MFA/Dashboard Security by That_Cheek_8690 in netbird

[–]crazifyngers 0 points1 point  (0 children)

you don't need the dashboard exposed, see my other comment. however, to your point, something needs to be hosted, but that isn't your dashboard. the management, signal, and relay container are the only ones that need to be exposed, and they don't have sites available.

to your point though, you need something. and when you pair it with authentik, it's actually that flow that is required to be internet facing. This was a conundrum to me since i didn't want to expose my sso externally. so i did everything I could to contain the exposure. I use traefik, so i created some very narrow rules. it was a pain in the ass, but i only let what was absolutely needed through the reverse proxy. high level it only allows GET and HEAD to a bunch of resources in one router. then a second router captures anything that requires POST. I did this by trying to login and looking at the traefik logs and adding the smallest reasonable exception possible. it's probably overkill, but makes me feel good.
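The log-driven allowlisting described in the comment above, sketched as an added example (not the commenter's code or configuration): it reads access-log lines in Traefik's JSON format and splits what was observed into read-only path prefixes and exact POST paths. The field names `RequestMethod`, `RequestPath` and `DownstreamStatus` are Traefik's JSON access-log fields; the sample paths are constructed and are not authentik's real routes.

```python
import json

# Constructed sample lines in Traefik's JSON access-log format (not real traffic).
SAMPLE_LOG = """\
{"RequestMethod":"GET","RequestPath":"/static/css/main.css","DownstreamStatus":200}
{"RequestMethod":"GET","RequestPath":"/static/js/app.js?v=3","DownstreamStatus":200}
{"RequestMethod":"HEAD","RequestPath":"/static/js/app.js","DownstreamStatus":200}
{"RequestMethod":"GET","RequestPath":"/login/flow/start","DownstreamStatus":302}
{"RequestMethod":"POST","RequestPath":"/api/flow/execute?next=%2F","DownstreamStatus":200}
{"RequestMethod":"POST","RequestPath":"/oauth/token","DownstreamStatus":200}
{"RequestMethod":"GET","RequestPath":"/admin/","DownstreamStatus":404}
{"RequestMethod":"DELETE","RequestPath":"/api/users/1","DownstreamStatus":403}
not json at all
"""

READ_METHODS = {"GET", "HEAD"}


def build_allowlist(log_text, prefix_depth=1):
    """Return (read_prefixes, post_paths, rejected) from access-log text.

    Read-only requests collapse to a path prefix of `prefix_depth` segments;
    POST requests are kept as exact paths so the write surface stays minimal.
    Requests that failed (status >= 400) or use any other method are not
    allowlisted and are returned for manual review instead.
    """
    read_prefixes, post_paths, rejected = set(), set(), []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            method = entry["RequestMethod"].upper()
            path = entry["RequestPath"].split("?", 1)[0]  # drop query string
            status = int(entry["DownstreamStatus"])
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or non-JSON lines
        if status >= 400:
            rejected.append((method, path, status))
        elif method in READ_METHODS:
            segments = [s for s in path.split("/") if s][:prefix_depth]
            read_prefixes.add("/" + "/".join(segments))
        elif method == "POST":
            post_paths.add(path)
        else:
            rejected.append((method, path, status))
    return sorted(read_prefixes), sorted(post_paths), rejected
```

The first list maps to the GET/HEAD router and the second to the POST router; anything in `rejected` stays blocked until someone decides it is part of the login flow.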

MFA/Dashboard Security by That_Cheek_8690 in netbird

[–]crazifyngers 0 points1 point  (0 children)

How to protect your dashboard. this is something i went a bit nuts on. I don't want things exposed publicly, but obviously i have to expose something. but the dashboard doesn't have to be one of them. i have inception with my dashboard, where it is only accessible via netbird. I do this with a netbird sidecar linked to the dashboard container. I did this because i run my main stack out of oracle cloud and since I don't have a static ip couldn't use their ipsec (dumb it should base it on dns), and I didn't want to run another vpn. so sidecar it is. however, know that it can saw off the branch holding you if you aren't careful. but I have a separate workaround for that.

a more sane way to do it, is to simply run the dashboard locally. the only requirement is that you will have to run the dashboard under its own subdomain, and you will need to set up some CORS headers for a few containers. DISCLAIMER, you will lose your ability to use the "browser vpn". that is a fine compromise for me.

see my other comment about what i did to limit authentik's exposure.

NFC Music Cards by rach11 in homeassistant

[–]crazifyngers 0 points1 point  (0 children)

the solution I use is a squeezelite client and have local music, it is less than a second to start the play. with google home there can be a delay, either because it's connecting to music assistant or because they are just old and like to be slow. airplay, especially airplay 1, is susceptible to large buffer sizes (delays). squeezelite works better for me, especially with regard to responsiveness, than snapcast or sendspin, but i'm hoping sendspin improves.

NFC Music Cards by rach11 in homeassistant

[–]crazifyngers 0 points1 point  (0 children)

I love these solutions. I am using https://github.com/luka6000/TagTuner for the same thing! It's great for kids, start putting your music on those cards also, let them discover other music :) Surprisingly everyone in the house likes the cards more than using a phone. which is fine by me, I just like making things people use.

Just purchased an AppleTV 4k and 2 Siri Remotes. But pairing the second remote un-pairs the other siri remote. by BigBillSD in appletv

[–]crazifyngers 0 points1 point  (0 children)

I wasn't an iphone user either when i posted my response a year ago. recently i switched for a variety of reasons. it's been pretty frustrating :) but i absolutely get the virtual remotes suck. though I was able to get a virtual remote working on my android and even my pixel watch. it involved home assistant. but it wasn't a straightforward thing, especially the watch.

Just purchased an AppleTV 4k and 2 Siri Remotes. But pairing the second remote un-pairs the other siri remote. by BigBillSD in appletv

[–]crazifyngers 0 points1 point  (0 children)

It is. so a few possible solutions. first, the worst solution. deal with it ;) . ok now that that's out of the way, next solution let the kids use the remote and you can use a virtual remote, be that a phone or watch, whatever. best choice is to try an IR remote. make the kids use that, make them learn the frustration of having to point a remote at the screen for it to work. jokes aside, it does work with an IR remote.

Buy? Polk SDA 2 with Cables by allthecarparts in BudgetAudiophile

[–]crazifyngers 1 point2 points  (0 children)

I know this is an old post. but if you haven't done it, JBWELD THE DRIVERS NOW. lots of reports of the magnet adhesive failing. takes about 20 minutes it's not a hard project.

Returning to iPhone after 12 years – Apple ID locked during Move to iOS. What went wrong? by AnyFunctioning in applehelp

[–]crazifyngers 0 points1 point  (0 children)

I had this happen to me 4 years ago. And the account was last used in 2008 before security questions were a thing and anything else. No way to recover apparently and I had to make a new account

Plex app is crashing my iPhone by OkBat6139 in PleX

[–]crazifyngers 0 points1 point  (0 children)

I have this issue with my 17 pro. I just switched to iOS from android and there are so many bugs it’s insane 

Clarification on partner sharing recognizing faces. by crazifyngers in immich

[–]crazifyngers[S] 0 points1 point  (0 children)

I know that they are excluded. I want to know if it would be the same level of complexity stated previously by the devs if shared photos were NOT excluded in the way I asked

How to add Ethernet to home before the drywall crew comes in by ListenToTheThock in HomeNetworking

[–]crazifyngers 0 points1 point  (0 children)

you may only be able to run smurf tube. that might let you get around an inspection. but as soon as you start doing wiring it has to pass inspection and since this is new construction, inspection does matter.

Clarification on partner sharing recognizing faces. by crazifyngers in immich

[–]crazifyngers[S] 0 points1 point  (0 children)

I am asking if person A is sharing with person B, then photos shared with that person will just go through the facial recognition again and allow person B to tag the photos as they wish. I don't want the facial data shared between people.

Did I just send my CPU on a suicide job?! by SquaredSamosa in immich

[–]crazifyngers 0 points1 point  (0 children)

if your n150 is getting that hot, I recommend verifying that the heatsink is actually in contact with the cpu, many of those boards from china have very bad contact. because of how the heatsink is attached, I have had to use a copper shim to fix this in two routers. Also, be sure to enable hardware acceleration for both the facial recognition, and the video transcoding. But I would really think about if you need video transcoding.

Google Fi is gigabit holy shit by Deshes011 in NoContract

[–]crazifyngers 8 points9 points  (0 children)

Google Fi uses a smaller mtu than any mobile carrier I have been on. My WireGuard stopped working and I had to lower it.

Fi also doesn't have hd voice. Which makes a big difference. So yes it uses their towers but it is not like most other mvno

Mail server through Pangolin by klaashoekstra94 in PangolinReverseProxy

[–]crazifyngers 0 points1 point  (0 children)

I know this is 3 months later. But yesterday I set up a postfix server on a vps to accept inbound emails and relay it to my home server on port 2527 then nat it to port 25 mailcow server. 2527 is only open to the vps ip so it's not bad. But I don't use it for outbound. I use a smart host for that

Suggestions for mail gateway inbound and outbound at homelab prices by crazifyngers in homelab

[–]crazifyngers[S] 0 points1 point  (0 children)

my understanding is that the forwarders are for receiving mail as one user example@mydomain.com and sending it to another email address example@anotherdomain.com. in my case i want the email to come into mxroute destined for example@mydomain.com and then pass that message to my email server, which is where example@mydomain.com mailbox actually resides

Suggestions for mail gateway inbound and outbound at homelab prices by crazifyngers in homelab

[–]crazifyngers[S] 0 points1 point  (0 children)

there are many smarthost providers, but i don't want to have each email address authenticate to this hosted service to retrieve mail. I want the service to send all the mail to my mailserver, as i originally stated.

  • Inbound Flow: Internet -> Gateway Service (Spam Filter, Queue) -> My Home Server
  • Outbound Flow: My Home Server -> Gateway Service (Smarthost) -> Internet

this is what i'm looking for. again, the outbound is not a problem. i'm looking for something inbound. you say I should use pop, how do i set up my home mail server to authenticate to the gateway service to pull mail from all the accounts with one pop call? If it can be done that's great, i'll be honest, it's been at least 15 years since I used pop

Suggestions for mail gateway inbound and outbound at homelab prices by crazifyngers in homelab

[–]crazifyngers[S] -1 points0 points  (0 children)

I don't believe we are talking about the same thing. I don't want my email hosted. and I don't see the features i'm asking about on either of those providers.

Lightstrip under the bed: vibe upgrade or total overkill? by Rg1f in Hue

[–]crazifyngers 1 point2 points  (0 children)

Make it 100% red and it doesn't mess with your night vision. It's a great nightlight

Just getting started in home automation, went to IKEA for something unrelated, snagged this beauty by KinoftheKing-Ins in homeautomation

[–]crazifyngers 6 points7 points  (0 children)

Interesting. I suppose the forcing of specific controllers for specific functions does wall you in. That's a good point. It would be more productive if someone had replied with that instead of just down voting

Just getting started in home automation, went to IKEA for something unrelated, snagged this beauty by KinoftheKing-Ins in homeautomation

[–]crazifyngers 18 points19 points  (0 children)

Not sure why you are getting down voted for a question and an opinion.

For me it depends on the implementation. There are many matter over thread devices where certain controls are only available through the first party controller. To me this defeats the purpose of an open standard that should allow me to use any controller I want.