- cross-posted to:
- agitprop@lemmygrad.ml
- genzedong@lemmygrad.ml
TankieTube is out of "beta" and everyone's invited!
Definitions:
- TT = TankieTube
- PT = PeerTube
- YT = YouTube
OpSec
- Email - Make sure to register using an email detached from your legal identity (remember Stonetoss?).
The software requires an email address; however, I've disabled the verification requirement. This means you can register using something like cum@fart.com and it will totally work—unless the address is already taken (in which case you should get better material!).
You would need a real address, of course, to have the option of resetting your password. The only other thing I use email for is explaining and notifying users of any moderator actions I take against them, as a courtesy.
- P2P - The peer-to-peer feature allows the software to scale tremendously well when serving the same viral video to many people at the same time (supposedly at least 1000 concurrent viewers, easily, with a wimpier server than ours).
A downside of the feature is that it can reveal your IP to a subset of people watching the same video at the same time as you. [Read more]. Therefore, it is recommended to either:
- Use a VPN. Or,
- Deselect the P2P participation feature in the user settings menu.
Federation
TT users can search and view any videos from instances on the subscriptions list, and the instances following TT can view our vids. I occasionally browse the public index and look for new instances to follow (sometimes they're a bust). LMK if you find any cool ones.
Mirroring vids, as in multiple copies on multiple servers, is done when instances implement something called redundancy, but I haven't looked into that much yet.
Fifty Channels!
The major difference from YT is that TT users can create up to fifty (50) channels (the default is 20 but I bumped it up). Channels are analogous to Lemmy communities, except that PT doesn't yet support shared channels with more than one author/user (I believe it's a planned feature). Create a channel for every weird niche topic that you want!
I'll eventually create a style guide. If you want to sync or archive a YT channel, then I'd prefer that you create a unique TT channel that corresponds to it for better organization.
PT has an automatic channel syncing feature, but I have it turned off right now because it was overloading the transcoding queue.
The TankieTube Homepage
The YT homepage is built by a sinister algorithm customized to distract and exploit you. The TT homepage contains whatever-the-fuck HTML I choose to type with my paws. Determining what to put on it will be a big and ongoing decision. If you've made a channel relevant to the site's theme, send me a message and I'll probably pin it!
About the Outro
The music is La Danse Des Bombes, a great song about the ecstasy of armed combat in defense of the Paris Commune of 1871, which I discovered thanks to comrade exotiquematter@tankie.tube. PT is French software, so I think that's neat.
The sound effects are sampled from a video of the Al-Qassam Brigade resistance fighters in live armed combat against Israeli occupation forces. The sound effects correspond to a :hamas-red-triangle: scene in the video.
Underneath it all is a 140bpm beat by "K1 The Producer".
History & Goals
I started out with a $15/mo VPS (run by Nazis, as it turned out) and have migrated/upgraded the server twice since then. It's now using the most powerful dedicated server available from Freakhosting at ~$230/mo💰🥴, because I wanted it to not suck. It has a Ryzen 9 7950x3D, which is ~32 times as fast as the first server. It still doesn't have the transcoding throughput to keep up with YT syncing without creating a double-digit hour backlog.
The transcoding power can be boosted by renting additional servers for use as remote runners. It all depends on the amount of support the project can get...
Donation Link 🥺👉👈
I'm afraid to add it up, but I'm sure I've sunk at least $600 into various TT expenses since I registered the domain on 2023-10-27 and started playing around. I didn't want to ask for donations until I was sure I knew what I was doing.
Another goal: making the PT vids embed properly in Lemmy!
Oh, great job comrade!
Having a dedicated leftist tube is great for the whole Commie-self-sufficiency thing we've got going on
you can register using something like cum@fart.com
why would you dox me
please stop sending me spam to my real email address
cum@fart.com
thank you
"This is my business email address and I expect people to treat it with the seriousness and respect that it deserves! 😤"
Curiously, the other time I've seen HexReplyBot freak out like this was in a different thread by TankieTanuki, so I think the bot's just racist against tanukis.
Love the video, the site, and the logo! Thank you, Comrade!
to be clear, you don't need to sign up for an account to disable p2p, at least on the site directly, embeds (like into cytube) might be different.
In that case the preferences just get stored in your browser with a cookie or something (so if you wipe those regularly it will get wiped out and go back to defaults)
Also godspeed in combatting bots tanuki, hopefully they aren't too much of an issue, but with open reg and no email verification it might become one
you don't need to sign up for an account to disable p2p
Oh, hey, I didn't know that! Neat.
I can always close registration if shit happens. I'll cross that bridge if and when.
FWIW I've been getting one or two a day on matapacos.dog. It seems manageable as long as you... actually visit the site you're administrating from time to time :)
yeah that's for sure an issue. If you're online enough and there aren't less-visible corners for the spammers to hide in then it shouldn't be bad
Also, a kind, certified security expert contacted me by email and offered me a FREE assessment of my private keys and he said they meet "top standards"!
Please tell me this is a joke and you didn't send some rando your private keys.
Okay, yeah, maybe I shouldn't joke about this stuff (I love jokes though).
The only person or thing that ever "sees" my decrypted private keys is my ssh agent (his name is Stanely---kidding!---it's OpenSSH), and only for brief moments. I use ed25519 and they never leave the home Linux PC that generated them.
I've hardened the server's /etc/ssh/sshd_config by disabling password login and root login. It only accepts PubkeyAuthentication and MACs sha2-256 and sha2-512. Only one user is on the allowList to use SSH, and I've double-checked the file permissions of/in the corresponding ~/.ssh directory: authorized_keys has a chmod of 0600. nftables blocks all inbound traffic except for the obviously necessary ports 80 and 443, 51820 for WireGuard, and my super secret, random port for my ssh logins (I know that doesn't do that much but, meh). The standard SSH port 22 is blocked.
Exposing SSH to the public internet, key authentication only or not, is kind of scary. I'd really recommend only allowing SSH connections through a private VPN.
Ignore the double post, website broken for a second and threw an error so I reposted
OH! nftables also drops any incoming ssh connection unless the IP matches the two or three VPN endpoints I use. They are public (paid) VPN endpoints though.
I have another, smaller webserver where I plan to create a private WireGuard endpoint. Then incoming ssh could be restricted to the local 10.x.x.x whatever subnet used. Is that closer to what you had in mind?
Then incoming ssh could be restricted to the local 10.x.x.x whatever subnet used. Is that closer to what you had in mind?
Something of that nature, you could instead bind SSH to that subnet so you don't have to worry about the firewall shenanigans.
Firewalling always seems so finicky. I'd say binding SSH to the wireguard interface is a better bet. I don't let anything route outside wireguard unless I'm explicitly hosting it for the public.
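A quick audit of the sshd settings this sub-thread describes (key-only login, no root login, SHA-2 MACs, an allow list, and sshd bound to the WireGuard address rather than every interface), added here as an example and not code from the thread or from PeerTube. The 10.8.0.1 address, the deploy user and both sample config files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit an sshd_config against the
# hardening described above (key-only login, no root login, SHA-2 MACs,
# an explicit AllowUsers list, and sshd bound to the WireGuard address
# instead of every interface). File paths and addresses are constructed.

# Effective value of a directive, lowercased. sshd honours the first
# uncommented occurrence, so stop at the first match; empty if absent.
sshd_get() { # $1=config file  $2=directive
    awk -v k="$2" 'tolower($1)==tolower(k) { $1=""; sub(/^ +/, ""); print tolower($0); exit }' "$1"
}

# Prints one FAIL line per finding on stderr and the failure count on stdout.
audit_sshd() { # $1=config file  $2=expected WireGuard ListenAddress
    local f="$1" wg="$2" fails=0 v mac
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-unset}" >&2; fails=$((fails+1)); }
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset}" >&2; fails=$((fails+1)); }
    v=$(sshd_get "$f" PubkeyAuthentication)   # unset means the default, yes
    [ -z "$v" ] || [ "$v" = "yes" ] || { echo "FAIL PubkeyAuthentication=$v" >&2; fails=$((fails+1)); }
    v=$(sshd_get "$f" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers unset: no allow list" >&2; fails=$((fails+1)); }
    # Every MAC must be an hmac-sha2-256/512 variant; an unset MACs line
    # leaves OpenSSH's defaults, which still include sha1.
    v=$(sshd_get "$f" MACs)
    [ -n "$v" ] || { echo "FAIL MACs unset" >&2; fails=$((fails+1)); }
    for mac in $(echo "$v" | tr ',' ' '); do
        echo "$mac" | grep -Eq '^hmac-sha2-(256|512)(-etm@openssh\.com)?$' \
            || { echo "FAIL weak MAC $mac" >&2; fails=$((fails+1)); }
    done
    # Bind to the VPN address only; the wildcard exposes sshd to the internet.
    v=$(sshd_get "$f" ListenAddress)
    [ "$v" = "$wg" ] || { echo "FAIL ListenAddress=${v:-unset}, want $wg" >&2; fails=$((fails+1)); }
    echo "$fails"
}

# Constructed sample configs: a default-looking one and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# PermitRootLogin no   <- commented out, so it does not apply
PasswordAuthentication yes
MACs hmac-sha1,hmac-sha2-256
ListenAddress 0.0.0.0
EOF
cat >"$HARD_CFG" <<'EOF'
ListenAddress 10.8.0.1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512
EOF
audit_sshd "$WEAK_CFG" 10.8.0.1   # 5 findings
audit_sshd "$HARD_CFG" 10.8.0.1   # 0
```

Run it against the live file with `audit_sshd /etc/ssh/sshd_config <wg-address>`; it only reads the top-level directives, so settings inside Match blocks are not evaluated.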
Highly, highly recommend containerizing your setup.
Keeps your runtime environment nice and consistent:
- Execution environment defined entirely in the container image
- Networking confined to only the container interface
- Data persists on only the very specific paths you mount into the container
No need to fuck with root privileges because it's all stateless. Just SSH as a user in the docker group to talk to the docker socket, and bind that to your wireguard interface. And if shit gets owned, you can nuke everything since it all comes from images and just restore a backup.
This is good practice for something like a desktop machine.
Servers, especially explicitly communist peer-to-peer filesharing servers, require a degree of bulletproofing beyond this. Every chud or lib who can use the command line is gonna want to own your box, let alone more capable people or entities. All it takes is one CVE, and a PeerTube instance, nftables, and openssh is a lot of exposed surface area.
Idk, maybe I'm more paranoid than most, but I'd at least look into containerizing this setup. There's a lot of hardening that can be done, but containers probably give you the most bang-for-buck effort-wise.
Why do you think it is that the PT docs recommend a direct installation over Docker? [Top left of page]
Earnest question; I'm not being glib or rhetorical.
Not sure why, but I'd assume it's because the devs don't use docker in the development process, so it's less tested. Also might be WebTorrent having networking quirks, but idk. Docs also say something about not being able to handle changing hosts, which might be relevant, but that wording is ambiguous, so I'd normally think they mean "hostname"
They don't (officially) support changing the instance domain name or object storage providers. It was probably trying to say that. The developers are French so the English translations are sometimes a little off.
i didn’t say i wrote the dang Active Pube API, i just said i’m using it
230$/mo
You should downgrade, it will get a fraction of hexbear users and hexbear probably costs half as much in upkeep
It really benefits from the CPU. It means you can publish an hour-long video in minutes instead of hours. I have one user on the site who uploads a lot of topical content daily, and he really appreciates the prompt processing. About three dozen people from his country have registered in the past couple weeks, presumably from word-of-mouth or casual discovery. I hope I don't have to downgrade. I'm also on the public list of PT instances, so random people have registered too.
You may want to look into a bare metal server with a GPU. It may actually cost less for better performance. I would expect transcoding, storage, and bandwidth to be the major costs.
Hetzner (I don't know if they are the Nazi hosts sorry) is a trusted bare metal provider if you still want cloud convenience. If you route traffic through a bastion you can probably operate without Hetzner having any idea what you are doing, either, which could be nice for longevity - if your bastion (the public IP seen by the world) cracks down on you, just get another and update DNS records.
Anyways this is awesome, thank you for doing this. Let me know if you need or want any technical assistance!
No, it wasn't Hetzner.
Yes, transcoding and storage are the major costs. The storage is practically infinitely scaleable. Bandwidth isn't too much of an issue at this size. The real challenge is the CPU. The server has 128GB RAM and it only uses like 2GB.
I haven't played much with GPUs. I thought they were just for bitcoin, AI, and vidya. Tell me more.
Hetzner recently started removing mastodon instances for having queer content on them. I wouldn't go with them.
- ∞ 🏳️⚧️Edie [it/its, she/her, fae/faer, love/loves, ze/hir, des/pair, none/use name, undecided]·3 months ago
They have? I've been thinking about getting a vps with them, maybe I should look for some other.
https://woem.men/notes/9ragjwecxwul3nis
So it looks like they basically have to follow German law, so if some nazi troll or (or in this case your ex) files an unverified report, the company will just give you 24hrs to delete your server. I can imagine hosting a bunch of tankie content won't go over well in Germany.
- ∞ 🏳️⚧️Edie [it/its, she/her, fae/faer, love/loves, ze/hir, des/pair, none/use name, undecided]·3 months ago
I guess if I went with them anyways, I should make sure to keep backups. Luckily since I plan on using nixos, setting up a new instance would be rather easy.
Thanks for pointing this out! I'm glad I don't actually use Hetzner.
As a heads up, the user Ideology has pointed out that Hetzner has been taking down queer Mastodon servers so it's one to avoid.
Transcoding is often the main computational work of video streaming and GPUs can make this much faster because many of them have hardware transcoding built-in. For example, the basic GPUs built into consumer intel chips (and not server chips) often have H.264 hardware transcoding capabilities. If you make the right interfaces available to the software that wants to transcode, it will transcode a h.264 video 5-10X faster without really hitting the CPU.
If the card supports it, it will show up as a direct rendering interface under /dev. Something like /dev/dri/card0.
Its presence, name, and capabilities will depend on:
- The GPU itself
- Whether the kernel modules are loaded
- Whether those kernel modules support the device in this way.
The first step I would recommend is doing lspci to see what GPUs are available.
I see two VGA entries.
https://trac.ffmpeg.org/wiki/HWAccelIntro would seem to indicate that the AMF encoder provides amd gpu support. https://github.com/Chocobozzz/PeerTube/issues/938 https://docs.joinpeertube.org/contribute/plugins#add-new-transcoding-profiles
Jorropo commented Aug 31, 2020
@karibuTW it's also that ffmpeg is CPU focused, don't expect any huge improvement by GPU acceleration.
Is that true?
Hardware encoders typically generate output of significantly lower quality than good software encoders like x264, but are generally faster and do not use much CPU resource. (That is, they require a higher bitrate to make output with the same perceptual quality, or they make output with a lower perceptual quality at the same bitrate.)
I'm not sure. I peered through peertube docs and they surprisingly do not tell specifically what kind of hardware you need for transcoding. All they talk about is offloading intensive tasks like transcoding to runners but again don't talk about the hardware requirement.
uhh yeah that's what gpus are built for essentially. it's probably like 1000x faster than an equivalent cpu.