Denis Churilov potat-dev

Collection of Useful Things

Docker One Line Install

curl -fsSL get.docker.com | sh

File structure

/root/traefik
├── .env
├── compose.yml
├── services
│   ├── common
│   │   ├── headers.yml
│   │   └── middlewares.yml

Here is the complete, professional deployment guide for the split-storage Immich architecture. This adheres strictly to the security principle of keeping the Proxmox host clean while isolating the database/thumbnails on the SSD and heavy media on the ZFS HDD array.

Phase 1: Proxmox Host Preparation (Storage & Security)

Run these commands directly on the Proxmox host shell.

1. Create a Dedicated Unprivileged User To prevent mapping the container to a privileged host user, create a "dead" user with no login access.

Since you are comfortable with the configuration and want a professional, proper systems administration approach, mitigating the security risk of idmap is straightforward.

The security risk exists only if you map the container to a privileged or shared host user (like your primary personal account, UID 1000, which might have sudo access or own sensitive host configurations). If a bad actor breaks out of the container via a Docker/LXC exploit, they land on the host with the permissions of that mapped UID.

To completely mitigate this risk, you create a "Black Hole" or "Empty Room" configuration. You punch a hole through the LXC isolation, but you make sure the hole leads to a user that has absolutely zero power on the host system.

Here are the exact methods to lock this down:

1. The "Dedicated Dead User" Strategy (Primary Mitigation)

Do not map the LXC container to UID 1000. Create a dedicated, unprivileged system account on the Proxmox host that exists solely to own this dataset.

As a Senior DevOps Engineer and Architect, I can tell you that you've hit one of the most common limitations of the GitLab CI YAML engine: GitLab does not natively support deep-merging dictionaries inside an array element (which is what workflow:rules is).

If you define a rule as a list item (e.g., - if: ...) and use !reference, GitLab treats that list item as a single block. You cannot easily inject or override variables inside it at the point of reference.

However, we can elegantly bypass this limitation by using what I call the "Nested Hash Extension" pattern.

Instead of defining your rules as an array in the common repo, we define them as a nested hash (dictionary). We then leverage GitLab's extends keyword (which does support deep-merging dictionaries, unlike arrays) to merge your custom variables in the child repository, and finally inject the resulting hash into workflow:rules using !reference.

	# Config
	$repo = 'Flowseal/zapret-discord-youtube'
	$installDir = Join-Path $env:LOCALAPPDATA 'zapret'

	# Fetch the latest GitHub release info
	Write-Host "Checking latest release..."
	$apiUrl = "https://api.github.com/repos/$repo/releases/latest"
	$release = Invoke-RestMethod -Uri $apiUrl -UseBasicParsing

	# Look for a .rar asset in the release

	/**
	* Catppuccin Macchiato Theme for MyAnimeList Modern
	* Created wuth ❤ by potatdev
	*/

	:root {
	--base: #24273a;
	--mantle: #1e2030;
	--crust: #181926;
	--text: #cad3f5;

	package main

	import (
	"context"
	"fmt"
	"os"
	"sync"
	"time"
	)

	import os
	import signal
	import argparse
	from PIL import Image
	from pathlib import Path
	from tqdm import tqdm
	from multiprocessing import Pool, cpu_count, current_process

	SUPPORTED_FORMATS = (
	".jpg",

	param(
	[string]$Path = ".",
	[switch]$Recursive
	)

	$currentDate = Get-Date
	$minDate = Get-Date "1980-01-01"
	$scriptPath = $MyInvocation.MyCommand.Path

	$params = @{