26
33
submitted 1 year ago* (last edited 1 year ago) by Sami to c/announcements

Hey everyone, we've made a new theme for our instance. It's set as the default instance theme at the moment so if the theme setting in your profile is set to 'Browser Default' then you should already be seeing it.

Folded is a theme based on another custom theme, Lemonberry, which made things a lot easier to figure out so shout out to [email protected] for the base theme.

It's currently only a 'dark mode' and hasn't had much testing so please let us know if you see any glaring issues that we missed. Also, constructive criticism is more than welcome with this being a first attempt.

Also, if you wish to opt out of this theme all you need to do is click on your username on the top right -> Settings -> Theme and select a different one. The old instance default should be 'darkly' if you just want to revert to that.

Otherwise, you can set it to 'folded-v4' or 'Browser Default' to check out the new theme.

Here are some pics of the theme:

Hope you like it

27
33
submitted 1 year ago* (last edited 1 year ago) by Demigodrick to c/announcements

Edit: RC version of lemmy-ui has been released to fix this issue for emojis, which has been applied to lemmy.zip.

Hello all,

Around 5 hours ago Lemmy.world and lemmy.blahaj.zone experienced a "hack" targeting admin accounts, which then altered the sites and spread spam etc.

Thankfully the attack vector was figured out quite quickly and mitigations were put in place. Sami was very quick to act and defederated us from those instances to prevent their exploit spilling over into our site.

The attack vector is custom emojis, which allowed attackers to exploit weaknesses via cross site scripting. More info is available here for those interested: https://github.com/LemmyNet/lemmy-ui/issues/1895

This attack gives attackers access to your "session". They won't know your password as they did not have access to the database or the server. Attackers would have had access to your user settings page, so they could potentially see your email address.

Lemmy.zip had a custom emoji in place from testing a few weeks ago, so as an extra precaution we've reset the secrets table in the database which should have logged everyone out (sorry!). This would prevent attackers still having access to any accounts on our site.

It's important to add that at this stage I don't believe any of our users have been compromised, due to Sami's quick action to defederate and remove the custom emoji once this was known as the attack vector. No accounts on this instance were involved in the posting of spam and none of our admin accounts were compromised either.

If we find out any more information we'll add it here. We'll continue to implement all security fixes as they become available.
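
An added illustration for the post above, not part of the original post and not Lemmy's own code: why resetting the server-side signing secret logs everyone out, including anyone holding a session token taken through XSS. It assumes the session is an HMAC-signed, JWT-style token keyed by that stored secret; `issue_token`, `verify_token` and `rotation_demo` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, secret: bytes) -> str:
    """Build an HS256 JWT-style session token signed with the instance secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes):
    """Return the user id if the signature matches the current secret, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token: treat as unauthenticated


def rotation_demo():
    """Constructed scenario: one token checked before and after the secret is reset."""
    old_secret = secrets.token_bytes(32)
    stolen = issue_token(42, old_secret)        # token copied out of a live session
    before = verify_token(stolen, old_secret)   # accepted while the secret is unchanged
    new_secret = secrets.token_bytes(32)        # the secret reset (assumed mechanism)
    after = verify_token(stolen, new_secret)    # the same token no longer verifies
    relogin = verify_token(issue_token(42, new_secret), new_secret)
    return before, after, relogin
```

The reset does not distinguish stolen tokens from legitimate ones, which is why every user has to log in again afterwards.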

28
23
submitted 1 year ago by Sami to c/announcements

Defederating from Lemmy.world and lemmy.blahaj.zone until they have their shit back together as they seem to have been compromised (extent is not fully known at the moment). Beehaw took their servers down preemptively too.

Rogue admin accounts can do harm to other instances too; this is a precautionary measure until we have a better idea of what we're dealing with.

Reminder not to click on sketchy links!

29
15
submitted 1 year ago* (last edited 1 year ago) by Demigodrick to c/announcements

Should be down for a short time while the update is applied.

You may need to do a hard refresh on your browser to refresh your cache - Shift + F5 on chromium browsers, Ctrl + F5 on Firefox.

As always you can check status.lemmy.zip for updates if you can't access the site.

30
7
submitted 1 year ago* (last edited 1 year ago) by Demigodrick to c/announcements

Just a heads up that the latest version of the Lemmy server has been released. I'll be applying the update shortly. I don't expect too many issues but you might lose connection temporarily.

Edit: Honest to god pictures are broken again. FFS. I know what the issue is though, it lies with the change in the internal nginx proxy method - attempting a fix now> BE

Edit 2: images are back, more info here: https://github.com/LemmyNet/lemmy-ansible/issues/96

31
9
submitted 1 year ago* (last edited 1 year ago) by Demigodrick to c/announcements

Originally I was trying to put Lemmy.zip behind a CDN (cloudflare) to reduce costs, however suddenly images stopped loading. Cue mild panic attack.

You may notice that there are no images on the local instances.

Turns out this is because Backblaze has gone down, who host all our storage.

https://status.backblaze.com/

When they come back up, pictures should automatically load again.

(I'm using us-east for image storage and this is the server that's gone down while the others still work, talk about bad luck!)

32
11
submitted 1 year ago by Demigodrick to c/announcements

Hello All,

So today a few Lemmy instances have been hit by a spam bot. We had 80 new accounts created in a matter of minutes, but thankfully due to email verification being required, none have been able to actually complete the sign up process.

Because of this, I've had to enable further measures to ensure sign ups are real people. Anyone signing up will now need to explain that they're human AND verify their email address. This seems to have stopped the bots for now.

Because manual approval is required for each account, I'm looking to appoint a community member to help moderate and admin the instance.

If you're interested, please send me a message (click on my profile and click send message) and give me a quick overview of yourself and why you want to admin the instance.

To be eligible you must:

  • be a member of Lemmy.zip
  • account must be suitably old (minimum 3 days)
  • must be active on Lemmy

If you think this is something you'd be interested in then please send me a message.

33
38
Lemmy.zip - Week One Rundown (self.announcements)
submitted 1 year ago* (last edited 3 months ago) by Demigodrick to c/announcements

On the eve of Lemmy.zip turning one week old, and following requests from members of the community, I'm putting together a post to show how Lemmy.zip is being run, the resources taken up in the back-end and the general day to day issues I've come across and resolved.

Hardware

Firstly, the setting up of Lemmy.zip.
Lemmy.zip (the domain) was purchased on Google Domains (apparently now sold off to squarespace?), and I have the domain for two years.

Secondly, the cloud platform is Hetzner Cloud. The server is based in Falkenstein, Germany. The server "name" is CX21 - It's an Intel CPU, with 2x vcpus, 4GB of RAM, a 40GB SSD and 20TB of outgoing traffic.

After setting up SSH, I followed the Ansible guide to set up Lemmy, which got the instance set up pretty much instantly. Great success.. or so I thought!

Setup

The first thing I did was try federating with some other instances, which appeared to work straight away. Great. I tried some of the settings, added a logo, turned on user registration and email validation, added a site bio etc. Then I tried logging in and out. Oh no. I couldn't log back in with the Admin account, because email verification was turned on and I hadn't verified my email! Now, I know how to fix this via SQL commands, but at the time I had no clue. I also wasn't receiving any emails from Lemmy.zip. After some googling, it turns out Hetzner blocks port 25, which is the default postfix port (postfix is the piece of software that handles emails). So now I was locked out with seemingly no way to get back in. Whoops. So I went and deleted the server and started from scratch. I reinstalled Lemmy, set up the instance again and made sure email verification was off this time. I posted in a few places about the server, and suddenly people were joining!

The next step was to get email working. I did try SendGrid for emails first, who immediately refused to verify me and still, a week later, have not replied to my support request.

Next I tried Mailersend, who had quite a complex validation but did finally approve me. Then I had to figure out how to get the server to send emails using the Mailersend details.

After a couple of hours of testing, it turns out you only need to add the details to the lemmy config.hjson file, and you don't need to alter anything in the postfix container. I re-uploaded Lemmy, set email validation to true, and created a test account - boom! Email received.

For the most part, that was the first 24 hours done. I think by the end of the first day we had ~20 users, which I was really excited about.

Stats

As I'm typing this, we have 369 (nice) users, which is incredible. At one point, we even made it onto the recommended servers list however we've since been knocked off the list due to the uptime dropping after I've had to restart the server a few times. Still, another moment I was really proud of.

Most of the week has been quite smooth in all honesty, until today when I had a few reports that users couldn't register or log in to their accounts. It took quite a while to track down the issue, as the logs were not really giving anything away. Finally, I saw a line in the log which said api_routes_websocket: email_send_failed: Connection error: timed out (this literally took me 3 hours to find this one line - tip, set logging level to warn and not the default info if you want any chance of finding errors in a busy instance!)

With a bit of googling, I was able to check my connection to the Mailersend smtp server and noticed that the telnet connection was timing out, which indicates that port 587 is being blocked somewhere in the chain. I have emailed Mailersend support but being a Saturday I'm not expecting a response for a while.

telnet error

Before Mailersend stopped working, here is what the email stats look like:

You can see the expected tail off as Reddit opened back up, but then you can see emails drop to 0.

So with some frantic googling, I've switched (hopefully temporarily) to another provider, and emails are working again. Phew.

In terms of server performance, have some fancy graphs:

Server performance over the last week. The three big spikes relate to me doing something intensive on the server, rather than anything Lemmy is doing. Usage is mostly around 50% which is great, and gives us lots of growing room still.

Here are some other graphs to look at:

Live server usage as I'm writing this

Live network usage

Storage space used:

Storage used out of the 40gb - 36% used. There was an issue with the pictrs container (the software that uploads/manages photos) writing a log that was about 7gb in size before I noticed. That has been fixed with a rotating log file rather than one big file.

Other stuff

Thought I'd add some stuff I've liked from the last week. Firstly, if you haven't already subscribed to the Starfield community and have an interest in the game, I urge you to do so.

A community I've quite enjoyed too is Dad jokes - definitely worth checking out if you want a laugh.

End

Hopefully that's been interesting for people - if there is anything you'd like to see more on, let me know. Happy to add more detail (where I can!)

Anyone is welcome to send me a message on here, I have no issues talking more privately. I have also set up an email address ([email protected]) for anyone who is locked out of an account or needs to share personal details and isn't comfortable using this platform to do so.

34
13
submitted 1 year ago* (last edited 1 year ago) by Demigodrick to c/announcements

Edit: appears to be fixed.

Lemmy.zip may be up and down all day - emails have stopped working (no discernible reason why) and so registrations are closed, but you should be able to login without having a registered email to stop current users from being locked out. I'll update when I know further information.

Edit: for anyone that is interested, I can't telnet port 587 on the mail sending platform. I can do it fine for other smtp providers so I assume it is a current provider issue. I'm looking at switching providers to see if this helps.

Edit 2: I've switched email providers and it appears we're back up and running again - email resets appear to work. I'll switch email verification back on and allow new users.

If anyone is having any issues, please email me at [email protected] if you can't access your account, and I will look into it.
