You can get Audiobooks from Spotify using the app Soundbound. You need to insert a list of plugins, then it works.

Apart from that, youtube? Or sailing the high seas?

Not using Windows helps a ton :)

I recently got a zipbomb + trojan through a Github comment. Was removed very quickly and unrecoverably, crazy that they can even so this, not even the repo owners see it anymore.

Well I have enabled both webgl and wasm on both browsers ;)

Mull has it enabled but it may be broken for some reason.

Vanadium and Mulch have a JIT/wasm toggle which I turned on, webgl is not blocked at all. Those browsers are blocked by UA (I guess), while most sites display them as the latest Android Chrome

Figma blocks Vanadium and Mulch, and it doesnt load on Mull, what a crap.

Yes this is true. That is why a separate method would be needed, to log into and hand the password to the LUKS decrypt of the server.

I heard Debian can do this with ssh in the initramfs?

Sounds like a hella pain of course.

Alternatively I thought about using a security key to unlock, and in scenarios where I am worried about getting hardware stolen, I can pull it out and need to manually enter the password.

Yes the threat model is people pulling out the drive, of course.

How should they get access to the server when it is running? You still need to connect to it and log in, which wouldnt be the case.

Okay this makes it way better.

But still I guess it would be better if the native Dolphin thing could be extended, instead of some different javascript stuff that simply runs on the Chromium-based webengine that the DE also uses.

Rebasing is not important, for the most people.

I like to try variations of the same system, like Fedora Kinoite, uBlue kinoite-main, uBlue Aurora, secureblue Kinoite-main, went back.

But resetting is the key.

Also rebasing would allow you to switch from normal deployment to a local image host, like in your LAN. This could already be worth it if all your family uses the same system, even more a company.

You can do uBlue style stuff at home on your own server, mostly with podman and buildah

Btw if you miss some performance, as far as I grasp it, you can disable “secure app spawning”. Again, afaigi it is for a pretty high threat model (apps trying to attack others, with their memory layout as attack surface).

This will reduce RAM need a ton, speed up app spawning and can reduce many issues like

• OSMAnd crashing or running slowly
• apps being killed in the background, increasing the issue of…
• … slow app spawning (the app performance is normal, except from low memory edge cases)

That device gets no updates at all anymore. GrapheneOS may give you some security backports.

This looks like a good project, but afaik makes no sense at all.

I am not sure if this uses QtWebengine but think it doesnt and uses Chromium/Electron instead.

This means it is not fast and really no big improvement.

Meanwhile Plasma Dolphin absolutely has a system to preview videos, images, pdfs, text- even office files (Libreoffice format). This means previews should totally work, with very little delay.

KiView is not that.

Yes microOS ticks those 2 boxes.

Fedora on its own doesnt do backups at all, which I find crazy.

rpm-ostree or bootc though are better, as they allow rebasing, resetting etc. This is not possible with microOS, which is a huge dealbreaker for having a server that will never have the need to be reinstalled.

I will try Caddy! Did you use NGINX before?

The threat scenario is currently very harmless, but I had situations where Raids could be likely. This is always a shitty case, you need to hide a backup laptop in a different location etc.

But honestly I just find this security hacking a ton of fun.

Hm, so when using Nextcloud, is the db itself encrypted or something?

All my devices are encrypted.

Access to the decrypted data requires RAM access, or even a cold boot attack. There are people that only use their USB 3.0 ports and desolder all the rest, because normal (non thunderbolt) USB is pretty safe and has no access to the RAM, unlike PCIe, SATA etc.

This would be fun and certaily possible modifying the hardware to fit those SSDs still inside the case could be fun too.

I have 4 enclosures for that, and using Ethernet would mean the Wifi Card (Intel AX3000, a modded 200 for mPCIe) could be removed.

https://www.spiegel.de/netzwelt/web/hardware-hacker-wie-man-einen-laptop-vor-angreifern-schuetzt-a-955702.html

Or access to the server via ssh (fail2ban, strong keys) or the admin or user nextcloud accounts (again with strong passwords and possibly TOTP or webauthn).

I already fiddled with the required Nextcloud Addons for TOTP and it worked great. Webauthn is an Android/GrapheneOS limitation poorly, maybe that gets fixed some day.

The issue of course is upgrades. I should do a second post on that topic. There are solutions for that, like mounting encrypted partitions and running Nextcloud on there. This could be automated.

For the obvious raid attack, I would have a udev rule that detects when AC is disconnected and then performs a clean shutdown.

Thanks for the tips!

Both SSDs are SATA and I want to LUKS encrypt both too.

So automatic updates could work, but I guess I would need to manually reboot as there is no remote LUKS unlock option. Debian has one?

That would also be a reason against Fedora with its very fast release cycle.

Yes it does. Fedora Atomic and others could be problematic with Docker, while Docker may be less secure or whatever but is also easier.

Also the distros packages matter, etc.

But no shit I have no idea why they dont just use GNOME software

Wtf did I just watch

My backup is seeding.