TIL — Today I Learned

Short things I learned, discovered, or found interesting.

§GitHub is a CVE Numbering Authority
Tags: github, security, opensource

GitHub can assign CVE IDs for any GitHub-hosted project. Most OSS projects don't need to become their own CNA.

The full flow stays within GitHub:

  1. Someone submits a Private Vulnerability Report (PVR)
  2. Accepting it creates a draft security advisory you own
  3. Create a private fork from the advisory for the fix
  4. Merge + publish is atomic: GHSA entry, CVE to MITRE/NVD, Dependabot alerts — all at once

Note

Private forks from advisories do not run GitHub Actions. Test locally or use a separate CI environment.

Tip

Request the CVE early (it stays "reserved"), develop the fix privately, then go public all at once: merge → publish advisory → tag release → announce.

§Fail2ban + push notifications = self-DoS
Tags: homelab, fail2ban, nixos

Push notification services (ntfy, Gotify) behind a reverse proxy with fail2ban create a self-DoS loop:

  1. Persistent subscribers maintain long-lived connections
  2. Any disruption (Caddy reload, auth blip) triggers reconnection bursts
  3. Fail2ban sees the burst → bans your IP
  4. Auto-unban → instant re-ban (subscriber retries immediately)
  5. bantime-increment makes each cycle worse

The fix: exclude the notification service from fail2ban entirely:

# In caddy-auth filter
ignoreregex = ^.*"host":"ntfy\.sbr\.pm".*$

Warning

ignoreIP doesn't help if your IP changes (travel, mobile). The service itself must be excluded from the filter.
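To see why the ignoreregex (and not ignoreip) breaks the loop, here is an added example that is not part of the original TIL: it replays fail2ban's matching order (a line counts only if failregex matches and ignoreregex does not) over constructed Caddy JSON access-log lines. The failregex, the maxretry of 5 and the log lines are assumptions; only the ignoreregex comes from the note above.

```python
import json
import re
from collections import defaultdict

def _caddy_line(ip, host, status):
    # Constructed compact Caddy JSON access-log line; real lines carry more fields.
    return json.dumps({"request": {"remote_ip": ip, "host": host}, "status": status},
                      separators=(",", ":"))

# Constructed sample log: an ntfy subscriber on 203.0.113.7 reconnecting after a
# Caddy reload (each reconnect is a 401 until auth settles), genuine failed
# logins from 198.51.100.9 against another vhost, and one successful request.
SAMPLE_LOG = (
    [_caddy_line("203.0.113.7", "ntfy.sbr.pm", 401)] * 6
    + [_caddy_line("198.51.100.9", "paperless.sbr.pm", 401)] * 5
    + [_caddy_line("203.0.113.7", "ntfy.sbr.pm", 200)]
)

# Assumed failregex for a "caddy-auth" jail: any 401, <HOST> taken from remote_ip.
FAILREGEX = re.compile(r'"remote_ip":"(?P<host>[^"]+)".*"status":401')
# The ignoreregex from the TIL above.
IGNOREREGEX = re.compile(r'^.*"host":"ntfy\.sbr\.pm".*$')
MAXRETRY = 5  # assumed jail setting

def banned_ips(lines, ignoreregex=None, maxretry=MAXRETRY):
    """Return the set of IPs that would be banned: an IP is banned once
    maxretry lines match failregex without also matching ignoreregex."""
    failures = defaultdict(int)
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue  # not a failure line at all
        if ignoreregex is not None and ignoreregex.search(line):
            continue  # excluded vhost: never counted, so no self-DoS loop
        failures[m.group("host")] += 1
    return {ip for ip, n in failures.items() if n >= maxretry}

if __name__ == "__main__":
    print("without ignoreregex:", sorted(banned_ips(SAMPLE_LOG)))
    print("with ignoreregex:   ", sorted(banned_ips(SAMPLE_LOG, IGNOREREGEX)))
```

Without the ignoreregex the reconnecting subscriber's own IP is banned alongside the real brute-forcer; with it, only the brute-forcer is, regardless of which IP the subscriber currently has.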

§USB autosuspend can cascade across shared xHCI controllers
Tags: linux, hardware, nixos

Intermittent network drops on my laptop's USB ethernet adapter (Realtek r8152) turned out to be caused by a webcam (Logitech C920) on the same USB controller. USB autosuspend on the webcam triggered controller resets that cascaded to the ethernet adapter.

Devices on different logical USB buses can still share a physical xHCI controller.

Fix via udev rule in NixOS:

services.udev.extraRules = ''
  ACTION=="add", SUBSYSTEM=="usb", \
    ATTR{idVendor}=="046d", ATTR{idProduct}=="082d", \
    ATTR{power/control}="on"
'';

Tip

When debugging USB issues, check dmesg for xhci_hcd reset messages. The culprit device may be on a completely different logical bus than the affected one.

§Remote NixOS install: don't bind-mount over /nix/store
Tags: nixos, disko

When installing NixOS from a live USB, /nix/store is an overlayfs with a tmpfs upper layer (RAM-backed). If the closure is too large, you might be tempted to bind-mount the target disk's store over /nix/store.

Don't. It hides all system binaries and breaks the installer.

Instead, resize the tmpfs:

mount -o remount,size=28G /nix/.rw-store

Or better: build the closure on a remote machine and use nix copy to transfer it to the installer.

Note

The live USB's /nix/store has a read-only squashfs lower layer (.ro-store) and a tmpfs upper layer (.rw-store). Default tmpfs is ~50% of RAM.

§Paperless: let it auto-detect, don't "optimize"
Tags: homelab, paperless

When migrating paperless-ngx to a more powerful machine (RK3588), I initially set restrictive "ARM64 optimizations" — fewer workers, single threads, OCR first page only.

This was wrong. The RK3588 has 8 cores and 32GB RAM. The defaults are already optimized: paperless auto-detects CPU count and sets workers/threads accordingly.

# DON'T do this on capable hardware:
PAPERLESS_TASK_WORKERS = "2";        # Limiting!
PAPERLESS_THREADS_PER_WORKER = "1";  # Limiting!
PAPERLESS_OCR_PAGES = "1";           # Incomplete!

# DO this: just let paperless figure it out
# (remove all worker/thread overrides)

§Always use explicit refspecs for git push
Tags: git, safety

A bare git push without a refspec relies on the branch's tracking configuration, which can silently push to the wrong remote branch, especially with worktrees or branches created from unexpected bases.

Always use:

git push origin branch:branch

Never:

git push  # ← dangerous

Warning

With worktrees, tracking configs can diverge between the main repo and worktree checkouts. A bare git push in a worktree might push to a completely different remote branch than you expect.