Disagree. “Necessary to provide the service” means whatever they want it to mean. If they deem it necessary to monetize your data so they can offer you their service “for free”, that is well within their right to do. The fact that you " retain all rights" just means you can use your data too without asking Cloudflare for permission.
Subject to the terms of this Agreement, you hereby grant us a non-exclusive, fully sublicensable, worldwide, royalty-free right to collect, use, copy, store, transmit, modify and create derivative works of Customer Content, in each case to the extent necessary to provide the Services.
You’ll have to be fine with Cloudflare having any and all rights to the data transmitted through the tunnel, while you in return have none. They pinky promise not to fuck you over, but they also promise to legally burry you for any infringement at their discretion.
For me, this is a non-starter.
I have tailscale, which is great for ssh-ing onto my Nas from the outside world. But to access my services, is a VPN the best way to do it?
The main point about Tailscale that I see people on here often get wrong is that they compare it to a “classic” hub-and-spoke VPN, when in fact it is an end-to-end zero trust encrypted mesh network. End-to-end does not mean machine-to-machine, it means user to service. So in your case, you should place one tailscale node in each pod (collection of containers that make up one service) as a sidekick. That way, a user need to authenticate in order to even open a network connection for a specific service, which is a very secure solution.
If you like pass, you might want to look into passage
The main downside of docker images is app developers don’t tend to play a lot of attention to the images that they produce beyond shipping their app. While software installed via your distribution benefits from meticulous scrutiny of security teams making sure security issues are fixed in a timely fashion, those fixes rarely trickle down the chain of images that your container ultimately depends on. While your distributions package manager sets up a cron job to install fixes from the security channel automatically, with Docker you are back to keeping track of this by yourself, hoping that the app developer takes this serious enough to supply new images in a timely fashion. This multies by number of images, so you are always only as secure as the least well maintained image.
Most images, including latest, are piss pour quality from a security standpoint. Because of that, professionals do not tend to grab “off the shelve” images from random sources of the internet. If they do, they pay extra attention to ensure that these containers run in sufficient isolated environment.
Self hosting communities do not often pay attention to this. You’ll have to decide for yourself how relevant this is for you.
Syncthing uses inotify to watch for changes, so it’s pretty much instant
Yeah, and for that reason, I opted for syncthing instead of Git for this use case.
Never had merge conflicts I take it 😄
Does not have great UX on phones though.
I ran a funnel test and yes it works, but still have to use the ts.net
Out of curiosity, why is that a deal breaker for you?
That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.
Both CF and Tailscale play MITM with your HTTPS connection
That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.
Except you can condense that whole thread into
I absolutely agree with this. If you cannot easily reproduce you configuration, all you are doing is pushing the problems down the line. Eventually, even simple things will get uncomfortable because it becomes uncomfortable to make. Better address the problem now while its still small
Definitely, the specs are nice and I also cannot say I’m a huge fan of the RPi foundation. More competition in this space would be great, but not having mainline support is just too much of a hassle.
Fair, but I’m not running armbian, so my requirements boils down to: Must run any up to date Linux distro without having to side-load custom kernels or anything. Should work out of the box.
Yeah, I figured. I’ll stick to the Raspberries then, mainly because the “just work”™
My experience with Banana PIs is that they require some obscure kernel to run because the developers cannot be bothered to bring their hardware support and drivers upstream. Same was true for uboot. Has any of that changed in the meantime? If not, that this is a no go for me.
With Tailscale, you would typically cut out the VPS, the connection would be client <-> homelab. No intermediary required. You COULD of course do it how you describe with the subnet router and everything, but the point of tailscale is really to have end to end connectivity.
No it doesn’t. The first sentence does not state anything that is not already clarified by law. Hence, it adds zero value to the actual meaning of the paragraph.
Same thing, you can say if I redact the first two sentences from the quote I’m being disingenuous, but really I’m just trying to get one over on you by making you feel like you have some control in this when in actually you do not.