@Simon-RedditAccount

Simon-RedditAccount@alien.top · 10 months ago

Can’t you just install this type of app to your phone or pc?

For one instance of app, it’s possible to install it onto a single machine.

Things get tricky when you want to access the data from multiple devices. Even trickier, when several people want to access it. After a certain point, it’s easier to have a “cloud” solution. And since “cloud” is just somebody’s else computer, why not make this a computer YOU own?

Simon-RedditAccount@alien.top · 10 months ago

Lack of time or interest (or both) in: managing local DNS, using .home.arpa and running own CA.

It’s tricky (especially running your own CA in a proper way), and not everyone wants to do it. Also, running it in a proper way it requires knowledge, and some people don’t have it…

Actually, distribution of your root CA certificate is not that difficult.

NOTE: this addresses strictly OP’s question about LAN-only access. External access or varying devices used to access is a completely different story.

Simon-RedditAccount@alien.top · 10 months ago

Google Workspace. Not the cheapest, and also by Google (although they claim they don’t mine as much data from business accounts)
Zoho, $1.25/mo
iCloud+, $0.99/mo, but a bit limited (don’t remember whether they have catch-all etc).

Simon-RedditAccount@alien.top · 10 months ago

In theory, yes. That’s why most devices have those FCC / CE / etc stamps - these seals show that they have undergone EM compatibility testing and are most likely OK.

In this case, however, this looks like a kernel panic (as already said).

Simon-RedditAccount@alien.top · 10 months ago

Do you monitor network traffic?

Generally, no. But I seriously restrict container networking, most of my containers are unable to reach internet, unless absolutely necessary. Also, my firewall is not super-restrictive, but it is different from defaults :)

Sometimes I do some monitoring though.

Simon-RedditAccount@alien.top · 10 months ago

Privacy, Education, Being Cool. Also, there are some services that are not available commercially.

Simon-RedditAccount@alien.top · 10 months ago

Possible - yes.

Do you want it? Probably, no. Especially, SMTP. Better use something like Zeptomail (cheapest) for delivery.

You can still self-host the receiver.

Mandatory do-not-self-host-at-home notice: custom domain at skiff.com is free, iCloud+ Mail is $0.99 and Zoho is $1.25/mo.

Simon-RedditAccount@alien.top · 10 months ago

Yes, there are risks:

First, updates can break things. Already explained here.
Second, exposing Docker socket to Watchtower means you have to trust it ultimately. Any vulnerability in WT can lead to whole system compromise.

Personally, I use DIUN. It just sends me notifications about available updates. I update things manually later. My system is pretty well isolated from outside world, so no need to hurry.
On a VPS, I would prefer a different approach though.

Simon-RedditAccount@alien.top · 10 months ago

good-looking domains instead of IPs
tons of subdomains instead of ports
universally recognized TLS certs via Let’s Encrypt. DNS challenges are the way to go - you don’t even have to expose your HTTP server
dynamic DNS, again available via API
inbox@yourdomain.com (better not to self-host, but to use an email provider)

Simon-RedditAccount@alien.top · 10 months ago

Consider adding couple of screenshots or even a small sped-up GIF to the GitHub, right at the top. Also, GDrive video is loading extremely slow, better host it YouTube/Vimeo.

Congrats!

Simon-RedditAccount@alien.top · 11 months ago

T_JUNCTION for N5105 is 105 C.

You don’t need to cool it at least until it hits 80.

Simon-RedditAccount@alien.top · 11 months ago

Knowledgebase + OIDplus + scripts/configs in git repo.

I chose local instance of Wordpress for my knowledgebase a decade ago. Today I’d probably use Bookstack.

Simon-RedditAccount@alien.top · 11 months ago

As for your question itself - you probably want a reverse proxy. Almost any web server can act as a reverse proxy; nevertheless Caddy, Traefik and nginx do it better than others.

Caddy is extremely user-friendly. Take a look.

omv.home.arpa {
  reverse_proxy 10.0.0.2
} 
proxmox.home.arpa { 
  reverse_proxy 10.0.0.3 
} 
serviio.home.arpa { 
  reverse_proxy 10.0.0.4:23423 
} 
portainer.home.arpa { 
  reverse_proxy 10.0.0.4:9000 
}

All DNS “A” records for your domains should point to IP of machine where your Caddy is.

I personally use nginx.

Simon-RedditAccount@alien.top · 11 months ago

Not exactly a NUC - a fanless MSI Cubi N with Celeron N4000.

Bare metal Ubuntu Server running nginx + docker-compose for everything other.

Simon-RedditAccount@alien.top · 11 months ago

I asked EODdoUbleU on the parent comment here, but could you please reply to that question as well?

Simon-RedditAccount@alien.top · 11 months ago

Planning to use Yubikey for one of my subCAs. Do you know a good writeup on OpenSSL+Yubikeys?

Also, which Yubikey slot do you use for storing the cert/pkey?

Simon-RedditAccount@alien.top · 11 months ago

Finally! A ~~worth opponent~~ fellow who also cares about having proper OIDs and AIA :)

Simon-RedditAccount@alien.top · 11 months ago

This is the way

Simon-RedditAccount@alien.top · 11 months ago

Everything in my LAN is TLS-protected. Primarily because of convenience (no ‘unsafe’ warnings), unification (all I do everywhere is TLS). Also for learning purposes (I like challenges). Security is on the last place here (but is still important to me).

Probably your main threat is not people, but malware. Especially since they are not tech-savy. Remember how $35M of crypto assets were recently stolen: in the beginning it was a LastPass engineer who did not update his Plex instance.

Simon-RedditAccount@alien.top · 11 months ago

Probably not your case, but that’s what I use for my homelab:

OIDplus for keeping OIDs, IPs, .home.arpa subdomains etc
local-only Wordpress as a knowledgebase. Today I’d probably chose Bookstack, but it did not exist 11 years ago…