irotsoma

03:14:07 UTC, 19 January 2038.

One of the primary requirements for my latest project moving a bunch of stuff to self hosted is that if it has a GUI that is going to be internet facing, it either has to support OIDC or it has to be something low risk enough that I feel comfortable setting it up without much security and just setting up a single basic auth login with traefik. A few apps I had trouble finding, but worked most of it out.

It’s just how HR does stuff in the US. Most applications have to go through an automated system for filtering before reaching a person, unless it’s a pretty small company. That system usually requires very specific criteria to get through. Like I remember applying for a seasonal job at Target, around the end of 2010 when I was laid of, and having to fill out a really detailed application online and take a bunch of personality tests. Turns out I scored too high on leadership and had too much professional experience to be a stock person/cashier, so I was rejected before it was sent to the store manager.

It’s not an accident or unintended consequence kind of thing either. It’s how they can have a job position “open” and have hundreds of applications, but still be understaffed and thus force workers to work what should be extra people’s jobs for no extra pay. It’s just how the mega-corp culture is in the US for the most part.

As for the software and some other very technical industries, it’s a similar cultural thing, but on top of that, most recruiters are not technically literate and so don’t know how to judge a technical person, but are made to filter applications before passing then on. My last job had a position open the entire 10 years I worked there and there were no interviews at the hiring manager or team level in all that time. It was an analyst position and I would have hired basically anyone who had the one bit of specialized knowledge if it was up to me. But I did the job of two people the whole 10 years and was never able to move up I the company because of it.

Only reason I didn’t leave sooner was that I didn’t have the funds to get a degree when I was younger and fell into a time when the crazy unsecured loans were not as much of a thing, and most companies filter out software related candidates without a degree up front, regardless of experience. Finally got a degree when I found a program that I could handle while also doing two peoples’ worth of work.

If it’s just one job post, then automating it is not going to be very useful. I don’t think OP meant that. Seemed like they want to give a general CV/resume and then feed it each job posting and get customized versions for each posting. Many HR departments have keyword filters necessary to clear before it gets to a person. Otherwise, it takes only a few minutes to customize one time and would be much better to do manually anyway.

Problem is, these days it usually takes 50-100 job applications per interview depending on industry. In the software industry (in the US anyway), that’s about average. Last job took me about 500 applications and that led to 3 third-round interviews and 2 of them gave offers. Total I probably had around 8-10 first round interviews, not including the many 5-10 minute phone calls with headhunter recruiters that contacted me based just on my resume on LinkedIn and various other sites.

It’s good to use SSL even if you don’t plan to use it externally. At some point you may change your mind, or you may need to access it via VPN and there may be one hop between your browser and the VPN that will then be in plain text. Plus, not all devices are trustworthy anymore. An Android or iPhone device might have “malware” (including from reputable companies like Google trying to track you for ad purposes but recording unsecured http traffic to do it.) Or a frienday bring a bad device over and connect to your wifi and inadvertently capture that traffic. Lots of ways for internal traffic to be spied on.

Google: “how to create self signed certificate authority on <your workstation OS>”

And if that article doesn’t have it, google: “how to create a domain certificate from a self signed certificate authority”.

It doesn’t have to be a valid external domain, just use “.internal” as the top level domain which is reserved for this kind of thing, like “vaultwarden.internal”. You can also just use IP addresses in the certificate, but I find that less desirable.

Then google: "how to add a trusted certificate authority on <all your OS’s of all internal devices>”. Depending on what web browser you use, you may need to add it there as well. Once the certificate authority is trusted by your devices and browsers, then the domain certificate created by that CA will be as well.

You can set your expiration dates to be far in the future if you want, to avoid having to create new ones often, but be sure to document how just so in 5 or 10 years or so, if it’s still that way, you’ll know how to update them.

Cloudflare DDNS updated by ddclient on my OpnSense router. Cloudflare happens to be my current domain registrar. Honestly, my IPv4 doesn’t change that often. And when I used to be on Comcast, they assigned a block of IPv6 addresses and the router dealt with that. Unfortunately, I now have Quantum Fiber who only assign a single IPv6 address, so I gave up on IPv6 for now.

The split view seems really useful. I was actually just fiddling with that on my laptop with two browser windows.

How does this compare to LibreWolf or other Firefox derived projects?

Depends on how secure the application and the security you use in front of the application such as reverse proxies, load balancers, etc. If you are exposing a web application with no SSL, no two factor with, or something in a beta state or if you can’t trust your ISP not to create man-in-the-middle attacks for advertising and collecting information to sell which also likely introduces security vulnerabilities, then that could be a problem and a VPN or similar might be a big help.

https://forgejo.org/

I have it running on a raspberry pi at home behind a reverse proxy on my router and backed up to rsync.net. But hosting it on a cheap VPS might be easier.

I host forgejo for myself.

The answer to your question of why it’s so hard to give artists your money is exactly the same as it has been for ages for all media. The few companies who survived the consolidation of the industry have done everything in their power to make sure they are the gatekeepers of content. They buy and merge or kill off any competing companies or technologies.

They weren’t successful with MP3s or with streaming because they didn’t bother to understand the technology or that the Internet was the new marketplace and thought they could just do what they had done with physical media and pay for laws that protected their interests and sue everyone, but they ultimately lost control because you can’t sue hundreds of millions of people like you can sue a few thousand stores. So they had to give the people what they wanted for a while so they could have time to buy up all of the companies.

But they’ve now done that and paid enough to get the laws and precedents on interpreting those laws that they wanted, so courts are becoming better at enforcing those laws more quickly. So they can pressure new tech that pushes the limits on interpreting the laws to not last long enough to get people hooked. And now that they’ve reconsolidated most of the market and technologies as capitalism tends to do if you’re patient enough and there’s no possibility of monopoly regulation or market disruption, we’re stuck with pirate or use the garbage they feed to us and most artists are back to having to sign their art away and sleep with executives to get the marketing and distribution from the gatekeepers just to get a chance at success. The rest have to rely on word of mouth and self distribution which even online can be expensive without the advantages of centralized hosting providers, merchant accounts, and bandwidth.

Docker automatically upgrades if you tell it to by specifying “latest” or not specifying a version number. But it only upgrades if you issue the pull command or the compose up command. There are ways to start without a pull like using start or restart. So yes, there was warning and something you did actively told it to upgrade.

And it’s really bad practice to update any software without testing, especially between breaking/major version numbers.

Finally, it’s not uncommon for a platform to release its update and then the plugins or addons to follow. Especially with major updates that require lots of testing before release. This allows plugin/add-on makers to fully test their software with the release version of the platform rather than all of the plugin makers having to wait for one that may be lagging behind.

Native OIDC support…something I wish more self hosted apps would prioritize. I shouldn’t need to maintain a bunch of user account systems on my own servers.

There’s really no need to reverse proxy ssh. What are you attempting to accomplish with the reverse proxy exactly? Http proxying allows you to add things like TLS encryption and modify headers. But ssh is a secure protocol already and you can’t really modify much in transit.

Would only be worth it if you created a system for easily deploying applications on an already set up subnet with routing preconfigured.

Like set up a single server kubernetes distribution like microk8s or minikube on the server with metalLB and ingress already preconfigured on the server and router. You could also give instructions on how to install a GUI like Lens and how to use it to deploy a few things. Probably using workstation applications would be better than a web UI like Portainer to keep the server lighter, but either might work.

Termius

Not just Android, I want a cross-platform ssh client that shares keys. Termius is probably overkill for that, but I haven’t found anything else that works on Linux and Android. The real issue that made me stop paying for it is that for rpm based Linux I have to use the snap version and snap is buggy as heck with multitasking.

Yeah, you definitely should run it on a separate machine. A home NAS itself probably shouldn’t be doing anything beyond serving files and basic maintenance. Using them for too much will reduce their ability to serve data fast enough. Just be sure the media server and NAS have appropriate network cards, preferably gigabit, though even 100Mbit probably is enough for most of your network isn’t already too busy, and ideally are connected to the same switch (again preferably gigabit) with good quality network cables.

Use Drive or if it’s more than 15GB or whatever the max is these days. Pay for storage for one month for a couple of dollars on one of the supported platforms and download from there.

It’s reasonably priced. I was in the same boat with the Google domains shutdown. As long as you aren’t a heavy user, it has lots of cool features. But if you get their attention they’ve been known to fleece the crap out of small businesses that were using their free services. Most of my stuff is self hosted applications to move myself off of Google services, so my traffic is minimal.

I agree that it’s the wrong way, but not because of any of this other than the first half of the first sentence.

It’s the hard/wrong way because it means you are having to be responsible for securing the root cert private keys and because most people will do it wrong and set up a root cert with the ability to sign not just tls certs, and that’s where the problems can occur if the keys are compromised and you’ve set up all of your machines to trust it.

But it’s also not true that you shouldn’t use HTTPS or that you should trust your own network, not because of the router, but because of the devices. People don’t control their devices anymore. Many home automation devices, nanny cams, security devices, water leak detectors, etc., contain firmware that is poorly configured and can easily expose your network traffic if it’s not encrypted. Not to mention a lot of apps these days on smartphones are Trojans for spyware, Temu, WeChat, etc.

And as for cost, you can get a domain name for a few dollars per year or as mentioned, a subdomain from something like a DDNS service, so it definitely can be totally free to do it the right way.