JustEnoughDucks

Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as “it doesn’t exist” rather than an obsticle to try exploits on. Not sure if that is true though.

For me:

• ssh server only with keys

• absolutely no ssh forwarding, only available to local network via firewall rules

• docker socket proxy for everything that needs socket access

• drop non-used ports, limit IPs for local-only services (e.g. paperless)

• crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)

• Authelia over everything that doesn’t break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)

• proper umask rules on all docker directories (or as much as possible)

• main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical

• full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren’t in memory (makes a startup script with a password needed, so no automated startups for me)

For more info, I followed a lot of stuff on: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server

Isn’t that sources available, not open source since they aren’t allowing community contributions, or am I misunderstanding that?

Kind of like how greyjay is source available but not open source?

They are a massive megacorp though. It always leaves me to wonder “how much”.

Tons of capitalist companies do stock options where “technically” the employees own a share of the company, though that percentage is usually extremely small, even collectively such that they have no decision power. I can’t help but think that it is similar with huawei, but with better marketing.

That is very fair!!

But on the other hand, 99.9% of users don’t read all of the change notes for their packages and don’t have notifications for CVEs. In that case, in my opinion just doing updates as they come would be easier and safer.

Doesn’t ucore also have to restart to apply updates?

Not super ideal for a server as far as maintenance and uptime to have unexpected, frequent restarts as opposed to in-place updates, unless one’s startup is completely automated and drives are on-device keyfile decrypted, but that probably fits some threat models for security.

The desktop versions are great!

I got my company to start using bitwarden. That was a huge step and 1/4 of the company forgot their password in the first 60 days. I sent a big email detailing how to make a mnemonic device with a passphrase that bitwarden generates 😂 complete with photoshop drawings on one i generated. no forgotten passwords since

I think now I understand why apps exist that track subscriptions and give you suggestions on which to cancel.

It seems “normal people” subscribe to damn near everything that they get more than an hour of use out of. Subscribing to a productivity, social media, or shopping app?? Those things already harvest the fuck out of your data and sell it to the lowest bidder. The only things I have ever considered subscribing to are health/fitness apps or streaming apps (because you have to).

How are people affording having 20 subscriptions to stuff they probably barely use?

You absolutely can fail. I daily drive bazzite but many things have been pretty rough:

Any coding apps that will use an external device -> you can’t use flatpak. You have to use distrobox that constantly freezes your entire mouse for 3-5 seconds upon any sort of dialog, settings, saving, anything where it has to access the filesystem. Then you have to add udev rules to directories that in the documentation says not to write to, and reloading the rules doesn’t work for testing, you have to fully restart with every minor change or it will seem like the change didn’t work.

Luckily most device drivers seem to work in the provided arch distrobox but holy dependency hell. Things will fail to install because they need a package that exists on the host but not the container so you get an unsolvable “file exists” conflict. When installing a package, it will sometimes just try to grab an old version of a dependency specifically that will 404 out instead of just grabbing the most recent version (never happened on arch itself to me)

Setting up a plasma vault with gocryptfs was not fun figuring out how. Also ran into tons of dependency problems and the fact that fedora just abandoned it specifically. Ended up just having to stick the binary in a random folder and point to it.

Any sort of document authentication/signing -> doesn’t work and will not work in the future for a long time.

You absolutely have to install rpms still for corectrl, any external devices, like drawing tablets, etc…

Some games inexplicably use <50% GPU and <40% CPU with terrible framerates and will not go any higher (or lower) no matter what, switching between low and high settings and resolution results in 0fps change.

When I have my config set and don’t have to change anything, it is super super nice to never have to manually update, but anything outside of very basic usage is weaving through nonstandard undocumented territory.

Bazzite trades maintenance headaches for configuration and installation headaches. For me, that is worth it.

Yeah, they have a spotify connect plugin that works, but chromecast probably will not be supporter because google holds all of the cast keys and esphome/music assistant/ home assistant would have to register with them (and probably play the fees) i think

To be fair though. The experience of google and Microsoft online word/spreadsheets/etc… also sucks ass on a smartphone. Much better, sure, but doing spreadsheets or writing a paper on a phone is a bad experience in general.

Only Android Open Source Project, not the different phone UIs, vendor blobs, firmware, camera apps, etc… It is really the basics that are open source.

But also the source of android is 100% controlled by google unless it is an alternative forked project like lineageOS (at least I think so)

That is a fantastic idea. Wtf how is this not commonplace? Or am I just way behind 😅

That is a different spin than the original comment, which is why I made that commen.

https://docs.getaurora.dev/ https://docs.projectbluefin.io/ aurora has one small page of documentation total unless you click on the logo which suddenly opens a hidden unlabeled drawer with sparse docs. Bluefin has even less. I consider this near-zero documentation. So how would OP’s non-techy girlfriend (or someone who has only heard of aurora and bluefin from this thread) know to go to bazzite, a completely different project to most people, to debug their completely different OS? Because googling “ublue aurora flatpak won’t install” literally gives this page: https://docs.getaurora.dev/guides/software/ which is literally almost useless.

Bazzite’s documentation has gotten way better since I installed it (they had almost nothing on rpmostree commands when I did), but I don’t believe everything in the documentation for bazzite applies the same to aurora and bluefin, especially with differences in pre-installed non-layered gaming defaults vs working with flatpaks will be not even close to the same.

Also fedora knoite has little documentation https://docs.fedoraproject.org/en-US/fedora-kinoite/. It has enough to get you started and installed, but that is about it. It has one single line of code about rpmostree for example, not even anything about installing an RPM not in fedora’s limited repos.

I didn’t say any of it was bad. Just that you have to be slightly careful with using those for non-techy users because the documentation just isn’t there yet.

Gotta be slightly careful with those spins though because there is near-zero documentation.

Motion activated recordings.

Continuouse, even h265 recordings, can only 2 weeks or so per terabyte.

Motion activated means he is probably recording 30 minutes per day vs 24 hours.