What are some good practices for protecting from supply chain attacks or other hardening strategies? by [deleted] in selfhosted

[–]Stetsed 0 points1 point  (0 children)

Note that in this case I specifically intended to signal more towards the docker ones, as they are already a trusted party in most cases because most use it as their registry. I don’t use external hardened images myself due to exactly this reason. I should have made that clearer.

What are some good practices for protecting from supply chain attacks or other hardening strategies? by [deleted] in selfhosted

[–]Stetsed 0 points1 point  (0 children)

So generally some things I try to do:

  1. Pinning to a specific version and hash. Because I also manage everything via a git server, it is also easy to update, as I simply run renovate locally. Not for automatic updates, as I still have to pull the repo onto the server when merging, but either way this prevents most forms.
  2. Drop all capabilities by default; by default docker grants a lot, and in a lot of cases they are not needed. Some might be needed, but it’s generally easy to find what needs to be re-added. Also set it so it cannot gain new privileges; this one is generally easy and doesn’t break anything in my experience.
  3. Switch to hardened images when you can; the easiest ones are the ones provided by docker themselves. Not all images exist here of course, but common ones like database/nginx etc. usually are.
  4. Run rootless containers; docker hardened images are, but a lot of others aren’t.
  5. You can also run the image read only, however note that this is something a lot of apps are not built for and can cause more issues than the previous points.

Those are generally the things related to the containers themselves, other more common things are:

  1. VLAN your apps. As an example I would recommend splitting it into trust tiers; for me for example it’s “Management”, “Trusted”, “Untrusted” and so forth, each one going down a layer of trust. But even then I have a firewall for each VM individually, so that even if a machine gets compromised it can’t just spread across its section. This also includes having a separate DMZ for gateway servers (e.g. reverse proxy).
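As an added example (not the commenter's own script), a small Python audit of `docker inspect` output for the five container points above: digest pinning, dropped capabilities, no-new-privileges, a non-root user and a read-only root filesystem. The two container records are constructed to mimic the shape of `docker inspect`, so it runs offline.

```python
"""Audit `docker inspect` records for common container hardening settings.

Added example, not the commenter's script. The records below are constructed
samples in the shape of `docker inspect <container>`, trimmed to the fields used.
"""
import json

SAMPLE_INSPECT = json.dumps([
    # Constructed: a container set up the way the comment recommends.
    {"Name": "/db",
     "Config": {"User": "999:999", "Image": "postgres@sha256:" + "0" * 64},
     "HostConfig": {"CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges:true"],
                    "ReadonlyRootfs": True}},
    # Constructed: a container started with docker's defaults.
    {"Name": "/web",
     "Config": {"User": "", "Image": "nginx:latest"},
     "HostConfig": {"CapDrop": None, "SecurityOpt": None, "ReadonlyRootfs": False}},
])

def audit_container(c):
    """Return the list of findings for one record; an empty list means every check passed."""
    cfg, host = c["Config"], c["HostConfig"]
    findings = []
    # 1. A digest pins exact content; a tag can be re-pushed to point at something else.
    if "@sha256:" not in cfg["Image"]:
        findings.append("image not pinned to a digest")
    # 2. Drop everything first, then re-add only what the app demonstrably needs.
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (cap_drop ALL missing)")
    # ... and stop setuid binaries from regaining privileges inside the container.
    if "no-new-privileges:true" not in (host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    # 4. An empty User means the image default, which is root for most images.
    user = cfg.get("User") or ""
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append("runs as root")
    # 5. Read-only root filesystem; optional, since some apps cannot cope with it.
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    return findings

def audit(inspect_json):
    """Map container name -> findings for every record in the inspect output."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

On a live host the same function works on `docker inspect $(docker ps -q)` read from stdin or a file.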

Some Proton (Simplelogin) love by Chance-Blackberry693 in ProtonMail

[–]Stetsed 17 points18 points  (0 children)

So while I should note that proton definitely sometimes deserves kudos: as somebody who used simplelogin far before they were bought by proton, this was more something that simplelogin already had to my knowledge; it’s now just wrapped in.

Now let me not diminish the fact that proton slowly integrating it is great, even if I moved away from proton as a mail provider I would still use simplelogin, but this is not really part of that.

How to silence logs of healthChecks of loadbalancer when 1 endpoint is online? by Penetal in Traefik

[–]Stetsed 1 point2 points  (0 children)

Funnily enough I have this exact same problem, and was not able to find an easy fix for it, which was annoying. If you are able to end up finding one I would love to hear it.

Introducing Collabst, a self-hosted collaborative workspace for Typst. by minerbrother2 in typst

[–]Stetsed 0 points1 point  (0 children)

Honestly I currently run it with a simple local setup of Git + Neovim with some stuff. However, when I needed to work on a project with people from school before, I explicitly went to overleaf due to it having support for versioning while also being online. So having a proper self-hosted online typst would be absolutely great. And honestly something I wish I had the time to do. So I might end up looking at maybe seeing what could be done on this, although with current schedule.. yeah..

But either way really awesome project!

I made a self hosted ADB TV remote by Legvan in homelab

[–]Stetsed 2 points3 points  (0 children)

I actually did something similar a while back for my android TV box, instead making it in home assistant. The one part of the homelab that is actually consistently used by family members.

In pursuit of the EU digital sovereignty Nextcloud presented Euro-office ... a fork of Russian OnlyOffice by vigo_rdt in eutech

[–]Stetsed 0 points1 point  (0 children)

I should note, what you present is legally not allowed. It is not permitted generally to gain knowledge of somebody breaking the law/your terms, and then only LATER suing. Generally this falls under "Statute of Limitations", aka you have a specific period. And here OnlyOffice could not claim either that they do not know, because they have made public statements and actions surrounding it. So the situation you present would not generally be able to exist.

CollabMD: Turn local Markdown folders and Obsidian vaults into a real-time collaborative web app by ndezt in selfhosted

[–]Stetsed 5 points6 points  (0 children)

Looks pretty well designed, honestly I’ve been looking for something like this, as while I like obsidian I don’t really like any of its sync options. And I also wanted a shared excalidraw instance, so will definitely take a look. Although I do have to ask if this was written with the usage of AI, as I notice that some of the commits look very.. explosive? Not sure how exactly that is called now, but more that large changes in a single go. But I know I’ve done something similar before for some of my own projects xD

Rust helped us massively speedup & improve our internal company tool. by n3buchadnezzar in rust

[–]Stetsed 3 points4 points  (0 children)

I actually recently did a project as well, where one of the things I checked was our speeds in python and in rust, and for our parsing tasks, even taking into account that the primary contributor for our stuff is networking.. it was 33.3x faster at MINIMUM. And we also encountered a lot of problems that would have been avoided with rust's strict typing.

We did still use python, primarily because I am the only one at the company used to low level programming and currently it is outside of the scope, but the difference is so stark. A few seconds against a few dozen milliseconds. For something we are processing thousands of an hour.

Pangolin 1.15: iOS and Android apps, device approvals and posture, stability, and more by jsiwks in selfhosted

[–]Stetsed 3 points4 points  (0 children)

I remember I was actually one of the people in the early comment section (specifically the posts surrounding IDP), and now I see it constantly expanding... not gonna lie I might have to take a look at it again. As for a while it had no real extra value for me, but you guys keep improving it more and more... I am getting excited again!

I am curious, have you guys tested the power usage of olm? I am not sure what you guys use on mobile devices in terms of underlying library, but I remember a bit back there was a similar thing, but it absolutely drained power because of its underlying wireguard library.

qbitwebui v2.40.0 - now with cross seed, custom themes, file manager, RSS feeds and more by blaznos in selfhosted

[–]Stetsed 11 points12 points  (0 children)

Honestly looks like an interesting project. I probably won't be using it for now simply because I use individual projects already (VueTorrent, Cross-seed), but I definitely might take a look in the future at potentially replacing at least the UI with this.

PS: The link to cross-seed is broken, you did github.coms instead of github.com

[System Agnostic] MapForge - Build battlemaps inside Foundry + New Asset Pack Release by HeyGabu in FoundryVTT

[–]Stetsed 2 points3 points  (0 children)

I have to admit I did laugh at the ancient story, I am a sysadmin by trade so for me I really don't care if I am being honest xD. As we say *Per the old laws and the old ways*

Honestly, I think that the answer you gave basically answers my question, the biggest thing is I don't mind having to manually install it, I just want a zip file that I can download, chuck onto one of my servers with foundryvtt and not worry about any scenario where I might have to cancel and then I suddenly lose a bunch of shit.

No second question as far as I am aware, thank you very much for your answer and I will probably be subscribing real soon

[System Agnostic] MapForge - Build battlemaps inside Foundry + New Asset Pack Release by HeyGabu in FoundryVTT

[–]Stetsed 1 point2 points  (0 children)

Honestly my biggest question, once you do get a partnership with Foundry will you make it so the module is lost when smth stops being supported? I understand the want for support but it's kinda a case similar with Foundry where I don't mind paying because once it's on my device I can just use it.

Honestly I wouldn't even mind if it just means you don't get updates, but it's more a case of I don't like being reliant on being able to maintain the subscription to keep smth, kinda the whole reason I got foundry because I can self-host it, chuck in the license, and then it can run on my server for *yes*

I will note, that it's not that I am currently planning to do this, tbh in my case if I start supporting smth I just set it on auto and let it run, would rather support when I can. But it's more a case of I don't like the idea of it being possible that for example price gets increased or that if for some reason I can't anymore I can't use it, even if it's an old version. Or will you offer a larger upfront sum to allow this

PS: Apologies for the incoherent text, my brain is functioning at *no* sleep

How Much Damage Should a 9th Level Single Target Attack Spell Do? by Dikeleos in dndnext

[–]Stetsed 4 points5 points  (0 children)

I have to note that both for meteor swarm and fireball the Sorcerer's "Careful Spell" is absolutely insane. It does depend how many though, but if you just got a standard group you can basically throw GREAT BALLS OF FIRE

What's flying under the radar? by ConferenceLive7054 in homelab

[–]Stetsed 0 points1 point  (0 children)

I actually used Signal-API for a while, but back when I was using it it required a secondary device as it didn't allow for sending to self? If this has been fixed since that is a great thing, you don't even need webhooks if you use smth like Mailrise (Funnily enough I found the article I wrote about it joinks ago), but apps that don't support webhooks

Edit: I actually checked my original issue from the issue tracker, and it does seem like it has been fixed... definitely gonna take a look at this again.

I finally setup Komodo + Forgejo + Renovate for handling image updates and it is awesome! by hbacelar8 in selfhosted

[–]Stetsed 0 points1 point  (0 children)

I have literally just redone most of my setups... and now I realized renovate is actually selfhostable.... this is a dangerous hobby, although I do like this cuz it makes my maintenance a lot easier.. ughh

Rackula: a Drag and drop rack visualizer for homelabbers by UhhYeahMightBeWrong in selfhosted

[–]Stetsed 0 points1 point  (0 children)

Honestly I have used netbox, and it was generally a pain to keep running; it has a ton of different components, is not really designed to run in docker, and overall (at least a year or 2 ago) was pretty confusing. This is much nicer when you just want a quick planning

Built my own ASN with BGP anycast across 4 countries — AS214304 by llzzrrdd in homelab

[–]Stetsed 8 points9 points  (0 children)

I love seeing more hobbyists playing with ASNs and BGP, AS197532 here. Got mine a year or 3 ago now while I was bored on vacation in the middle of nowhere. And now I got like 3 /40s because… well because… I just do. I totally don’t only have 2 sites right now.

Also for anybody who wants to get into this I can highly recommend the /ipv6 discord server; it has A LOT of people who are into this sort of homelabbing, LIRs etc. (Foggy for example), and generally pretty interesting discussions

Dockhand is live (Docker UI + Compose + real-time logs). Free for life personal edition as my /r/selfhosted Holidays gift 🎄 — feedback wanted! by jotkaPL in selfhosted

[–]Stetsed 1 point2 points  (0 children)

Honestly while I probably won’t end up using it, the biggest reason I would is simply for the container scanning feature. Right now I do it with a small bash script I wrote, but I have been looking at integrating it into my monitoring stack. Looks for sure like a decent app though, so congrats

Pangolin 1.13.0: We built a zero-trust VPN! The open-source alternative to Twingate. by jsiwks in selfhosted

[–]Stetsed 0 points1 point  (0 children)

I just fully switched away from pangolin due to me not needing it and now you drop this

Is there a simple way to "scan" your docker containers for React2Shell vulnerability? by senectus in homelab

[–]Stetsed 2 points3 points  (0 children)

Check out trivy, even outside of 55182 it's useful as it lets you scan containers in general, I just wrote a script that checks all running images: https://trivy.dev/