

No, I mean that the article appears to be AI slop. The “This was not X but Y” pattern is super common, and super annoying due to it’s lack of brevity.


No, I mean that the article appears to be AI slop. The “This was not X but Y” pattern is super common, and super annoying due to it’s lack of brevity.


This was not a simple configuration change but a manual, labor-intensive purge.
AI slop pattern.
Also the article appears to be completely unsourced. Here are what I believe to be the main sources:


You can use local certs with nginx proxy manager as well. You can upload certs via the web ui.
Rather than local certs though, I would recommend buying a domain and using it locally, with https. The problem with the local cert approach outlined in the video, is that importing a root cert opens up a big security hole to MITM attacks. If an attacker gets the root certificate, they can now MITM everything else your browser is accessing. You turn the browser from one of the most secure components of a modern OS, into only as secure as the server hosting the root certificates.
The approach I would prefer, is to buy a domain, and use it locally, using DNS-01 challenges to get letsencrypt signed certificates even from within an internal network. Both Caddy and NPM have support for DNS-01 challenges.


No, they are trivial to block using techniques like deep package inspection.
In addition to that, they aren’t truly decentralized (no decentralized network really is), both rely on relay/bootstrap servers to start up the connection. So, if you block the public relay/bootstrap servers, you effectively block access to the network.
Tailscale, netbird also can traverse NAT.
Iroh (the actually pretty interesting software which the vibecoded rayfish is based on) and Yggdrassil do have their uses, but evading blocks isn’t one of them.


You want a reverse proxy. A reverse proxy reads requests to subdomains and then forwards them to ports and back.
The easiest GUI one is: https://nginxproxymanager.com/
But there is also just straight nginx, or you can use Caddy or traefik or anything else.


Yes, I do lock it down. It’s still worth securing it because “internal servers” can still get exposed and touched, even though there are less paths to them, and it’s not as punishing to slip up vs a public server. For example, One of the wireguard client devices downloads a virus, and now you have a cyberattacker with access.
Another problem is supply chain issues. If the distributor of a docker container is hacked, it’s not that bad… as long as your kernel is up to date and is protected against some of the recent vulns, that would enable someone to break out of a docker container
Blajah.zone’s lemmy instance was hacked partially becuase internal servers weren’t being held to the same security standards as the public ones:
https://pen.blahaj.zone/supakaity/weve-been-hacked
I had not patched these internal servers that nobody should have access to against this. Rebooting DB servers causes downtime, and in my hubris – I thought nobody should (nay COULD) be on my servers except me, right?
I have a comment on that post with some potential solutions, that would have cut off attack paths.
Though, I guess, it still does depend. Like if it’s just gonna you wireguarding in and no one else, then the data on your devices is probably worth more than the data on the server, so no, it wouldn’t be worth spending too much effort to secure less valuable data.
But if you are handing out internal access to people, including to some relative who keeps falling for scammers, then yeah, I’d take some time to harden the systems.


https://programming.dev/comment/24515044
Same problem is present here. Uses JWT’s for auth.
Edit:
Using jwt’s for auth isn’t bad, it’s good and quite common The problem is when they are used in place of actual bearer/cookie/session auth methods. As I understand it at least, a jwt token with a lifespan greater than 5 minutes is a red flag.


I don’t use a UI.
I don’t use flux’s kustomize (there is also kustomize by kubernetes.
I use flux for installing helm charts, mostly.
Repo: https://github.com/moonpiedumplings/flux-config
It’s not up right now though. I am currently revamping it, which will also involve reorganizing the repo. I really dislike that I didn’t use (flux’s) kustomize, which is one of the things I would like to fix.
I’m on my phone rn, if I get to this post again from my computer later I will add longer/further thoughts.


i2p is based on freenet (back when it was known at freenet).
I don’t think it supports storage though, just routing.


It’s tough. The problem is that, on the tech side, technically, torrents don’t have to seed. People have made fake torrent clients that only pretend to seed, but actually only download. The IP’s are detected and then banned, but it’s a cat and mouse game.
Enforcing it with backups is a similar struggle. There exist paid solutions, that use crypto to pay for decentralized storage. You “rent” out some of your storage, or by some using crypto. Filecoin, sia, storj, and so on.
But these have flaws too. Often, there level of decentralization is questionable, and the maker of the crypto takes a cut, plus there are issues with using a custom crypto coin as well. The coin’s value can fluctuate — there are challenges with it simultaneously be an investment, AND a currency, but that’s what often happens.
A better solution, is just to trade hard drives with your friends, who you know in person. Or maybe trust online, at least. Just give them an encrypted backup. And then they give you an encrypted backup.
In my opinion “encrypted, decentralized backups”, is the kind of problem that is extremely difficult to solve technically, but is trivially solved via touching grass. I don’t really like the technical solutions people have presented to this problem, and a local community is a much simpler way to solve these challenges.


Second comment, but if you need/want Caddy we can help that too. It looks like the documentation link in the github page you linked is dead, and the correct one is: https://caddyserver.com/docs/json/apps/tls/automation/policies/issuers/acme/
I found that from this page: https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148


Setup legit Let’s Encrypt as wildcard locally to test services at *example.domain.com, then put them into production on mainsite wildcard *.domain.com on VPS or similar.
Just to be clear, why wouldn’t simply provisioning a certificate for each subdomain under the wildcard work?
Like, if you have a test site test.example.domain.com, you could have nginx (using acme) create a certificate for that. And then when you move to test.domain.com, nginx would do the same thing.
Now, technically letsencrypt does have a rate limit, but it’s a fairly generous rate limit:
Up to 50 certificates can be issued per registered domain (or IPv4 address, or IPv6 /64 range) every 7 days. This is a global limit, and all new order requests, regardless of which account submits them, count towards this limit. The ability to issue new certificates for the same registered domain refills at a rate of 1 certificate every 202 minutes.
I would do my testing this way, and I didn’t hit any limits, although I was careful to keep certificates and reuse them, and to not spam.
If you need more domains with SSL than that rate limit would provide, then it would make sense to investigate Caddy with porkbun, since DNS-01 challenges are the only way to get wildcard certificates, which apply to a whole wildcard.


One downside is that the cached file is not independently archived so it could be tampered with. Thanks for the idea.
You could have multiple researchers archive it and store copies independently. Then tampering would show up accross copies.
Unfortunately, central hosting doesn’t guarantee that it is tamper free. The host could be hacked, or could be malicious. Archive.is was caught tampering with their archived pages:
https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidance


Check out Zotero: https://www.zotero.org/
Zotero is an open source bibliography manager. It’s my main go to tool for generating works cited pages, like during essays.
But, it also has a browser extension, which can download, and archive sites or academic articles you are adding to the sources. I would then use the fulltext search that zotero provides for easy searching of sources.
Unfortunately, it’s not hosted, which would make it difficult to share.
EDIT: It does look like the server component is open source, AGPLv3: https://github.com/zotero/dataserver/
But, I cannot find any deployment instructions. But, it looks like their hosted version lets users create groups of shared items, including sharing archived snapshots of the various items.


Calling an enterprise-grade platform
Except you use JWT’s for auth, which is idiotic and a security nightmare. No enterprise that cares about security would ever accept this.
More info: https://gist.github.com/samsch/0d1f3d3b4745d778f78b230cf6061452
There are other problems, some of which I can see… and some of which I can’t. The problem is that I am not a comprehensive expert, I can only spot a few things here and there. Even if I was an expert, why would I audit your software for free lmao? Pay me for that shit.
What I do know, is that vibecoded apps are bad at security. Many, many vibecoded apps have been hit by horrific security bugs like remote code execution, xss, or authentication bypasses. That shit is simply unacceptable and should be extremely rare in modern apps. The fact that I’m not skilled enough to find them reliably makes me even more cautious and concerned around apps like yours.
It’s not just about the app architecture, but also about you. When a known community figure creates an app, I have confidence that they will have a good security posture and architecture. With vibecoding… not so much.
If you have an actual architectural critique
Nice bait, but the problem is this: Just because you get people to audit “critique” your software, doesn’t fix the root cause of those problems — you. Just because you manage to re-vibecode the app to not use JWT’s or to fix any other number of issues someone would point out, doesn’t actually mean more issues exist that that person missed. Like if someone specialized in python, then they might miss database issues, and so on. The second problem is that inevitably, you will expand this software, adding more features… and vulnerabilities. That is to say, even if you manage to fix the architecture and security now, you have not demonstrated the requisite skill needed in order to keep it fixed.


What if the new account user, who is working on a product that integrates with what the vast majority of selfhosters run, just found Lemmy?
This happens on Reddit, and basically my problem is that these users often don’t have enough experience to be able to actually give solutions. Reddit is full of people who think they have a good solution, dealing with comments of people explaining that what they are struggling with is actually a solved problem (or a skill issue). No one cares about your vibecoded slop that implements 1% of the features of an existing open source solution (they used to not be vibecoded but we still didn’t care). It being paid and proprietary is just even more annoying.
My idea of requirement to engage with the community is also about being able to ensure that the users are technically competent. If they are experienced, it will show up in the discussions we can see and review. For their benefit, if they lurk, then they can take a look at what is being used, and what problems actually exist, instead of making assumptions.
If they really believe their product is so good, they can spend a few weeks helping people with Linux questions and sharing their (non product related) insightful thoughts on Lemmy so I don’t dismiss them instantly when they finally advertise it.


It is possible to detect and moderate them, as long as your mods haven’t been disappeared and replaced by people who’s job is to accept bribes. And also when we can actually see people’s history, since reddit now has an option to hide your history from others because of course.
My usual method is to focus on content, rather than writing style. The AI bots can write a lot, or be brief, or whatever, but they don’t actually contribute to the discussion. They just kinda paraphrase and restate what has been said, or when trying to sell a product they disagree and go “Are you sure this isn’t an problem?” to everybody in the thread telling them that it’s actually a skill issue.
Sometimes they’ll be a little better, but it’s often surface level stuff that can be found at the top of a google search of keywords.
This also makes it possible to tell the difference between ESL speakers who are using AI to clean up their writing style, and true bots. Since the ESL speakers will actually have something to say, but bots won’t.
And then: https://xkcd.com/810/


Unraid is an example, that I consider fairly reasonable. Sure, it is a subscription.
But all of the services are docker containers. What unraid brings to the table is a nice management UI, and the ability to mix and match drive of different sizes in a single raid pool. It makes having a fairly resilient self hosting setup easier than trying to do all of this stuff from scratch.
Nice features sure, that many people find worth paying for, even if I don’t. But they are just nice to haves. If the company ever dies, it’s absolutely possible to export the data and move to say, portainer, or docker via the cli, or podman, or anything that can run containers.


On reddit, there is a community called r/progressionfantasy, which is about a specific type of fantasy fiction. They have a rule that self promotional posts (for paid books) must be preceeded by 10 comments, and actual engagement with the community.
This is a reasonable compromise, in my opinion. Known community member who has been answering questions and contributiting to discussions?
I would be okay if they dropped a paid product of good quality and with a reasonable business model (please no vibecoded slop).
But drive by ProductNameAccount users who have never posted on lemmy before a bunch of self promotional posts? Yeah ban that shit.
It looks like criticisms similar to mine were offered in the comments of the youtube video you linked at first, and now the youtuber has released a second video, a correction. In this video he uses nginx proxy manager and DNS-01 challenges:
https://www.youtube.com/watch?v=XEltHEZU6aE
Big respect for doing that.