Btw, nice read OP. Always great to see more Nix “in the wild”.

Can’t believe noone mentioned this yet:

Any good password manager encrypts and decrypts your password file client side. The server should not even have the ability to read your passwords.

Even in the case of a leak of all of the server’s data, as long as your password for the manager was good, you’ve got nothing to worry about.

I’d say pick a PW manager where both client and server are open source. Pick a strong passphrase. Enjoy.

Yeah, but no dark magic involved.

• build image
• copy to proxmox ISO store
• import, resize disk
• start, wait to come online
• read ssh pubkey, save it
• rekey secrets
• rebuild VM

The only “magic” parts are two nix modules for handling proper networking and hardware setup, and exposing required attributes to the script.

Works really well, zero manual config (beyond the services you want to run…) required on nix or proxmox side.

Nothing. People fearmonger

Funny - same thing here. Got 3 proxmox hosts running, all virtual machines are NixOS though.

I’d love to go full Nix, but between my GF and I, we kinda split the responsibilities: hardware is hers, applications are mine. And there’s not a chance she’ll give up her Proxmox hosts 😄

Got it automated to a single “provision” command though that will spin up any of my nix VMS unanttended, so I’m happy with that.

Better open a package request (or pull request :D) then 😄

I host it publicly accessible behind a proper firewall and reverse proxy setup.

If you are only ever using Jellyfin from your own, wireguard configured phone, then that’s great; but there’s nothing wrong with hosting Jellyfin publicly.

I think one of these days I need to make a “myth-busting” post about this topic.

Consider this me asking

Fair, maybe remove the question altogether, and have dedicated GOV endpoints for specific attestations?

While that’s true from a technical perspective…

How/where do you keep the certificate? If you either need an app for it, or need to manually install it on your device, most users would probably be out. The benefit of my suggestion is that you need absolutely nothing except a way to authenticate with GOV.

2. is a Problem with all of these, that’s for sure.

I fjnt get the part about the info service tbh

As long as your browser saves an auth token or something for GOV somewhere, all of that can happen without user interaction.

I think that at the bare minumum, the PORN<->GOV connection must not occur. How about this (simplified):

• USER visits porn site
• PORN site encrypts random nonce + “is this user 18?” with GOV pubkey
• PORN forwards that to USER
• USER forwards that to GOV, together with something authenticating themselves (need to have GOV account)
• GOV knows user is requesting, but not what for
• GOV checks: is user 18?, concats answer with random nonce from PORN, hashes that with known algo, signs the entire thing with its private signing key
• GOV returns that to USER
• USER forwards that to PORN
• PORN is able to verify that whoever made the request to visit PORN is verified as older than 18 by singing key holder / GOV, by checking certificate chain, and gets freshness guarantee from random nonce
• but PORN does not know anything about the user

There’s probably glaring issues with this, this is just from the top of my head to solve the problem of “GOV should know nothing”.

Not sure. How about this (simplified):

• USER visits porn site
• PORN site encrypts random nonce + “is this user 18?” with GOV pubkey
• PORN forwards that to USER
• USER forwards that to GOV, together with something authenticating themselves (need to have GOV account)
• GOV knows user is requesting, but not what for
• GOV checks: is user 18?, concats answer with random nonce from PORN, hashes that with known algo, signs the entire thing with its private signing key
• GOV returns that to USER
• USER forwards that to PORN
• PORN is able to verify that whoever made the request to visit PORN is verified as older than 18 by singing key holder / GOV, by checking certificate chain, and gets freshness guarantee from random nonce
• but PORN does not know anything about the user

There’s probably glaring issues with this, this is just from the top of my head to solve the problem of “GOV should know nothing”.

I mean, yea. But it is also easy to buy them, they’re everywhere and fairly cheap. The Galbani one is also just 1€ or so more expensive.

To be clear, making your own is fantastic, it’s just not anything I’d want to do 2x/week

Mozzarella (talking about the balls of fresh mozzarella you get sealed in with their brine).

Can’t do store brand anymore after having tried Galbani.

I dream of a pure information protocol. Kinda like RSS, but… More.

• allow any piece of information (news article, DM, sensor reading,…) to be wrapped in a standard format
• subscribe to any number of source directly or indirectly (e.g. through a self-hosted relay server)
• allow networks to define default data sources (e.g. get sensor data from machines as soon as you are connected to corporate networks
• make the data declare what UI elements are required,
• but allow clients to display them however the fuck they want
• allow user to assign priorities statically or programmatically to any source, and to filter, sort, categorize based on it

Essentially: I want “the feed” from universes like The Expanse

On many trackers, you get “paid” for time seeded. Usually in the forms of bonus points or the like. You can then exchange these for improving your ratio (or a freeleech token, or an invite,…).

It’s a system that also rewards keeping media available even if you are not uploading to anyone.

Also, keep in mind that often, a large part of the available content is freeleech (meaning leeching it doesn’t affect your ratio), but seeding those torrents usually still does improve your ratio.

Containers != services.

I don’t think I am better than anyone. I jumped into these comments because docker was pushed as superior, unprompted.

Installing and configuring does not an expert make, agreed; but that’s not what I said.

I would say I’m pretty knowledgeable about the things I host though, seeing as I am a contributor and / or package maintainer for a number of them…

They are using a hosting provider - their dad.

“The cloud” is also just a bunch of machines in a basement. Lots of machines in lots of “basements”, but still.

OK, but I’d rather be the expert.

And I have no troubling spinning up new services, fast. Currently sitting at around ~30 Internet-facing services, 0 docker containers, and reproducing those installs from scratch + restoring backups would be a single command plus waiting 5 minutes.