deepdive

@deepdive@lemmy.world

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨Kiteworks acquires ownCloud & Dracoon - Nextcloud⁩ ⁨⁨10⁩ ⁨months⁩ ago⁩:
As long as they continue to maintain the github repository and keep it free without any hidden ads/spyware or restrictions, I will continue to use their service.
⁨Comment⁩ on ⁨Do you run a private CA? Could you tell me about your certificate setup if you do?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Hey don’t worry :)

Yeah, this could be a time saver in case you should/need to revoke certificates in your homelab setup ! Imagine changing the rootCA store on 20 devices … Ugh !

Happy reading/tweaking ! Have fun !
⁨Comment⁩ on ⁨Do you run a private CA? Could you tell me about your certificate setup if you do?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:

Certificate chain of trust: I assume you’re talking about PKI infrastructure and using root CAs + Derivative CAs? If yes, then I must note that I’m not planning to run derivative CAs because it’s just for my lab and I don’t need that much of infrastructure.

An intermediate CA could potentially be useful, but isn’t really needed in self-signed CA. But in case you have to revoke your rootCA, you have to replace that certificate on all your devices, which can become a lot of hassle if you share that trusted root CA with family/friends. By having a intermediate CA and hiding your root CAs private key somewhere offline, you could take away that overheat by just revoking the intermediate CA and updating the server certificate with the newly signed Intermediate bundle and serving that new certificate through the proxy. (Hope that makes sense? :|)

I do not know what X.509 extensions are and why I need them. Could you tell me more?

This will probably give you some better explanation than I could :| I have everything written in a markdown file, and reading through my notes I remember I had to put some basic constraints TRUE in my certificates to make them work on my android root store ! Some a necessary to make your root CA work properly (like CA:True)

’m also considering client certificates as an alternative to SSO, am I right in considering them this way?

Ohhh, I don’t know… I haven’t installed or used any SSO service and thinking of MFA/SSO with authelia in the future ! My guess would be that those are 2 different technologies and could work together? Having self-signed CA with a 2FA could possible work in a homelab but I have no idea how because I haven’t tested it out. But thinks to consider if you want clients certificates for your family/friends is to have a intermediate CA in case of revocation, you don’t have to replace the certificate in their root store every time you sign a new Intermediate CA.

I’ll mention that I plan to run an instance of HAProxy per podman pod so that I terminate my encrypted traffic inside the pod and exclusively route unencrypted traffic through local host inside the pod.

I have no idea about HAProxy and podman and how they work to encrypt traffic. All my traffic passes through a wireguard tunnel to my docker containers/proxy which I consider safe enough? Listening to all my traffic with wireshark seamed to do exactly what I’m expecting but I’m not an expert :L So I cannot help you further on that topic. But I will keep your idea in my notes to see If there could be further improvement in my setup with HAProxy and podman compared to docker and traefik through wireguard tunnel.

Of course, that means that every pod on my network (hosting an HAProxy instance) will be given a distinct subdomain, and I will be producing certificates for specific subdomains, instead of using a wildcard.

Openssl SAN certificates are going to be a life/time saver in your setup ! One certificat with multidomian !

I’m just a hobby homelaber/tinkerer so take everything with caution and always double check with other sources ! :) Hope it help !
⁨Comment⁩ on ⁨Average Lemmy Active Users by Month⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Yeah… and sometimes you find some uttery shitty people who use multiple account to comment shame you or think they are better than you while having a self conversation on your post ! Uhhhg !
⁨Comment⁩ on ⁨Do you run a private CA? Could you tell me about your certificate setup if you do?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
If you want to run your own pki with self-signed certificate in your homelab I really encourage you to read through this tutorial. There is a lot to process and read and it will take you some time to set everything up and understand every terminology but after that:
- Own self-signed certificate with SAN wildcards (https://*.home.lab)
- Certificate chain of trust
- CSR with your own configuration
- CRL and certificate revocation
- X509 extensions
Put everything behind your reverse proxy of choice (traefik in my case) and serve all your docker services with your own self-signed wildcard certificates ! It’s complex but if you have spare time and are willing to learn something new, it’s worth the effort !

Keep in mind to never expose such certificates on the wild wild west ! Keep those certificate in a closed homelab you access through a secure tunnel on your LAN !
⁨Comment⁩ on ⁨Do you run a private CA? Could you tell me about your certificate setup if you do?⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Step CA is really nice if you want to learn more about how a real CA works. Had some fun playing with it but yeah it’s a bit overkill for home lab xD.

You can achieve the same result with openssl with less complexity !
⁨Comment⁩ on ⁨Disclosure of sensitive credentials and configuration in containerized deployments - ownCloud⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
That’s way exposing your home services to the internet is a bad idea. Accessing it through a secure tunnel is the way to go.

Also, they already “fixed” the docker image with an update, something todo with phpinfo…
⁨Comment⁩ on ⁨ownCloud becomes part of Kiteworks⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
I used nextcloud for a year or so, but found the web GUI/apps slow, bloated and sometimes way to buggy ! Switch to owncloud for the simplicity of only having a cloud system without to much bloat.

I just read through the seafile documentation and yeah this is also not going to happen. Maybe I should switch to a simple webdav server…
⁨Comment⁩ on ⁨ownCloud becomes part of Kiteworks⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Hummm… This kinda sucks ! Moving to seafile then ! Hope their native apps are as good as owncloud’s !
⁨Comment⁩ on ⁨Need help: accessing all my containers by name⁩ ⁨⁨11⁩ ⁨months⁩ ago⁩:
Yeah, nginx is way to overcomplicated if you aren’t familiar with it and using it on a daily basis in a coporate environment.

Traefik is elegant and simple when you get the basics, but lacks serious documentation for more complicated stuff.

Haven’t tried other proxies, but why should I, traefik works great and never had any relevant issues that would make me wanna change ! P
⁨Comment⁩ on ⁨Searching for a self-hostable podcast manager⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Have you managed to selfhost it ? Funkwhale looks great, but the installation process with another proxy than nginx in a container setup is far from ready and accessible to hobby selfhosters.

If you have no idea about proxies and headers forwarder… just don’t waste your time and go straight to audiobookshelf !
⁨Comment⁩ on ⁨Cosmos 0.12 major update⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
I tried it 3 months ago. It looked nice had some cool features, but It didn’t fit into my personal selfhosted Home server.

This is more or like to help non-tech savy people to secure their infrastructure, which is a good point, but can’t replace a complex wireguard, VPN, opnsense, 2FA , self-signed CA, docker installation.

It’s a bit like Nginx proxy manager, it’s good enough, does what it is suposed to do with minimal user inputs. Less prone to error, security issues…
⁨Comment⁩ on ⁨Scientists Are Researching a Device That Can Induce Lucid Dreams on Demand⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Wait until you experience your first astral projection ! But yeah, when I tried it a second time I’m also fell into sleep paralysis… Scary shit !
⁨Comment⁩ on ⁨Hey selfhosters, what are you selfhosting?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Here you go !
- Vaultwarden
- Searxng
- Nextcloud
- Smallstep (own CA for self-signed full chain certificates)
- Linkding
- Gotify + watchtower
- Adguardhome
- Traefik
- Wireguard
Took me to much time to make everything work perfectly together, but learned alot along the road ! Everything hosted on a old spare laptopt with docker containers.
⁨Comment⁩ on ⁨Data privacy: how to counter the "I have nothing to hide" argument?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
I has some degree of privacy. A better way to look at it is to say: It’s less worst ! But full privacy is to shut down all your connected electric aplliances, never connect to the web, sell your house and go living of the grid.
⁨Comment⁩ on ⁨Data privacy: how to counter the "I have nothing to hide" argument?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
You’re not weird ! Quite the contrary, we are on the right path to fight those greedy corporation !! To bad we’re the minority ://!
⁨Comment⁩ on ⁨Data privacy: how to counter the "I have nothing to hide" argument?⁩ ⁨⁨1⁩ ⁨year⁩ ago⁩:
Just self-host your toilet 😎