
@TCB13@lemmy.world

TCB13, to programmerhumor in PHP Moment

Only if people actually tried to learn PHP.

TCB13, to selfhosted in Can someone explain to me why NAT is not enough for security?

It actually kinda is. Is someone trying to sell you into a firewall?

TCB13, to selfhosted in Now that vmware is over, what should I move to?

Well what I can say is that since my team migrated everything to LXD/Incus the amount of tickets that are somehow related to the virtualization solution we used dropped really fast. Side note: we started messing around with LXD from Snap (but running under Debian) and moved to Debian 12 version as soon as it was made available.

About the kernel things, my upstream fix comment was about how Canonical / Ubuntu does things. They usually come up with some “clever” idea to hack something, implement it, and then upstream actually solves the issue after proper evaluation and Ubuntu just takes it and replaces their quick hack. This happens quite frequently and it’s not always a few lines of code; for instance, it happened with the mess that shiftfs was, and then the kernel guys came up with a real solution (idmapped) and now you see Canonical is going for it. Proxmox inherits the typical Canonical mess.

TCB13, to selfhosted in Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?

Multi-level wildcards don’t exist at all; either don’t use wildcards or use a certificate with multiple wildcard names. E.g. *.xyz.example.org + *.abc.example.org.

TCB13, to selfhosted in Now that vmware is over, what should I move to?

So you say it is “buggy as fuck” because there’s a bug that makes it so you can’t easily run it if your locale is different from English? 😂 Anyways, you can create the bridge yourself and get around that.

About the link, Proxmox kernel is based on Ubuntu, not Debian…

TCB13, to selfhosted in Now that vmware is over, what should I move to?

You funny guy 😂😂

Now, I’m on my phone so I can’t write that much, but I’ll say that the post I linked to isn’t about potential issues; it goes over specific situations where it failed, ZFS, OVPN, etc. But I obviously won’t provide anyone with crash logs and kernel panics.

About ESXi: Incus provides you with a CLI and Web interface to create, manage and migrate VMs. It also provides basic clustering features. It isn’t as feature complete as ESXi, but it gets the job done for most people who just want a couple of VMs. At the end of the day it is more in line with what Proxmox offers than with what ESXi offers, BUT it’s effectively free, so it won’t hold important updates back from users running on free licenses.

If you list what you really need in terms of features I can point you to documentation or give my opinion on how they compare and what to expect.

TCB13, to selfhosted in Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?

I don’t get what’s the issue… you can ask them to issue a certificate that includes wildcard subdomains and the root domain. community.letsencrypt.org/t/…/133925

TCB13, to selfhosted in Now that vmware is over, what should I move to?

DO NOT migrate / upgrade anything to the snap package. That package is from Canonical and it’s after the Incus fork; this means if you go for it you may never be able to then migrate to Incus and/or you’ll become hostage of Canonical.

About the rest, if you don’t want to add repositories you should migrate to LXD LTS from the Debian 12 repositories. That version is and will be compatible with Incus; both the Incus and Debian teams have said that multiple times and are working on a migration path. For instance, the LXD from Debian will still be able to access the Incus image server while the Canonical one won’t.

TCB13, to selfhosted in Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?

“Big boy domains” on a network aren’t very easy to deal with. For instance, sometimes you have devices in your network running DNS queries for your devices and they end up leaking to the outside because, well… they’re FQDNs… I have also experienced mDNS issues; for some reason it seems to slow down a lot once you’re not using .local as your domain.

TCB13, to selfhosted in Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?

How are you dealing with mDNS and your custom domain? Isn’t it causing… issues and mismatches?

TCB13, to selfhosted in Now that vmware is over, what should I move to?

LXD/Incus provides a management and automation layer that really makes things work smoothly, essentially replacing Proxmox. With Incus you can create clusters, download, manage and create OS images, run backups and restores, bootstrap things with cloud-init, move containers and VMs between servers (even live sometimes), and those are just a few things you can do with it and not with pure KVM/libvirt. It also has a WebUI for those interested.

A big advantage of LXD is the fact that it provides a unified experience to deal with both containers and VMs; no need to learn two different tools / APIs, as the same commands and options are used to manage both. Even profiles defining storage, network resources and other policies can be shared and applied across both containers and VMs.

Incus isn’t about replacing existing virtualization techniques such as QEMU, KVM and libvirt; it is about augmenting them so they become easier to manage at scale and overall more efficient. It plays on the land of, let’s say, Proxmox, and I can guarantee you that most people running it today will eventually move to Incus and never look back. It works way better, true open-source, no bugs, no holding back critical fixes for paying users and way less overhead.

TCB13, to selfhosted in Now that vmware is over, what should I move to?

Re incus: I don’t know for sure yet. I have an old LXD setup at work that I’d like to migrate to something else, but I figured that since both libvirt and proxmox support management of LXC containers, I might as well consolidate and use one of these instead.

Maybe you should consider consolidating into Incus. You’re already running on LXC containers; why keep using and dragging along all the Proxmox bloat and potential issues when you can use LXD/Incus, made by the same people who made LXC, that is WAY faster, more stable, more integrated and free?

TCB13 (edited), to selfhosted in Up-to-date OpenSSL guide or tool for creating a certificate authority and self-signing TLS certificates?

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? (…) just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

Yes, written in Go, very small and portable: github.com/FiloSottile/mkcert.

Just be aware of the risks involved with running your own CA.

You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also, real CAs have ways to revoke certificates that are checked by browsers (OCSP and CRLs), and they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.

Why not Let’s Encrypt?

That’s fair, but if your only concern is “I do not want any public CA to know the domains and subdomains I use” you can get around that.

Let’s Encrypt now allows for wildcards, so you can probably do something like *.network.example.org and have an SSL certificate that will cover any subdomain under network.example.org (e.g. host1.network.example.org). Or even better, get a wildcard like *.example.org and you’ll be done for everything.

I’m just suggesting this alternative because it would make your life way easier and potentially more secure without actually revealing internal subdomains to the CA.

Another option is to just issue certificates without a CA and accept them one at a time on each device. This won’t expose you to a possibly stolen CA PK, and you’ll get notified if the previously accepted certificate of some host changes.


    # ALT_NAMES is an array of extra openssl arguments for the subjectAltName extension
    openssl req -x509 -nodes -newkey rsa:2048 \
      -subj "/CN=$DOMAIN_BASE/O=$ORG_NAME/OU=$ORG_UNIT_NAME/C=$COUNTRY" \
      -keyout $DOMAIN_BASE.key -out $DOMAIN_BASE.crt -days $OPT_days "${ALT_NAMES[@]}"
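An added example, not from this thread or from mkcert, that does in Go's standard library what the openssl one-liner above does (a self-signed leaf with subjectAltName entries, no CA) and adds the two checks a device that accepts certificates one at a time needs: that a wildcard covers exactly one label (as noted earlier in the thread, multi-level wildcards don't exist), and a fingerprint to pin so a silently swapped certificate is noticed. The names under network.example.org are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SelfSigned builds a self-signed leaf certificate (no CA involved) whose
// subjectAltName carries dnsNames, like `openssl req -x509` with ALT_NAMES.
func SelfSigned(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0], Organization: []string{"home lab (assumed)"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // the subjectAltName entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint is the SHA-256 of the DER certificate: the value a device
// records when it accepts the cert, so any later change is detectable.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Covers reports whether host matches one of the certificate's names.
// A wildcard matches a single label only: *.network.example.org covers
// host1.network.example.org but not a.b.network.example.org.
func Covers(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}

func main() {
	c, _ := SelfSigned([]string{"*.network.example.org", "network.example.org"})
	fmt.Println(Fingerprint(c), Covers(c, "host1.network.example.org"), Covers(c, "a.b.network.example.org"))
}
```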
TCB13, to linux in Is it possible to create an OS that simply automatically runs .exe files through WINE/Proton/Bottles?

Wine works great 😂

TCB13, to linux in which linux phone is the most promising?

So while I agree with some or the majority of your commentary, I would like to add a bit of context.

Well, the question is why are you excluding web banking? (…) If you’re allergic to webapps for some reason

I’m not allergic, I just happen to live in a country where banks unfortunately force you to get their mobile app for certain operations / you can’t do everything on their web app because of “security”. There’s a big thing in Europe around secure transaction authorizations that require secure 2FA methods (not SMS), and banks here decided to implement that in a way that their mobile apps kinda work as a 2FA for the web version. Heck, I can’t even generate a virtual credit card here without installing an app. Compatibility layers / emulation such as Waydroid, and even GrapheneOS, are flagged by most of the banking apps here as well and they don’t allow you to proceed.

Why are you using contactless payment? Unsatisfied with the amount of data your bank collects

If I’m using the app from the banking alliance they won’t gather more info than what they already do whenever I swipe a debit or credit card on a payment terminal. It kinda becomes about convenience at that point. Obviously the same can’t be said for Apple Pay / Google Wallet, and I avoid them.

Govt provides electronic versions of your identity card (…) Either way, this isn’t something you “need”, as carrying your documents around really isn’t a problem…

Actually that’s something I need, let me tell you why: I’m required to digitally sign a LOT of documents every day, and here you have two ways to do that. The classic one is by having a smart card reader on your computer: open a desktop app, choose a file, place the identity or professional card into the reader and type a PIN code. The second way is to open the application and click “sign with your phone”; this will prompt you to open the govt phone app and enter a PIN / biometric authentication there, and the document will get signed as well. While the first option works fine, it’s just annoying to have to carry a card reader around to meetings and other places, and it also takes way more time for the desktop app to respond and sign the document if you use the identity card.

…first you buy an IoT device that connects to “the cloud”, then you say you need proprietary software to access it. Of course you do, that’s the kind of device you bought - the vast majority of IoT devices are made with zero regard to the user’s privacy and security, to hackability or right to repair. (…) That said, it’s very easy to find hackable devices if you do the bare minimum research

You proceed to give examples of vacuum cleaners and other stuff that is indeed easy to find in more open variants.

I’m all for open-source IoT, I like it as a hobby and I run HomeAssistant, and most of my IoT is DIY ESP32-S2 devices with sensors and relays. I also have some cheap relays and plugs from Aliexpress that are BL2028N and that I managed to flash with ESPHome / Libretiny; however, things become a LOT harder when it comes to CCTV.

Cameras in general aren’t as easy to deal with as cheap plugs. There’s the OpenIPC project, but it seems to only support very specific chips that are sometimes older, hard to find or not price/feature competitive with TP-Link offers.

For what it’s worth, TP-Link Tapo cameras (TC70, 71 etc.) aren’t that bad when it comes to privacy; there isn’t much “cloud”. They do require you to use their mobile app to set up the camera, but afterwards you can just run them on an isolated VLAN / firewall them from the internet completely and you’ll still be able to use all of the camera’s features. Those cameras provide a generic RTSP stream that even VLC can play, and there’s also a good HA integration that provides all features of the TP-Link Tapo application like pan / move / download recordings from the camera’s SD card and whatnot, 100% locally / offline.

but don’t pretend there’s some insurmountable barrier preventing anyone from using it

No, but it would make my life considerably worse or at least impractical in some cases.
