For DNS challenges, I personally prefer using acme-dns. It’s a separate DNS server that only serves ACME DNS challenges. I felt a bit uneasy using an access token for my actual DNS host since it grants full read/write access to every record. acme-dns reduces the attack surface.

Let’s Encrypt follows CNAMEs and supports IPv6-only DNS servers, so you could just run acme-dns on a spare IPv6 address (assuming your internet provider has a static IPv6 range, or you have a VPS with IPv6).

I think it’s all read-only access through, so you can only use it to import data not make new transactions.

That’s alright. Even read-only access is useful. I could write a script that pulls my current investments, prompts for the amount I’ll be investing in total, and prints out the buys (eg “buy 10 x VOO, 5 x VXF, 20 x VXUS”) that’ll keep the account balanced based on some percentages.

Does SimpleFIN use OAuth to log into bank accounts, or do you need to enter your bank’s username and password?

Unrelated to this post, but do you know if SimpleFIN supports investment accounts? If it does, it seems like an easy way to let me write a script to help rebalance my investment accounts. I might look into it.

I didn’t see a docker image

https://actualbudget.org/docs/install/docker

https://github.com/actualbudget/actual-server/blob/master/docker-compose.yml

Did you see something that said it was an LLM?

Edit: Indeed it’s an LLM. They published the model here: https://huggingface.co/reglab-rrc/mistral-rrc

Good idea to send donations to the syncthing-fork devs to keep it alive though.

In that case, could the syncthing-fork app be renamed to syncthing, now that it’ll probably be the main Android app for Syncthing?

mostly a wrapper around their proprietary library

I’m not familiar with exactly what Bitwarden are doing, but Nvidia are doing something similar to what you described with their Linux GPU drivers. They launched new open-source drivers (not nouveau) for Turing (GTX 16 and RTX 20 series) and newer GPUs. What they’re actually doing is moving more and more functionality out of the drivers into the closed-source firmware, reducing the amount of code they need to open source. Maybe that’s okay? I’m not sure how I feel about it.

Open source software doesn’t have a reason to lock you in like proprietary software does :)

More and more proprietary SaaS systems are allowing data exports now, to comply with laws like the GDPR “right to know”. Say what you want about Google and Facebook, but they were the first big companies to start allowing data to be exported before there was any law requiring it - Facebook in 2010 and Google in 2011.

That’s a good point. I didn’t consider the fact that all the encryption is done client-side, so that’s the most important part to audit (which Bitwarden has already done).

I hope it gets security audited one day, like Bitwarden was.

I self-host Vaultwarden but I use a VPS where I keep things stable. My VPSes run Debian Stable and have unattended-upgrades installed and configured to automatically install security updates. My home server runs Unraid and is more experimental - I’m not running anything of critical importance on it.

You only have to pay for a license if you need multiple users or want to use their cloud services, I believe.

AFAIK you can have multiple users for free when self-hosting, and the features are essentially the same as the free hosted version. You need to pay if you want to get the premium features or share passwords across multiple users using an organization. Essentially the pricing is the same as the hosted version.

I’d recommend Vaultwarden for a small-scale self-hosted solution. It’s not Bitwarden, but it’s fully API-compatible so you can use all the Bitwarden clients and browser extensions. Self-hosted Bitwarden is quite a bit heavier than Vaultwarden since it’s designed for large-scale usage (like for an entire company of tens of thousands of people)

if you work somewhere that uses 1password, you can usually get your personal subscription comped as an individual

Same with Keeper as far as I know (which is what we use at work).

I prefer security software to be open-source though, which is why I love Bitwarden. Even if you don’t self-host it, there’s still value in it being open-source.

don’t need to worry about Internet access at all.

For what it’s worth, Bitwarden caches the database for offline use, so it works fine without internet access too. When you get internet access again, it’ll sync with the server.

Accessing Vaultwarden through a VPN

Hmm maybe I should move mine to my VPN. Currently I have it publicly accessible so I can access it from systems where I can’t run other VPNs for security reasons (work systems). I use a physical token with FIDO2 (Yubikey) for two factor authentication though, so I’m not too worried about unauthorized access.

https://greencloudvps.com/billing/store/budget-kvm-sale

https://lowendtalk.com/discussion/191501/real-deals-here-win-big-with-thousands-in-prizes-racknerds-new-year-offers-new-year-2024/ (New Year 2024 deals but I think they’re still available)

Also, there are a LOT of sales during Black Friday. HostHatch usually have great Black Friday deals. Keep an eye on Lowendtalk.com forums.

I’ve got a few VPSes at GreenCloudVPS (in San Jose, California) and HostHatch (in Los Angeles, California) and they’re both pretty good. I live near San Jose so I get <10ms ping to those VPSes :)

HostHatch is a bit better (their control panel is more powerful) but you’d have to wait for them have a sale, whereas GreenCloudVPS usually has good deals year-round.

I’ve used RackNerd in the past. They’re good too, although I prefer GreenCloud and HostHatch.

What’s the downside to having one’s phone number in the public directory?

The difference is that an IP of a VPS doesn’t directly connect back to you. It’s in the provider’s name. Some providers let you change your IP address to a different one for a small fee.

it seems pretty sub-optimal for a personal site to be publicly associated with even a permanent IP address

What’s the downside you see from having a static IP address?

I don’t see any way to achieve this without a CDN, unfortunately.

I think you’re looking for a reverse proxy. CDNs are essentially reverse proxies with edge caching (their main feature is that they cache files on servers that are closer to a user), but it sounds like you don’t really care about the caching for your use case?

I don’t know if any companies provide reverse proxies without a CDN though.

That’s not Cloudflare-specific; you can use any CDN that supports origin pull in the same way :)

It’s not ideal because… Cloudflare… but at least you’re using standard web tools. To ditch Cloudflare you just unplug them at the domain and you still have a website.

Definitely agree with this! That’s one of the pain points of “cloud” services - they really try to lock you in, making it impossible to swotch.

without having to deal with LetsEncrypt.

You still need encryption between your CDN and your origin, ideally using a proper certificate. Let’s Encrypt (and other ACME services like ZeroSSL) are pretty easy to use, and can be fully automated. I’m using Let’s Encrypt even for internal servers on my network, using a DNS challenge for verification instead of a HTTP one.

Perhaps its irrational but I’m bothered by how many people seem to think that Github Pages is the only way to host a static website

It’s strange because out of all the possible options, Github Pages is the most basic. You have to store your generated files in a Git repo (which is kinda gross) and it barely supports any features. For example, it doesn’t support server logs or redirects.

I guess it’s popular because people already use Github and don’t want to look for other services?