Yeah - I mistook it for user keys, not host. I'm guessing they used PIV/smart card and not FIDO, as FIDO is indeed made with interactive use in mind.
Nah - storing cryptographic key pairs is a supported and valid use case for FIDO2.
Been using this for a while - Yubico has a nice guide. Dunno why you struggled to find good info, as I can just google «fido2 ssh» and use the top link.
Never mind - I see OP is trying to reinvent a broken wheel. Ignore my comments on this post.
I've used Secure ShellFish and Remoter Pro for a few years. Both have served me well.
But get an external keyboard no matter what client you use. Using the on-screen keyboard is a pain.
Nah - it's not crap, it's much better than Signal for my low-tech friends. You are confusing your ideology with usability.
If you wanna be Twitter, you behave like Twitter.
What Caddy does is automatic certs. You set up your web portal and make a wildcard subdomain that points to your portal. Then you just enter two lines in the config and your new app is up. Let's say you want to put your Home Assistant there. You could add hass.portal.domain.tld {reverse_proxy internal.ip:8123 } and it works. Possible with other setups too, but it's no hassle.
There is also Headscale if you want self-hosted, but it's not plug and play like Tailscale/ZeroTier and similar mesh VPN solutions.
Then an exit node is what you want. You can set it up with a VPN like WireGuard using port forwarding on your side. The Raspberry would connect using a static IP or dynamic DNS.
You can get the Tailscale basic tier for free, and that will provide an easy-to-use solution.
To me it seems like he wants to be able to «bring along» his home-net services without exposing them on the internet.
Tip for OP is to explain the wanted outcome, not the process to get there. It's hard to do, but gives better results.
A service like Tailscale will solve the connection to your home net automagically. You are however stuck without routing from the friend net, so you can't access home-net devices directly.
You can solve this by setting up a reverse proxy like Caddy on your RasPi, and access home-net web apps and services through that. Like [assigned-friendnet-ipaddress]:8444 or similar. The reverse proxy would forward this to home-net devices through the Tailscale VPN.
Some plants like raspberry can propagate through roots. Others like strawberries have stolons. And there are plants like blackcurrant where branches can root when they hit the ground.
But mostly it's done by humans through cuttings.
Either create a cert group and give that group permission to the certs, or add a handler to distribute the cert+key on renew to your service's folder, and change owner/group to what's relevant to the service.
Note: the "live" folder only contains links to the archive folder.
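An added example of the second option in the comment above (this is not the commenter's script): a certbot deploy hook that copies the renewed cert and key out of the lineage directory into a service's own folder and fixes owner, group and mode. certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks; the destination /etc/myservice/tls, the user/group "myservice" and the reload command are assumed names for illustration. Because the files under live/ are only symlinks into archive/, the copy dereferences them with cp -L. When run without RENEWED_LINEAGE it builds a constructed archive/live layout with placeholder PEM contents in a temp directory and deploys into that, so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not the commenter's code): certbot --deploy-hook that copies the
# renewed cert+key into a service folder and sets owner/group/mode.
# certbot sets RENEWED_LINEAGE for deploy hooks; /etc/myservice/tls and the
# user/group "myservice" below are assumptions.
set -eu

# deploy_cert LINEAGE_DIR DEST_DIR OWNER GROUP
# live/<name>/*.pem are symlinks into ../../archive/<name>/, so copy with -L to
# dereference them: a service chrooted or containerised elsewhere cannot follow
# links that point back into /etc/letsencrypt.
deploy_cert() {
    lineage="$1" dest="$2" owner="$3" group="$4"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "deploy_cert: missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # Stage under temp names and rename, so the service never reads a half-written key.
    cp -L "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp -L "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0640 "$dest/privkey.pem.tmp"          # key: owner rw, service group r, others nothing
    chown "$owner:$group" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
    # The result must be a regular file, not another link.
    [ -f "$dest/privkey.pem" ] && [ ! -L "$dest/privkey.pem" ]
}

# file_mode FILE -> permission bits in octal (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# make_fake_lineage ROOT: constructed stand-in for certbot's archive/ + live/
# layout with placeholder PEM contents, so the hook can be tried offline.
make_fake_lineage() {
    root="$1"
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    printf 'FAKE CERT\n' > "$root/archive/example.com/fullchain1.pem"
    printf 'FAKE KEY\n'  > "$root/archive/example.com/privkey1.pem"
    ln -s ../../archive/example.com/fullchain1.pem "$root/live/example.com/fullchain.pem"
    ln -s ../../archive/example.com/privkey1.pem   "$root/live/example.com/privkey.pem"
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Real run, e.g.: certbot renew --deploy-hook /usr/local/bin/deploy-cert.sh
    deploy_cert "$RENEWED_LINEAGE" /etc/myservice/tls myservice myservice
    systemctl reload myservice      # assumed service name
else
    # Offline demo: deploy the constructed lineage into a temp dir as the current user.
    work=$(mktemp -d)
    make_fake_lineage "$work"
    deploy_cert "$work/live/example.com" "$work/svc" "$(id -u)" "$(id -g)"
    ls -l "$work/svc"
    rm -rf "$work"
fi
```

For the first option (a cert group), the same chown/chmod lines apply to the files in archive/ instead, but the service then has to be able to traverse /etc/letsencrypt/live and /etc/letsencrypt/archive, which is why copying out is usually simpler for containerised services.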
Are the links correct? @anoyongbot
Run iperf internally to see if your bottleneck is the switch/AP or the FW. I set up a J1900 pfSense for my sister's family a while back to do QoS (gamer bois in the house) and it had no problem staying at 500 Mbps. No IDS or other stuff.
Not built any OPNsense/pfSense in a while, but I always use Intel server NICs. They used to have way better support than other stuff on BSD.
Yeah, but if your house burns down, copies on different HDDs won't matter much. Offsite like cloud will.
Basically why I feel more comfortable with LXC than Docker for my home lab services. It feels more like a VM in management.
We run a good mix of Docker, VMs and bare metal at work; no containers are auto-updated.
Stick to strong keys and keep it on 22 for ease of use.
Nobody needs OCSP or CRL in their homelab. And if they're a trained netsec professional, they know that it's far better with short-lived certs than any revocation model. Both ZeroSSL and Let's Encrypt are easy to use - and work flawlessly with something like Caddy on a wildcard domain, or an ACME proxy. OpenSSL is easy, and you can do CRL with that or even use their OCSP for a homelab.