I host my mail with mailcow and it is almost set and forget. I only had a couple issues with some mail providers, but a small email exchange with the admins cleared that up.

Have a handful of users, that have not complained about anything not working or spam or whatever 🤷‍♂️

Besides that, security by obscurity is the worst possible form and barely qualifies as security at all.

In fact security by obscurity is not security at all. In this case it should be authenticated or to the very least to actually use a random string like a uuid. But, changing the root path does prevent it from exploiting. Not perfect but a temporary solution.

It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.

Another place? What else? You mean setting up you own server? That is in fact your responsibility.

End-to-end encryption means the service provider can’t see your data even if they wanted to

Not necessarily. All it means is that intermediaries can’t see the data in transit. You need to trust that the data is handled properly at either end, and most service providers also make the apps that you run at either end.

This is incorrect. End-to-End is defined as from “User to User” and not “User to Service provider”. That would be just transport encryption.

https://en.m.wikipedia.org/wiki/End-to-end_encryption

I switched to adguard, yes. But you can just give pi-hole a dnsmasq config file. The underlying dns server Pi-Hole uses does support those.

Just mount the file via a docker volume. I will have to look up the exact paths. Config would look like

address=/domain.tld/192.168.0.1

Based on you screenshot from the NPM Dashboard there seems to be something wrong. In the setup window you show that you forward the traffic with http and port 80, in the dashboard screenshot you forward the traffic with https and port 80.

Just skip http and self signed certificates all together. Modern Browsers make it a pain to use non https sites. A simple domain setup with dns acme challenge is a little bit of a hassle but worth the hour(s) of invested time. Especially with npm were it is a set and forget option.

Does pihole support wildcard dns entries yet? To my knowledge the gui only supports single entries so that you have to enter every subdomain manually in pihole that you want to have forwarded. Workaround would be to use a dnsmasq config file or use something else like addguard.

It usually is the directory where you execute the docker compose command.

Performance is not the goal, but cleaner code and more manageable code. But both will ultimately lead to better performance. As of now it was basically impossible to change something in the database structure since it was hard to estimate the impact of it.

… and may also break compatibility with previous 10.Y releases if required for later cleanup work.

If you read through the whole paragraph, it is clear that they mean the compatibility of previous jellyfin versions.

Also, again:

Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility,

That means that the code is not cleaned up with that release.

If you would release 11 before the code is considered cleaned up, you would basically break your own defined versioning convention. That is best decided by the active maintainers.

Consider the 10.y.z simply to be 0.y.z and everything works out.

Jellyfin inherited a lot of shitty code and architecture from emby. They simply cannot guarantee anything across patches until it is sorted out.

imho much better then releasing major version after major version because the break stuff regularly.

Also for internal use. The original emby source used not within the code base standardized database access.

Basically changes to the database were not possible since finding references across the code base which part uses which values was impossible.

Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility,

Its right there at the link you posted.

Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.

While some use cases can be replaced with traditional wireguard, others not.

Really surprised about this. I am using syncthing now for many years on various devices and never encountered issues with it. And also, file sync is not a backup solution.

cve-2021-3156 heap overflow in sudo. roughly 10 years long in sudo. Allowed privilege escalation. It was huge.

Still the same but afaik they now somewhat support running zfs

There are many ways to harden against it, but “just disable root auth” is not really it, since it in itself does not add much.

No you can alias that command and hijack the password promt via bashrc and then you have the root password as soon as the user enters it.

With aliases in the bashrc you can hijack any command and execute instead of the command any arbitrary commands. So the command can be extracted, as already stated above, this is not a weakness of sudo but a general one.

And how would you not be able to hijack the password when you have control over the user session?

And what do you suggest to use otherwise to maintain a server? I am not aware of a solution that would help here? As an attacker you could easily alias any command or even start a modified shell that logs ever keystroke and simulates the default bash/zsh or whatever.