-token - OAuth token
- nasrepo-update.timer - Daily automation (3 AM)
- nasrepo-update.service - Runs pull-artifacts
local-apt-repository package:
- Monitors /srv/local-apt-repository/ for new .deb files
- Generates metadata in /var/lib/local-apt-repository/
- Configures APT source automatically
Key Locations
- Token: /etc/nasrepo/.srht-token
- Downloads: /srv/local-apt-repository/ (input)
- Repository: /var/lib/local-apt-repository/ (output)
- APT source: /etc/apt/sources.list.d/local-apt-repository.list
Manual Operations
Download latest packages:
Monitoring 2 sump pumps with a Shelly pro 2PM
Building Production Shelly Scripts with Modern JavaScript
Fixing Arch Linux System Freezes
After experiencing multiple complete system freezes over two months on Arch Linux, I traced the issue to OOM (Out of Memory) events. The system would become completely unresponsive - no mouse, no keyboard, forcing hard reboots.
Root Cause
Checking journalctl revealed the smoking gun:
journalctl -b -1 --no-pager | grep -i "oom"
The OOM killer had terminated systemd-journald and user processes. With 27GB RAM + 16GB swap, memory exhaustion shouldn’t happen often, but when it does, the kernel freezes everything before killing processes.
2025 08 09_mybibliotheca
title: "Self-Hosting MyBibliotheca: A Family Reading Tracker Without Docker"
date: 2025-08-09
description: "Complete guide to installing MyBibliotheca on a Debian NAS with systemd, nginx reverse proxy, and maximum security hardening - no Docker required."
tags: ["self-hosting", "books", "family", "debian", "nginx", "systemd"]
categories: ["tutorials", "self-hosting"]
Warning: this post has been generated by Claude LLM, after installing it myself through trial and error.
Looking for a simple, privacy-focused way to track your family’s reading habits? MyBibliotheca is an excellent self-hosted alternative to Goodreads that’s perfect for families. Unlike most guides that rely on Docker, this tutorial shows you how to install it directly on Debian with some security hardening.
vlan bound service isolated in network namespace
This memo is about running a systemd service isolated in a network namespace on Linux, into which a VLAN interface has been moved.
Network setup
Create namespace
sudo ip netns add torrentns
Create the vlan interface
/etc/network/interfaces
auto enp5s0.33
iface enp5s0.33 inet manual
    post-up /root/bin/move-to-namespace enp5s0.33
helper script
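#!/bin/bash
# Usage: move-to-namespace <iface>
set -e
# Abort with a usage message if no interface was given
iface="${1:?usage: move-to-namespace <iface>}"
ns="torrentns"
# Create namespace if it does not exist yet.
# Compare the name exactly: a "^$ns" prefix match would also accept
# a different namespace whose name merely starts with "torrentns".
if ! ip netns list | awk '{print $1}' | grep -qx "$ns"; then
    ip netns add "$ns"
fi
# Move interface into namespace
ip link set "$iface" netns "$ns"
# Bring up interfaces inside namespace
ip netns exec "$ns" ip link set lo up
ip netns exec "$ns" ip link set "$iface" up
# Start DHCP client inside namespace
ip netns exec "$ns" dhclient -v "$iface"
# Optional: Set up DNS (ip netns exec bind-mounts this file over /etc/resolv.conf)
mkdir -p "/etc/netns/$ns"
echo "nameserver 1.1.1.1" > "/etc/netns/$ns/resolv.conf"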
Activation
Run:
sudo ifup enp5s0.33
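Once a service is bound to the namespace, the useful check is that its main process really sits in torrentns and has not silently started in the host's default network namespace. The script below is an added example, not part of the original memo; the unit name given on the command line is an assumption, torrentns is the namespace created above, and it has to run as root to read /proc/1/ns/net.

```bash
#!/bin/bash
# Added example: confirm a systemd service runs inside the memo's namespace.
# NS is taken from the memo; the unit name is supplied by the caller (assumption).
NS="torrentns"

# True when two namespace handles point at the same kernel namespace.
# -ef compares device and inode, which is how namespace identity is exposed.
same_netns() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# Classify a PID as:
#   isolated - in the expected namespace
#   leaked   - shares the network namespace of PID 1 (the host)
#   other    - in some third namespace
#   gone     - process (or its ns handle) not found
# Optional args 2 and 3 override the handle and /proc root (used for testing).
classify_pid() {
    local pid="$1" ns_handle="${2:-/run/netns/$NS}" proc="${3:-/proc}"
    if [ ! -e "$proc/$pid/ns/net" ]; then
        echo gone
    elif same_netns "$proc/$pid/ns/net" "$ns_handle"; then
        echo isolated
    elif same_netns "$proc/$pid/ns/net" "$proc/1/ns/net"; then
        echo leaked
    else
        echo other
    fi
}

# Look up the unit's main PID and report where it lives.
# Exit status is 0 only when the service is isolated as intended.
check_unit() {
    local unit="$1" pid state
    pid=$(systemctl show -p MainPID --value "$unit")
    [ "${pid:-0}" -gt 0 ] || { echo "$unit: not running"; return 2; }
    state=$(classify_pid "$pid")
    echo "$unit (pid $pid): $state"
    [ "$state" = isolated ]
}

# Run the check only when a unit name is passed, e.g. ./check-netns example.service
if [ "$#" -ge 1 ]; then check_unit "$1"; fi
```

A "leaked" result means the service's traffic leaves through the host's default route instead of the VLAN interface, so it is a good candidate for a periodic check or an ExecStartPost hook.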
OpenWrt AP with dynamic vlans
My first vlan setup brought isolated networks for both wired and wireless clients, at the cost of having a dedicated ssid per vlan.
As each ssid takes a bit of bandwidth, this didn’t scale, and as I renewed some of my equipment, I took the opportunity to try something else:
ssid1: 802.1x with mikrotik user-manager as radius server to authenticate and assign vlans
ssid2: wpa2-psk with mikrotik user-manager in the background to assign per mac address vlans