TCB13

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

Obviously you should pick a domain that is run by josh (the guy that runs freedns.afraid.org) such as the mooo.com and you won’t have issues. freedns.afraid.org/domain/registry/

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

Yes ISPs do assign IPv6 blocks via Prefix Delegation, the thing is that Prefix Delegation is done over DHCP. They’ll assign a block and if your router/device is restarts they’ll just give you a new prefix. In some even more annoying cases you can even get a new prefix whenever the lease expires.

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

True, but that goes back to the irony of “I want to selfhost, and therefore I need a service provider…”, in this case HE. And won’t take of the IPv4 issue, we can’t just assume every network we use to connect to a home setup will be IPv6 capable. At that point you can just pick a Cloudflare tunnel and have it all working.

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

Assuming you’ve a static IP and you’re irresponsible :P

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

Well, unfortunately we can’t escape our ISP and a DNS provider.

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

… that may change at any time.

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

Oh I know he does, the project has almost 3x times the money in donations/premium features than what is required to run it. however it was never about making profit nor he will sell out to a bigger company and suddenly shutdown all free services. Actually I hope he continuous to make a profit and increase it because he deserves it.

TCB13 , 7 months ago to selfhosted in What modern solutions are there similar to dyndns?

freedns.afraid.org free, reliable and isn’t run for profit.

TCB13 , 7 months ago to selfhosted in Do you run a private CA? Could you tell me about your certificate setup if you do?

It makes me deeply uncomfortable to use a public domain and get public certificates for something inherently so private

You can obviously run your own CA, great exercise but why? What really makes you that uncomfortable? Once you go with the wildcard nobody will know about your internal hosts or whatever. Even if the domain is taken down, you’re offline or wtv your local DNS server will still be able to serve replies to those internal subdomains. You don’t need to publish those subdomains (A records) in a public DNS server, just on your own internal DNS server.

I guess if you rally want to take the CA route those tools I provided before are the best option. Simply issuing a certificate (without a CA) and allowing it on a browser might also work for you - less risks of stolen PK as described.

I hope the links and tips helped you in some way.

TCB13 , 7 months ago to linux in Arch or NixOS?

Fair enough.

TCB13 , 7 months ago to linux in Arch or NixOS?

I’ve already considered Debian, but… I dunno, this isn’t what I’d call the most logical reason, but I just kinda don’t like it as my desktop OS. I’d use Debian over basically anything else for a server, but as a desktop OS I don’t like the vibe.

I was on the same boat as you are, flatpak essentially made it all perfect.

TCB13 , 7 months ago to linux in Arch or NixOS?

Neither, rock solid Debian + flatpak for the latest software.

TCB13 , 7 months ago to selfhosted in Do you run a private CA? Could you tell me about your certificate setup if you do?

Okay that’s fair but if your only concern is about “I do not want any public CA to know the domains and subdomains I use” you get around that.

Let’s Encrypt now allows for wildcard so you can probably do something like *.network.example.org and have an SSL certificate that will cover any subdomain under network.example.org (eg. host1.network.example.org). Or even better, get a wildcard like *.example.org and you’ll be done for everything.

I’m just suggesting this alternative because it would make your life way easier and potentially more secure without actually revealing internal subdomains to the CA.

Another option is to just issue certificates without a CA and accept them one at the time on each device. This won’t expose you to a possibly stolen CA PK and you’ll get notified if previously the accepted certificate of some host changes.

<span style="color:#323232;">openssl req -x509 -nodes -newkey rsa:2048 
</span><span style="color:#323232;">-subj "/CN=$DOMAIN_BASE/O=$ORG_NAME/OU=$ORG_UNIT_NAME/C=$COUNTRY" 
</span><span style="color:#323232;">-keyout $DOMAIN_BASE.key -out $DOMAIN_BASE.crt -days $OPT_days "${ALT_NAMES[@]}"
</span>

TCB13 , 7 months ago to selfhosted in Disclosure of sensitive credentials and configuration in containerized deployments - ownCloud

My point was that “random deb” and/or “random web application” are way less likely to come with unsafe default ENV based configuration files and usually go with the config files securely stored in system directories with the proper permissions enforced during installation or simple .php config files that won’t get exposed and that will require the user to configure in a proper way (like WordPress does by providing wp-config-sample.php but not the final wp-config.php file required to run it). Those are the solutions people used before the containerization hype and things were just fine.

My second point: containers “lowered the bar”, allowing for almost anyone to be able to deploy complex solutions and this was / is bound to be a disaster. No matter how safe Docker and others become we can’t just expect people who know almost nothing about computers and networking to be able to safely deploy things. Even the ones that know a lot, like developers, sometimes use Docker to deploy things they wouldn’t be able to deploy otherwise and fall to the pitfalls of not understanding networking and computer security.

In any case, I would not expose such application outside of a VPN, which is a blanket security practice that most selhosters should do for most of their services…

Well, me too, however I understand that some people might want to expose it publicly because they might want to access their instances from public or work machines where they can’t install a VPN. For those cases I would recommend 2FA and only allowing specific IP addresses or ranges access to the thing - the office static IP, their ISP or eventually only the user’s country.

TCB13 , 7 months ago (edited 7 months ago) to selfhosted in I've tried ownCloud.

NC webmail is unusable. We have to pretend it doesn’t exist. Even with a completely empty IMAP server it takes 30 seconds to load

Did you ever try the single sign-on option that allows users to login to NextCloud using their IMAP credentials? After spending some time with it you’ll find it to be yet another half broken feature: github.com/nextcloud/mail/issues/2698 (see my reply bellow).

Roundcube is 1000x faster and has no cache at all. Can’t they just peek the source code?

Roundcube Open-Source Webmail Software Merges With Nextcloud … So, what should we expect now? To have RC as NextCloud’s default e-mail interface OR to get RC filled with mindless bugs and crappy features/decisions? Most likely the latter as NC’s “management” is what it is.

My second question about this merge is what is gonna happen with the Kolab guys (kolab.org / kolabnow.com) as they’ve been the ones actually “paying the bill” and investing serious development time into RoundCube and into useful plugins such as CardDAV and CalDAV that are actually better than anything NextCloud has done to this day. Their funding comes from their e-mail hosting service that is somehow in competition with NextCloud. Around 2006 Kolab also raised more than $100k USD to develop RoundCube so… that’s the kind of investment they’ve been working under.

Like nextcloud maps. In their blog they wrote a post over one year ago describing it as the next big thing after sliced bread.

Another joke by NextCloud.