Ruaidhrigh

I AM THE LAW.
Ruaidhrigh featherstonehaugh
  • 1 Post
  • 412 Comments
Joined 2 years ago
Cake day: August 26th, 2022

  • Yeah, what they said.

    OP, invest in a UPS - cheap or less cheap - you can get them as big as your bank account, and they’re worth it. I tend to like Cyberpower for price, because they’re common enough that I’ve never found a model that nuts didn’t already know about, and they tend to have replaceable batteries. As parent said, the nightmare is if power goes out, and even though the laptop has a battery, you’re buying yourself extra time. Plus extra surge protection and all that.

    I’m probably not saying anything you don’t already know, OP, but I feel there’s a general under-valuing of UPSes when I hear about people’s set-ups. They may mention a surge protector, but rarely do I see folks talking about their UPSes.


  • Caveat: this is not my area of expertise. However, I agree SSO is going to be the hardest part of this.

    OP, you can use lldap to centralize authentication, so that each user has only one account and one password for all sites. It’s trickier to get each of these platforms to work together with SSO. For that, you’ll need something like Authentik (OSS SSO solution, like Okta) which you then back by lldap - Authentik handles the SSO and authorization part, and uses lldap for the authentication part. I suggest doing it in stages: install your servers, get them using lldap to log in, and then when it’s all working insert Authentik into the mix. Doing something like this and learning all the technology at once is boiling the ocean.

    I’m recommending lldap over OpenLDAP because I’ve used both extensively, and OpenLDAP is a nightmare whereas lldap isn’t. lldap is trivial to install, and comes with a nice, simple user/group admin web interface, a sane default schema configuration, and is stupid easy to back up. Just getting OpenLDAP configured with the right schemas can take forever. If you’d said you already had a lot of experience with LDAP in general, then sure: OpenLDAP is capable and powerful. But it’s harder.

    My one caveat about lldap is that I’m not sure that it’s possible to set up master/slave replication - or any sort of replication - which is probably not going to be an issue for your all-in-one set-up, but would limit scaling and failover if you ever get there.

    I do rant a little about OpenLDAP because LDAP was supposed to be lightweight OLAP, and yet is some of the most frustrating software I’ve ever had to deal with.

    Again, I’m not a devops, or any sort of ops, guy, so my perspective is colored by an attitude that ops is a necessary evil, and not something I love, so easier==better.


  • Ok.

    I agree about KeePass. Self-hosted password store satisfies neither of my constraints. I’m (1) not sharing my credentials with anyone, and (2) SyncThing satisfies replication across devices. On top of both of those, in this particular case not self-hosting a server is added security, as my key store is never exposed on a public server. It helps that both KeePassXC’s & Keepass2Android’s DB merging and conflict resolution are outstanding.

    I have, however, been contemplating getting myself a YubiKey, b/c my life gets a little harder if I lose my phone while traveling. I’d have to go through several steps to get into my home LAN to get passwords out of my kdbx, one of which involves a VPN secret key I don’t have memorized.

    Anyway, yeah, I agree about that one. Publicly hosted password stores are not only unnecessary but - IMHO - kind of a stupid idea. Talk about maximizing your attack surface.


  • > For example, Immich. Immich requires being run on a server to function, but a lot of (or even all) of its functions are things that could reasonably be done entirely on-device.

    And you don’t share your photos with family, friends, or the public? Or is your sharing solution to spam people with MMS text messages?

    > Obviously, some features like AI image tagging are missing, but you get the point.

    No, I don’t. If Immich provides a feature your phone doesn’t, then it’s not a good example of something that doesn’t need to be self-hosted.

    But let’s talk about this.

    I change phones every few years (as infrequently as I can, but until Framework starts making cell phones my options are limited). I’ve had cell phones break. I haven’t yet lost one, but I can imagine it happening. Keeping all of my eggs in one easily broken, easily lost device over which I have increasingly less control sounds really stupid. But we can back up the phone data, and that doesn’t require self-hosting, as you say.

    So when does self-hosting make sense? For me, it comes down to two cases: (1) data sharing, and (2) multi-device use. The first one accounts for maybe 80% of my self-hosting. I really hate cell phones as computing devices. I hate typing on them, their absurdly small screens, and limited app selections. So my other case for self-hosting is so I can do most of my work on a desktop or laptop, yet still have access on a phone when I need to. Oftentimes, there’s no mobile app for the data I want to access, or there is but app developers are using some stupid bespoke data format that nobody else uses; so by self-hosting, I can get at and interact with that information from not only my mobile device, but from any device. I can borrow my wife’s laptop if I didn’t bring mine; I can borrow my BIL’s desktop when we’re visiting them. I’m not forced to use a tiny screen and crappy hunt-and-peck on-screen keyboard on my phone.

    I’m interested in other examples you have; it sounds as if many self-host solutions perplex you, beyond Immich - what are they? I’m honestly curious. We know Immich adds value (for some people) through AI tagging, and that alone justifies self-hosting Immich for those people. What other software do you think it’s silly to self-host?


  • Sort of; I object only to the way you presented it, not the facts.

    You’re donating to a cause, which I assume you believe in, which reduces the value used to calculate your taxes. If you make $10, and you donate $1 to a charity, you get taxed as if you made $9. This applies to all income taxes, since state taxes are based largely on your taxable federal income. So OP could try to do something like do their fed taxes and instead of copying “$9” put “$10” where their state forms say to use the federal value, but that’s likely to raise a flag somewhere.

    My main issue is the portrayal that donations are “spending money.” You could probably successfully argue that “donating” satisfies the definition of “spending money”, but that does a disservice to charity.

    Also, just as an aside, OP would never save $0.45 on a dollar donation. No income tax bracket is that high except for the very rich, and they have many other ways to avoid paying taxes that in no way benefit charities.


  • @shimitar’s advice is what I’d go with.

    Ideally:

    1. Set up a Wireguard subnet. Test it thoroughly, including restarting the server a couple of times.
    2. Close all ports except your Wireguard ports in your server firewall. Do this manually first (not persistent) and test.
    3. Make the firewall changes permanent.

    Then, it kinda doesn’t matter what else you do on the server, although you can fuss around with locking things down more.

    Caveats:

    • you won’t be able to use LetsEncrypt with this
    • accessing your services from an Android phone will be futzy, because Android is too stupid to be able to use more than one VPN at a time. Unless you don’t use a VPN on your phone, in which case it won’t be an issue.
    • you’ll only be able to access your server from computers/systems in your Wireguard subnet, so make sure you include multiple devices in the config from which you can ssh

    Wireguard is super easy to build VPN networks with, and there are tools (e.g. dsnet) to make it even easier.
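    An added example (my own script, not from the comment above, from dsnet, or from any project) of steps 2 and 3 as a POSIX shell script: it generates an nftables ruleset whose only public listener is the WireGuard UDP port, trial-loads it with a rollback timer so a mistake does not lock you out of ssh, and only then writes it to disk. The port 51820, interface wg0, tunnel subnet 10.8.0.0/24, the ssh/web ports reachable through the tunnel, and the Debian-style /etc/nftables.conf plus nftables.service are assumptions; change them to match your wg0.conf. The rollback trick directly addresses the third caveat: you confirm you can still reach the box from a WireGuard peer before the rules become permanent.

```shell
#!/bin/sh
# Added example, not the original poster's code. Everything below is an
# assumption to adapt: WireGuard port/interface/subnet, the tunnel-only
# service ports, and the Debian nftables.conf/service persistence path.
WG_PORT="${WG_PORT:-51820}"
WG_IF="${WG_IF:-wg0}"
WG_NET="${WG_NET:-10.8.0.0/24}"
RULESET_PATH="${RULESET_PATH:-/etc/nftables.conf}"
ROLLBACK="${ROLLBACK:-/tmp/nft.rollback}"

# Emit the ruleset on stdout. Input policy is drop; the single hole from the
# public side is UDP $WG_PORT. ssh and web ports accept only packets that
# arrive on the tunnel interface from the tunnel subnet.
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # keep ICMP/ICMPv6 (path MTU discovery, neighbour discovery) working
    meta l4proto { icmp, ipv6-icmp } accept
    # the only public listener: WireGuard
    udp dport $WG_PORT accept
    # ssh and web services only from peers inside the tunnel
    iifname "$WG_IF" ip saddr $WG_NET tcp dport { 22, 80, 443 } accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Step 2 (manual, not persistent): syntax-check, load, and arm a dead-man
# switch that restores the previous ruleset after GRACE seconds unless you
# cancel it from a session that came in over WireGuard.
trial_apply() {
  GRACE="${1:-120}"
  { echo "flush ruleset"; nft list ruleset; } > "$ROLLBACK"
  nft_ruleset | nft -c -f - || return 1
  nft_ruleset | nft -f -
  ( sleep "$GRACE" && nft -f "$ROLLBACK" ) &
  echo "$!" > "$ROLLBACK.pid"
  echo "ruleset live; from a WireGuard session run: kill \$(cat $ROLLBACK.pid)"
}

# Step 3: persist only after you have confirmed access over $WG_IF.
persist() {
  nft_ruleset > "$RULESET_PATH"
  systemctl enable --now nftables
}
```

Usage: source the script, run `trial_apply 120` from your current (non-tunnel) session, connect over WireGuard and kill the rollback timer, then run `persist`. If the ssh session over the tunnel never comes up, wait out the timer and the old rules return. The `nft -c -f -` step is a pure syntax check and is where typos in the interface or subnet show up before anything goes live.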