Docker Swarm encryption doesn’t work for your use case. The documentation says that the secret is stored encrypted but can be decrypted by the swarm manager nodes and nodes running services that use the service, which both apply to your single node. If you’re not having to unlock Docker Compose on startup, that means that the encrypted value and the decryption key live next to each other on the same computer and anyone who has access to the encrypted secrets can also decrypt them.

Aqara sells one that works with HomeKit and should work offline. They say it will get Matter support later, but Home Assistant can use it through HomeKit without having to buy any Apple devices.

Be careful with doing this. X-Real-IP and X-Forwarded-For are good for when the client is a trusted proxy, but can be easily faked if you don’t whitelist who’s allowed to use those headers. Somebody with IPv6 access could send “X-Real-IP: 127.0.0.1” or something and if the server believes it then you’ll see 127.0.0.1 in logs and depending on what you’re running the user may gain special permissions.

Also be careful with the opposite problem. If your server doesn’t trust the proxy, it will show the VPS IP in logs, and if you’re running something like fail2ban you’ll end up blocking your VPS and then nobody will be able to connect over IPv4.

If all you want is to break out the VLANs to NICs using a Linux PC instead of a managed switch, create six bridge interfaces and put in each bridge the VLAN interface and the NIC.

There’s a lot of wrong advice about this subject on this post. Forgejo, and any other Git forge server, have a completely different security model than regular SSH. All authenticated users run with the same PID and are restricted to accessing Git commands. It uses the secure shell protocol but it is not a shell. The threat model is different. Anybody can sign up for a GitHub or Codeberg account and they will be granted SSH access, but that access only allows them to push and pull Git data according to their account permissions.

Linux has had LDAP and other ways to use the same credentials across multiple machines since forever ago.

That sounds like Cloudflare is giving you certificates intended only to be used for talking to Cloudflare.

You might be able to do it if Cloudflare sends a different SNI. It’s probably better if you get real certificates from Let’s Encrypt and just use those.

They have been in the process of rolling it out for what must be a decade now, meaning there are still areas where they don’t offer it.

They don’t allocate you a prefix. The website says they give you 5 addresses.

Some bad still ISPs don’t provide IPv6 connectivity. (Verizon)

Don’t laptops with batteries use slightly more energy than equivalent PCs? The battery will drain because it loses charge over time or because the laptop is designed to draw power from the battery during normal operation, and then energy is lost when recharging the battery because battery charging is not 100% efficient.

I don’t know how searxng works, but if it’s making many requests and aggregating the results, you will probably get much worse performance running it on your phone, even if the phone is with you. Instead of making one request over a bad cell connection, you would be making many requests over a bad cell connection.

I have the Aqara G4 doorbell and supposedly it works with WiFi and Frigate (via go2rtc), but I haven’t set up Frigate and I haven’t verified that it fully functions with the internet turned off. It uses Homekit but supposedly will receive Matter via a software update.

This sounds like immature project drama. I’ve seen it before where there’s a large, professionally maintained product and people make forks to add small changes and then different forks start fighting with each other over because it’s their features and they don’t want other forks to incorporate them. You should probably just avoid Floorp if possible.

New action items have been assigned to you:

• Remedial cybersecurity training (4hr): due by Mar 22

My favorite is when IT deploys software that replaces all the links in your e-mails with https://example.com/phishing/YiCdMdsY so you can’t tell whether the e-mail is phishing or not, frequently sends you very obvious fake phishing e-mails that interrupt your work by going straight to your priority inbox, and punishes anyone caught clicking on phishing e-mails. Then HR sends out e-mails that have all the indicators of low effort phishing and you’re supposed to click on those.

Isn’t puppeteering, aka self botting, a bannable offense one some of these networks?

https://support.discord.com/hc/en-us/articles/115002192352-Automated-user-accounts-self-bots This article is only half true. Bot accounts do not have full access to all API routes, but you can still be banned for botting regular accounts.

They’re competitors.

If you’re already using systemd, do not switch to Docker. Use Podman instead. Docker runs all your services under the Docker service. Podman can both run the same containers as systemctl services.

Normally this is bad advice, but if you already have CGNAT you’d be going from double NAT to triple NAT and it probably won’t make anything worse. At least it shouldn’t make things worse for IPv4. If you have 5G internet with CGNAT there’s no excuse for your ISP not giving you proper IPv6. Putting a second router between will complicate your IPv6 setup.

There are some tricks you can do for IPv4 in the precense of hostile DHCP servers. Serious OSes should allow you to configure a second IP address on the same physical interface, so you could have a dynamic 192.168.0.x assigned by the ISP’s DHCP server and a static 192.168.1.y assigned statically by you, and then you should be able to set up an additional route table entry to access 192.168.1.0/24 using the source address 192.168.1.y. As long as the ethernet/wifi switching between devices doesn’t filter ARP packets based on IP subnet, you should be able to communicate between your machines using fixed IPs on the second subnet.

That sounds kind of like CWE-836.