Comment on Securing a 'public' service for family
glizzyguzzler@piefed.blahaj.zone 1 week ago
Assuming you’re accessing the service (Peertube in this case) from a web browser and not an app - a thing I decided on “good enough” plus “easy enough” is Authentik sitting in front of the service.
Thought process is: Peertube or some other service’s first job is the purpose for the service, so security likely won’t be as good as a service who’s first job is security.
Authentik can also do stuff like OIDC if the service likes it - and you can chain them together. I’ve got services that hit Authentik 1st and then after you’re allowed to talk to service then you can log in with Authentik OIDC. Some services seem to do it seamlessly, some make you click a “log in with Authentik” again - either way painless enough. Everyone I know is haunted by the MS “remember this login y/n” page that pops up every time you log into some stupid MS thing and it never matters if you choose y or n, it’ll be back. So even 2 steps are chill in comparison for them.
Harden Authentik, and then you can apply it to any other service you want in the future too (maybe stirling PDF, don’t even need users for that). (Feel free to harden Peertube though too - just less important and likely not needed!)
IanTwenty@lemmy.world 1 week ago
Really good point. I see many selfhost instructions now that say ‘we don’t bother with HTTPS, just use a proxy to handle that’ and maybe auth should go the same way as in there’s good solutions that specialise in auth so it’s not worth each project doing it themselves.
Another good consideration. There is an early Peertube app but I doubt my users will be using it, web access is fine for this. Perhaps apps for things like Lemmy/Mastodon/Peertube etc will need to work better with these auth frontends in future.