#dev 2025-02-25

2025-02-25 UTC
grufwub, NaomiAmethyst8, [morganm], rossabaker, sebbu3, jonnybarnes, GuestZero, nemonical and Guest6_ joined the channel
#
tecaster
anyone here self-hosting on a raspberry pi? can it be set up securely enough that i don't have to worry about it compromising the rest of my devices on the home network?
Luther_Gray joined the channel
#
immibis
yes it's just a small Linux PC
#
immibis
well not a PC but acts like one for most purposes as long as you only want to run Linux software
#
GWG-
My biggest Pi issue is the SD card for OS
#
immibis
everything works the same as long as your software is compiled for ARM
nemonical joined the channel
#
sebbu
GWG-, i have been using sdcard to store apps for over a decade. the A1 / A2 spec on cards matters
#
SylvatiCodes
i would like to know at least a summary good answer to immibis' question. I am faced with either cloudflare tunnels (great in all aspects except for 100% privacy :shrug:), setting up nginx reverse proxy on self host server (which means opening 80/443?), or (if feasible) small vps with nginx reverse proxy to either self host server or all on a vps (the latter bearing a price tag)
#
immibis
people are afraid of opening ports on their routers even though this doesn't actually weaken security. Security is weakened if something weak is running on that port, not because of the port itself. Blocking all the ports by default is merely a defense-in-depth measure in case you have a server running accidentally.
#
immibis
server software like ssh and nginx is secure enough for all but the most paranoid people. Most webservers on the internet are running them.
#
SylvatiCodes
any veteran thoughts on self hosting greatly appreciated. it just seems so blasé for e.g. 'awesome open source' and others to suggest opening any ports you don't have to on your personal routers
#
immibis
SylvatiCodes: you need an open port to provide a service. Opening the port is just a formality to make sure you really meant to provide the service and you're not doing it by accident because something you thought was only open to the local network was open to the whole Internet by mistake.
#
SylvatiCodes
immibis i get that, totally... but it's your home router and that just makes me think what if it does get exploited and once a hacker gets in they can pivot wherever they like (of course they'd need password or other exploits available)
#
immibis
SylvatiCodes: is your web server exploitable? Don't use an exploitable web server.
#
immibis
Sandboxing it isn't a terrible idea UNLESS you go so far that it stops you being able to run it in the first place ...
#
immibis
if someone finds an exploit in nginx they're not going after YOU first... and that very rarely happens... has it ever happened? Even Heartbleed was read-only access.
#
immibis
(read-only access to any data going through the server, so maybe they could grab your admin password if you had an admin login to the same server)
#
SylvatiCodes
apart from constantly updating the nginx package, and understanding my threat model is probably the same as most people (i.e. more than non tech people think theirs is), what do you suggest if anything?
#
immibis
I suggest just running the damn server
#
SylvatiCodes
hahahaha
#
SylvatiCodes
are you a haxor
#
Loqi
rofl
#
SylvatiCodes
jk
#
immibis
it's nowhere near as scary as cloudflare wants you to think
#
SylvatiCodes
brb
#
immibis
are you also doing something super secure that you have to be paranoid about? then just run the damn server on a VPS separate from the secure stuff.
#
GWG-
sebbu: I just opted to switch to miniPCs... so I could get more robust storage
#
sebbu
like sshfs from a NAS with RAID6 ? :D
#
immibis
also a good option
#
immibis
the mini PC, that is. not so much sshfs.
Luther_Gray joined the channel
#
immibis
raspberry pi's do have the SD card reliability problem. I know some people choose to boot from NVMe or USB stick instead.
#
jeremycherfas
I'm in the middle of redesigning my site, and after coding up a sidebar and larger footer (which contains some of the things that were all in the sidebar before) decided I really don't like it. So now I'm going to try getting rid of the sidebar entirely and see how I like that. I've a feeling it will make my life a lot simpler.
#
SylvatiCodes
i'm sure you can now boot from usb ssd on rpi now, at least with all the main linux distros
#
SylvatiCodes
sidebars are a pita
#
jeremycherfas
Then I'll be able to bug FrESH tonight about light:dark mode :)
#
jeremycherfas
Why do you say that SylvatiCodes ?
#
immibis
a pita to design or to implement?
#
SylvatiCodes
pita to change after implementation... at least it is if you have to work with a couple of devs who think lines of code == good
#
jeremycherfas
To change content? Or to change implementation?
#
SylvatiCodes
i guess if solo then it is easier... i feel i have ptsd from my current job haha
#
SylvatiCodes
change how it is implemented on the page/s... but in your case it will be easier because it's a solo project... don't listen to me, i haven't had the correct caffeine dosage today
#
jeremycherfas
Fair enough. I'm definitely only an amateur dabbler with only myself to please, really.
#
SylvatiCodes
immibis i guess the thing is stuff that needs passwords to go over the wire e.g. nextcloud, irc relay and so on. I'd say i'm over cautious in comparison to the next person... but because I know I know very little, i prefer that stance if that makes sense
#
SylvatiCodes
bear in mind i use different passwords for everything so i guess that point is 99% moot
#
immibis
I have quassel open to the world with just TLS and password protecting it (i.e. the default and the same as 99% of websites) and haven't noticed a problem yet
#
jeremycherfas
I've just discovered that I like writing html and CSS in BBedit because it is so easy to preview
#
immibis
SylvatiCodes: almost all exploits happen in the application itself, not in an nginx reverse proxy. If you are running a web application you don't trust to be free of exploits you can protect it behind a password or mutual TLS, implemented in nginx, so that people who aren't you can't even get to the application.
#
SylvatiCodes
thank you for this, immibis... i guess i needed to 'hear' it in conversation
#
immibis
if you're hosting static files there's basically no risk from that (and nginx can serve them directly because it has that feature)
#
SylvatiCodes
so e.g. nextcloud self hosted behind nginx rp or pm is secure essentially because it is the nginx that has to be exploited before the nextcloud can be, unless you have weak passwords on nextcloud?
#
immibis
if nginx locks nextcloud behind a password then you can't send any request to nextcloud without using that password (I don't actually know how nextcloud works btw)
thegreekgeek joined the channel
#
[Joe_Crawford]
[jeremycherfas] yes! FrESH is best when folks have a specific itch to scratch!
#
jeremycherfas
Hoping to be there!
CRISPR joined the channel
#
jeremycherfas
Actually, I probably won't be ready to ask a focused question, but I'
#
jeremycherfas
ll still be there.
[KevinMarks] joined the channel
#
carrvo
Teca, immibis, SylvatiCodes we have a page for that! And edits are welcome.
#
carrvo
What is home server?
#
Loqi
A home server is a machine you keep at home to host some of your services https://indieweb.org/home_server
#
carrvo
What is self-hosting?
#
Loqi
self hosting is the practice of running the software for your personal website on hardware under your own physical control, typically on a home server, or sometimes refers to only the aspect of running web applications on a (possibly virtual or shared) server under your control but not necessarily in your home https://indieweb.org/self_hosting
#
carrvo
My experience (as someone with a home server) has been favourable so far with a couple of caveats.
#
carrvo
2 security notes: make sure to configure the webserver and its apps/content securely; and your router IP is an identifier that you are exposing (if you don't put something like CloudFlare in front). Though this identifier can be exposed with everyday browsing!
bterry, barnaby, [dave] and nemonical joined the channel
#
[tantek]
[jeremycherfas]++ one of us! BBEdit++
#
Loqi
BBEdit has 2 karma over the last year
#
Loqi
[jeremycherfas] has 4 karma in this channel over the last year (13 in all channels)
thegreekgeek_, thegreekgeek, [lazcorp] and [mattl] joined the channel
#
[mattl]
I do love BBEdit for some things. Maybe it's me getting used to writing text on a Mac still but I find I tend to have BBEdit AND Nova AND TextMate open... vs. just having GNU Emacs open as I did before.
#
[lazcorp]
Changed my "View in context at..." links in my blockquotes (which are created by javascript from the cite attribute on each blockquote element) on my latest link-dump blogpost to use text fragment links so that the quoted text is highlighted
#
Loqi
[preview] [The Artist’s Notebook] Monthly Link Dump: February 2025
#
[lazcorp]
There's a couple of issues - one link to a Substack post redirects the page to the URL without the text fragment - I guess Substack don't want to be linked to with text fragments
#
[lazcorp]
The other issue is that one highlighted section is truncated (by the end of an <a href> in the middle of the quoted section) - for that one I'll probably need to check the docs
sebbu2 and geoffo_ joined the channel
#
sebbu2
https://csrc.nist.gov/pubs/ir/8475/final I'm sure this will interest a lot of people, but it's probably technical, so I'm posting this here
#
[tantek]
I wouldn't say, "a lot of people" at least not here
#
[tantek]
what is web3
#
Loqi
Web 3.0 (AKA #web3) is a phrase used to pitch visionary sequels to the popularity of "Web 2.0" to advocate for particular plumbing solutions looking for problems, starting with the "Semantic Web" in the late 2000s, decentralization in the 2010s, and now mostly blockchains & cryptocurrencies; the IndieWeb instead focuses directly on user-centric goals, with technologies only as a means https://indieweb.org/web3
#
[tantek]
^ and this is why
#
sebbu
well, it does talk about the decentralization part
#
sebbu
it's NIST, they haven't yet been affected by the blockchain/cryptocurrency scam and term hijacking
#
sebbu
(web3 meant semantic web / decentralization before blockchain came out)
#
[tantek]
The upfront framing around "web3" will mean folks in general (at least here) will likely ignore it. If you find value in it, I suggest extracting said value and blogging about it in terms of user-needs being addressed, without any reference to web3 or crypto/blockchain etc.