Yes, there are broken uses of the HTTP protocol verbs where filtering to GET won’t work.
A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.
It’s extremely difficult to attack a service with only GET requests.
The security of which URLs are accessible without authentication would be up to immich.
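The method-and-path allowlist described above, as an added example in Go (not code from the thread or from immich): a reverse proxy that forwards only GET/HEAD requests, and only for paths under a fixed set of prefixes. The prefixes, the upstream address and the listen port are constructed for the example and are not immich's real routes; the real read-only endpoints have to come from the application's own documentation.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// allowedPrefixes is a constructed allowlist for this example. The real
// read-only endpoints of the private service (immich or anything else) are
// an assumption here and must be taken from that application's own docs.
var allowedPrefixes = []string{
	"/api/shared-links",
	"/api/assets",
}

// pathAllowed reports whether a request path is exactly an allowlisted prefix
// or sits below it. The path is cleaned first so that ".." segments cannot be
// used to walk out of an allowed subtree.
func pathAllowed(p string) bool {
	cleaned := path.Clean("/" + p)
	for _, prefix := range allowedPrefixes {
		if cleaned == prefix || strings.HasPrefix(cleaned, prefix+"/") {
			return true
		}
	}
	return false
}

// requestAllowed is the policy from the post: only GET (HEAD is the same
// read-only operation without a body) and only for specific paths.
func requestAllowed(method, p string) bool {
	if method != http.MethodGet && method != http.MethodHead {
		return false
	}
	return pathAllowed(p)
}

// NewFilteringProxy wraps a standard single-host reverse proxy and rejects
// every request that fails requestAllowed before it reaches the upstream.
func NewFilteringProxy(upstream string) (http.Handler, error) {
	target, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !requestAllowed(r.Method, r.URL.Path) {
			// Log the rejection so it can be counted and alerted on, and
			// answer 404 rather than 405 so the proxy does not advertise
			// which paths and methods exist behind it.
			log.Printf("rejected %s %s from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.NotFound(w, r)
			return
		}
		proxy.ServeHTTP(w, r)
	}), nil
}

func main() {
	// Assumed upstream address and listen port; adjust to your deployment.
	h, err := NewFilteringProxy("http://127.0.0.1:2283")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", h))
}
```

The check runs on the decoded, cleaned path, so percent-encoded or dot-segment variants of a blocked path are rejected before anything is forwarded. The caveat from the thread still applies: this only helps if the upstream's GET endpoints are genuinely read-only, which is the application's responsibility, not the proxy's.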
Although, if I have my own Amazon referral link in my blog post and they replace the referral code in their feed, I would not be happy about that.
They could be injecting their own ads or affiliate links into the content.
For example, if a post links to Amazon.
I have not looked at the source code.
Have you tried doing CAD work on a phone or iPad over a Remote Desktop connection?
Seems unpleasant enough to drive someone to buy a proper laptop to travel with.
If you don’t have a proper computer, how will you access this remote server to do your CAD work?
I imagine BitWarden is sufficiently good. The big leap in security comes from having no password manager to a decent password manager.
LastPass does not seem as serious about security so it doesn’t meet my personal bar for decency.
LastPass doesn’t have your password, so it can’t be stolen during a breach.
But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.
https://support.1password.com/secret-key-security/
Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.
For that reason, your 1Password account is more likely to be compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you — the attacker can potentially grab all you type and see all you see.
I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.
If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.
1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.
You are more likely to screw up your own backups and hosting security than they are.
I like to manage services maximally with systemd so it was a natural fit for me.
It did not seem difficult to set up web and database quadlets so they are properly networked.
I tried a USB KVM switcher. I only recall there were serious issues and it didn’t last long.
Now I use a high quality USB dock and physically unplug/re-plug a work and personal laptop. That’s been a simple and reliable solution.
For my home server, I ssh into it.
Ghost has a lot of these features as well as being a blog and handling paid subscriptions and donations.
You use an IMAP syncer, like this one:
A word of caution: I professionally hosted email for over a decade.
90% of incoming email will be spam. Anti-spam tools will need regular updates. Backups are also super important.
All things considered, I don’t host my own email anymore although I know all the pieces involved.
There are also some independent email hosts that are good like Fastmail or for extra privacy, Proton Mail.
If the emails live on your server, can’t you use software there to send, receive and search emails?
There aren’t log visualizers for every artisanal log file format. But there’s a movement towards supporting JSON format logs for more services, and lots of tools that can understand JSON logs, making generating graphs and metrics from arbitrary logs fairly efficient.
If this tool is making the logs harder to parse by using a custom format, that’s something the tool could improve.
Some apps support both plaintext logs for humans and JSON logs for tools.
I recommend generating some metrics from the logs and graphing them yourself.
Perhaps the free Grafana plan would have what you need to parse the log files and visualize the metrics you want.
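Generating metrics from JSON logs yourself, as an added example in Go (not code from the thread or from any of the tools it mentions): it reads newline-delimited JSON log lines, counts requests by level and status, keeps a p95 latency, counts lines it cannot parse instead of crashing, and emits the result in the Prometheus text format that Grafana can graph. The log lines and their field names (`level`, `method`, `path`, `status`, `duration_ms`) are constructed for the example and are not any particular tool's schema.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"strings"
)

// sampleLogs is constructed for this example. The field names are an
// assumption, not any particular tool's log schema.
const sampleLogs = `{"ts":"2024-05-01T10:00:00Z","level":"info","method":"GET","path":"/api/assets/1","status":200,"duration_ms":12}
{"ts":"2024-05-01T10:00:01Z","level":"info","method":"POST","path":"/api/auth/login","status":401,"duration_ms":5}
{"ts":"2024-05-01T10:00:02Z","level":"warn","method":"POST","path":"/api/auth/login","status":401,"duration_ms":4}
plain text line that a JSON parser must skip, not crash on
{"ts":"2024-05-01T10:00:03Z","level":"error","method":"GET","path":"/api/assets/2","status":500,"duration_ms":230}
`

type entry struct {
	Level      string  `json:"level"`
	Method     string  `json:"method"`
	Path       string  `json:"path"`
	Status     int     `json:"status"`
	DurationMS float64 `json:"duration_ms"`
}

// Metrics is what you would push into a dashboard: request counts by level
// and status, how many lines could not be parsed, and a latency percentile.
type Metrics struct {
	ByLevel  map[string]int
	ByStatus map[int]int
	Unparsed int
	P95MS    float64
}

// ComputeMetrics reads newline-delimited JSON logs and aggregates them.
// Non-JSON lines are counted rather than dropped silently, because a sudden
// rise in unparsable lines is itself worth alerting on (format change,
// corrupted file, or something else writing into the log).
func ComputeMetrics(logs string) Metrics {
	m := Metrics{ByLevel: map[string]int{}, ByStatus: map[int]int{}}
	var durations []float64
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			m.Unparsed++
			continue
		}
		m.ByLevel[e.Level]++
		m.ByStatus[e.Status]++
		durations = append(durations, e.DurationMS)
	}
	if len(durations) > 0 {
		// Nearest-rank p95: sort and take the ceil(0.95*n)-th value.
		sort.Float64s(durations)
		idx := int(math.Ceil(0.95*float64(len(durations)))) - 1
		m.P95MS = durations[idx]
	}
	return m
}

// RenderPrometheus writes the metrics in the Prometheus text exposition
// format; Grafana can graph these once a Prometheus instance scrapes them.
func RenderPrometheus(m Metrics) string {
	var b strings.Builder
	statuses := make([]int, 0, len(m.ByStatus))
	for s := range m.ByStatus {
		statuses = append(statuses, s)
	}
	sort.Ints(statuses)
	for _, s := range statuses {
		fmt.Fprintf(&b, "http_requests_total{status=\"%d\"} %d\n", s, m.ByStatus[s])
	}
	levels := make([]string, 0, len(m.ByLevel))
	for l := range m.ByLevel {
		levels = append(levels, l)
	}
	sort.Strings(levels)
	for _, l := range levels {
		fmt.Fprintf(&b, "log_lines_total{level=\"%s\"} %d\n", l, m.ByLevel[l])
	}
	fmt.Fprintf(&b, "log_lines_unparsed_total %d\n", m.Unparsed)
	fmt.Fprintf(&b, "http_request_duration_ms_p95 %g\n", m.P95MS)
	return b.String()
}

func main() {
	fmt.Print(RenderPrometheus(ComputeMetrics(sampleLogs)))
}
```

For a real log, replace the constant with a file read or a tail of the service's JSON log; the status and level breakdowns are usually the first two panels worth having, since a jump in 401s or in `error` lines is visible long before anyone reads the raw log.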
Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they want to be private:
https://github.com/immich-app/immich/tree/main/e2e/src/api/specs
As a popular open source project, that would be a glaring security hole.
Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s GitHub account is hacked or there’s a vulnerability in the supply chain of this docker container.
It’s also not true that you “never need to touch it again”. It’s based on Node, whose security updates expire every two years. A new image should be built at least every two years to keep up to date with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.