glizzyguzzler
@glizzyguzzler@piefed.blahaj.zone
- Comment on Self-hosting paradox: Windows for specifically MS word 2 days ago:
King, simply neg your collaborators into using overleaf
- Comment on How do I become one with the botnet 1 week ago:
SSH lets you remotely control a computer
It runs on port 22
If you forward port 22 to your computer, you will allow anyone on the internet to SSH to your computer.
You can do that pretty safely by disabling root login and disabling password logins - only using keys to SSH in.
You can join the borg botnet by enabling root login, setting a simple password (maybe even password as recommended!), and waiting.
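An added example, not from the comment above or from OpenSSH, that checks an sshd_config for the two settings this comment names (root login and password logins) with sshd's first-value-wins rule and Match blocks taken into account; the sample configs are constructed.

```python
"""Audit an sshd_config for the two settings the comment above turns on to
'join the botnet': root login and password logins. Added example, not OpenSSH
code or the poster's config; the sample configs are constructed. sshd rules
modelled: keywords are case-insensitive, the FIRST value of a keyword wins,
'#' starts a comment, lines after 'Match' apply only to matching connections."""

# Built-in OpenSSH defaults that apply when the keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return (globals, conditional): globals maps lowercased keyword to the
    first value seen before any Match line; conditional lists the (key, value)
    pairs that appear inside Match blocks."""
    globals_, conditional, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif in_match:
            conditional.append((key, value))
        elif key not in globals_:
            globals_[key] = value
    return globals_, conditional


def audit_sshd_config(text):
    """Return findings; an empty list means root and password logins are off."""
    settings, conditional = parse_sshd_config(text)
    findings = []
    for key, name in (("permitrootlogin", "PermitRootLogin"),
                      ("passwordauthentication", "PasswordAuthentication")):
        value = settings.get(key, DEFAULTS[key]).lower()
        if value != "no":
            findings.append(f"{name} is '{value}' (want 'no')")
    for key, value in conditional:
        if key in DEFAULTS and value.lower() != "no":
            findings.append(f"Match block sets {key} {value}; review who it matches")
    return findings


# Constructed configs: the 'join the botnet' recipe and a hardened counterpart.
BOTNET_BAIT = "PermitRootLogin yes\nPasswordAuthentication yes\n"

HARDENED = """
PermitRootLogin no
PasswordAuthentication no
# the next line is ignored: sshd keeps the first value it read
PermitRootLogin yes
"""
```

An empty file is reported too, because sshd's default still leaves password logins enabled.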
- Comment on How do I become one with the botnet 1 week ago:
King, all you must do is set up root ssh access with a short password and port forward port 22 to it. Super easy, super quick!
For extra spice, I’d recommend also hitting your hard drives with a hammer once or twice a day. They just don’t like vibrations; you’ve gotta weed out the weak ones. Only the strong data will survive.
- Comment on How do I avoid becoming one with the botnet? 1 week ago:
The only thing that can get hacked is something that responds on the World Wide Web.
So you limit the scope of what talks to the WWW:
Wireguard VPN will not respond unless the magic keys are correct, it’s ideal security and obscurity. Put everything you can behind it.
For things I want on the WWW without a VPN, I split out two options otherwise.
1) Caddy checking mTLS certificates that basically allows a device access without extra steps - relying on Caddy to be strong and mTLS to be strong.
2) Authentik’s proxy check, I think Authelia has this too, but to access a site you hit an Authentik login first.
For both of those, you rely on those services not having 0-day hacks. More likely for these services to stay ahead of the game and/or fix quick than something that doesn’t exist just to do authentication. I run them in containers that are run by independent users and are read-only with capabilities limited, in a VM.
I’d say the Caddy route is more secure than Authentik, but it needs more effort to setup the certificate stuff. Authentik route needs a web browser to log in with. Obviously the WG VPN is primo.
- Comment on Is there a self hosted mTLS manager? 4 weeks ago:
Gotchya, so at the reverse proxy stage you have a pathway for “if they have the mTLS certificate, allow in” to let you access your stuff from outside your local network?
- Comment on Is there a self hosted mTLS manager? 4 weeks ago:
I’ve found Authentik’s proxy will break things that don’t support it (like a Jellyfin app; afaik no app supports hitting an Authentik proxy login first). Do you have a way around that? Or are the friends/fam web-browser only unless they get around to the certificate?
- Comment on Is there a self hosted mTLS manager? 4 weeks ago:
If you feel up for answering, what is your use case for wanting to manage your own mTLS?
- Comment on Tuvix - Self-Hosted RSS Aggregator 2 months ago:
I am loving OIDC giving a single login for all the things I’ve got going, I see it as a near-essential for adding new services!
Read-only is easy! You just need to confine where the writes happen. You use volumes for stuff you want to remember was written and tmpfs for stuff you don’t want to remember. Tmpfs for /tmp if needed, volume for the DB, good to go. It is super useful for security since only what is included in the container can be executed, greatly reducing the attack area. No way to introduce a new executable to the container! (you set noexec for tmpfs/volumes)
I’ve seen difficult setups like a “work directory” where key files, executables, and temp files go. That structure can’t be secured, avoid that. Basically the temp files go in somewhere that’s not a big pile of a “work directory” - like /tmp - and then that structure once again works!
Of course I wouldn’t say no to an LCARS theme either…
- Comment on Tuvix - Self-Hosted RSS Aggregator 2 months ago:
Any plans for OIDC and read-only/non-root/no-cap container running?
- Comment on [deleted] 2 months ago:
I have a USB drive with the key on it. The primary purpose for LUKS for me is so that drives I replace don’t need to be wiped, so I just leave the USB drive in all the time. Makes it so it boots automatically.
If I lived in a place I owned, I’d stash a rpi somewhere deep and have it do network dropbear automatic unlock to protect the data if the server is nicked. Till then it’s yolo
- Comment on Home Assistant Connect ZBT-2 - A USB adapter that plugs into your Home Assistant system and opens up a world of smart device options 2 months ago:
The smlight slzb-mr2 does both and is PoE - makes it more robust. HA comp goes down? Restarts? USB port change and now the passthrough fails? With an independent LAN coordinator the zigbee network is fine. I don’t have threads stuff (yet) but I assume the same applies.
I’ve had no issues, the Ukrainians already got this solved. Get from Ali express (Ukrainians don’t produce them, they’re busy being bombed)
- Comment on [deleted] 4 months ago:
Arch’s design is key for user devices - it gets you the fixes you need now with good enough guard rails that usually it’s all good!
But that’s not the design you want for a 24/7 server that’s likely headless. You want that server to have the security updates and to get them installed asap without worry about stability. Literally for years now I’ve never had unattended upgrades cause any issue, and I’ve taken that system from 11 to 13 now. And I’ll look at it in a month (maybe) while it continues to do DNS and serve up vidz
Debian on a laptop would be akin to a skeleton waiting on food/water; you’ll get that fix for sleep in 14 (maybe). It’s workable - just like Arch is workable for a server - but it’s just not the ideal role.
Both designs exist for a reason though, and that’s cause they both have their strengths!
- Comment on [deleted] 4 months ago:
Reading that is wild
Why are you doing Arch on a server? You want to tinker forever and read the update notes like a hawk lest the server implode forever?
Arch isn’t gonna be noticeably leaner than Debian.
Get Debian, install docker and/or podman, set unattended upgrades, and then install Incus if you need VMs or containers down the line. You can stick on ZFS and it’ll be fine, you already have BTRFS for basic mirrors. Install Cockpit and you’ll have a nice GUI. Try not to think you have to fiddle with settings, the maintainers for each package/service have set it so it works for most people (and we’re most people!); you’ll only need to intervene on a handful of package configs. All set and it’s not proprietary.
- Comment on How do you secure your home lab? Like, physically? From thieves? 4 months ago:
One of the best uses of encryption is that you can pull drives that die and not have to try to wipe them as they die or smash them. They’re encrypted so it’s just gibberish. Mostly the reason to encrypt.
I auto-unlock with two things: a USB drive I put in the computer that it looks for and another computer on the network that hosts an unlock file. I’m not defending against nation-states or the Gestapo, regular rubes won’t notice the pi zero hidden that hosts the network file. USB drive is for just-in-case so I don’t have to type that long ass password ever.
I didn’t try hard, but I’m not sure how to make auto-unlocking more secure.
- Comment on How do you secure your home lab? Like, physically? From thieves? 4 months ago:
I put a tiny NAS in my parents’ house (cheapest ARM synology 2-bay). It backs up their computers (a first, of course, but the photos are safe now!) and my server sends its TBs to there too. Upfront is large because you need to put in two big drives plus a lil NAS. But no $/mo, thanks parents.
For over a few TB Hetzner and the like really hit hard (€21/mo for 10TB at Hetzner storage box). Depends how much disposable income you have/want to ensure data is good. Nowadays €21/mo is like 1 Disney/Hulu/bullshit, that price is obviously overinflated but it makes you feel less bad about spending it on cold, hard, remote backups of your big ass data.
- Comment on Best practice for connecting lots of HDD to motherboards with few SATA ports? 4 months ago:
Ignore the peeps saying not to use a regular pci-e card. Old recc, ASmedia ones are ideal good for 4-6 ports. 8+ you need to dabble in LSI shenanigans. The ASmedia ones use way less power and are worth it if you don’t need 8+ ports. You get all the features you want, they look and act like real SATA ports.
Check these guides (not just applicable to unraid, I don’t use unraid, but they cater towards a “ez straightforward” crowd so they make relatively concise and vetted info dumps):
https://forums.unraid.net/topic/102010-recommended-controllers-for-unraid/
- Comment on Chhoto URL v6.3.0 is out now: A simple, blazingly fast, selfhosted URL shortener with no unnecessary features; written in Rust. 5 months ago:
Yes that tracks with how OIDC setup works with my other services (you give the container the OIDC links and shared secrets so it knows how to talk to the OIDC and trust it).
- Comment on Chhoto URL v6.3.0 is out now: A simple, blazingly fast, selfhosted URL shortener with no unnecessary features; written in Rust. 5 months ago:
I am digging this, thanks for keeping it updated and improving it!
I see that you say it's feature complete / no user stuff; but it'd really mesh well if it took OIDC authentication. Don't need it to make users or anything, just instead of the password popup the OIDC provider is asked for confirmation that whatever user registered with the OIDC is logged in. That'd let me leverage extra 2FA protection from the OIDC provider and juice on that one-login life.
Now I have no experience making OIDC crap work nor how it even works behind the scenes, so I can't help :( sorry; just wishful thinking.
Also saw on your github - hope our newly shit-out gestapo don't bother you!
- Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀 5 months ago:
Not if you annotate your data volume with said ‘noexec’ which prevents execution from anything in the data volume. It looks like this, you can slam it on any volume you like - no volumes should have executables in them anyways.
Also I’m pretty sure ‘noexec’ is the default, so that’s by default protected. But I can’t confirm that from a quick search so not 100% on that.
‘/mnt/data:/container/place/it/wants:rw,noexec,nosuid,nodev,Z’
‘rw’ means read/write. You can change it to ‘ro’ for read-only if the volume shouldn’t write to it (maybe a config file).
Z is for selinux that means “only one program can read/write to this”. You can change it to ‘z’ lowercase in case more than one needs to read/write. Only case I’ve found for little z is crowdsec needing to watch Caddy’s log for blocking.
- Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀 5 months ago:
As always you store data you want to keep in the volumes section.
With read-only you prevent new binaries from being added in the image space. You can add ‘noexec’ to your volumes/tmpfs preventing binaries to the areas that are writable. Then ideally you are using an image with minimal surface area (e.g., only sh and the exact binaries needed to make it go) and it’s very secure! It’s still plenty secure without a minimal image.
- Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀 5 months ago:
Thanks! This’ll def help me get tooled up for podman :)
- Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀 5 months ago:
Care to share your quartet? I’m just getting into the quads with trixie out - and I haven’t gotten this working yet…
- Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀 5 months ago:
Great to hear! It’s seriously slick and “just works”. With those security features up you can tout them on the cloud offering too :)
- Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀 5 months ago:
No what I said isn't about user registration; it's about adding these to the docker-compose.yml:
read_only: true
user: 6969:6969
to prevent running as root and making the file system read-only. The API needs to be exposed without a VPN or other proxy login since my parents' can't handle that, so if I was able to implement these recommended security steps I'd feel like I could open up the container to the internet at large without too much risk.
Per this issue https://github.com/linkwarden/linkwarden/issues/799 it seems like there's a lot of steps to take to get these settings to work.
It would be also ideal if I didn't have to give the container (but not a deal-breaker):
cap_add:
  - CAP_SYS_ADMIN
  - CAP_SYS_CHROOT
as the issue also states is required for the headless chrome scraper browser.
I am using it internally now and it's really good, but to open it up for my parents (which I think they'd dig) I'd definitely want these security settings on without major issues. Linkwarden is an internet-facing application so these recommended security practices are in its wheel-house, feature-wise, as well.
Hope that helps clear up my comment!
- Comment on Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀 5 months ago:
This is a fantastic tool, but I’d love to confidently expose the API to the internet for the shortcut. To do that you need read-only and running as a user; I saw that that’s not a thing that works from the issues.
Any thoughts on getting those security features working? Cause the app itself is so smooth I’d let my parents use it and be confident they wouldn’t need to be herded constantly.
- Comment on Your fav guide/method for securing Jellyfin? 5 months ago:
I’ve been thinking about using client-side certificates that are validated by Caddy to bypass the Authentik wall (proxy provider) I use. I’ll give it a shot some time, it’s a good idea
- Comment on Your fav guide/method for securing Jellyfin? 5 months ago:
Other user summarized very well.
No I have accrued knowledge of those things over time, no one stop shop that I know of. But knowing these things exist and their general use are half the battle!
I was lazy with the “Authentik wall” because I couldn’t remember what they called it. It is the “proxy” option in their “provider” section https://docs.goauthentik.io/add-secure-apps/providers/proxy/ . There are many guides for Authentik at least, it’s complicated but you only need to do specific things for it to work - and most tell you and the rest are applicable via matching similar looking things.
OIDC is an open login protocol many things support. I think jellyfin can use it with a plugin, but keep in mind that regular user creation still exists so it’s not a security and convenience feature like for most things, it’s just a convenience feature.
DMZ is demilitarized zone. I used the acronym to mean a gap between your system and a system that deals directly with the outside Internet. That gap is the VM separation. LXC containers and docker containers do not have that separation, I deploy Internet-facing stuff in a VM as extra insurance in case they get zero-day-hacked; it means the rest of my server will hopefully not get ransomwared.
Incus is an alternative to proxmox, but less needy since it doesn’t require its own Linux kernel. Zabbly is a package source (vs built-in Debian sources) that has the web ui in it. See their documentation for installation, it tells you how to add the Zabbly package; use the “stable” version if you do use incus.
“In the compose” means in the docker-compose.yml file.
‘Cap-drop: all’ is an entry you can make in the docker-compose file. It increases security. All of the ones I listed are entries you can add to the docker-compose file. You’ll likely need a
tmpfs:
  /tmp
In the compose file you use read only.
Podman is the superior alternative to docker, and Podman quadlets are a way to deploy containers (they have a couple ways, like docker does - you don’t need a docker-compose.yml file to run docker containers). But it’s new and doesn’t have the community knowledge support via searching like docker does.
Hope that helps!
- Comment on Docker or Proxmox? Something else entirely? 5 months ago:
Thanks for the links! I had no idea there were special settings needed
- Comment on Your fav guide/method for securing Jellyfin? 5 months ago:
I am not familiar with deploying client side certificates unfortunately. I hope it works, if the certificate is at the OS level and the application will use it, I feel it will work… not sure, in-browser feels straight forward at least
- Comment on Your fav guide/method for securing Jellyfin? 5 months ago:
Reading jellyfin’s issues it’s clear its web UI and API cannot be allowed to talk to the general internet.
I’d push for a VPN solution first. Tailscale or wireguard. If you’re happy with cloudflare sniffing all traffic and that they may take it away suddenly someday use their tunnel with authentication.
The only other novel solution I’d suggest is putting jellyfin behind an Authentik wall (not OIDC, though you can use OIDC for users after the wall). That puts security on Authentik, and that’s their only job so hopefully that works. I’d use that if VPN (tailscale or wireguard) are problematic for access. The downside is that jellyfin apps will not be able to connect, only web browsers that can log into the Authentik web ui wall.
Flow would go caddy/other reverse proxy -> Authentik wall for jellyfin -> jellyfin
I’d put everything in docker, I’d put caddy and Authentik in a VM for a DMZ (incus + Zabbly repo web ui to manage the VM), I’d set all 3 in the compose to read-only, user:####:####, cap-drop all, no new privileges, limited named networks.
Podman quadlets would be even better security than docker, but there’s less help for that (for now). Do docker and get something working to start, then grow from there
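An added example, not Linkwarden's, Jellyfin's or any project's compose file, that audits a compose service for the settings listed in this comment and explained in the read-only/noexec/tmpfs comments above (read_only, a non-root user, cap_drop all, no-new-privileges, noexec on every writable mount); the service dicts are constructed to mirror a parsed docker-compose.yml, and the 6969 UID is the placeholder used in the earlier comment.

```python
"""Audit a docker-compose service for the hardening settings from the comments
above: read_only, a non-root user, cap_drop all, no-new-privileges and noexec
on every writable mount. Added example, not any project's compose file; the
service dicts are constructed to mirror a parsed docker-compose.yml."""


def mount_options(entry, path_parts):
    """Option set of a short-syntax mount string: the comma list after the
    path part(s). volumes are SRC:DST[:opts] (path_parts=2); tmpfs entries
    are DST[:opts] (path_parts=1), the form `docker run --tmpfs` accepts."""
    parts = entry.split(":")
    return set(parts[path_parts].split(",")) if len(parts) > path_parts else set()


def audit_service(svc):
    """Return findings for one compose service; empty means all checks passed."""
    findings = []
    if svc.get("read_only") is not True:
        findings.append("read_only: true missing (image filesystem stays writable)")
    uid = str(svc.get("user", "")).split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("user: missing or root (set a non-zero UID:GID)")
    if not any(c.upper() == "ALL" for c in svc.get("cap_drop", [])):
        findings.append("cap_drop: [ALL] missing")
    for cap in svc.get("cap_add", []):
        findings.append(f"cap_add grants {cap}; confirm the app really needs it")
    if not any(o.startswith("no-new-privileges") for o in svc.get("security_opt", [])):
        findings.append("security_opt: no-new-privileges:true missing")
    for vol in svc.get("volumes", []):
        if "noexec" not in mount_options(vol, 2):
            findings.append(f"volume {vol} lacks noexec")
    for tmp in svc.get("tmpfs", []):
        if "noexec" not in mount_options(tmp, 1):
            findings.append(f"tmpfs {tmp} lacks noexec")
    return findings


# Constructed: a service as many images ship it (root, writable, full caps).
WEAK = {"image": "example/app:latest", "volumes": ["/mnt/data:/app/data"]}

# Same service with the settings from the comments applied. The noexec/nosuid/
# nodev volume flags follow the podman volume string quoted in an earlier comment.
HARDENED = {
    "image": "example/app:latest",
    "read_only": True,
    "user": "6969:6969",  # placeholder UID:GID; any non-root pair works
    "cap_drop": ["ALL"],
    "security_opt": ["no-new-privileges:true"],
    "tmpfs": ["/tmp:noexec,nosuid,nodev,size=64m"],
    "volumes": ["/mnt/data:/app/data:rw,noexec,nosuid,nodev,Z"],
}
```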