dinosaurdynasty

joined 1 year ago
[–] dinosaurdynasty@lemmy.world 5 points 10 months ago

Miniflux is possibly the most important thing I self host. It tells me when software updates (basically everything on GitHub has RSS). It's also great to keep up with blogs that don't update consistently and also stay out of the "there are only three websites" bubble.

[–] dinosaurdynasty@lemmy.world 2 points 11 months ago

Collision, not pre-image attack (the two are different)

[–] dinosaurdynasty@lemmy.world 4 points 11 months ago (2 children)

This is FUD. There is no publicly known pre-image attack against SHA1, the hash used in mainline DHT.

[–] dinosaurdynasty@lemmy.world 1 points 11 months ago

Do not expose Jellyfin to the general Internet. They have security issues, I would not trust that (no cloudflare does not save you by default).

There are basically two ways: VPN, or authenticated reverse proxy. VPN is probably the easiest to setup and the most flexible, but it's a bit of a pita to use.

Authenticated reverse proxy will break apps, but the web app will work (and you can setup your reverse proxy to allow specific user agents from the VPN to bypass it, allowing apps on the VPN to work). I currently do this so I can look at metadata on my phone without a VPN setup.

[–] dinosaurdynasty@lemmy.world 1 points 11 months ago

You don't even need the vps unless you're behind cgnat Though you should never expose Jellyfin to the Internet, they have had and continue to have major security problems

[–] dinosaurdynasty@lemmy.world 5 points 11 months ago* (last edited 11 months ago)

My two issues with porkbun:

They don't seem to support wildcard/catch all email forwarding

Dynamic DNS is done with an API key that has access to the entire account(!!!)

Though, I might move to them anyway (just moved a domain to namecheap which I used years ago and wow their ux sucks, and they don't support dane or sshfp, Google domains was really good rip)

[–] dinosaurdynasty@lemmy.world 4 points 1 year ago (1 children)

Tbf Tor needs benign traffic for the important stuff to hide in.

[–] dinosaurdynasty@lemmy.world 1 points 1 year ago

Fair, have never looked at the price, I just have a Linux mini PC running Jellyfin lol

[–] dinosaurdynasty@lemmy.world 1 points 1 year ago

Passwords will be brute forced if it can be done offline.

Set a good high entropy password, you can even tie it to your login password with ssh-agent usually

Private SSH keys should never leave a machine.

If this actually matters, put your SSH key on a yubikey or something

If a key gets compromised without you knowing, in worst case you will revoke the access it has once the machine’s lifespan is over.

People generally don't sit on keys, this is worthless. Also knowing people I've worked with... no, they won't think to revoke it unless forced to

and you will never revoke the access it has.

Just replace the key in authorized_keys and resync

And you may not want to give all systems the same access everywhere

One of the few reasons to do this, though this tends to not match "one key per machine" and more like "one key per process that needs it"

Like yeah, it's decent standard advice... for corporate environments with many users. For a handful of single-user systems, it essentially doesn't matter (do you have a different boot and login key for each computer lol, the SSH keys are not the weak point)

[–] dinosaurdynasty@lemmy.world 1 points 1 year ago

And here I just press the right arrow key lol

Plex has so many antifeatures I can't ever imagine using it, and Jellyfin is okay enough to use.

[–] dinosaurdynasty@lemmy.world 2 points 1 year ago (2 children)

If the keys are password protected.... eh why not sync them.

Also ssh certificates are a thing, they make doing that kind of stuff way easier instead of updating known hosts and authorized keys all the time

[–] dinosaurdynasty@lemmy.world 2 points 1 year ago

Sounds like a pain to get non technical family members to use. If you're willing to break the non web app you could always put it behind an authenticating proxy (which is what I do for myself outside of VPN, setting up a VPN on a phone is obnoxious and I only look at metadata anyway on my phone)

view more: next ›