This is very cool, but you should not use Cloudflare Tunnels to stream media. This is forbidden by their terms of service (or at the very least not the intended use of Tunnels and they may disable your service). Use Wireguard or Tailscale instead.
Personally I'm switching to rathole+traefik, weirdly something I was researching and experimenting with in the early hours of this morning (I have now not slept and have to go to work).
This lets you use your own domain for your tailnet, isn't the funnel but - but isn't it even better? Unless you actually want a publicly routable domain name, then you're back to some hosted ingress I guess
Since https://blog.cloudflare.com/updated-tos it is not completely clear if you disable Cloudflare's cache indeed. Still the terms are unclear enough that they could cut you out, and I'd feel uneasy exposing a Jellyfin instance publicly, but that's just me :)
Frustratingly, hash pinning isn’t good enough here: that makes the action immutable, but the action itself can still make mutable decisions (like pulling the “latest” version of a binary from somewhere on the internet). That’s what trivy’s official action appears to do.
(IOW You definitely should still hash-pin actions, but doing so isn’t sufficient in all circumstances.)
That's true. This specific attack was mitigated by hash pinning, but some actions like https://github.com/1Password/load-secrets-action default to using the latest version of an underlying dependency.
Edit: ah, I see you are referring to the setup-trivy action rather than the trivy-action. Yeah, that looks like a bad default, although to be fair it is a setting that they document quite prominently, and direct usage of the setup-trivy action is a bit atypical as-is.
I stopped there and had to read the answers to my comment to find out and revisit it. In hindsight, this is absolutely hilarious. Might be one of my new favorite pieces of software satire (because of how realistic, albeit absurd, it is).
I doubt that, with the level of accessibility that the GP suggests, that would be easy. It would be easy to have integrated firewall management that just exposes 443/80 ports for reverse proxy and handles communication with docker networks. Also it can help set up a VPN server and disallow accessing the server except via an approved client.
Someone suggested cosmos in the comment. I think this is the closest to what I am saying. However I am into self hosting for a couple of years now with development experience so I would be biased. That would be probably different for the average person without deep knowledge.
But then, your firewall or Cosmos is exposed to the internet waiting for a 0day to be released, and chances are they will not be updated as soon as it comes out.
VPN server is already what Tailscale does at this point. I'm not a shill by the way, just a regular user impressed by the ease of installation/use of their product.
Thanks, yes it is, there is a button at the bottom of the sidebar to minimize it. Looks like the black bar at the bottom is covering it. But I will look into this to avoid further explanation.
I love my work-provided M1 MBP Max and would possibly consider getting a personal Air at this price range, but the 8gb RAM is still a no go for me, even for $699. My SO has a 2015 MBP that's still solid, and I credit that to its SSD and 16gb RAM. I can't see 8gb of RAM being usable in 2034.
For normal "office use" (web browser, an app or two) 8GB does work well enough. More RAM is always nice, of course, but the $500 you save compared to the cheapest M2 16GB Air now available is quite a bit toward the later purchase of a new laptop in 3-4 years.