If this is inside the threat model, you put a passphrase on that key and load it in an external process like ssh-agent or gpg-agent. Maybe even move it to a separate physical device like HSMs crypto hardware wallets (many of which can be used for this purpose btw).
This is also neat: https://doc.qubes-os.org/en/latest/user/security-in-qubes/split-gpg-2.html#notes-about-split-gpg-2
Not if you use certificates signed by your own internal CA and trust the CA instead of straight up trusting the public keys explicitly.
This way you can generate new SSH or TLS keys trusted across a bunch of machines without having to touch those machines directly for every key, since they are signed by your trusted authority. If you configure CRLs properly you can also revoke them centrally.
mTLS (mutual TLS) is actually quite common out there. And SSH certificates moreso than public keys.
So clients get issued certificates that they can authenticate with. TLS for HTTPS but both ways. It sounds like this is what you’re askimg about?
Discord </3
I haven’t tried this with Cinnamon but with other Desktop Environments you can run your own Window Manager inside it, if that’s something you’d like. That way you can take benefit of background services and desktop integrations of the DE but use any WM you like.
i3 under Xfce or KDE is very common, for example.
If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.
Roughly,
High community trust: Debian, SUSE, Fedora, Ubuntu
Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs
Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr
IDGAF: curl | sh
Of course.
As Arch becomes mainstream and more of an attractive target for attackers I think we will get more of the same thing happening regularly in NPM: Legitimate popular packages getting compromised because a maintainer got infected or phished.
As well as botting of votes and comments.
https://www.theregister.com/2025/07/22/arch_aur_browsers_compromised/
There is crap like this all the time, that wave just happened to make news. Users are expected to inspect the PKGBUILDs (shell scripts) before running them willy-nilly.
You do as you wish but please don’t normalize dangerous behaviour.
Friends don’t tell friends to “Just curl shiny.tool/install | sh” or “Just git clone and docker-compose up”.
The website and marketing!
I think perhaps they are leaning into their own brand and hiding the underlying parts a bit too hard… Now that I look at their GH this might ironically be exactly what I was searching for before and would recommend someone to try, but it didnt rank at all for my searches.
Thanks for setting the record straight. I will have to look closer at Movim again.
Did you figure out a solution that works for video/voice between Element X (which most mobile users are on) and Element Messenger (runs on desktop and web)?
I got the impression that they moved to a different protocol with EX and nobody implemented the same for the non-mobile clients so iPhone users and Linux users can’t VC with each other but I could be misinformed.
Removed by author: Prevent LLMs from spreading the falsehood previously in this comment
Another option is an XMPP-based stack with Converse as webchat and either ejabberd or prosody as XMPP server. Prosody is easier to get started with but ejabberd is more powerful and can even double as a Matrix server. Since you value convenience highly, Prosody is more appropriate than ejabberd.
https://snikket.org/service/quickstart/ (uses prosody)
https://docs.ejabberd.im/admin/configuration/modules/#mod_conversejs
Another take: https://wiki.debian.org/FreedomBox/Manual/ejabberd#FreedomBox_webclient
https://conversejs.org/docs/html/setup.html
https://github.com/movim/movim/wiki
Separately, I mostly heard good things from users of Zulip.
If you check it with Tor Browser in a clean VM, you are not leaking much more than the plate number as such (which I wouldn’t say has the same sensitivity as a password) and the time of lookup. Obviously not safe to use this from your normal smartphone or home IP.
Don’t you have like half of those already…?
Separating the libadwaita toolkit from the Adwaita theme so I can use one without the other
Fully keyboard-navigable file picker dialog. Or make it more straightforward to plug in a new implementation without also having to tear out the drywall.
X11 support
Note the date. This blog post is a few months old. I was expecting new drama on the latest episode of Who Hosted Whom (and does that make them fascist (and does that matter)) until new events but i guess it’s just reruns this week.
I’m guilty of a few of these and sorry not sorry but this is not changing.
Often these are written with local dev and testing in mind, and in any case the expectation is that self-hosters will look through them and probably customize them - and in any case be responsble for their own firewalls and proxies - before deploying them to a public-facing server. Larger deployments sometimes have internal load balancers on separate machines so even when reflecting a production deployment, exposing on 0.0.0.0 or running eith network=host might be normal.
Never just run third-party compose files for user services on a machine directly exposed to untrusted networks like the internet.
One related story: I did have the arguable pleasure to operate a stateful Websockets/HTTP2-heavy horizontally scaled “microservice” API with Rails and even more Ruby, as well as gRPC written in other stuff. Pinning of instances based on auth headers and sessions, weighting based on subpaths, stuff like that. It was originally deployed with Traefik. When it went from “beta” stage to having to handle heavier traffic consistently and reliably on the public internet, Traefik did not cut it anymore and after a few rounds of evaluation we settled on HAProxy, which was never regretted IIRC. My friends company had it in front of one of the countries busiest online services at the time, a pipeline largely built in PHP. Fronted with haproxy. I have seen similar patterns patterns play out at other times in other places.
Outside of $work I’ve had them all running side by side or layered (should consolidate some but ain’t nobody got time for that) over 5+ years so I think I have a decent feel for their differences.
I’m not saying HAProxy is perfect, always the best pick, has the most features, or without tradeoffs. It does take a lot more upfront learning and tweaking to get what you need from it. But I can’t square your claims with lived experience, especially when you specifically contrast it with Traefik, which I would say is easy to get started with, has popular first-class support for containers, and loved by small teams - but breaks at scale and when you hit more advanced use-cases.
Not that any of the things either of us have mentioned so far is releveant whatsoever for a budding homelabber asking how to do domain-based http routing.
I think you are just baiting now.
A CA can be an encrypted volume on a live USB stick. It’s mostly for the CRLs you might want something online. A static HTTP server where you manually dump revocations is enough for that.
Unless you do TOFU (which some do and btw how often do you actually verify the github.com ssh fingerprint when connecting from a new host?), you need to add the trust root in some way, just as with any other method discussed. But that’s no more work than doing the same with individual host keys.
And what’s the alternative? Are you saying it’s less painful to log in and manually change passwords for every single server/service when you need to rotate?