• 0 Posts
  • 14 Comments
Joined 1 year ago
cake
Cake day: June 22nd, 2023

help-circle




  • Passwords will be brute forced if it can be done offline.

    Set a good high entropy password, you can even tie it to your login password with ssh-agent usually

    Private SSH keys should never leave a machine.

    If this actually matters, put your SSH key on a yubikey or something

    If a key gets compromised without you knowing, in worst case you will revoke the access it has once the machine’s lifespan is over.

    People generally don’t sit on keys, this is worthless. Also knowing people I’ve worked with… no, they won’t think to revoke it unless forced to

    and you will never revoke the access it has.

    Just replace the key in authorized_keys and resync

    And you may not want to give all systems the same access everywhere

    One of the few reasons to do this, though this tends to not match “one key per machine” and more like “one key per process that needs it”

    Like yeah, it’s decent standard advice… for corporate environments with many users. For a handful of single-user systems, it essentially doesn’t matter (do you have a different boot and login key for each computer lol, the SSH keys are not the weak point)








  • I use Caddy as a reverse proxy, but most of this should carry over to nginx. I used to use basic_auth at the proxy level, which worked fine(-ish) though it broke Kavita (because websockets don’t work with basic auth, go figure). I’ve since migrated to putting everything behind forward_auth/Authelia which is even more secure in some ways (2FA!) and even more painless, especially on my phone/tablet.

    Sadly reverse proxy authentication doesn’t work with most apps (though it works with PWAs, even if they’re awkward about it sometimes), so I have an exception that allows Jellyfin through if it’s on a VPN/local network (I don’t have it installed on my phone anyway):

    @notapp {
      not {
        header User-Agent *Jellyfin*
        remote_ip 192.160.0.0/24 192.168.1.0/24
      }
    }
    forward_auth @notapp authelia:9091 {
      uri /api/verify?rd=https://authelia.example
    }
    

    It’s nice being able to access everything from everywhere without needing to deal with VPNs on Android^ and not having to worry too much about security patching everything timely (just have to worry about Caddy + Authelia basically). Single sign on for those apps that support it is also a really nice touch.

    ^You can’t run multiple VPN tunnels at once without jailbreaking/rooting Android



  • An RSS reader (I use Miniflux), ended up being extremely useful

    • Almost every piece of software worth selfhosting has an RSS feed for updates (e.g., every GitHub releases page has an RSS feed). I started selfhosting a good deal more after setting up Miniflux.
    • Like omg there is this whole internet out there outside of Reddit/Twitter/etc that does RSS. The vast majority of blogs have RSS (e.g., Wordpress and Substack). I wish I had discovered RSS decades ago, so many websites I’ve forgotten because I would check updates manually and eventually just forget. I even host a personal Nitter instance so I can follow Twitter people in Miniflux.