upvote

points

by linsomniac18 hours ago |
comments
upvoteby PunchyHamster12 hours ago|
next
[-]
Just giving them hostnames is easier.

In homelab space you can also make wildcard DNS pretty easily in dnsmasq, assuming you also "own" your router. If not, hosts file works well enough.

There is also option of using mdns for same reason but more setup

reply
upvoteby overfeed28 minutes ago|
parent|
next
[-]
> Just giving them hostnames is easier

Bitwarden annoyingly ignores subdomains by default. Enabling per-sudomain credential matching is a global toggle, which breaks autocomplete on other online service that allow you to login across multiple subdomains.

reply
upvoteby rodolphoarruda2 minutes ago|
parent|
[-]
Tell me about it... that infinite Ctrl + Shift + L sequence circling through all credentials from all subdomains. Then you brain betrays you making you skip the right credential... ugh, now you'll circle the entire set again. Annoying.
reply
upvoteby tehlike5 hours ago|
parent|
prev|
next
[-]
This is what i do.
reply
upvoteby c-hendricks11 hours ago|
parent|
prev|
[-]
How do I edit the hosts file of an iPhone?
reply
upvoteby nerdsniper11 hours ago|
parent|
[-]
You don't have to if you use mDNS. Or configure the iPhone to use your own self-hosted DNS server which can just be your router/gateway pointed to 9.9.9.9 / 1.1.1.1 / 8.8.8.8 with a few custom entries. You would need to jailbreak your iPhone to edit the hosts file.
reply
upvoteby simondotau7 hours ago|
parent|
[-]
I have a real domain name for my house. I have a few publicly available services and those are listed in public DNS. For local services, I add them to my local DNS server. For ephemeral and low importance stuff (e.g. printers) mDNS works great.

For things like Home Assistant I use the following subdomain structure, so that my password manager does the right thing:

  service.myhouse.tld
  local.service.myhouse.tld
reply
upvoteby gerdesj12 hours ago|
prev|
next
[-]
"Because all of my services share the same IP address"

DNS. SNI. RLY?

reply
upvoteby tbyehl52 minutes ago|
parent|
next
[-]
Not to diminish having names for everything but that just shifts the Bitwarden problem to "All of my services share the same base domain."
reply
upvoteby sv05 hours ago|
parent|
prev|
[-]
That's a bit weird to read for me as well. DNS and local DNS were the first services I've been self-hosting since 2005.

On Debian/Ubuntu, hosting local DNS service is easy as `apt-get install dnsmasq` and putting a few lines into `/etc/dnsmasq.conf`.

reply
upvoteby merpkz5 hours ago|
parent|
[-]
These modern-day homelabbers will do anything to avoid DNS, looks like to them it's some kind of black magic where things will inevitably go wrong and all hell will break loose.
reply
upvoteby predkambrij10 hours ago|
prev|
next
[-]
One cool trick is having (public) subdomains pointing to the tailscale IP.
reply
upvoteby timwis6 hours ago|
parent|
[-]
This is what I do. Works great! And my caddy setup uses the DNS mode to provision TLS certs (using my domain provider's caddy plugin).
reply
upvoteby m4637 hours ago|
prev|
next
[-]
or just use the same password for everything. ;)
reply
upvoteby ozim4 hours ago|
parent|
[-]
If it is like 12 characters non dictionary and PW you use only in your homelab - seems like perfectly fine.

If you expose something by mistake still should be fine.

Big problem with PW reuse is using the same for very different systems that have different operators who you cannot trust about not keeping your PW in plaintext or getting hacked.

reply
upvoteby brownindian14 hours ago|
prev|
next
[-]
Could also use Cloudflare tunnels. That way:

1. your 1password gets a different entry each time for <service>.<yourdomain>.<tld>

2. you get https for free

3. Remote access without Tailscale.

4. Put Cloudflare Access in front of the tunnel, now you have a proper auth via Google or Github.

reply
upvoteby lukevp12 hours ago|
parent|
next
[-]
You can also use cloudflare to create a dns record for each local service (pointed to the local IP) and just mark it as not proxied, then use Wireguard or Tailscale on your router to get VPN access to your whole network. If you set up a reverse proxy like nginx proxy manager, you can easily issue a wildcard cert using DNS validation from your NAS using ACME (LetsEncrypt). This is what I do, and I set my phone to use Wireguard with automatic VPN activation when off my home WiFi network. Then you’re not limited by CF Tunnel’s rules like the upload limits or not being able to use Plex.
reply
upvoteby johnmaguire11 hours ago|
parent|
[-]
Yup doing this with Caddy and Nebula, works great!
reply
upvoteby QGQBGdeZREunxLe13 hours ago|
parent|
prev|
next
[-]
Tunnels go through Cloudflare infrastructure so are subject to bandwidth limits (100MB upload). Streaming Plex over a tunnel is against their ToS.
reply
upvoteby miloschwartz12 hours ago|
parent|
[-]
Pangolin is a good solution to this because you can optionally self-host it which means you aren't limited by Cloudflare's TOS / limits.
reply
upvoteby mvdtnz13 hours ago|
parent|
prev|
[-]
Yeesh, the last thing I want is remote access to my homelab.
reply
upvoteby dewey18 hours ago|
prev|
next
[-]
This is always annoying me with 1Password, before that I just always added subdomains but now I'm usually hosting everything behind Tailscale which makes this problem even worse as the differentiation is only the port.
reply
upvoteby domh17 hours ago|
parent|
next
[-]
You can use tailscale services to do this now:

https://tailscale.com/docs/features/tailscale-services

Then you can access stuff on your tailnet by going to http://service instead of http://ip:port

It works well! Only thing missing now is TLS

reply
upvoteby avtar16 hours ago|
parent|
[-]
This would be perfect with TLS. The docs don't make this clear...

> tailscale serve --service=svc:web-server --https=443 127.0.0.1:8080

> http://web-server.<tailnet-name>.ts.net:443/ > |-- proxy http://127.0.0.1:8080

> When you use the tailscale serve command with the HTTPS protocol, Tailscale automatically provisions a TLS certificate for your unique tailnet DNS name.

So is the certificate not valid? The 'Limitations' section doesn't mention anything about TLS either:

https://tailscale.com/docs/features/tailscale-services#limit...

reply
upvoteby domh2 hours ago|
parent|
next
[-]
I think maybe TLS would work if you were to go to https://service.yourts.net domain, but I've not tried that.
reply
upvoteby nickdichev1 hours ago|
parent|
prev|
[-]
It works, I’m using tailscale services with https
reply
upvoteby altano5 hours ago|
parent|
prev|
next
[-]
In the 1Password entry go to the "website" item. To right right there's an "autofill behavior" button. Change it to "Only fill on this exact host" and it will no longer show up unless the full host matches exactly
reply
upvoteby miloschwartz12 hours ago|
parent|
prev|
next
[-]
Pangolin handles this nicely. You can define alias addresses for internal resources and keep the fully private and off the public internet. Also based on WireGuard like Tailscale.
reply
upvoteby wrxd17 hours ago|
parent|
prev|
next
[-]
You can still have subdomains with Tailscale. Point them at the tailscale IP address and run a reverse proxy in front of your services
reply
upvoteby dewey17 hours ago|
parent|
[-]
Good point, but for simplicity i'd still like 1Password to use the full hostname + port a the primary key and not the hostname.
reply
upvoteby zackify16 hours ago|
parent|
prev|
[-]
tailscale serve 4000 --BG

Problem solved ;)

reply
upvoteby techcode15 hours ago|
prev|
next
[-]
Setup AdGuard-Home for both blocking ads and internal/split DNS, plus Caddy or another reverse proxy and buy (or recycle/reuse) a domain name so you can get SSL certificates through LetsEncrypt.

You don't need to have any real/public DNS records on that domain, just own the domain so LetsEncrypt can verify and give you SSL certificate(s).

You setup local DNS rewrites in AdGuard - and point all the services/subdomains to your home servers IP, Caddy (or similar) on that server points it to the correct port/container.

With TailScale or similar - you can also configure that all TailScale clients use your AdGuard as DNS - so this can work even outside your home.

Thats how I have e.g.: https://portainer.myhome.top https://jellyfin.myhome.top ...etc...

reply
upvoteby lloydatkinson17 hours ago|
prev|
next
[-]
I wonder why each service doesn’t have a different subdomain.
reply
upvoteby cortesoft14 hours ago|
parent|
next
[-]
That's what I do, but you still have to change the default Bitwarden behavior to match on host rather than base domain.

Matching on base domain as the default was surprising to me when I started using Bitwarden... treating subdomains as the same seems dangerous.

reply
upvoteby akersten10 hours ago|
parent|
[-]
It's probably a convenience feature. Tons of sites out there that start on www then bounce you to secure2.bank.com then to auth. and now you're on www2.bank.com and for some inexplicable reason need to type your login again.

Actually it's mostly financial institutions that I've seen this happen with. Have to wonder if they all share the same web auth library that runs on the Z mainframe, or there's some arcane page of the SOC2 guide that mandates a minimum of 3 redirects to confuse the man in the middle.

reply
upvoteby tylerflick17 hours ago|
parent|
prev|
[-]
This is the way. You can even do it with mDNS.
reply
upvoteby photon_collider15 hours ago|
prev|
[-]
Ah nice! Didn’t know that. I’ll try that out next time.
reply