I use a Firefox container tied to a socks proxy on my router to bypass VPN for tricky sites. Yeah I know not the answer you're looking for but some things have to be done (banking, health insurance) and if they already know my home address there's little reason to hide the IP address
My two issues with porkbun:
They don't seem to support wildcard/catch all email forwarding
Dynamic DNS is done with an API key that has access to the entire account(!!!)
Though, I might move to them anyway (just moved a domain to namecheap which I used years ago and wow their ux sucks, and they don't support dane or sshfp, Google domains was really good rip)
Passwords will be brute forced if it can be done offline.
Set a good high entropy password, you can even tie it to your login password with ssh-agent usually
Private SSH keys should never leave a machine.
If this actually matters, put your SSH key on a yubikey or something
If a key gets compromised without you knowing, in worst case you will revoke the access it has once the machine’s lifespan is over.
People generally don't sit on keys, this is worthless. Also knowing people I've worked with… no, they won't think to revoke it unless forced to
and you will never revoke the access it has.
Just replace the key in authorized_keys and resync
And you may not want to give all systems the same access everywhere
One of the few reasons to do this, though this tends to not match "one key per machine" and more like "one key per process that needs it"
Like yeah, it's decent standard advice… for corporate environments with many users. For a handful of single-user systems, it essentially doesn't matter (do you have a different boot and login key for each computer lol, the SSH keys are not the weak point)
If the keys are password protected… eh why not sync them.
Also ssh certificates are a thing, they make doing that kind of stuff way easier instead of updating known hosts and authorized keys all the time
Sounds like a pain to get non technical family members to use. If you're willing to break the non web app you could always put it behind an authenticating proxy (which is what I do for myself outside of VPN, setting up a VPN on a phone is obnoxious and I only look at metadata anyway on my phone)
Hint: you don't have to use ldap to use authelia (I haven't bothered). It's a bit awkward to use though, I'd only recommend it for single-user setups (I wish they would just add support for SQLite, they already use it for 2fa and stuff)
Potentially stability improvements as well (for the same reasons as the security improvements), especially for lesser used drivers and stuff.
Do authentication in the reverse proxy if you can (e.g., basic auth or forward auth like Authelia, the second also has the benefit of SSO).
An RSS reader (I use Miniflux), ended up being extremely useful
Miniflux is possibly the most important thing I self host. It tells me when software updates (basically everything on GitHub has RSS). It’s also great to keep up with blogs that don’t update consistently and also stay out of the “there are only three websites” bubble.