

DigiCert have said they’re not changing their prices as a result. It’s still a yearly payment (or every 2 or 3 years if you prefer that).
Aussie living in the San Francisco Bay Area.
Coding since 1998.
.NET Foundation member. C# fan
https://d.sb/
Mastodon: @[email protected]



7-day validity is great because they’re exempt from OCSP and CRL. Let’s Encrypt is actually trying 6-day validity, not 7: https://letsencrypt.org/2025/01/16/6-day-and-ip-certs
Another feature Let’s Encrypt is adding along with this is IP certificates, where you can add an IP address as an alternate name for a certificate.


This is one of the reasons they’re reducing the validity - to try and convince people to automate the renewal process.
That and there’s issues with the current revocation process (for incorrectly issued certificates, or certificates where the private key was leaked or stored insecurely), and the most effective way to reduce the risk is to reduce how long any one certificate can be valid for.
A leaked key is far less useful if it’s only valid for 47 days from issuance, compared to three years. (Note that the max duration was reduced from 3 years to 398 days earlier this year.)
From https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days:
In the ballot, Apple makes many arguments in favor of the moves, one of which is most worth calling out. They state that the CA/B Forum has been telling the world for years, by steadily shortening maximum lifetimes, that automation is essentially mandatory for effective certificate lifecycle management.
The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being this: The information in certificates is becoming steadily less trustworthy over time, a problem that can only be mitigated by frequently revalidating the information.
The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of using potentially revoked certificates. In 2023, CA/B Forum took this philosophy to another level by approving short-lived certificates, which expire within 7 days, and which do not require CRL or OCSP support.


Yes, this requirement comes from the CA/Browser Forum, which is a group consisting of all the major certificate authorities (like DigiCert, Comodo/Sectigo, Let’s Encrypt, GlobalSign, etc) plus all the major browser vendors (Mozilla, Google, and Apple). Changes go through a voting process.
Google originally proposed 90 day validity, but Apple later proposed 47 days and they agreed to move forward with that proposal.


The current plan is for the floor to be 47 days (https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days), and this is not until 2029 in order to give people sufficient time to adjust. Of course, individual certificate authorities can choose to have lower validity periods than 47 days if they want to.
Essentially, the goal is for everyone to automatically renew the certificates once per month, but include some buffer time in case of issues.
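The policy numbers in this thread (398-day maximum today, 47-day floor by 2029, the 7-day "short-lived" class that is exempt from CRL/OCSP, renew roughly monthly with a buffer) can be turned into a small check that a renewal job or monitoring script runs against a certificate's validity window. The code below is an added illustration, not part of the original comments; the "renew at two thirds of the lifetime" rule is an assumption chosen to leave buffer time, not a CA/B Forum requirement.

```python
from datetime import datetime, timedelta, timezone

# Policy values quoted in the thread. The renewal fraction is an assumption
# for illustration: renewing at 2/3 of the lifetime leaves the last third as
# buffer for failed renewals (about 16 days for a 47-day certificate).
MAX_LIFETIME_NOW = timedelta(days=398)
MAX_LIFETIME_2029 = timedelta(days=47)
SHORT_LIVED_MAX = timedelta(days=7)      # short-lived: no CRL/OCSP required
RENEW_AT_FRACTION = 2 / 3


def parse_utc(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp such as '2025-06-01T00:00:00Z' as UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def assess_certificate(not_before: str, not_after: str, now: str) -> dict:
    """Classify a certificate's validity window and decide whether to renew.

    'days_remaining' is also the window during which a key leaked right now
    would still be usable, which is the risk shorter lifetimes shrink.
    """
    nb, na, at = parse_utc(not_before), parse_utc(not_after), parse_utc(now)
    lifetime = na - nb
    renew_at = nb + lifetime * RENEW_AT_FRACTION
    return {
        "lifetime_days": lifetime / timedelta(days=1),
        "within_current_max": lifetime <= MAX_LIFETIME_NOW,
        "within_2029_max": lifetime <= MAX_LIFETIME_2029,
        "short_lived": lifetime <= SHORT_LIVED_MAX,
        "renew_at": renew_at.isoformat(),
        "renewal_due": at >= renew_at,
        "days_remaining": max((na - at) / timedelta(days=1), 0.0),
        "expired": at >= na,
    }


if __name__ == "__main__":
    # Constructed sample: a 47-day certificate inspected 34 days after issuance.
    report = assess_certificate("2025-06-01T00:00:00Z",
                                "2025-07-18T00:00:00Z",
                                "2025-07-05T00:00:00Z")
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Feeding the script a 398-day certificate shows it passing today's limit but failing the 2029 one, which is the gap operators have until 2029 to close with automation.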


Tailscale serve might work; I haven’t tried it so I don’t know what it’s capable of.
Usually I’d recommend getting a real domain name and using Let’s Encrypt. .com domains are around $10/year but some TLDs are even cheaper. If you don’t mind which TLD you use, go to tld-list.com and sort by renewal price.
Edit: I forgot to mention - a server does not need to be publicly exposed to use Let’s Encrypt. You can use a DNS challenge instead of an HTTP one.
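The reason the DNS challenge works for a server that is not reachable from the internet is that the CA never contacts the server at all: the client proves control of the name by publishing a TXT record derived from the challenge token and the ACME account key. The following is an added example (not from the original comment or from any ACME client) of exactly what goes into that record, following RFC 8555 section 8.4 and RFC 7638; the account key values and the token are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


# Required JWK members per key type (RFC 7638 section 3.2). Optional members
# such as "kid" or "alg" are deliberately excluded from the thumbprint.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered,
    serialised with no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """RFC 8555 section 8.4: name and value of the TXT record the CA queries.
    For a wildcard identifier the record sits at the base domain."""
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


if __name__ == "__main__":
    # Constructed account key and token, purely for illustration.
    account_key = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key",
                   "kid": "https://acme.example/acct/1"}
    name, value = dns01_record("*.home.example", "constructed-token-from-the-CA", account_key)
    print(f"{name}. 60 IN TXT \"{value}\"")
```

Only the TXT value is public; the account private key that signs the ACME requests never leaves the client, and nothing needs to listen on port 80 or 443 for the validation to succeed. Revoking the record after issuance is good hygiene but not a security requirement, since the value is bound to a single one-time token.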


Interesting! They used to have a warning about it. I guess they removed it at some point. It’s referenced in this discussion for example: https://github.com/immich-app/immich/discussions/13008


Tailscale is great. You should use it. Most of their code is open-source. Their coordination server is closed-source, however there’s a self-hostable open-source reimplementation called Headscale if you want a fully-open-source Tailscale stack.
Tailscale is a peer-to-peer VPN, meaning there’s no central server like with OpenVPN. Systems on the VPN connect directly to each other. You can also use WireGuard in this way if you configure it as a mesh (every device on the VPN has every other device configured as a peer, and for each pair, at least one of them has the port open and forwarded). Tailscale is more reliable for that as it uses several NAT traversal techniques, so you don’t need to open the port and it works even if both ends are behind NAT.
Immich doesn’t rely on Tailscale; you can use any VPN. They don’t recommend exposing it to the public internet at the moment though, which is why you’d use a VPN (edit: as per a reply, this is not the case any more). In general, never expose anything publicly unless it absolutely has to be (like a website that anyone can access). For giving access to friends, you can share a device with them via Tailscale and configure an ACL so they can only access particular services on it.
For the drives, I’d recommend ZFS instead of Ext4 or NTFS. ZFS can detect bitrot and corruption using checksums, which neither Ext4 nor NTFS can do. NTFS isn’t recommended unless you’re running Windows Server, but you already said you’re using Proxmox.
IMO, use Syncthing instead of Nextcloud, unless you’ll be using all the other apps that come with Nextcloud (calendar, office tools, chat, etc). Syncthing does one thing and it does it well, which is almost always better than using software that tries doing a large number of things. Consider Seafile too.
For backups, I’d recommend Borgbackup and Borgmatic. Get a cheap storage VPS to store it. You should be able to get a deal for less than $2/TB/month during the current Black Friday sales. Check LowEndTalk for deals. A Hetzner storage box would work great too.
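The mesh arrangement described above (every device has every other device as a peer, and each pair needs at least one side with an open, forwarded port) is easy to get wrong by hand once there are more than two or three devices. This added example, which is not code from the comment or from the WireGuard or Tailscale projects, generates the per-device `[Interface]`/`[Peer]` configuration for a full mesh from a single peer list and reports the pairs that plain WireGuard cannot connect because neither side is reachable, which is the gap Tailscale's NAT traversal fills. Keys, hostnames and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    public_key: str            # constructed placeholder, not a real WireGuard key
    address: str               # tunnel address with prefix, e.g. "10.7.0.1/24"
    endpoint: Optional[str]    # "host:port" if this node has an open, forwarded port
    listen_port: int = 51820


def mesh_configs(nodes: List[Node]) -> Dict[str, str]:
    """Render one wg-quick style config per node with every other node as a peer.

    AllowedIPs is restricted to the peer's single tunnel address, so a peer
    cannot claim traffic for the whole subnet. PersistentKeepalive is only set
    on the side that sits behind NAT, pointing at a peer with a public endpoint.
    """
    configs = {}
    for me in nodes:
        lines = [
            "[Interface]",
            f"Address = {me.address}",
            f"ListenPort = {me.listen_port}",
            "PrivateKey = <PRIVATE-KEY-PLACEHOLDER>",   # fill in locally, never share
        ]
        for peer in nodes:
            if peer is me:
                continue
            ip = ipaddress.ip_interface(peer.address).ip
            lines += [
                "",
                "[Peer]",
                f"# {peer.name}",
                f"PublicKey = {peer.public_key}",
                f"AllowedIPs = {ip}/{ip.max_prefixlen}",
            ]
            if peer.endpoint:
                lines.append(f"Endpoint = {peer.endpoint}")
                if not me.endpoint:
                    # We are behind NAT: keep our outbound mapping alive so the
                    # reachable peer can keep sending to us.
                    lines.append("PersistentKeepalive = 25")
        configs[me.name] = "\n".join(lines)
    return configs


def unreachable_pairs(nodes: List[Node]) -> List[Tuple[str, str]]:
    """Pairs where neither side has an endpoint: no direct tunnel without NAT traversal."""
    return [(a.name, b.name)
            for i, a in enumerate(nodes)
            for b in nodes[i + 1:]
            if not a.endpoint and not b.endpoint]


# Constructed sample mesh: one reachable home server, two roaming clients.
SAMPLE_NODES = [
    Node("nas",    "NAS_PUBKEY_PLACEHOLDER",    "10.7.0.1/24", "nas.home.example:51820"),
    Node("laptop", "LAPTOP_PUBKEY_PLACEHOLDER", "10.7.0.2/24", None),
    Node("phone",  "PHONE_PUBKEY_PLACEHOLDER",  "10.7.0.3/24", None),
]

if __name__ == "__main__":
    for name, conf in mesh_configs(SAMPLE_NODES).items():
        print(f"### {name}\n{conf}\n")
    print("pairs needing NAT traversal or a relay:", unreachable_pairs(SAMPLE_NODES))
```

With the sample list the laptop and phone each reach the NAS directly, but the laptop and phone cannot reach each other because neither has a forwarded port; in a plain WireGuard mesh that pair either gets a port opened on one side or routes through the NAS, whereas Tailscale would attempt hole punching and fall back to a relay.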


Unfortunately it looks like that one is for Apple devices, whereas I use Linux on desktop and Android on mobile.
There’s some, but I haven’t seen any that have the main features Plex and Plexamp have:
And probably other things I’m forgetting.


Thankfully CGNAT isn’t as common in the USA as it is in other countries. In the US, ISPs generally either offer native IPv4 (most of the major ones), or only use IPv6 and don’t provide IPv4 at all. The latter is the case with a lot of the mobile carriers, especially T-Mobile. Your phone only gets an IPv6 address, and their network uses 464XLAT to connect to legacy IPv4-only servers.


Do you have a CVE for this?


Plex still has the most fully-featured music streaming app (Plexamp)


Prices rarely, if ever, go down in a meaningful degree.
In 2011, there was a large flood in Thailand that impacted ~40% of hard drive manufacturing. As a result, hard drives significantly increased in price. This was back when SSDs weren’t mainstream yet.
A year or two later, when manufacturing capacity was restored, prices were essentially back to what they were before the disruption.
Apart from disruptions like that, HDDs, SSDs, and RAM have always been going down in price.


Hmm, it’s missing the Docker repo. Check in /etc/apt/sources.list.d and see if there’s even a file for it.
LTS is supposed to contain stable components though. They really should wait for a stable (1.0) release before committing to it.


I’d connect via SSH and manually inspect the files that it’s supposed to be creating. Does apt update show any errors?
I think the real issue isn’t the rewrites, it’s the fact that Ubuntu started using the new Rust coreutils even though they weren’t ready for production yet. uutils hasn’t even reached version 1.0 yet, and still fails some compatibility tests.
All your internet traffic is likely going through at least one network administered by a furry. It seems like there’s a much higher proportion of furries in network admin and cybersecurity jobs compared to IT/tech jobs in general.


The healthcare system in the US isn’t great, but you do get a decent experience if you have an employer that offers good insurance. My employer pays most of the cost of my health insurance. I pay around $200/month for my wife and me, but that’s pre-tax money, and the plan is great for US standards. $15 for doctor visits and $100 maximum for ER visits.
In Australia we pay a 1.5% tax to fund the public health care system, so for a $60k salary that’s $900/year.
Oh… Oops. Hahaha