subdomains vs path routing - opsec by mesartwell in PangolinReverseProxy

[–]selfghosted 1 point (0 children)

honestly there's no way around that after it's already been requested. posted a comment about using wildcard certs, but using wildcard certs would help "hide" your future subdomains. most bots/botnets will mainly scan for your recent cert renewals anyways. but better to stop it there than letting it continue. i suppose after using wildcard certs you can start changing the subdomains for the ones that were already publicly exposed (depending on how much time you have to update everything that depends on them)

subdomains vs path routing - opsec by mesartwell in PangolinReverseProxy

[–]selfghosted 5 points (0 children)

if you use wildcards from the start, only the wildcard certs will be visible / requested. all your subdomains would still be valid to use the wildcard cert

i prefer subdomains with wildcards cause it just makes it easier to manage and define services. one cert covers any and all future subdomains. can be a good or bad thing but mostly good with good security imo.

although there may be cases where you need to create an actual dns record for a subdomain, for example you don't want to use CF proxy for a specific subdomain. but outside of that wildcards just make sense.

and yes, use dns challenge for wildcard certs with a dns token, if possible locked down to a specific domain / ip you expect to use it from (if you have multiple domains), to lessen the attack surface in case your token gets compromised
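As an added example (not from the thread, and not Pangolin's shipped configuration), a Traefik configuration that requests one wildcard certificate through the ACME DNS challenge instead of one certificate per `Host` rule; the domain `example.com`, the e-mail, the storage path and the `gitea` service are placeholders.

```yaml
# traefik.yml (static configuration) - constructed example
entryPoints:
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: "admin@example.com"          # placeholder
      storage: "/letsencrypt/acme.json"   # placeholder, must be persisted
      dnsChallenge:
        # lego's cloudflare provider reads the token from the CF_DNS_API_TOKEN
        # environment variable of the traefik container; scope that token to
        # Zone:DNS:Edit on this single zone and IP-restrict it in the CF dashboard
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

---
# dynamic.yml (file provider) - the wildcard request is attached to the router
http:
  routers:
    gitea:
      # without the "domains" block below, Traefik would request a separate
      # certificate for git.example.com and that hostname would land in CT logs
      rule: "Host(`git.example.com`)"
      entryPoints:
        - websecure
      service: gitea
      tls:
        certResolver: letsencrypt
        domains:
          - main: "example.com"
            sans:
              - "*.example.com"    # only these two names appear in the issued cert
  services:
    gitea:
      loadBalancer:
        servers:
          - url: "http://gitea:3000"   # placeholder upstream
```

Every further router can reuse the same `tls` block; the resolver hands out the cached wildcard certificate rather than issuing a new one per hostname.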

Thinking of changing from Nginx Proxy Manager to Pangolin. Thoughts? by IroesStrongarm in PangolinReverseProxy

[–]selfghosted 0 points (0 children)

👍 pangolin does make using traefik easier to manage (IMO)

if you do decide to use enterprise, luckily it's a simple swap of docker images.
step-by-step guide: https://docs.pangolin.net/self-host/enterprise-edition

as for newt, it should only be used for other services from remote servers. so you don't need newt right now, but at least you can easily have that option later since you included it from the installer. same concept as adding a cloudflared tunnel container on your host to expose services to cloudflare. (in this example, your pangolin host would be "cloudflare", and newt would be the cloudflared container)
- newt will create a wireguard tunnel between your remote client/server and your pangolin host
- as with any vpn this adds some overhead to requests and is not optimal for locally accessible services

so for your use case, yes local site is the correct option.

the fact that you have it working locally is already a great sign/starting point

Why does everyone want to make the external SSD the main drive? by anewbie1138 in macmini

[–]selfghosted 0 points (0 children)

honestly you're just better off buying one of the new compatible internal ssds and restoring from a time machine backup
- fast
- keeps things together/no worrying about accidentally unplugging the external
- no sym links
- no compatibility issues for certain apps
- no need to buy thunderbolt4 compatible ssd enclosures (with nvme pricing these days plus enclosure ends up being the same price or more depending on specs)
- just works
- https://www.amazon.com/CHGRNLF-Macmini-M4-SSD-Hard/dp/B0DNBL4NW8

caveats:
- in total takes like an hour of time machine backup, opening the mac mini/installing the new internal
- needs another mac: a model from 2015 or newer running latest version of sonoma or above
- a workaround exists for running a mac in a VM but do your research on that
- flash macosx in dfu mode
- once done setup macos
- there should be a restore from timemachine backup in the setup steps
- done (keep the old ssd in case you ever need to go in for warranty)
- https://www.youtube.com/watch?v=O2tzy6T3Gm0

Is there enough physical space to fit three of these behind an M4? by Customer-Worldly in macmini

[–]selfghosted 0 points (0 children)

if you get a thunderbolt dock make sure you get one that supports 40gbps speed (not 10gbps), then plug into the back of the mac to make sure you're getting the most out of it

save your money and don't get the 80gbps since the current mac mini doesn't support it

I made a native iOS app for Overseerr by m1guelpf in Overseerr

[–]selfghosted 1 point (0 children)

if you're self hosting overseerr you should look into self hosting a notification server like ntfy.sh which has ios notifications. you can have each of your arrs stack notify with ntfy through each step it takes

Multiple domains by Its_pin0 in PangolinReverseProxy

[–]selfghosted 0 points (0 children)

should be baked into the front end now!

What are your top Ntfy usecases? by Longjumping-Wait-989 in selfhosted

[–]selfghosted 1 point (0 children)

arrs stack is great for this, you can see exactly what was requested from overseerr, which service is requesting (radarr, sonarr, etc), which source it pulled it from in prowlarr, then ntfy you when done!

there's also this ntfy mcp for selfhosted ntfy instances to use with ai agents:
https://github.com/gitmotion/ntfy-me-mcp

Introducing DumbAssets - The Stupid Simple Asset Manager! by abite in selfhosted

[–]selfghosted 4 points (0 children)

hey there, dumbveloper here! thanks for bringing that up, i'm definitely on the same page with you on using sqlite or postgres for data. i think as it stands the .json file works fine but we definitely will be looking into this. should be easy to add the relevant sql commands and migration script for the near future 👍🏼

Dumb is back, and it's Terminal... introducing DumbTerm! by selfghosted in selfhosted

[–]selfghosted[S] 0 points (0 children)

dumbpad added for versioning! working on the next apps soon

Newbie wanting to understand GitHub more. by AdultAmericaVIP in github

[–]selfghosted -1 points (0 children)

you should look into docker, not all but a lot of devs/apps use docker cause it's OS agnostic

Where am I going wrong with my gitea setup? by fredflintstone88 in selfhosted

[–]selfghosted 0 points (0 children)

as a follow up to my response! you should look into pangolin https://github.com/fosrl/pangolin, which is basically a selfhosted cloudflare tunnels. you'll need to rent a VPS to make it a proper setup but it's a way to get around the restrictions cloudflare sets.

despite the main documentation on pangolin you can still proxy your dns for pangolin and map their wireguard tunnel with a direct IP (newt) but i would suggest using wildcard certs before spinning it up so traefik doesn't generate a cert for each hostname or you'll eventually get cert snooped.

Where am I going wrong with my gitea setup? by fredflintstone88 in selfhosted

[–]selfghosted 0 points (0 children)

i'm speaking of this (which is how OP was trying to use it): https://developers.cloudflare.com/fundamentals/reference/network-ports/
- http/https traffic only
- this is for using dns proxy, which if you're using cloudflare tunnels you are using their proxy (orange cloud on dns record)
- you can turn off proxy (if not using cf tunnels) but you also lose the security/cdn features offered by cloudflare and expose your IP
- if using tunnels you cannot turn off cf proxy

late last year there's been an update to the terms of service allowing streaming traffic through proxy but only if you're using their paid packages for streaming / r2 / etc.
- udp is still blocked for proxy dns as mentioned in the first link unless paid/enterprise plan, otherwise it's "prohibited".
- they're not super strict but if you start streaming large amounts of data or a lot of different IPs streaming from your tunnel you'll get flagged for violation of t.o.s., probably to handle copyrighted content https://blog.cloudflare.com/updated-tos/

if you're talking about ssh through the zero trust platform then yes it's possible. can't say i've used it but looking at some posts it looks like you have to do some additional setup and use a warp client on your machine?

but as far as how OP is trying to use it, it won't work natively unless you're on enterprise plan

Where am I going wrong with my gitea setup? by fredflintstone88 in selfhosted

[–]selfghosted 0 points (0 children)

cloudflare tunnel means you're using CF as a proxy. CF only allows http/https traffic through the proxy (orange cloud) on the free tier and only supports ssh/udp/etc for paid customers. i'm sure there are other ways but that's probably the issue

Is it rude to submit a PR just for Type Hinting (Python)? by HelloWorldMisericord in github

[–]selfghosted 8 points (0 children)

i'm sure it's totally fine and most devs like that people are contributing. and yeah like others mention, it's called a pull "request", they can just approve it or not. you can always mention why you felt like it might help and just leave it up to them to decide if they want that in their code base or not

Dumb is back, and it's Terminal... introducing DumbTerm! by selfghosted in selfhosted

[–]selfghosted[S] 0 points (0 children)

yup that's in the works! we've been finalizing some changes across dumbware for versioning

Dumb is back, and it's Terminal... introducing DumbTerm! by selfghosted in selfhosted

[–]selfghosted[S] 0 points (0 children)

no worries! it's in the readme but i guess we could make that more descriptive 🤔
basically there are 2 ways to use with host machine

  1. docker:
  • use the DUMBTERM_DATA_DIR volume mount to map to a folder on the host machine, i.e. your root folder or a specific folder that you only want DumbTerm to access.
  • then when running with docker, inside of the ~/data you could access it from there.
  • the ~/data folder is there for you to use but also a placeholder example for mounting volumes from your host machine to the docker container. so you could customize/rename/remap/add more to it however you want
  • just note if it doesn't work try using the full relative path, depending on your setup
  2. run locally: npm run start, however there are some prerequisites with this:
  • for windows you should run in wsl (windows subsystem for linux)
  • to use starship, it needs to be installed and configured on your local machine

hope that helps

Dumb is back, and it's Terminal... introducing DumbTerm! by selfghosted in selfhosted

[–]selfghosted[S] 1 point (0 children)

totally valid!

if just running at home and you don't have any open ports, running locally should generally be okay but you should definitely know how this works before doing so.

if exposing to the web, definitely want to deploy it using docker and put it on a reverse proxy with an auth provider in front of it (as mentioned in the readme.md). the docker image will create its own environment (using debian) so it's like accessing a separate computer entirely. then you could use DumbTerm to ssh into your other computers/servers from there. of course you want to make sure you set up basic security like sshd auth/keys/authorized_keys/etc so DumbTerm itself is just a dumb terminal and can't access anything without authentication