Guessing it is more a habit from back in time when ssl certification wasn’t common. Panic of MITM attacks, friends sharing their trusted access to other friends, etc. all contributed to my actual status of paranoia.
Don’t make me reconsider my cybersec approach ;)
Rotating passwords only for web services. Vaultwarden does make it easy. Not all services allow 2FA.
I’m somewhat paranoid therefore running several isolated servers. And it’s still not bulletproof and will never be!
Personally I use Raspi 2 and Zero for that purpose. HATS for digital connection or if you want connecting speakers directly consider AMP2 HAT.
Homeassistant controls grouping, volume etc.
You can configure multiple zones on a server snap with multiple hosts
A client can assign to one host only.
If I’m understanding you correctly, you could make use of a shell script for this. Use WGET to download lists, then combine them into a single large file, and finally create a new file with no duplicates by using “awk ‘!visited[$0]++’”
wget URL1 URL2 URL3
cat *.txt > all.txt (This overwrites all.txt)
awk ‘!visited[$0]++’ all.txt > no_duplicates.txt
It depends a bit on what you want to accomplish, the threat model, the devices in use, and other topics. I think this is a good read: https://avoidthehack.com/best-pihole-blocklists
Some specific social blocklists: https://github.com/d43m0nhLInt3r/socialblocklists
Beets is my favorite tagger since I prefer CLI. Match making policy can be adjusted and discogs plugin can be added I recommend the folder structure /artist/album/track
Possibly Home Assistant is able to cover your devices and needs.
Guessing, millions of people will feel obligated to share their ID. Not everyone can be saved
Check if Lidarr adds an artist* image in artist folder or add an integration for fetching images.
At last we keep it simple ;)
I set up custom bash scripts collecting information (df, docker json, smartCTL etc)
Either parse existing json info or assemble json strings and push it to Homeassistant REST api (cron)
In Homeassistant data is turned into sensors and displayed. HA sends messages of sensors fail.
Info served in HA:
Trying to keep my servers as barebones as possible. Additional services/apps put strain on CPU/RAM etc. Found out most of data necessary for monitoring is either available (docker json, smartCTL json) or can be easily caught, e.g.
df -Pht ext4 | tail -n +2 | awk '{ print $1}
It was fun learning and defining what must be monitored or not, and building a custom interface in HA.
I’m using network overlays for individual containers and separation.
Secondly fail2ban installed on host to secure docker services. Ban FORWARDING chains specific to docker instead of INPUT chains. [fail2ban docker](Configure Fail2Ban for a Docker Container – seifer.guru)
Use 2FA for services if available.
Rootless docker has limitations when it comes to port exposing, storage drivers, network overlays etc.
The host is auto-updating security batches but rebooted manually only.
Docker containers are updated manually too. I built all containers from file and don’t pull them because most are modified (plugins, minimizing sizes, dedicated user rights etc.)
Bind mounts are easy to maintain and backup. However if you share data amongst multiple container docker volumes are recommend especially for managing state.
Backup volumes:
docker run --rm --volumes-from dbstore -v $(pwd):/backup containername tar cvf /backup/backup.tar /dbdata
Database volume backup without stopping the service: bash into the container, dump it, and copy it out with docker cp. Run it periodically via crontab
Define which data is from value. I got 68TB of data but realistically only 3 TB are from such value I maintain several copies (Raspi + SSD) and online backup. The rest of data is stored on a cheap server built at a family member and synchronized twice a year. Make sure your systems and drives are all encrypted. And test your backups and redeployment strategy.
Edited: typo
If your data is such valuable, I’m sure you took the time to setup a complete encrypted system (LUKS).
I used VMs some time ago but never managed to look deeper into separation of bare metal vs VMs. Hence I can’t assess this reasonably.
Docker got me interested when it started and after discovering its networking capabilities I never looked back.
Basically I’m trying to minimize the possibility that by intercepting one dockerized service the attacker is able to start interacting with all devices. And I have lots of devices because of a fully automated house. ;) My paranoia will ensure the constant growth of privacy and security :)