Nyfure

As far as i understood tailscale funnel its just a TCP-tunnel.
So you handle TLS on your own system, which makes sure tailscale cannot really interfere.

If you already trust them this far, might aswell do the same with a VPS and gain much more flexibility and independence (you can easily switch VPS provider, you cannot really switch tailscale funnel provider, you vendor-locked yourself in that regard)

I’d connect the VPS and your home system via VPN (you can probably also use tailscale for this) and then you can use a tcp-tunnel (e.g. haproxy), or straight up forward the whole traffic via firewall-rules (a bit more tricky, but more flexible… though not that easy with tailscale… probably best to use TCP-tunnel with PROXY-Protocol).
This way you can use all ports, all protocols, incoming and outgoing traffic with the IP-Address of the VPS.

Tailscale might even already have something that can configure this for you… but i dont really know tailscale, so idk…

And as you terminate TLS on your home-system, traffic flowing through the VPS is always encrypted.

If you want to go overboard, you can block attackers on the server before it even hits your home-system (i think crowdsec can do it, the detector runs on your home-system and detects attacks and can issue bans which blocks the attacker on the VPS)

And yes, its a bit paranoid… but its your choice.
My internet connection here isnt good enough to do major stuff like what i am doing (handling media, backups and other data) so i rent some dedicated machines (okay, i guess a bit more secure than a VPS, but in the end its not 100% in your control either)

Many systems dont support subpaths as it can cause some really weird problems.
As you use tailscale funnels, you really want incoming traffic from the internet. I am not sure thats a good idea for e.g. homeassistant that is limited in access anyways.
Might aswell use tailscale and access the system over VPN.

And for anything serious i wouldnt use something like funnel anyways. Rent a VPS and use that as your reverse-proxy, you can then also do some caching or host some services there. Much simpler to deal with and full support for such things as you then have an actual public IPv4/IPv6 address to use.
Heck, dont even have to pay for it with the Oracle Always-Free system.

In an more ideal world, getting less money because people tip less, would push you to reconsider the job choice and ultimately switch to something more lucrative.
With less workers, the company would be forced to pay more to even get employes.

Problem with this idealised scenario is, it doesnt work in the US, because workers are getting screwed so much and have so little choices at those low paying jobs, they’d be the ones loosing massively in the short-term.
And with little support structures my the states and federal government, they would fail… and the 2 party system would fail them even harder, noone cares about them in the government… too much invested in fighting imaginary culture wars.

But then again, using less services of the business leads to the same outcome in the end, so even that wouldnt work well.
The business will always win in the short-term.
So as it is ineviteable, maybe its better to think long term anyways.

And everyone wants tips these days, no longer just a gratitude or paying low wage workers, but now also a ‘bid’… (sure not every worker might like relying on tips, but specially well paid servers prefer it as they make bank)
I dont see you getting iut of tipping either way very well without government intervention… which i dont see happening, but you have orher big issues too…

You can not only use that information for e.g. blackmail, but also to build material to manipulate you to do things without you knowing.
Information is a powerful tool.

Yes, you need an organization which signs your certificate, so it is trusted by default. This is our trust-anchor so we know the certificate presented was validated and it was given only to the website owner.
There are numerous around the world for that.
And if that is no longer offered, you can just not have your certificate signed, which means browsers will complain about it.
But you can trust your own certificate yourself. Or create your own certificate authority which can then sign other certificates for the community as their new trust anchor.
I think we would very quickly build the web-of-trust, but for certificates.

You can even not have certificates, but keep an weak form of TLS (no idea if browsers support TLS_DH_anon_*), but its still encrypted and can only be broken by an active Man-in-the-Middle-attack. (which is theoretically detectable later on)
Diffie-Hellman is an awesome key-exchange.

How much time do you have? Because even small models will take alot of time on that kind of hardware to spit out a long text…
And the small models arent that great. I think the current best and economic model would be a mistral, mixtral or dolphin.
If you got the power, nous-capybara is very good and “only” 34B parameters (loading alone needs like 40GB of memory).

I dont see how e.g. arch would be super hard to maintain.
There is a nice GUI program for installing programs and updates. (like many modern distros)
If you dont want to set everything up, go with Endeavour or Garuda.

I find rolling release to be easier to maintain and keep up to date than non-rolling.
Specially if you want up to date packages for desktop use.

Windows has a request assistance function? wtf… where is that found?
I only know Remote desktop tools and most of these work perfectly fine on linux as the client or even under Wine.

[Edit: woah, i did some rambling below here… not related to your specific case here, but some nice information maybe]

Linux as host is where it gets funny… bigger ones support X11, pretty much none support Wayland.
To be fair, its impossible to control mouse and keyboard under Wayland without root.
I think we now have some new desktop packages for gnome and kde which can do that, so now they need to be implemented.

But i dont see an effort being made for Wayland by the bigger providers in the near future… the market just isnt there and there is lots of uncertainty with the featureset.

Switched to Rustdesk a while back, works nicely as client, but only picture output with wayland as host.l as of now.
And i cannot copy&paste under wayland as client… even though it worked before…

The question then is, how much can you actually do in the shell.
Good luck setting up many programs that way when they soley rely on the GUI and documentation about configs or their database structure is nonexistant.

Works with something like Gouda and Emmentaler too, sure not as runny, but i guess less of a mess to eat :)

To be fair, windows development also included UI changes beneficial for users, so its not necessarily bad to copy those.
Of course there are many which are… questionable, we of course shouldnt copy those :D

Async is good because threads are expensive, might aswell do something else when you need to wait for something anyways.
But only having async and no other thread when you need some computation is obviously awful… (or when starting anothe rthread is not easily manageable)

Thats why i like go, you just tell it you want to run something in parallel and he will manage the rest… computational work, shift current work to new thread… just waiting for IO, async.

I am actually kinda ok with DDG, but the results are… not always very great and the second page is filled with weird websites related to my location…
Maybe i should try both Kagi and Searx

No, then they only handle your DNS setup, which is still okay in my eyes.
Its certainly far away from scanning all HTTP traffic. Not to forget the juicy metadata they get about the users across a big chunk of the internet, perfect tracking machine in a neat package with easy access by the government.

Convenience will kill the cat

I won’t be able to browse suggested videos

Whats funny, you do get recommendations on videos, so would be quite easy to grab the last 30 or so videos of your subscriptions and display some of those on the home-page.
But at that point… might aswell switch to Freetube/Piped

If its only you and you want best security, setup a VPN system. (Tailscale, Netbird, or others are quite easy)
If someone else should also, and you dont want everyone to have to use a VPN, then you can expose some services directly. Of course behind CGNat you need some third-party system to allow this (e.g. cloudflare or a rented server).

I am not a big fan of cloudflare, they are a huge centralized company, easily allowing tracking across websites with clear-text access and kinda discouraging learning how to secure things yourself (which you have to do anyways, because you are a service provider and only cloudflare is not enough if its still publicly accessible though them)
But in the end its your choice. They easily allow you as service provider to protect yourself from DDoS attacks or allowing IPv4 access when you are behind CGNat, things you just cannot easily do yourself, certainly not without costs.

i had arr in one stack and media in another.
Now in my kubernetes cluster everything is separated, but arr + torrent is in vpn and automatically uses the vpn-sidecar. And media (jellyfin + jellyseer) is separate.

Find the escapees, put them on the list or find a list including them for your particular use-case.
I dont have much things getting through, mostly small sites displaying things, so i just add a filter myself.

Afaik Ghostery was bought and started tracking its users… or was that another popular extension? Happened to alot of these… pretty sure it was Ghostery?

You can add lists in ublock…