Google is what happens when good marketing meets OSS, so careful what you wish for.
- 0 Posts
- 423 Comments
What you’re saying is true, however VPNs connect both hosts and subnets. If you have a VPN server on your subnet, you can easily allow any client that connects to it to have access to your LAN.
VPNs are simply networking over encrypted tunnels. What you do with that tunnel is up to you.
non_burglar@lemmy.worldto Linux@lemmy.ml•"detect-fash" Feature Developed (and Rejected) for Systemd2·16 hours agoIt was a general statement, I was using “work” as a Lithmus test of “playing the video in public”.
non_burglar@lemmy.worldto Linux@lemmy.ml•My new public samba share asks for authentication [RESOLVED]1·16 hours agoGlad I was able to help, because samba has a lot of knobs and switches.
When I was first learning samba in 2003, I got overwhelmed pretty fast until my colleague told me the best way to handle samba is to start with a working and simple global directive, then one simple share, and layer security on top of that.
non_burglar@lemmy.world to Linux@lemmy.ml • My new public samba share asks for authentication [RESOLVED] • 3 • 16 hours ago
I agree.
I’m getting bored with the AI influence on everything. And now this poor person has been led down the garden path with that silly article.
non_burglar@lemmy.world to Linux@lemmy.ml • My new public samba share asks for authentication [RESOLVED] • 6 • 23 hours ago
You are being prompted because the nobody/nogroup user/group has no password, no shell, and no permissions.
That tutorial is wrong. Couple of problems immediately:
- “valid users” specifies “all the users in this group are allowed access”. It is incompatible with “force user/group” directive
- you should be using the “guest user=” directive, which sets the identity of any public access. Your permissions should match this user.
- nobody/nogroup are a special user and group that (usually) have no access to any file. They exist for processes to run with minimal privileges, or for a fallback default if the UID/GID map is invalid. Using this user/group combo for this samba share implies that you will either alter them so that they now DO have privileges to access files, or that you intend samba to never access any files. Create a guest user, set permissions and umask in the directory.
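An added example, not the thread's config and not the tutorial the poster followed: a guest-only Samba share backed by a dedicated low-privilege account, next to a tutorial-style share that prompts for a password, plus a small linter that reads an smb.conf and points at the settings behind the prompt. In smb.conf the identity used for anonymous access is set with `guest account`, and `map to guest = Bad User` is what turns an unknown login into that guest. The share name, path, user name and the sample configs are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Guest access runs as a dedicated
# account that owns the share directory, instead of nobody/nogroup.
set -eu

SHARE_NAME="public"
SHARE_PATH="/srv/samba/public"
GUEST_USER="smbguest"   # assumed dedicated account for anonymous access

# Tutorial-style share, reconstructed for contrast: "valid users" limits the
# share to listed accounts, so an anonymous client is refused and asked for
# credentials, and nobody can't touch the files anyway.
render_prompting_share() {
  cat <<EOF
[$SHARE_NAME]
   path = $SHARE_PATH
   valid users = @users
   force user = nobody
   force group = nogroup
   read only = no
EOF
}

# Corrected: no user list, unknown logins become the guest account, and every
# filesystem access is done as that account.
render_guest_share() {
  cat <<EOF
[global]
   map to guest = Bad User
   guest account = $GUEST_USER

[$SHARE_NAME]
   path = $SHARE_PATH
   guest ok = yes
   guest only = yes
   force user = $GUEST_USER
   read only = no
   create mask = 0664
   directory mask = 0775
EOF
}

# Reads an smb.conf on stdin, prints one line per setting that makes a public
# share prompt for credentials or fail on file access; exit 1 if any were found.
lint_public_share() {
  awk -F= '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    NF >= 2 && sec != "" {
      key = tolower(trim($1)); val = trim(substr($0, index($0, "=") + 1))
      if (sec == "global") { g[key] = val }
      else { s[sec, key] = val; if (!(sec in shares)) { shares[sec] = 1; order[++n] = sec } }
    }
    END {
      mtg = tolower(g["map to guest"])
      if (mtg == "" || mtg == "never") { print "global: map to guest unset (default Never): anonymous logins are refused"; bad = 1 }
      if (g["guest account"] == "" || g["guest account"] == "nobody") { print "global: guest account is nobody (default): give guests a dedicated low-privilege user"; bad = 1 }
      for (i = 1; i <= n; i++) {
        sh = order[i]
        if (tolower(s[sh, "guest ok"]) != "yes") { print sh ": guest ok is not yes: clients get a password prompt"; bad = 1 }
        if ((sh, "valid users") in s) { print sh ": valid users restricts the share to listed accounts: drop it for a public share"; bad = 1 }
        if (s[sh, "force user"] == "nobody") { print sh ": force user = nobody: file access runs with no privileges"; bad = 1 }
      }
      exit bad
    }'
}

if [ "${1:-}" = "apply" ]; then
  # On the server, as root: guest user with no shell and no password owns the tree.
  id "$GUEST_USER" >/dev/null 2>&1 || useradd --system --user-group --shell /usr/sbin/nologin --no-create-home "$GUEST_USER"
  install -d -o "$GUEST_USER" -g "$GUEST_USER" -m 0775 "$SHARE_PATH"
  render_guest_share > /etc/samba/smb.conf
  testparm -s >/dev/null            # syntax check before reloading
  smbcontrol smbd reload-config     # or: systemctl reload smbd
else
  echo '# tutorial-style share:'; render_prompting_share | lint_public_share || true
  echo '# corrected share:'; render_guest_share | lint_public_share && echo '# no findings'
fi
```

Run without arguments to see the findings for both configs; `apply` as root writes the corrected config over /etc/samba/smb.conf, so merge it by hand if that file already has other shares.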
You only need one VPN peering point inside your network. You do not need WG on other internal devices, just routing between intermediary subnet and LAN.
Am I misunderstanding your scenario?
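The "one peering point" layout from the two VPN comments above (a VPN server on the subnet giving clients the whole LAN, with no WireGuard on the other internal devices), as an added example that is not part of the original thread: one WireGuard host on the LAN forwards between the tunnel subnet and the LAN, the client carries a split-tunnel route for the LAN, and two checks catch the usual two mistakes. The LAN and tunnel addresses, interface name, endpoint hostname and key placeholders are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. All addresses, the endpoint and the
# key placeholders are made up for illustration.
set -eu

LAN_CIDR="192.168.10.0/24"   # assumed home LAN
WG_CIDR="10.8.0.0/24"        # assumed tunnel ("intermediary") subnet
WG_SERVER_IP="10.8.0.1"
WG_CLIENT_IP="10.8.0.2"
LAN_IF="eth0"                # assumed LAN-facing interface on the VPN host

# Server side: forward between tunnel and LAN. LAN hosts must route 10.8.0.0/24
# back via this box; the masquerade avoids touching the LAN router (drop it if
# you add that static route on the router instead).
render_server_conf() {  # $1 = server private key, $2 = client public key
  cat <<EOF
[Interface]
Address = ${WG_SERVER_IP}/24
ListenPort = 51820
PrivateKey = $1
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -t nat -A POSTROUTING -s ${WG_CIDR} -o ${LAN_IF} -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s ${WG_CIDR} -o ${LAN_IF} -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = ${WG_CLIENT_IP}/32
EOF
}

# Client side: split tunnel, only the tunnel subnet and the LAN go through wg0.
render_client_conf() {  # $1 = client private key, $2 = server public key, $3 = host:port
  cat <<EOF
[Interface]
Address = ${WG_CLIENT_IP}/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3
AllowedIPs = ${WG_CIDR}, ${LAN_CIDR}
PersistentKeepalive = 25
EOF
}

# Config on stdin; succeeds when some AllowedIPs entry equals $1 (a CIDR).
allowed_ips_include() {
  grep -i '^AllowedIPs' | tr ',' '\n' | sed 's/.*=//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF "$1"
}

# Server config on stdin; fails if a peer's AllowedIPs names anything outside the
# tunnel subnet. Listing the LAN there makes the server route LAN traffic to the
# client instead of out ${LAN_IF}.
server_peer_scope_ok() {
  wg_prefix=$(printf '%s' "$WG_CIDR" | cut -d. -f1-3)   # "10.8.0", fine for a /24
  grep -i '^AllowedIPs' | tr ',' '\n' | sed 's/.*=//; s/[[:space:]]//g' \
    | { bad=0; while read -r ip; do case "$ip" in "$wg_prefix".*) ;; *) bad=1 ;; esac; done; [ "$bad" -eq 0 ]; }
}

if [ "${1:-}" = "apply" ]; then
  # On the VPN host, as root: generate both key pairs and bring wg0 up.
  umask 077
  SERVER_PRIV=$(wg genkey); SERVER_PUB=$(printf '%s' "$SERVER_PRIV" | wg pubkey)
  CLIENT_PRIV=$(wg genkey); CLIENT_PUB=$(printf '%s' "$CLIENT_PRIV" | wg pubkey)
  render_server_conf "$SERVER_PRIV" "$CLIENT_PUB" > /etc/wireguard/wg0.conf
  render_client_conf "$CLIENT_PRIV" "$SERVER_PUB" "vpn.example.net:51820" > ./client.conf
  systemctl enable --now wg-quick@wg0
  echo "client.conf written; move it to the client and delete it here"
else
  render_server_conf "SERVER_PRIVATE_KEY" "CLIENT_PUBLIC_KEY"
  echo
  render_client_conf "CLIENT_PRIVATE_KEY" "SERVER_PUBLIC_KEY" "vpn.example.net:51820"
fi
```

Without arguments it prints both configs with placeholder keys for review; the two check functions are what to run over a config someone else wrote before blaming routing.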
non_burglar@lemmy.worldto Linux@lemmy.ml•"detect-fash" Feature Developed (and Rejected) for Systemd171·1 day agoIf a yt channel is unpredictable enough that you can’t turn it on at work where folks can hear it, it’s crossed beyond “rant” and into “inappropriate” territory. I would personally question what I’m getting from this guy, but I’m not here to make your choices for you.
Well the portemanteau suggests it’s WINdows on inTEL, so that makes sense.
- I’d add a WireGuard VPN configuration file and make both accessible outside the LAN but only on my devices
I don’t understand this part. Wouldn’t this device be on your home network already, or am I misunderstanding your meaning?
I can run app based routing and blocking on my router, but whether that would restrict DNS for those services I don’t know.
That’s the double-edged sword of DNS over https. It allows us to hide our DNS queries from local ISP and others, but it also allows applications to hide theirs also. It just looks like encrypted web traffic to your router.
Not sure what you mean by “network based dns”.
Hard-coded DNS is in the application, you cannot change this from any DHCP option. Browsers do it, lots of versions of Prime Video apps do it. Google Nest and Home devices are famous for this.
You can write a NAT rewrite rule at your router to catch any UDP or TCP request on port 53 and send it to your ad-blocking DNS server/forwarder, but you won’t be able to stop DoH (DNS over https), which just leaves the subnet encrypted on 443.
Yeah. Real DNS zones that transfer are a thing of beauty.
non_burglar@lemmy.world to Linux@lemmy.ml • Canonical releases Ubuntu 25.10 Questing Quokka | Canonical • 1 • 5 days ago
Thanks for the context. I did read the articles on this, but you’ve summed up the positives well.
Unfortunately, these articles also point out that putting uutils into the wild of 25.10 will doubtless reveal some hitherto unknown breakages and rough patches.
Which I agree with. No one is forcing anyone to use 25.10, but there is no better way to smoke test sw than pushing it to prod.
I’m a Debian user, so I have the luxury of waiting to see the outcome of these efforts for now.
non_burglar@lemmy.world to Selfhosted@lemmy.world • I am attempting to get into Selfhosting after a shockingly frightening experience, but I am very lost. (English) • 2 • 5 days ago
What’s the advantage of radicale over NC?
Functionally, they work the same. I got kinda tired of fixing NC every other upgrade, though. It was always some “occ add missing indices” or some similar garbage. Like just solve this, already. Make that part of the upgrade.
non_burglar@lemmy.world to Selfhosted@lemmy.world • I am attempting to get into Selfhosting after a shockingly frightening experience, but I am very lost. (English) • 1 • 5 days ago
Certain apps do not allow one to use freeotp et al (o365).
non_burglar@lemmy.world to Selfhosted@lemmy.world • I am attempting to get into Selfhosting after a shockingly frightening experience, but I am very lost. (English) • 1 • 5 days ago
I moved my calendar to Nextcloud, then radicale. My contacts too. Gmail is just a wean away.
My problem is how I’ll be able to deal with work apps like ms authentication. Even if I set up a 2nd “normal” phone for work only, I need to sign in to the play store to get the app… It’s a chicken-and-egg problem.
non_burglar@lemmy.world to Selfhosted@lemmy.world • I am attempting to get into Selfhosting after a shockingly frightening experience, but I am very lost. (English) • 5 • 6 days ago
I’m about 90% decoupled from Google, it’s been a journey.
I’m at the difficult stage of contemplating how to decom my gmail email, and the Google account itself.
I’ll throw my hat in the ring and offer any help if you need it. Similar to others here, I suggest you start with something discrete like photos.
Well, it wouldn’t hurt anything to install fail2ban and enable the popular templates, but it sounds like you might need to explain your service layout and how it’s exposed to the web before anyone can suggest a security measure.
Generally in the self-hosted space there are two common approaches: set up a VPN into your network for your trusted devices, or set up a reverse-proxy with a trusted tunneling proxy like cloudflare.
That you are seeing “attack attempts” in your caddy logs should be elaborated as well. What exactly are you seeing?
<gestures at all the enshittified software products from the last 30 years>
In our current economic philosophy, yes.