𝕽𝖔𝖔𝖙𝖎𝖊𝖘𝖙

  • 0 Posts
  • 42 Comments
Joined 1 year ago
cake
Cake day: June 20th, 2023

help-circle
  • I use a DNS server on my local network, and then I also use Tailscale.

    I have my private DNS server configured in tailscale so whether on or off my local network everything uses my DNS server.

    This way I don’t have to change any DNS settings no matter where I am and all my domains work properly.

    And my phone always has DNS adblocking even on cell data or public Wi-Fi

    The other advantage is you can configure the reverse proxy of some services to only accept connections originating from your tailscale network to effectively make them only privately accessible or behave differently when accessed from specific devices


  • Another cool trick is using tailscale to ensure your portable devices always can access your Pihole(s) from anywhere and then setting those server’s tailscale addresses as your DNS servers in tailscale.

    This way you can always use your DNS from anywhere, even on cell data or on public networks

    I keep a third instance of Pihole running on a VPS and use it as the first DNS server in tailscale so it will resolve a bit faster than my local DNS servers when I’m away from home




  • It depends what I’m backing up and where it’s backing up to.

    I do local/lan backups at a much higher rate because there’s more bandwidth to spare and effectively free storage. So for those as often as every 10 mins if there are changes to back up.

    For less critical things and/or cloud backups I have a less frequent schedule as losing more time on those is less critical and it costs more to store on the cloud.

    I use Kopia for backups on all my servers and desktop/laptop.

    I’ve been very happy with it, it’s FOSS and it saved my ass when Windows Update corrupted my bitlocker disk and I lost everything. That was also the last straw that put me on Linux full-time.




  • I use and love Kopia for all my backups: local, LAN, and cloud.

    Kopia creates snapshots of the files and directories you designate, then encrypts these snapshots before they leave your computer, and finally uploads these encrypted snapshots to cloud/network/local storage called a repository. Snapshots are maintained as a set of historical point-in-time records based on policies that you define.

    Kopia uses content-addressable storage for snapshots, which has many benefits:

    Each snapshot is always incremental. This means that all data is uploaded once to the repository based on file content, and a file is only re-uploaded to the repository if the file is modified. Kopia uses file splitting based on rolling hash, which allows efficient handling of changes to very large files: any file that gets modified is efficiently snapshotted by only uploading the changed parts and not the entire file.

    Multiple copies of the same file will be stored once. This is known as deduplication and saves you a lot of storage space (i.e., saves you money).

    After moving or renaming even large files, Kopia can recognize that they have the same content and won’t need to upload them again.

    Multiple users or computers can share the same repository: if different users have the same files, the files are uploaded only once as Kopia deduplicates content across the entire repository.

    There’s a ton of other great features but that’s most relevant to what you asked.



  • I would disagree.

    Particularly on the cost/beta stuff.

    Tailscale has long supported DNS addresses that link to your tailnet. Typically they only accept connections from addresses allowed within your tailnet, but there isn’t anything particularly complex about how funnel allows any incoming address.

    Further, like most of tailscale’s operations, funnel isn’t requiring them to host or even proxy any significant amount of data, it’s just directing incoming connections on that domain to a device on your tailnet.

    The hosting cost to tailscale is insignificant and really no different than what they do on a basic tailnet.

    I don’t think it will become a paid only option and I don’t think it’s too beta to use for a home server.

    Personally I don’t bother using it because I’m comfortable exposing my IP address and opening a port to my home server using direct DNS.

    But there are some advantages to using tailscale funnel in that your ip will be obfuscated and the traffic will be routed through WireGuard so potentially more secure.



    • 8 Hosts (6 physical/local, 2 VPS/remote)
    • 72 Docker containers
      • Pi-hole (3 of them, 2 local, 1 on a VPS)
      • Orbital-sync (keeps the pi-holes synced up)
      • Searxng (search engine)
      • Kutt (URL shortener)
      • LenPaste (Pastebin-like)
      • Ladder (paywall bypass)
      • Squoosh (Image converter, runs fully in browser but I like hosting it anyway)
      • Paperless-ng (Document management)
      • CryptPad (Secure E2EE office colaboration)
      • Immich (Google Photos replacement)
      • Audiobookplayer (Audiobook player)
      • Calibre (Ebook management)
      • NextCloud (Don’t honestly use this one much these days)
      • VaultWarden (Password/2FA/PassKey management)
      • Memos (Like Google Keep)
      • typehere (A simple scratchpad that stores in browser memory)
      • librechat (Kind of like chatgpt except self-hosted and able to use your own models/api keys)
      • Stable Diffusion (AI image generator)
      • JellyFin (Video streaming)
      • Matrix (E2EE Secure Chat provider)
      • IRC (oldschool chat service)
      • FireFlyIII (finance management)
      • ActualBudget (another finance thing)
      • TimeTagger (Time tracking/invoicing)
      • Firefox Sync (Use my own server to handle syncing between browsers)
      • LibreSpeed (A few instances, to speed testing my connection to the servers)
      • Probably others I can’t think of right now

    Most of these I use at least regularly, quite a few I use constantly.

    I can’t imagine living without Searxng, VaultWarden, Immich, JellyFin, and CryptPad.

    I also wouldn’t want to go back to using the free ad-supported services out there for things like memos, kutt, and lenpaste.


    Also librechat I think is underappreciated. Even just using it for GPT with an api key is infinitely better for your privacy than using the free chatgpt service that collects/owns all your data.

    But it’s also great for using gpt4 to generate an image prompt, sending it through a prompt refiner, and then sending it to Stable Diffusion to generate an image, all via a single self-hosted interface.





  • That’s cool, but also doesn’t sound all that useful.

    A fairly significant number of apps depends on Firebase and the like and don’t even have the option to pull notifications otherwise. And virtually every app at least use them.

    When’s the last time you’ve seen a chat app that didn’t require push notifications to function? Even Signal uses them. (Though they do so in a way that doesn’t expose any private data)

    You just can’t disable push without severely crippling the experience.

    Further I’m not even sure disabling them on-device will change anything at all about governments being able to surveil them server-side. Afaik you are only stopping your phone from receiving them, they would still be sent to the Firebase server from the app’s cloud servers.

    I don’t think this issue is avoidable other than app developers not using (or using in a secure manner) Firebase or GCM (or ACM) etc


  • Sandboxed GooglePlay services can be used, if needed.

    I don’t see how that would prevent this at all.

    What is being discussed here is governments compromising the push notification service on Apple’s servers (and presumably Google’s as well)

    Sandboxing Google services on your phone does nothing to change the fact that virtually all apps that receive messages/notifications are going to be using the push notification APIs that are compromised.

    Whether or not private data is sent in those pushes and whether or not they are encrypted is up to the app developers.

    It’s common for push messages to simply be used as a triggering mechanism to tell the device to download the message securely so much of what is compromised in those cases will simply be done metadata or even just “a new message is available”

    But even so, that information could be used to link your device to data they acquired using other methods based on the timing of the push and subsequent download or “pull”

    The problem is that if you go ahead and disable push notifications/only use apps that allow you to, you are going to have abysmal battery life and an increase in data use because your phone will have to constantly ping cloud servers asking if new messages/notifications are available.




  • I am big into self-hosting and would be happy to run my own Headscale server (I have actually) but imo it’s not worth the effort.

    It can be done but it requires a lot of effort and consideration to ensure the relays and routing work for when your clients are in challenging NAT scenarios. And the user experience is not as good.

    Instead what I do is continue to use Tailscale but I use the Tailnet Lock feature to give signing authority to my own specified devices so any new devices must be signed off by one of those other devices.

    This effectively eliminates the last point of trust where you had to trust tailscale’s servers to manage authorization. The result is you don’t have to worry about trusting tailscale at all, the entire system is zero trust.

    The catch is if you lose those devices and the recovery keys you lose the ability to trust or add to your tailnet and your only real option is to delete all the devices and start fresh.

    They also have the option to send a recovery key to their servers when you enable Tailnet Lock so support can rescue you in that scenario, but I think if you are using this feature on the first place it’s because you don’t want to do that so I imagine most choose not to lol

    I linked to their blog post above because I think it explains the feature well. If you just want the docs they are here