I’m beautiful and tough like a diamond…or beef jerky in a ball gown.

  • 50 Posts
  • 191 Comments
Joined 8 months ago
Cake day: July 15th, 2025

  • Nice. I’ve got the Anker version but it’s half the capacity at 1 kWh. It charges exclusively from 800 W of PV input (though it can only handle 600 W input) and can push out 2,000 W continuous and 3,000 W peak.

    I’ve got a splitter from the PV that goes to both the Anker and a DC-DC converter which then goes to a few 12 V -> USB power delivery adapters. Those can use the excess from the PV to charge power banks, phones, laptops, etc while the rest goes to the Anker (doesn’t seem to affect the MPPT unless there’s basically just no sunlight at all). Without the splitter, anything above 600 W is wasted until I expand my setup later this spring.

    All I can say for it is that it absolutely rocks! On sunny days, I run my entire homelab from it, my work-from-home office, charge all my devices, and run my refrigerator from it (if I feel like running an extension cord). It’s set up downstairs, so I also plug my washing machine into it and can get a few loads of laundry done as well.

    All from its solar input.


  • Solutions that work for a corporate application where all the staff know each other are unlikely to be feasible for a publicly available application with thousands of users all over the world

    This is something of a hybrid. There will be both general public users as well as staff. So for staff, we could just call them or walk down the hall and verify them but the public accounts are what I’m trying to cover (and, ideally, the staff would just use the same method as the public).

    Figure if an attacker attempts the ‘forgot password’ method, it’s assumed they have access to the user’s email.

    Yep, that’s part of the current posture. If MFA is enabled on the account, then a valid TOTP code is required to complete the password reset after they use the one-time email token. The only threat vector there is if the attacker has full access to the user’s phone (and thus their email and auth app) but I’m not sure if there’s a sane way to account for that. It may also be overkill to try to account for that scenario in this project. So we’re assuming the user’s device is properly secured (PIN, biometrics, password, etc).

    If you are offering TOTP only,

    Presently, yes, but we’re looking to eventually support WebAuthn

    or otherwise an OTP sent via SMS with a short expiration time

    We’re trying to avoid 3rd party services, so something like Twilio isn’t really an option (nor Duo, etc). We’re also trying to store the minimum amount of personal info, and currently there is no reason for us to require the user’s phone number (though staff can add it if they want it to show up as a method of contact). OTP via SMS is also considered insecure, so that’s another reason I’m looking at other methods.

    “backup codes” of valid OTPs that the user needs to keep safe and is obtained when first enrolling in MFA

    I did consider adding that to the onboarding but I have my doubts if people will actually keep them safe or even keep them at all. It’s definitely an option, though I’d prefer to not rely on it.

    So for technical, human, and logistical reasons, I’m down to the following options to reset the MFA:

    1. User must contact a staff member during business hours to verify themselves. Most secure, least convenient.
    2. Set up security questions/answers and require those after the user receives an email token (separate from the password reset token). Moderately secure, less convenient, and requires us to store more personal information than I’d prefer.
    3. Similar to #2 except provide their current password and a short-term temporary token that was emailed to them when they click “Lost my MFA Device”. Most convenient, doesn’t require unnecessary personal info, possibly least secure of the 3. Note that password resets require both email token and valid TOTP token, so passwords cannot be reset without MFA.

    I’m leaning toward #3 unless there’s a compelling reason not to.
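The two recovery paths the comment above describes, modelled as an added example (this is not the commenter’s code, and the project’s storage and password hashing are assumptions: scrypt for the password hash, SHA-256 of a random URL-safe token for the e-mailed one-time tokens, a 15-minute token lifetime, and RFC 6238 TOTP for the MFA code). The point it makes concrete is that the two tokens are purpose-bound and each path needs a second factor the mailbox alone does not give an attacker: the password path needs a TOTP code, the "Lost my MFA device" path (option #3) needs the current password.

```python
"""Added example, not the commenter's code: the two recovery paths described
above, modelled with the standard library so the separation is explicit.

Assumed design (the comment leaves storage and hashing unspecified):
  * password reset ("forgot password"): one-time e-mail token + valid TOTP
  * MFA reset ("Lost my MFA device"):   one-time e-mail token + current password
An attacker holding only the mailbox completes neither path.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL = 15 * 60   # seconds; assumed short lifetime for e-mailed tokens


def hash_password(pw: str, salt: bytes) -> bytes:
    # scrypt keeps the demo dependency-free; prefer argon2id in production.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time, no clock-drift window."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes]                      # None = not enrolled in MFA
    tokens: Dict[str, Tuple[bytes, float]] = field(default_factory=dict)


def _digest(tok: str) -> bytes:
    return hashlib.sha256(tok.encode()).digest()


def issue_token(user: User, purpose: str, now: float) -> str:
    """Mint the token that gets e-mailed; only its hash and expiry are stored.
    Separate purposes mean a password-reset token cannot be replayed as an
    MFA-reset token or vice versa."""
    tok = secrets.token_urlsafe(32)
    user.tokens[purpose] = (_digest(tok), now + TOKEN_TTL)
    return tok


def _token_valid(user: User, purpose: str, tok: str, now: float) -> bool:
    entry = user.tokens.get(purpose)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        del user.tokens[purpose]
        return False
    return hmac.compare_digest(digest, _digest(tok))


def reset_password(user: User, tok: str, code: str, new_pw: str, now: float) -> bool:
    """Forgot-password path: e-mail token AND (if enrolled) a valid TOTP code."""
    if not _token_valid(user, "password-reset", tok, now):
        return False
    if user.totp_secret is not None and not hmac.compare_digest(code, totp(user.totp_secret, now)):
        return False          # token is kept; rate-limit code attempts separately
    del user.tokens["password-reset"]   # single use
    user.salt = secrets.token_bytes(16)
    user.pw_hash = hash_password(new_pw, user.salt)
    return True


def reset_mfa(user: User, tok: str, password: str, now: float) -> bool:
    """Lost-MFA path (option 3): e-mail token AND the current password."""
    if not _token_valid(user, "mfa-reset", tok, now):
        return False
    if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
        return False
    del user.tokens["mfa-reset"]
    user.totp_secret = None   # user must re-enrol; notify them out of band
    return True
```

A wrong second factor deliberately does not burn the token (otherwise anyone who guesses the reset URL could lock the real user out of recovery), so attempts against the TOTP code and the password need their own rate limiting. Re-enrolment after `reset_mfa` should also trigger a notification to the user on a channel the attacker is less likely to hold.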


  • To give perspective, with a 3,000 mAh battery I am still lasting days.

    Is that connected via Bluetooth or just running the LoRa radio? Curious if the V4 is any less power hungry than the V3. I never did a rundown test with one of my 3,000 mAh V3 units, but my daily driver had a 2,000 mAh battery and barely made it 14 hours before it was throwing the battery low warning. I kept it connected to my phone the whole time under most conditions.

    Same conditions but with the nRF-based T1000e, it runs for about 2 days on a 700 mAh battery AND has GPS (I didn’t have GPS on my daily driver node). The difference is amazing.


  • Could be any or all of that, yeah. You can also set the level of precision for your reported location, but I don’t think even the lowest precision settings would put it 1,000 miles away.

    I live near-ish to an airport, and I’ll occasionally see nodes that are 1 or 2 hops and 100-200+ miles away. Best I can tell, the airborne node is legit relaying those which I think is pretty cool. Not really useful, but cool.



  • which does not explain why this port or the others are blocked. I also lack the technical background to understand this decision.

    Don’t take this the wrong way, but understanding the reason for that decision is pretty important if you’re planning to run your own email server. A misconfigured email server (which is very easy to do) becomes a problem for everyone else when it inevitably gets used to spam. There’s also a lot of ancillary things to configure correctly as well (DKIM, SPF, DMARC policies, spam filtering, etc) lest everything seem to work but no one is able to receive mail from you or it always ends up in their spam folder.

    While I disagree with port 25 being permanently blocked on residential (and often even business-class) connections, I understand why in the grand scheme of things.

    I don’t read Finnish, but here are the general reasons why:

    1. Port 25 is for SMTP transport and typically only used for server-to-server (MTA) email traffic. This is unauthenticated between servers. Clients (MUAs) connect through a “submission” port which is pretty much expected to be authenticated/access-controlled. That’s why you can send emails to an email provider but you can’t be an email provider yourself. By blocking port 25, malicious people or people that have been compromised with malware cannot just blindly blast out spam email. This reduces spam considerably, though with a compromise of slightly restricting what a residential connection can be used for.

    2. Most big email providers universally block emails that originate from an IP address that’s assigned to a residential IP/provider. Same reason as above. This means even if your ISP were to unblock port 25 for you, you likely wouldn’t be able to send email to any major email provider (Gmail, Outlook, Yahoo, AOL, etc) as they would just sinkhole any messages you send to users there.

    That’s pretty much it in a nutshell.

    Can you bypass that and host at home?

    Yes, if you’re willing to work for it. You can set up a VPS (cloud server) and port-forward across a VPN connection to your home server. Your DNS records for your email server would point to the VPS’s IP, and the email server would need to be configured to use the VPS as its default route so all traffic goes in/out over the VPN connection. This is how my email server is configured.

    Sounds easy enough, right? Well, good luck getting a VPS with a “clean” IP. Most VPSs you can get in public clouds are already on one or more public spam blocklists as well as many private/internal blocklists. You can clean up an IP’s reputation and make it work with minimal to no delivery problems, but it’s a LOT of work and often requires finding hidden forms to submit the request (Microsoft/Outlook was a brute, and I only found the link to the form in a forum post). I’ve cleaned up two IPs like that, and it took 2-3 weeks of work before I was able to get reliable delivery.
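One of the “ancillary things” the comment lists is SPF, and it is also where the VPS-plus-VPN layout bites if the DNS side is wrong: the record has to authorise the VPS address the mail actually leaves from, not the home address behind the VPN. The following is an added example (not the commenter’s setup) of an offline SPF evaluator covering the commonly used subset of RFC 7208 (`ip4`, `ip6`, `a`, `mx`, `include`, `all` with the four qualifiers), run against a constructed DNS zone; `example.org`, `_spf.example.net` and the addresses are placeholders, and the dictionary stands in for real DNS lookups.

```python
"""Added example, not from the comment: an offline SPF evaluator (RFC 7208
subset) run against a constructed DNS zone, to show why the record must name
the VPS the mail egresses from and why the home IP must never be the sender.
"""
import ipaddress

# Constructed zone (assumption for the demo): mail for example.org is
# advertised from the VPS (203.0.113.10); the home box (198.51.100.20) sits
# behind the VPN and is not authorised as a sender.
DNS = {
    ("example.org", "TXT"): ["v=spf1 mx ip4:203.0.113.10 include:_spf.example.net -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["203.0.113.10"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    """Stand-in for a DNS query; swap in dnspython for real use."""
    return DNS.get((name, rtype), [])


def spf_record(domain: str):
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def check_spf(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate sender IP against domain's SPF record.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                 # simplified stand-in for the DNS-lookup limit
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        if "=" in term:            # modifiers (redirect=, exp=) not handled here
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # mismatched address families simply do not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT[qual]
    return "neutral"               # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.20", "192.0.2.7"):
        print(sender, check_spf(sender, "example.org"))
```

Running it against the constructed zone gives `pass` for the VPS address (via `mx` and `ip4`), `pass` for the included netblock, and a hard `fail` for the home address, which is the outcome you want: if the home server ever routes around the VPN and connects directly, receivers with a `-all` policy reject it rather than quietly accept mail from a residential IP that will be blocklisted anyway.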


  • It’s so common for “anti-censorship” to be code for “Nazi-friendly” that I’m immediately suspicious of any platform that uses that as a selling point.

    I’m similarly suspicious, but it’s not just code for “nazi-friendly” but also crackpots, maladaptives, etc. Rational people who read and say “anti-censorship” in this context know it means that it’s not beholden to corporate or government interests. But everyone else seems to want to interpret that as “I can say whatever I want! How dare you mod anything I say?! Freeze-peach, y’all!”

    I wish they’d pick a different term for these non-corporate alternatives, but I don’t have a better suggestion to offer right now.


  • It’s theoretically possible under ideal conditions but probably not practical.

    There is a maximum hop count of 7 which means there can be, at absolute maximum, seven nodes between the sender and recipient. The default, though, is 3 hops.

    While the radios may, in theory, be able to work at the range of “a few states over” as the crow flies, terrain, structures, and line of sight would likely prohibit them from working in practice at such distances. You’d also need a reliable series of hops to reach from you to them. Again, at those distances, you’d very likely exceed the maximum hop count pretty quickly.

    From what I’ve seen, large meshes are generally regional.

    There’s a way to join meshes over the internet via MQTT but I haven’t messed with setting that up and in some cases it can potentially overwhelm a local mesh.


  • Over half of USA’s population voted for this.

    False. Just over half of the voting population voted for this guy (and not necessarily any of what he’s done for the last year).

    The orange turd won with 77,302,580 votes. I don’t have the number of registered voters in 2024 handy, but using the population of 348,320,255, that’s 22% of the total population who supported this guy. And even some of that 22% is starting to sour because things have gone so far off the rails, so I’d further estimate that 19% of the population are the true die hards who will follow him to the end.

    This isn’t even factoring in those who would have voted one way or the other but were ineligible to vote or didn’t bother to vote. It also doesn’t factor in the Electoral College or people who didn’t understand how the Electoral College works and threw their vote away on a 3rd party or abstained.

    You’re judge and jurying us all over the actions/behavior of maybe 19% of the population. If we discovered a new species of bird and 1 out of 5 were red while the other 4 were brown, we wouldn’t classify the species as red birds.


  • Clarification: The government/administration is stirring the pot, but most/nearly all of the population is not. People need to distinguish / recognize the difference between the actions of a country’s government and those of its everyday citizens who are often powerless.

    That distinction is the difference between a valid opinion and xenophobia.

    Edit: Removed the example since on a second read sounded like I was trying to “say something without saying it” which wasn’t my intent. I just don’t have time to wordsmith it better right now.


  • My knowledge is incomplete as to what powers and restrictions you get with an amateur license, but I think the only real reason you’d want to use HAM mode in the US is if you wanted to operate on US 433 or maybe the 868 MHz block. Not sure if HAMs have access to the latter one or not, though. The 915 block is pretty permissive here for unlicensed use, so that’s usually sufficient.

    Also, if a node is operating in HAM mode, it may not be able to mesh with other nodes not in HAM mode due to encryption being disabled. I could be wrong about that as I haven’t read into that specifically, but to my knowledge it tracks.