There are many ways, a popular choice would be managing your own recursive DNS resolver and then blocking the endpoint it contacts.

PiHole - Non recursive but offers blocking capabilities, can make it recursive with Unbound.

Technitium - Recursive but not nearly as user friendly as PiHole, also lacks the fancy Ui.

With regards to the backup key, Yubikey recommends to save (screenshot) the QR code that is generated during 2FA setup to setup the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key

Just looking back at my purchase history, I got my Yubikey’s back in January 2020, it appears that I never read this doc about scanning the QR code for the backup key, or maybe I did? I don’t really remember it all too well. Regardless In certain circumstances my keys do the exact same thing and I’m quite sure I followed some guide to create one primary and one secondary key but it’s possible that guide has gone outdated.

Similar to something like Keepass, the database is local and you are in charge of making backups and such.

I can totally respect the folks who opted to self host, I’m horrible when it comes to backing up data and such and self hosting wasn’t really my thing back in 2020 so it never really was on my radar.

In the end this comes always down to an optimization problem between security and convenience that everyone has to decided for themself.

Couldn’t agree with you more, everybody has that dial between convenience and security and should adjust accordingly.

Doesn’t cover Traefik, plus the docker-compose.yml contains 4 separate images and researching into them didn’t provide much info. snicket_proxy, snikket_certs, snikket_portal and snikket_server. All four of these images bind to the host but if I am supplying my own reverse proxy then both snikket_proxy and snikket_certs are redundant right? Or do they serve another purpose? And if I wanted to take them off the host network, follow their firewall guide and expose the necessary ports manually behind a docker bridge network what images do I bind those ports to? When I tried binding them all to snikket_server that’s when my docker service crashed and I gave up.

Snikket locked my docker service up, their documentation sucks for when you want to use your own reverse proxy or bind it behind a docker network and not the host.

Can you explain a little more how you handle them in your daily life? I always liked the idea if Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience.

I have two Yubikey 5 NFC’s, one I keep majority of my 2Fa auth codes on and keep on my keychain the other I leave at home mainly for backup 2Fa setups or desktop/WebAUTH/Single Sign-On logins, most websites won’t let you setup 2 2Fa keys so the second one mostly handles the plug-in and touch key portion of my setup.

Are they inconvenient? Yes, the amount of times where I got annoyed because I’ve had to grab my keychain to sign in has gotten annoying but not enough to switch back to online providers. I prioritized security over convenience in this circumstance. The Yubikey that I keep on my keychain also handles my work 2Fa codes, doesn’t feel necessary to have a dedicated key for that unless my company is willing to pay for it.

Do you just have it on your keychain a plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn’t really make sense.

It actually works out quite nice having it plugged in all the time, especially if you’re doing multiple 2Fa authentications, the keys won’t authenticate until you enter the password of the key (if you set one up) and touch the key, so even if your computer is compromised they still need to physically touch the key to generate the authentication codes.

As far as I know you can’t just clone a key.

So no you cannot clone a Yubikey to another Yubikey, which I think is dumb, but they have their security reasoning behind it I believe. Like I mentioned earlier all my 2Fa codes/keys are on my keychain so if I break that key I am in a horrible position as I lose access to a lot of accounts that I couldn’t setup multiple 2Fa’s for.

How easy is it to setup a backup key?

While Yubico does recommend having two keys as I mentioned certain services only let you setup 2Fa once and not multiple times. However, Linux (and I want to assume Windows as well) let you setup as many 2Fa keys as you want, so both the Yubikey on my keychain and the one I leave at home both grant Root access to my desktop and server.

I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys?

So I don’t have a USB C Yubikey ironically both my iPhone and iPad are USB C so I have the option to use a dongle or NFC, both have worked great, I have had a couple scares where the app will error and say “No response from key” but it seems that error is due to bad contact/connection. I’ve attached a few images of the iOS app to help get an idea of the layout.

Yubikey for 2Fa codes also works well for sudo and su (2Fa) or if you still use Windows I think it supports single sign on there. Absolutely worth the purchase have had my keys for years.

If you can make your own like I did I would highly recommend it.

Honestly I could, metal fabrication comes in handy, get it shop issued and laser or water cut send it through the machinists, I would have to supply the material myself which would be difficult but certainly doable.

I’ll have to consider this! By chance do you have drawings or dimensions of your rack as a starting point, looks like you’re using Aluminum HSS for the frame? Completely understandable if you rather not share the details,

How else are they going to train their AI to make stupid images of yourself?

Who needs padding on the stock when you got steel wire!

Was eyeing a 52Pi rack for a good little while this post inspired me to get one, but then I saw the shipping cost.

PIA is an American owned company obligated to comply with the Five Eyes Alliance, they’re legally obligated to retain your personal information unless noted otherwise.

Source their privacy policy, which FYi compare their Privacy Policy to another company like Mullvad and notice how theirs reads like a novel compared to Mullvads, that’s an immediate red flag.

So glad I ditched discord the second they considered going public, converting people to Matrix sucks because Element is terrible for group calls, [Edit] tried setting up a Snikket server via Docker compose yesterday but their documentation sucks for manual setups, I don’t need them handling reverse proxying for me and rather they didn’t bind to the host network and instead bind to a docker network eventually my tweaks broke docker itself and I had to restart the service.

Because of SSID location mapping

People really out there mapping SSID’s? I fail to understand how that data is at all valuable, changing an SSID takes seconds and a gram of brain power.

What does this mean for Apple then? Will someone open a case against Apple arguing unlawful practices? Man I hope so.

Apparently the folks from the rreading-glasses repo accuse Chaptarr of being vibe coded, can find it directly in their README.

For the unaware rreading-glasses is a rebuilt metadata server for Readarr, also happens to be endorsed by Readarr/Servarr, just switch it out and you’re good to go. However, Readarr won’t receive anymore feature updates or bug fixes it seems.

It’s comic strip, not a meme.

Everyone here is telling you to ditch Arch for Debian and I absolutely agree with them however, if you’re so hell bent on having an Arch server than install Proxmox VE to the host and run both Debian and Arch, build your server up and get it working in Debian first then try to replicate it with Arch, compare the differences.

If you’re already familiar with BASH then making the switch from Arch to Debian won’t be a hassle, just got to learn the Apt package manager.

This gave me a chuckle, my server is about 4’ away from my cabinet and not nearly as flashy, pretty sure the thief is prioritizing in that situation.

Think about it let like this,

When you open a port on your router you’re allowing inbound connections from the internet to that port via your WAN IP, with a VPN however, that typically does not work since you’re forcing all your traffic through a specific data centre with its own firewall. Most well developed VPN providers will offer Port Forwarding as a feature which usually opens a random port for people to make those inbound connections, you instruct your download client to use the port your VPN provider gives you so that people can leech from you without exposing your WAN IP.

Hope that makes it easier to understand.

I’m a bit confused on this comment here:

Additionally, I’d prefer not to not do something like: Computer -> Home VPN -> Mullvad server -> destination, as my upload speed is pretty bad and this would throttle every non-local connection

Because you also mention this:

Computer -> Mullvad server -> Home VPN -> Home server

Which would be the same thing, no? You’re just making a connection to the Mullvad server first then your home network?

I’ll share my experience but it looks like it’s not the solution you’re looking for, I opted to use my Asus WRT Router w/ Merlin Firmware to host my VPN server, the Merlin Firmware lets me connect to 5 different VPN clients at a time, in my case 4 different Proton clients and a buddies server, I use the “VPN Director” feature to route my VPN Server through one of the 5 different clients effectively creating the multi-hop.

I personally haven’t noticed much degradation in regard to connection speeds but at the same time I don’t constantly hop VPN clients or have the same internet speeds as you, I typically stick with the server closest to me.

Edit: To help visualize what i mean: