TBH, it sounds like you have nothing to worry about then! Open ports aren’t really an issue in-and-on itself, they are problematic because the software listening on them might be vulnerable, and the (standard-) ports can provide knowledge about the nature pf the application, making it easier to target specific software with an exploit.
Since a bot has no way of finding out what services you are running, they could only attack caddy - which I’d put down as a negligible danger.
My ISP blocks incoming data to common ports unless you get a business account.
Oof, sorry, that sucks. I think you could still go the route I described though: For your domain example.com and example service myservice, listen on port :12345 and drop everything that isn’t requesting myservice.example.com:12345. Then forward the matching requests to your service’s actual port, e.g. 23456, which is closed to the internet.
Edit: and just to clarify, for service otherservice, you do not need to open a second port; stick with the one, but in addition to myservice.example.com:12345, also accept requests for otherservice.example.com:12345, but proxy that to the (again, closed-to-the-internet) port :34567.
The advantage here is that bots cannot guess from your ports what software you are running, and since caddy (or any of the mature reverse proxies) can be expected to be reasonably secure, I would not worry about bots being able to exploit the reverse proxy’s port. Bots also no longer have a direct line of communication to your services. In short, the routine of “let’s scan ports; ah, port x is open indicating use of service y; try automated exploit z” gets prevented.
I am scratching my head here: why open up ports at all? It it just to avoid having to pay for a domain? The usual way to go about this is to only proxy 443 traffic to the intended host/vm/port based on the (sub) domain, and just drop everything else, including requests on 443 that do not match your subdomains.
Granted, there are some services actually requiring open ports, but the majority don’t (and you mention a webserver, where we’re definitely back to: why open anything beyond 443?).
Client side, under advanced:
That’s a setting
Alright, thanks for the info, that’s good to know. Trying to make the jump becomes more enticing every day.
Thanks for sharing! Sounds about as good/bad as I was expecting. How’s the browser experience? Also, are there any features/tweaks you are aware of that you could not get through Nix, that the more “commercial” Linux device manufacturers have developed for their devices?
Holy crap! A NixOS-on-phone user in the wild! You are rocking my dream setup. How’s your experience been with it? Is it remotely daily drivable for phone things?
What does this have to do with Privacy?
Re: Spain: the headline was bullshit. If you are arrested and then investigated and it turns out you use Graphene, they’ll go “huh, I wonder why. We’ve seen a lot of drug dealers use Graphene. Let’s investigate in that direction as well”.
Noone is being arrested or targeted FOR having GOS.
In the case of Germany: confidential computing tech ensures all data is encrypted in storage and in memory, shielded even against data center employees / hosting providers. I imagine that’s become the standard for most countries.
When we need to know each others location, we share it via element / matrix. Our own server, so no third party.
Happens maybe four times a year.
(Also, do you just always have location services enabled?? IMO it’s a battery drain, I pretty much only enable it for this and while I need to navigate)
Ah crap, forgot to ping you! Sorry!!
Yep, easy decision now. Migration went smoothly, just had to move the state dir and chown it to continuwuity:continuwuity. Might be different on docker though, no idea, sorry 😄
There’s nothing technically wrong with it, it’s just a glacial development speed. I tried contributing there myself when I wanted a specific feature (which had been requested years prior by someone else and was deemed a good idea), it took months before I even got a single comment back.
In the meantime, I had switched to conduwuit because it was a much, MUCH more active project. However, conduwuit has diverged substantially from conduit, including irreconcilable database changes, so it is not possible to migrate back, that would require starting from a fresh slate and loosing all user data.
Roger, will do.
Yeah, community driven sounds like unless there’s new drama. But yeah, currently tending towards continuwuity. Purely vibes based from snooping around both repos.
Now THAT is something I wouldn’t ever trust.
Either your argument is that morality is somehow “god given” through religion, in which case I have to ask, which god? Which religion? There’s a lot of those around or no longer around, with different nuances of morality, contradicting that idea.
Or each civilization developed religion and incorporated their respectove ideas about morality, but then morality necessarily precedes religiosity.
Either way, doesn’t make sense.
Besides, the idea that a fear of god is necessary to make people “moral” is ridiculous. If you would commit immoral atrocities if you didn’t believe in god, then I’m sorry, that makes you a bad person; but don’t project that unto other people.
Empathy is sufficient for morality, while god, arguably, is an amoral monster.
Cheers, a moral atheist
Matrix fits the bill.
Unless you don’t like the federated nature.
OK, add step above: use wildcard certificate for your domain.
Terminating the TLS connection at your perimeter firewall is standard practice, there’s no reason your jellyfin host needs to obtain the certificate.
Grew up on it. My dad set up a Ubuntu 4.10 PC for my brother and I when we were 3/5 (no internet, obv), and it stuck.
Used Windows for a brief time in highschool to be able to play online with friends.
Went right back to Linux when going to university. Will never change back, both for ideological reasons and because Linux is just better.
Next step: NixOS on a phone