Tried to setup a personal matrix server last night, got it to federate, next step is Matrix’s Element Call, spent too many hours trying to block the /_synapse endpoint with Traefik because it is recommended by Matrix, no luck unfortunately.

All this in hopes I can add a Music Bot to my instance or something similar.

This was a while ago so the details are fuzzy, I gave it Traefiks docker labels on port :5380 but that didn’t seem to work then I read an a bug report saying give Traefik :8053 so I tried that and again didn’t work so I went back to :5380 and all of a sudden it reverse proxied but my login wouldn’t work even though it worked when going to the LAN IP+Port didn’t find much in terms of troubleshooting and documentation so I eventually gave up on it.

I have had terrible experiences with recursive DNS resolvers, PiHole+Unbound worked for maybe an hour then would completely kill my internet access, the same essentially went with OpenSense, I had hope for Technitium but alas didn’t feel the need to spend hours troubleshooting something that PiHole alone did with ease.

If only reverse proxying Technitium wasn’t a pain in the ass to do I would actually use it. Maybe one day they’ll fix the login issues until then PiHole works.

Download the file and upload to https://catbox.moe/

This just in:

Looks like someone took the liberty of uploading copyrighted shows and 3D printable gun parts to his file server.

Pro-Tip: You can reverse proxy any service on your network but if the IP of your reverse proxy does not match the IP of your A record, aka your server is behind a VPN, the public will not be able to access your server.

Http/s is neat that way, if the IP’s don’t match then it’s technically considered an insecure or misconfigured setup but it works great to prevent unauthorized access to one’s server.

I must agree with other users here, hosting a public file hosting server is a bad idea, at the bare minimum Authentik or Keycloak should be in front of it but I digress, https://catbox.moe/ already endures this pain for us.

Not sure what reverse proxy you’re using but alternatively Traefik’s middleware IPAllowList works great for blacklisting all IP’s and only whitelisting the known few.

With regards to the backup key, Yubikey recommends to save (screenshot) the QR code that is generated during 2FA setup to setup the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key

Just looking back at my purchase history, I got my Yubikey’s back in January 2020, it appears that I never read this doc about scanning the QR code for the backup key, or maybe I did? I don’t really remember it all too well. Regardless In certain circumstances my keys do the exact same thing and I’m quite sure I followed some guide to create one primary and one secondary key but it’s possible that guide has gone outdated.

Similar to something like Keepass, the database is local and you are in charge of making backups and such.

I can totally respect the folks who opted to self host, I’m horrible when it comes to backing up data and such and self hosting wasn’t really my thing back in 2020 so it never really was on my radar.

In the end this comes always down to an optimization problem between security and convenience that everyone has to decided for themself.

Couldn’t agree with you more, everybody has that dial between convenience and security and should adjust accordingly.

Doesn’t cover Traefik, plus the docker-compose.yml contains 4 separate images and researching into them didn’t provide much info. snicket_proxy, snikket_certs, snikket_portal and snikket_server. All four of these images bind to the host but if I am supplying my own reverse proxy then both snikket_proxy and snikket_certs are redundant right? Or do they serve another purpose? And if I wanted to take them off the host network, follow their firewall guide and expose the necessary ports manually behind a docker bridge network what images do I bind those ports to? When I tried binding them all to snikket_server that’s when my docker service crashed and I gave up.

Snikket locked my docker service up, their documentation sucks for when you want to use your own reverse proxy or bind it behind a docker network and not the host.

Can you explain a little more how you handle them in your daily life? I always liked the idea if Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience.

I have two Yubikey 5 NFC’s, one I keep majority of my 2Fa auth codes on and keep on my keychain the other I leave at home mainly for backup 2Fa setups or desktop/WebAUTH/Single Sign-On logins, most websites won’t let you setup 2 2Fa keys so the second one mostly handles the plug-in and touch key portion of my setup.

Are they inconvenient? Yes, the amount of times where I got annoyed because I’ve had to grab my keychain to sign in has gotten annoying but not enough to switch back to online providers. I prioritized security over convenience in this circumstance. The Yubikey that I keep on my keychain also handles my work 2Fa codes, doesn’t feel necessary to have a dedicated key for that unless my company is willing to pay for it.

Do you just have it on your keychain a plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn’t really make sense.

It actually works out quite nice having it plugged in all the time, especially if you’re doing multiple 2Fa authentications, the keys won’t authenticate until you enter the password of the key (if you set one up) and touch the key, so even if your computer is compromised they still need to physically touch the key to generate the authentication codes.

As far as I know you can’t just clone a key.

So no you cannot clone a Yubikey to another Yubikey, which I think is dumb, but they have their security reasoning behind it I believe. Like I mentioned earlier all my 2Fa codes/keys are on my keychain so if I break that key I am in a horrible position as I lose access to a lot of accounts that I couldn’t setup multiple 2Fa’s for.

How easy is it to setup a backup key?

While Yubico does recommend having two keys as I mentioned certain services only let you setup 2Fa once and not multiple times. However, Linux (and I want to assume Windows as well) let you setup as many 2Fa keys as you want, so both the Yubikey on my keychain and the one I leave at home both grant Root access to my desktop and server.

I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys?

So I don’t have a USB C Yubikey ironically both my iPhone and iPad are USB C so I have the option to use a dongle or NFC, both have worked great, I have had a couple scares where the app will error and say “No response from key” but it seems that error is due to bad contact/connection. I’ve attached a few images of the iOS app to help get an idea of the layout.

Yubikey for 2Fa codes also works well for sudo and su (2Fa) or if you still use Windows I think it supports single sign on there. Absolutely worth the purchase have had my keys for years.

If you can make your own like I did I would highly recommend it.

Honestly I could, metal fabrication comes in handy, get it shop issued and laser or water cut send it through the machinists, I would have to supply the material myself which would be difficult but certainly doable.

I’ll have to consider this! By chance do you have drawings or dimensions of your rack as a starting point, looks like you’re using Aluminum HSS for the frame? Completely understandable if you rather not share the details,

Was eyeing a 52Pi rack for a good little while this post inspired me to get one, but then I saw the shipping cost.

Apparently the folks from the rreading-glasses repo accuse Chaptarr of being vibe coded, can find it directly in their README.

For the unaware rreading-glasses is a rebuilt metadata server for Readarr, also happens to be endorsed by Readarr/Servarr, just switch it out and you’re good to go. However, Readarr won’t receive anymore feature updates or bug fixes it seems.

Everyone here is telling you to ditch Arch for Debian and I absolutely agree with them however, if you’re so hell bent on having an Arch server than install Proxmox VE to the host and run both Debian and Arch, build your server up and get it working in Debian first then try to replicate it with Arch, compare the differences.

If you’re already familiar with BASH then making the switch from Arch to Debian wouldn’t be a hassle.

This gave me a chuckle, my server is about 4’ away from my cabinet and not nearly as flashy, pretty sure the thief is prioritizing in that situation.

I’m a bit confused on this comment here:

Additionally, I’d prefer not to not do something like: Computer -> Home VPN -> Mullvad server -> destination, as my upload speed is pretty bad and this would throttle every non-local connection

Because you also mention this:

Computer -> Mullvad server -> Home VPN -> Home server

Which would be the same thing, no? You’re just making a connection to the Mullvad server first then your home network?

I’ll share my experience but it looks like it’s not the solution you’re looking for, I opted to use my Asus WRT Router w/ Merlin Firmware to host my VPN server, the Merlin Firmware lets me connect to 5 different VPN clients at a time, in my case 4 different Proton clients and a buddies server, I use the “VPN Director” feature to route my VPN Server through one of the 5 different clients effectively creating the multi-hop.

I personally haven’t noticed much degradation in regard to connection speeds but at the same time I don’t constantly hop VPN clients or have the same internet speeds as you, I typically stick with the server closest to me.

Edit: To help visualize what i mean:

If I’m not mistaken Emby started to do some sketchy stuff which birthed Jellyfin.

As the end use my biggest gripe with Matrix is with voice communications, it’s almost as if you sneeze wrong you’ll lose connection to the voice group, screen sharing is horrible, no audio and the window is not adjustable, cant even make it full screen.

Now they’re reducing people’s usage by putting in a subscription and locking certain features, at least on the home server.

While I am disappointed they did at least take my advice and prevent Windows Recall from capturing people’s messages.

if you use the Netflix application chances are they’ll detect the virtual network on your system and if it’s in use, most people don’t seem to realize that applications have direct access to your hardware unless it’s containerized, virtualized or explicitly restricted by some policy.