Skip Navigation

InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)S

stratself

@ stratself @lemdro.id

Posts
4
Comments
88
Joined
6 mo. ago

  • How do I migrate my VPS out of Cloudflare?

    Jump

  • For the DNS provider I recommend https://desec.io/. It's a nonprofit running worldwide DNS servers, supports DNSSEC, and has a plugin for Lego. If your registrar supports DNSSEC as well, I'd recommend enabling it to protect from DNS forgery.

    For the DDoS protection I don't have a recommendation as they're all "just another SaaS", but maybe you could limit many more selfhosted things behind auth as to not expose more surface to potential scrapers.

  • NAT vs firewall at home

    Jump

  • If NAT already obfuscates my private addresses through translation, how would a potential adversary connect to anything beyond it?

    Not an expert but they can try compromising another device on your LAN as a proxy to your rig. Maybe pawn your router and have it open up random ports too. So per-device firewall is defense in depth.

    What "good" would my public IP do for a hacker if I have no ports forwarded?

    Is a firewall a second line of defense just in case I execute malware that starts forwarding ports?

    Malware doesn't need forwarded ports to the internet to function. It can just download a script to a compromised device and wreck havoc on LAN. So if you properly segment your devices and utilize endpoint firewalls it can limit the blast radius and does some detection stuff

    Edit: Don't think of NAT as proper firewall, it's just an easy way to share addresses via your router/modem. Your ISP's devices often block inbound connections from the internet by default but that's a firewall configuration, not a NAT

  • Question about accessing my services from corporate Network

    Jump

  • Beat me to it. This is likely the best way as 443 is ubiquitously unblocked on most networks

  • Self-hosting with an old laptop

    Jump

  • That doesn't seem to be too old of a laptop at all. One thing I'd say is to use an SSD as the main partition you run your apps on, as HDDs might be quite slow.

    If you wanna keep the VPS, you can use it as a public inbound gateway + outbound proxy for your homeserver, so traffic looks like it comes in and out of your VPS. I wrote some notes on setting up Tailscale in such a manner, but there's plenty of other options.

    If you don't wanna keep the VPS, you can front your inbound traffic with Cloudflare Tunnels, and use a commercial VPN to act as a proxy for outbounds. If you don't have any apps that make frequent network requests (e.g. a Matrix server), then a VPN may not be necessary

    You should leave SSH on, especially if if you wanna run it without a monitor, but use key auth and limit it to your LAN only

  • Unintended Proxy or Intermediary ('Confused Deputy') and Improper Input Validation in Conduit-derived homeservers

    Jump

  • Thanks for posting here. I'll update to continuwuity v0.5.0 immediately when I come back to Matrix

  • Suggestions for Community Organizing

    Jump

  • Non-federated Matrix server with rooms bridged to Discord/Whatsapp/Slack/whatever, so everyone can join.

    Use standard webapps for other stuff like polls, surveys, events etc and send the URL to an announcement channel. Not sure of exact solutions but if one app can do it all and send email reminders for them, thatd be great. Same can be done for VoIP with Jitsi links, or even Z**m links.

    Backup the databases if you need the chat logs. All of this should be doable with a small VPS, but a mini PCs cluster could be better

  • Router VPN? Express put to rest

    Jump

  • How did you exactly install Express on the router? Did you use an app or something of that kind?

    If the VPN provider has WireGuard support, you may wanna use a wireguard client software to connect to it. Flash OpenWRT on the router, install and configure a wireguard interface that connects to Express, then forward packets from behind LAN to that interface so they go through the VPN tunnel. A bit tricky for beginners, but I hope you can make it.

    Since OpenVPN protocol seems to become unsupported in the future, Wireguard should be the way to go. Mullvad/IVPN should also support it, and once you know how to set it up it should be usable across many services and devices.

    Do you recommend installing VPN apps on separate devices instead of the router?

    For flexibility I'd do this. In case I'd wanna switch upstream servers for a single device without affecting others.

  • What's the "proper" way to share a single Wireguard connection for all devices on the local network?

    Jump

  • If you can run WireGuard on all your devices, you may wanna set up a multihop node that forward outbound traffic to the VPN tunnel via that hub

  • Recommendations to replace AWS DNS?

    Jump

  • Desec.io is a solid option - it allows for various types of records like TLSA and SRV. It can also generate scoped API tokens e.g. for "only TXT records of the _acme-challenge subdomain of example.com" to use in automated cert renewals, so pretty good for granularity. It's also a nonprofit.

    I think selfhosting DNS is beneficial when you wanna control your own DNSSEC keys, but you'd need to account for high availability and safety. With that, you could do what's called a "hidden primary + public secondary" setup to protect your master DNS data from the public prying. You can even use 3rd-party services like ns-global.zone as your secondaries for redundancy and to reduce load on your infra, too. I recommend Technitium and their guidance if you wanna get started

  • Recommendations to replace AWS DNS?

    Jump

  • Those are not authoritative DNS providers where you can publish records...

  • Decreasing Certificate Lifetimes to 45 Days

    Jump

  • Technically something like DANE can allow you to present DNSSEC-backed self-signed certs and even allow multi-domain matching that removes the need for SNI and Encrypted Client Hello... but until the browsers say it is supported, it's not

  • How should I properly document my homelab?

    Jump

  • I write homelab docs mostly for user guidance like onboarding, login, and service-specific stuff. This helps me better design for people by putting myself in their shoes, and should act as a reference document for any member to come back to.

    Previously I built an Mkdocs-Material website with a nice subdomain for it, but since the project went on maintenance mode, I'm gonna migrate all docs back to a Forgejo wiki since it's just Markdown anyways. I also run an issue tracker there, to manage the homelab's roadmaps and features since it's still evolving.

    I find this approach benefiting compared to just documenting code. I'm not an IaC person yet, but I hope when I am, the playbooks should describe themselves for the nitty-gritty stuff anyways. I do write some infra notes for myself and perhaps to onboard maintainers, but most homelab developments happen in the issue tracker itself. The rest I try to keep it simple enough for an individual to understand

  • The ChromeOS of Linux: Basic use cases, impossible to break, ~1,000 happy(?) users, Nix based. Nixbook OS.

    Jump

  • Panasonic Let's Note, SV7 or SZ7 I think. Japanese domestic notebook for enterprises

  • Self hosted Onedrive alternative

    Jump

  • Nextcloud forked from the old PHP-based ownCloud stack, while Opencloud forked from the Infinite Scale Go-based stack. It also by default preserves the filesystem hierarchy on your server without needing a database, using a storage driver called PosixFS.

    The Windows clients currently do support selective syncing so it is on-par with OneDrive. Android client looks to be forked from old Owncloud, and has offline availability too.

  • How to bi-directionally sync KeePassXC DB between Android and Manjaro without propagating deletions?

    Jump

  • Try Syncthing with IgnoreDelete but note that it's unrecommended. Maybe use Syncthing as an append-only store

  • Looking for a selfhostable chat service that people on phone and computers can log onto

    Jump

  • due to it missing ideal features

    what features do you want? kindly elaborate

    XMPP with Snikket could be an easy solution. If you don't want to talk to the wider web make sure to disable federation.

  • Can Traefik be layered?

    Jump

  • It's entirely possible. If the 2 domains are different, you should look into SNI routing using the TCP router instead of HTTP. With the tls.passthrough flag, encryption is kept intact until it reaches the second proxy.

  • Local DNS on Pihole

    Jump

  • Pihole runs on dnsmasq right? Maybe you could create a cronjob to copy the underlying dnsmasq.conf to other Piholes

  • Technitium DNS v14 is released with support for clustering

    Jump

  • Ah, I see. Well I'm glad you found PiHole useful and stick to using it anyhow!