Thank you all for the feedback. I've incorporated some of the
suggestions and published the post :)

https://secluded.site/pull-vs-push-intentional-notifications/

Hello all o/

I've drafted a new blog post, but would like some more eyes on it before
I publish. Any feedback is welcome :)

https://paste.sr.ht/~amolith/a06295a53b2397345c4ecd5f9c4038e3709d3f66

Cheers,
Amolith

Ingo Hoffmann <ingo@hoffmann.cx> writes:
> I see where you're coming from. My main concern is that, IMHO, billing should
> be more protected/has an extra layer of security.

I had the same concern while initially reading the proposal. I checked
the billing page and, personally, wouldn't have a huge problem with any
of my employees having read-only access to the information here. It
shows card type, last four digits, postal code, expiration month, and
when you paid how much. If it showed more sensitive information, like
more of the card details, I would absolutely want some knob to twist to
disable read access.

_Ideally_, that page could be hidden from all but a select few people

> relying on what you host, redundancy becomes much more important. At
> that point, I would say a minimum of two self- or professionally-managed
> nameservers is ideal.

I misplaced a word while editing. I meant to say "a minimum of two […]
*secondary* nameservers is ideal", the goal being three total, one
primary and two secondary.

> How risky is it to only run a primary service and rely
> on a free secondary service like ns-global.zone?

As long as you're content with relying on two nameservers for all your
stuff, I see no problem with it :) For personal services, I think even a
single primary is sufficient. You'll notice when something's
inaccessible and fix it if/when you need to. Once other people begin
relying on what you host, redundancy becomes much more important. At
that point, I would say a minimum of two self- or professionally-managed
nameservers is ideal.

> I always wonder why (almost) no public free software service host
> offers authoritative DNS.  Is there a security implication

> Though I doubt it's far up on the priorities list, it might be a way for
> sourcehut to earn some additional revenue. Thinking of how DNS is
> currently, your only options are either the big oligopolists (yuck) or
> small providers like Zilore or Hurricane Electric (stretching "small"
> a bit here) that haven't caught up on modern standards like DNSSEC or
> record types.

In my experience, authoritative DNS is quite trivial for most minimally
experienced admins to run themselves. Grab a few of the smaller servers
from someone like BuyVM distributed across multiple datacenters, spend
half a day learning PowerDNS, set one up as your primary, the other two
as auto-secondaries, and enable automatic security updates. You're 95%
of the way there. All that's left is using some of the free secondary

> I’d like to request upload access. I wish to upload old animation in the public domain. I’m currently signed up with @disney_public_domain@libremedia.video

For the time being, I'm going to have to say no; I am actively
maintaining the system when I can, but I periodically lose access
because the server is physically managed by my co-admin and he
periodically just disappears with no warning for months at a time. I
don't want anyone to begin relying on LibreMedia only for everything to
break for the next six months.

> Hello, I'd like to start uploading video recordings of tabletop RPG sessions.
> They will be under CC BY-NC or BY-NC-SA. I have around 64GiB of recordings so
> far, with more to come. The sessions are currently streamed on Twitch on a
> weekly basis and we'd like to eventually stream simultaneously on LibreMedia
> too.

For the time being, I'm going to have to say no; I am actively
maintaining the system when I can, but I periodically lose access
because the server is physically managed by my co-admin and he
periodically just disappears with no warning for months at a time. I
don't want anyone to begin relying on LibreMedia only for everything to
break for the next six months.

Daniel Wilkins <tekk@linuxmail.org> writes:

> On Wed, Jul 20, 2022 at 11:09:56PM -0400, Amolith wrote:
>> Signed-off-by: Amolith <amolith@secluded.site>
>> +	// Allow incoming Sprig/relay connections
>> +	err = sh.Run("ufw", "allow", "in", "7117")
>> +	if err != nil {
>> +		return err
>> +	}
>> +
> Do we want to allow ssh in too?

You already allowed SSH in the original code you wrote.

> Should this include hte service name somewhere in the sh.Run
> invocation? I don't run systemd so I can't test off-hand.

No, any time you modify or add systemd services, you have to run
daemon-reload to re-create dependency trees and regenerate things. After
modyfing or adding services, you can't start, stop, enable, or disable
anything until you run daemon-reload.