Just be aware of the risks involved with running your own CA.
Yes, LetsEncrypt with DNS-01 challenge is the easiest way to go. Be it a single wildcard for all hosts or not.
Running a CA is cool however, just be aware of the risks involved with running your own CA.
You’re adding a root certificate to your systems that will effectively accept any certificate issued with your CA’s key. If your PK gets stolen somehow and you don’t notice it, someone might be issuing certificates that are valid for those machines. Also, real CAs have ways to revoke certificates that are checked by browsers (OCSP and CRLs), and they may employ other techniques such as cross signing and chains of trust. All those make it so a compromised certificate is revoked and not trusted by anyone after the fact.
I want the WAN coming in from the router from the Pi’s Ethernet port, and the LAN coming out as Wi-Fi. I may also stick an additional Ethernet adapter to it in the future.
Can you try to explain this a bit more?
Define “negative way”… GNOME changes in negative ways in a weekly basis so… Notification DDoS? :P
No, Matrix is just a privacy disaster that is run by a for profit company.
Link wasn’t there when the original post was made.
When your device requests an IP it sends over a significant amount of data.
Like…?
Those are alternatives not the 100% compatible solutions that professionals who spend 8h/day in front of those tools need.
I think once critical mass joins with their buying power, things should change.
Yeah me too, but for that to happen you need to get: Adobe CC, MS Office, Autodesk and a few others the masses use as native desktop apps. The Linux Desktop year will not come until those exist… and until GNOME fixes their shit and stop thinking their users are stupid and desktop icons are useless.
They might have done their stats and figured out that only 0.0000001% of their users would benefit from it and there weren’t much profit there to make.
“After years of pushing their proprietary and closed solutions to privacy minded people Proton decided that it was in their best interest to further bury said users into their service as a form of vendor lock-in. To achieve this they made yet another non-standard groupware feature - a document editor.
If you want a git “server” quick and low maintenance then gitolite is most likely the best choice. https://gitolite.com/gitolite/index.html
It simply acts as a server that you can clone with any git client and the coolest part is that you use git commits to create repositories and manage users as well. Very low or no maintenance at all. I’ve been using it personally for years but also saw it being used at some large companies because it simply gets the job done and doesn’t bother anyone.
So I want to get back into self hosting, but every time I have stopped it is because I lacked documentation to fix things that break. So I pose a question, how do you all go about keeping your setup documented? What programs do you use?
Joplin or Obsidian? Or… plain markdown files with your favorite text editor.
Yeah that one is very good.
Maybe the NextCloud guys will follow… oh wait that would just be yet another perpetually half-finished NC thing.
Here’s the problem, RCS isn’t a truly open thing and Google kind of maintains a lot of the software that even carriers use for it. It essentially opens the door for the tech companies to take over yet another big chunk of the carrier services and tap into more users’ data at the network level.
In June 2019, Google announced that it would begin to deploy RCS on an opt-in basis via the Messages app, with service compliant with the Universal Profile and hosted by Google rather than the user’s carrier, if the carrier does not provide RCS.
In October 2019, the four major U.S. carriers announced an agreement to form the Cross-Carrier Messaging Initiative (CCMI) to jointly implement RCS using a newly developed app. This service was to be compatible with the Universal Profile.[33] However, this carrier-made app never came to fruition. By 2021, both T-Mobile and AT&T signed deals with Google to adopt Google’s Messages app.[34][35][36] In 2023, T-Mobile and AT&T agreed to use Google Jibe to implement RCS services, and in 2024 Verizon agreed to use Google Jibe.
Apple stated it will not support Google’s end-to-end encryption extension over RCS, but would work with GSMA to create an RCS encryption standard.
Yes, ksmtuned is your friend. For VMs it can be managed / enabled like any other Linux Kernel + QEMU/KVM running with KSM enabled.
On LXC containers it may be a bit harder as it depends a LOT, best results if you’re using systemd on both the host and containers. It may all work out of the box or you’ll have to resort to ksm_wrapper in both the Incus executable and the stuff running inside your containers.
Don’t forget that:
KSM only operates on those areas of address space which an application has advised to be likely candidates for merging, by using the madvise(2) system call: int madvise(addr, length, MADV_MERGEABLE). https://www.kernel.org/doc/Documentation/vm/ksm.txt
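As an added illustration of the madvise(2) rule quoted above (example code, not from the thread or from ksmtuned): two anonymous mappings are filled with identical page content and then advised with MADV_MERGEABLE. The program assumes a Linux kernel; on a kernel built without CONFIG_KSM the call fails with EINVAL, which the code reports as "unsupported" rather than as an error. The function and enum names are made up for the example.

```c
/* Added example: mark anonymous memory as a KSM merge candidate, as the
 * ksm.txt passage describes. Not code from the original thread.
 * Assumption: Linux; without CONFIG_KSM, madvise(MADV_MERGEABLE) -> EINVAL. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum ksm_advice { KSM_ADVISED = 0, KSM_UNSUPPORTED = 1, KSM_ERROR = 2 };

/* Map `len` bytes of page-aligned anonymous memory; NULL on failure.
 * madvise() requires a page-aligned start address, so mmap is used
 * instead of malloc(). */
static void *map_pages(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Tell the kernel this region may be scanned and merged by ksmd. */
static enum ksm_advice advise_mergeable(void *addr, size_t len)
{
#ifdef MADV_MERGEABLE
    if (madvise(addr, len, MADV_MERGEABLE) == 0)
        return KSM_ADVISED;
    /* EINVAL: kernel built without KSM (or a misaligned address). */
    return errno == EINVAL ? KSM_UNSUPPORTED : KSM_ERROR;
#else
    (void)addr; (void)len;
    return KSM_UNSUPPORTED; /* libc without MADV_MERGEABLE (non-Linux) */
#endif
}

/* Give two regions identical page contents so ksmd has something to
 * merge; returns the number of pages written to each region. */
static size_t fill_identical(void *a, void *b, size_t len, size_t page)
{
    memset(a, 0x5a, len);
    memset(b, 0x5a, len);
    return len / page;
}

/* Map, fill and advise two regions of `pages` pages each. Returns the
 * worst advice result seen (KSM_ADVISED when both calls succeeded). */
static int demo_ksm(size_t pages)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = pages * page;
    void *a = map_pages(len);
    void *b = map_pages(len);
    if (!a || !b)
        return KSM_ERROR;
    fill_identical(a, b, len, page);
    enum ksm_advice ra = advise_mergeable(a, len);
    enum ksm_advice rb = advise_mergeable(b, len);
    munmap(a, len);
    munmap(b, len);
    return ra > rb ? ra : rb;
}

int main(void)
{
    int r = demo_ksm(4);
    printf("madvise(MADV_MERGEABLE): %s\n",
           r == KSM_ADVISED ? "advised (watch /sys/kernel/mm/ksm/ counters)" :
           r == KSM_UNSUPPORTED ? "unsupported on this kernel" : "error");
    return r == KSM_ERROR;
}
```

Advising a region only makes it eligible; nothing is merged until ksmd is running (the `run` knob under /sys/kernel/mm/ksm/, which is what ksmtuned manages). This is why a process that never calls madvise this way, such as most container workloads, gets no benefit from KSM even when the host has it enabled, and why the ksm_wrapper approach mentioned above exists.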
How does it handle Windows VMs
As one would expect from QEMU… https://blog.simos.info/how-to-run-a-windows-virtual-machine-on-incus-on-linux/
Does the WebUI give a nice and easy novnc window
Yes it works fine. https://youtu.be/wqEH_d8LC1k?feature=shared&t=508
Actually it would be interesting to see cockpit-machines move to Incus as a virtualization backend and support both LXC containers and QEMU VMs that way.
For what it’s worth, LetsEncrypt with DNS-01 challenge is way easier to deploy and maintain in your internal hosts than adding a CA and dealing with all the devices that might not like custom CAs. Also more secure.