ShortN0te
@ShortN0te@lemmy.ml
- Comment on Why do so many services require email configuration? 1 day ago:
Brother we have the opposite problem. You are not putting yourself in my shoes, or other people like me.
Bold claim. But no, I am putting myself in your shoes, and yes, there was also a time where I tried to work around hosting mail myself. But it's easy and no headache to set up.
- Comment on Why do so many services require email configuration? 1 day ago:
None of those things are necessary. Like I don’t even have email configured on my server because I don’t need it at all except when the developer unnecessarily integrates it to the extent that it breaks it.
Depending on the view, a functioning service, something like password reset, is necessary. Designing the software so that it can ship without a functioning password reset can or cannot make sense, depending on the design choices. Depending on what else gets sent via e-mail, designing the software around that can be challenging and burdening for the future of development.
If the setup requires you to set up e-mail, the software, and then also the developer, can always assume there is a communication path to the individual user.
As I said, it can and cannot make sense, but saying
That makes no sense.
and not even trying to put yourself into other shoes just does not make sense.
- Comment on Why do so many services require email configuration? 1 day ago:
Why wouldn’t you give users the option to not use it?
Since then you would need another way to achieve the goals e-mail does, like password resets, user invitations etc. That's all software burden for that one user that does not want it.
Setting up email is a pain in the ass, costs money, is dependent on 3rd parties, violates privacy, and is just completely unnecessary.
None of these I would actually say. To work around it you can just simply set up a locally reachable Postfix. Done. You can set up a complete local mail server with a few clicks.
Choose the software you want to use wisely and don't jump to the first solution you find when you are that picky about your requirements. If you are so reluctant about e-mail and the service requires it, then maybe the design goals of the software do not fit your goals.
- Comment on How often do you update software on your servers? 2 weeks ago:
And for containers auto updates once every day.
- Comment on How often do you update software on your servers? 2 weeks ago:
Got apticron set up on my servers or similar solutions to get notified when updates are available. Then usually, from time of notification +1 or 2 days.
- Comment on Have you tried self-hosting your own email recently? 1 month ago:
I host my mail with mailcow and it is almost set and forget. I only had a couple issues with some mail providers, but a small email exchange with the admins cleared that up.
I have a handful of users that have not complained about anything not working, or spam, or whatever 🤷♂️
- Comment on Important Notice of Security Incident 2 months ago:
Besides that, security by obscurity is the worst possible form and barely qualifies as security at all.
In fact, security by obscurity is not security at all. In this case it should be authenticated, or at the very least actually use a random string like a UUID. But changing the root path does prevent it from being exploited. Not perfect, but a temporary solution.
It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.
Another place? What else? You mean setting up your own server? That is in fact your responsibility.
- Comment on The Future is NOT Self-Hosted 3 months ago:
End-to-end encryption means the service provider can’t see your data even if they wanted to
Not necessarily. All it means is that intermediaries can’t see the data in transit. You need to trust that the data is handled properly at either end, and most service providers also make the apps that you run at either end.
This is incorrect. End-to-End is defined as from “User to User” and not “User to Service provider”. That would be just transport encryption.
- Comment on set up local DNS using Pi-hole + nginx + audiobookshelf 3 months ago:
I switched to AdGuard, yes. But you can just give Pi-hole a dnsmasq config file. The underlying DNS server Pi-hole uses does support those.
Just mount the file via a docker volume. I will have to look up the exact paths. Config would look like
address=/domain.tld/192.168.0.1
- Comment on set up local DNS using Pi-hole + nginx + audiobookshelf 3 months ago:
Based on your screenshot from the NPM dashboard there seems to be something wrong. In the setup window you show that you forward the traffic with HTTP and port 80; in the dashboard screenshot you forward the traffic with HTTPS and port 80.
Just skip HTTP and self-signed certificates altogether. Modern browsers make it a pain to use non-HTTPS sites. A simple domain setup with a DNS ACME challenge is a little bit of a hassle but worth the hour(s) of invested time, especially with NPM where it is a set-and-forget option.
Does Pi-hole support wildcard DNS entries yet? To my knowledge the GUI only supports single entries, so you have to enter every subdomain manually in Pi-hole that you want to have forwarded. A workaround would be to use a dnsmasq config file or use something else like AdGuard.
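As an added example (not code from the comments above or from Pi-hole/dnsmasq), this POSIX shell function applies the semantics of the `address=/domain.tld/ip` rule mentioned in the two Pi-hole comments: one rule answers for the domain and every subdomain under it, and the most specific rule wins. The config, names and IPs are constructed.

```shell
# Constructed dnsmasq fragment (not anyone's real config): one address= rule
# per line; dnsmasq applies each rule to the domain and all of its subdomains.
DNSMASQ_CONF='address=/home.lan/192.168.0.1
address=/audiobookshelf.home.lan/192.168.0.2'

# dnsmasq_lookup NAME [CONF]: print the IP of the most specific address= rule
# matching NAME, as dnsmasq would answer; return 1 (print nothing) if none does.
dnsmasq_lookup() {
    name=$1
    conf=${2:-$DNSMASQ_CONF}
    best_ip=''
    best_len=0
    while IFS= read -r line; do
        case $line in
            address=/*/*) ;;          # only address= rules are of interest
            *) continue ;;
        esac
        rule=${line#address=/}        # "home.lan/192.168.0.1"
        domain=${rule%%/*}            # "home.lan"
        ip=${rule#*/}                 # "192.168.0.1"
        case $name in
            "$domain"|*".$domain")
                # the domain itself or anything below it; longest domain wins
                if [ ${#domain} -gt "$best_len" ]; then
                    best_ip=$ip
                    best_len=${#domain}
                fi
                ;;
        esac
    done <<EOF
$conf
EOF
    [ -n "$best_ip" ] && printf '%s\n' "$best_ip"
}

dnsmasq_lookup nas.home.lan   # prints 192.168.0.1 via the home.lan rule
```

Any new host under home.lan resolves without touching the config, which is the single-entry limitation of the GUI that the comment describes.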
- Comment on PSA: If the first Smart Search in Immich takes a while 4 months ago:
It usually is the directory where you execute the docker compose command.
- Comment on Jellyfin over the internet 4 months ago:
And which of those are actually vulnerabilities that are exploitable? First, yes, of course unauthenticated endpoints should be fixed, but with those there is no real damage to be done.
If you know the media path then you can request a playback, and if you get the user IDs then you can get all users. That's more or less it.
Good? No. But far from making it a poor choice to expose it.
- Comment on Jellyfin 10.11.0 RC2 now available 4 months ago:
Performance is not the goal, but cleaner and more manageable code. Both will ultimately lead to better performance, though. Up to now it was basically impossible to change something in the database structure, since it was hard to estimate the impact of it.
- Comment on Jellyfin 10.11 RC1 Released 5 months ago:
… and may also break compatibility with previous 10.Y releases if required for later cleanup work.
If you read through the whole paragraph, it is clear that they mean the compatibility of previous Jellyfin versions.
Also, again:
Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility,
That means that the code is not cleaned up with that release.
If you released 11 before the code is considered cleaned up, you would basically break your own defined versioning convention. That is best decided by the active maintainers.
- Comment on Jellyfin 10.11 RC1 Released 5 months ago:
Consider the 10.y.z simply to be 0.y.z and everything works out.
Jellyfin inherited a lot of shitty code and architecture from Emby. They simply cannot guarantee anything across patches until it is sorted out.
IMHO much better than releasing major version after major version because they break stuff regularly.
- Comment on Jellyfin 10.11 RC1 Released 5 months ago:
Also for internal use. The original Emby source did not use standardized database access within the code base.
Basically, changes to the database were not possible, since finding references across the code base for which part uses which values was impossible.
- Comment on Jellyfin 10.11 RC1 Released 5 months ago:
Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility,
It's right there at the link you posted.
- Comment on Friendly reminder that Tailscale is VC-funded and driving towards IPO 5 months ago:
Tailscale offers way more than just WireGuard: ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional WireGuard, others cannot.
- Comment on Syncthing alternatives 5 months ago:
Really surprised about this. I have been using Syncthing for many years now on various devices and never encountered issues with it. And also, file sync is not a backup solution.
- Comment on What OS should I use for self-hosting that doesn't require extensive terminal knowledge? 6 months ago:
Still the same, but AFAIK they now somewhat support running ZFS.
- Comment on How to harden against SSH brute-forcing? 7 months ago:
Do you want to prevent brute forcing, or do you want to prevent the attacker getting in?
If you want to prevent brute forcing then software like fail2ban helps a little, but this is only an IP-based block, so with IPv6 this is not really helpful against a real attack, since rotating IP addresses is trivial. But it can still slow down the attacker. Also, limiting the number of sessions and auth tries does significantly slow down the attacker.
If you just want to not worry about it, set strong passwords, and when it is a multi-user system where other people might access it, configure public key auth so you can be sure the other users have strong passwords (or keys in this case) to authenticate.
With strong passwords or keys it is basically impossible to brute force your way in with SSH.
- Comment on Do I really need a firewall for my server? 7 months ago:
You do not even need a port-based firewall when the server is open to the internet.
When you configure the software to not have unnecessary open ports on the internet-connected interface, then a port-based firewall provides zero additional security.
A port-based firewall has the benefit that you can lock everything down to the few ports you actually need, and do not have to worry about misconfigured software.
For example, something like Docker circumvents ufw anyway. And I know people that had open ports even though they had ufw running.
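Added example, not from the comment: the check that catches the "open ports even though ufw was running" case is to look at what is actually bound on non-loopback addresses and compare it with the ports you meant to expose. The function below does that over constructed `ss -tlnH` output (the socket lines are made up); on a real host pipe `ss -tlnH` into it.

```shell
# Constructed `ss -tlnH` output (not from a real host): state, queues, local
# address and peer. Port 5432 is bound to loopback only; 8080 and 9000 are not.
SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:5432 [::]:*
LISTEN 0 4096 *:9000 *:*'

# unexpected_listeners "ALLOWED PORTS" [SS_OUTPUT]: print every TCP socket that
# listens on a non-loopback address with a port outside the allow list, and
# return how many there were (0 = nothing unexpected is reachable).
unexpected_listeners() {
    allowed=" $1 "
    out=${2:-$SS_OUTPUT}
    n=0
    while read -r _state _recvq _sendq local _peer; do
        [ -n "$local" ] || continue
        port=${local##*:}        # text after the last colon is the port
        addr=${local%:*}         # everything before it is the address
        case $addr in
            127.*|'[::1]') continue ;;   # loopback only: not reachable from outside
        esac
        case $allowed in
            *" $port "*) continue ;;     # a port you intended to expose
        esac
        echo "unexpected listener: $local"
        n=$((n+1))
    done <<EOF
$out
EOF
    return $n
}

unexpected_listeners "22 443" || echo "$? unexpected listener(s)"   # 2 here
```

Docker publishes ports with NAT rules in addition to the docker-proxy sockets, so also review the DOCKER chain in the nat table (`iptables -t nat -L DOCKER -n`) rather than trusting ufw's own list.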
- Comment on Plex is locking remote streaming behind a subscription in April 7 months ago:
I can see where they are coming from, but I do not understand it. Remote streaming was free and is now only available via a subscription or the lifetime pass. So it is locked behind a subscription. Of course it is more nuanced, but the title expresses really cleanly what the topic is.
- Comment on Plex is locking remote streaming behind a subscription in April 7 months ago:
Clickbait (also known as link bait or linkbait) is a text or a thumbnail link that is designed to attract attention and to entice users to follow (“click”) that link and view, read, stream or listen to the linked piece of online content, being typically deceptive, sensationalized, or otherwise misleading.
en.wikipedia.org/wiki/Clickbait
Title is not really deceptive or misleading.
- Comment on Plex is locking remote streaming behind a subscription in April 7 months ago:
That is not really covering the topic for everyone; this only covers the article for people who are already paying for the pass.
Not seeing how this is clickbait. The title sums it up on point.
- Comment on Enshitification of CrowdSec 7 months ago:
At the same time CrowdSec heavily benefits from the big free user base, since they ‘crowdsource’ their threat detection.
- Comment on Disposing of failed HDDs 7 months ago:
Just a simple hole renders them useless. The only method to reconstruct them from there would be some kind of SEM or AFM, which would still take weeks to months to years depending on the size/density of the drives.
Even just opening them up and smacking the disks would be sufficient.
Next time just encrypt them.
- Comment on How do you keep track of vulnerabilities? 8 months ago:
For the most critical infrastructure, like my mail, I subscribe to the release and blog RSS feeds. My OSs send me update notifications via mail (apticron); those I handle manually. Everything else auto-updates daily.
You still need to check if the software you use is still maintained and receives security updates. This is mostly done by choosing popular and community-driven options, since those are less likely to get abandoned.
- Comment on Encrypted backups to the cloud 8 months ago:
You have basically two options.
- Symmetric encryption. That means you use the same password/key for writing the backup and for reading the backup. Here you have to write the password somewhere; depending on the OS there are options like keychains or similar that can hold the password so that it is only available once you are logged in or have unlocked the keychain.
- Asymmetric encryption. That means you have different passwords/keys to read and write the backup. PGP is an example here. Here you can just simply use one key to write the backup; this key can become public and you do not have to worry about your backup, since it will only be readable with the second key.
I personally use Restic with a password that is only readable by the system root user, stored on the filesystem. Since I use full disk encryption, I do not have to worry too much about the secret being available in clear text at runtime.
- Comment on Good mail server for selfhosting 8 months ago:
Yes, that's why I said in theory. I doubt that many residential IPs are blacklisted, but still not optimal.
IPv6-only works, but there are probably many mail servers that are IPv4-only, so you will not receive mails from them.
If you are serious about it, rent a VPS or get a static IP on your residential connection.