Bamboozled!!! Highlight of my day!
brewery
joined 1 year ago
Lots of little things really. Obviously I couldn't say for certain but they seemed to on top of it without causing us too much difficulty in doing our jobs.
Sometimes things were blocked like if a new email, or questioned after to check it was expected and followed policy. Policies were clear, and there were helpful prompts or warnings.
We were involved in something where we had to copy a sh*t load of files from a shared folder to a hard disk. There were like three automatic blocks that kicked in at different times, which was a pain at first to figure out but because we had a good reason, someone in IT just kept at it to get it done and looking back, that should have raised flags given the size of it all.
They changed from passwords changing every 6 months to no changes but had to be longer and mandatory 2FA. We were told to use keepass for all passwords for things that weren't SSO for various reasons.
Don't provide services to others, including your own family, actually especially your own family, until you are quite comfortable with what is going on and what might be causing issues. Focus on helping yourself or keeping whatever other services you were using before just in case.
Trying to fix something at night, with a fuming partner who's already put up with a difficult to use service, because of your want for privacy even though they don't care care, whilst saying "it should work, I don't know what's wrong", is not a great place to be 😁.
Overall though, I found it so interesting that I am doing a part time degree in computer science in my 30s, purely to learn more (whilst being forced to do it to timelines and having paid for it).
I have a very comfortable and 'forget about it' setup my family are now using. Every now and then I add new services for myself, and if it works out, will give access to others to use, keep it just for me or just delete it and move on.
I have a reason I don't think is covered. A few programs I have come across that I want to try recommend docker and some only provide instructions for docker. They can spend less time trying to help you with dependencies and installations knowing they've included everything you need in the docker file. I don't have a background in Linux or programming so unless they tell you exactly how to install something, I can struggle. Their installation page is then just the docker compose file with a note on the environment variables you can change.
Either try to work out how to pass headers through to get around the service login or give up and find another app. On some services, the service auto logs onto one account so anybody who gets through Authentik sees the same stuff which is fine. I definitely don't have two levels of login!
I should say I use Plex's and vaultwarden's own login systems.
They serve two different purposes. You can have one, both or neither. Sorry if you already know all this below but thought it might be good to explain in detail.
NPM is a proxy provider so passes subdomains to the right service (e.g. service1.url.com passes to service 1 at IP x.x.x.x on port 5050). This allows you to only open one port to NPM but access other services through subdomains. I have NPM in front of myexternal apps so I can access each through a subdomain (e.g. service1.url.com). You could also use it for accessing internally if you setup your internal DNS to pass (e.g. service1.internal) to the IP address and port of your service, and set NPM only to allow access from internal IPs.
Authentik provides single sign on so instead of having different usernames and passwords for every user on every service, you have one set of users and it manages the passwords.
There are at a high level two levels of using it.
Some services have proper SSO integration so you setup Authentik to replace it's own login system. For instance, with Nextcloud you are going to the Nextcloud homepage but it then goes out to Authentik to do the login process and once passed, Authentik will tell Nextcloud user B has successfully logged in, I vouch for them and here are their details. You can do this for internal and external access. Obviously with Nextcloud you need to login either through it's own login system or via SSO so even if I go directly to the internal IP and port (and therefore don't need NPM to access it), I still need Authentik to login so it knows it's me and not my partner trying to access her account
Some services don't have SSO integration or have no login required. For instance, I have Stirling PDF which doesn't need user details or login. However, you don't want to just allow anyone to access so I have setup NPM to use Authentik as a proxy pass. If I go to stirlingpdf.url.com then it sends me to Authentik to login. You can only ever get to the Stirling app if you successfully log in. You can also set Authentik so that only certain users or groups of users can access certain apps but that's more than I need.
It does take some effort to get SSO working correctly for each service and it's only really worth it if you do have multiple users or services that need logins.
You don't want just NPM unless you trust the service to have a secure login.
Others will probably say, you shouldn't have anything facing externally. You can setup Tailscale or Wireguard tunnels so you always appear to be on the local network. That way, you don't need NPM to be open externally. However you might still want it so you can type the address service1.internal instead of 192.168.1.1:8063 each time. You probably also want Authentik to make the login shared.
In terms of network access to get them working, NPM needs to be able to access Authentik internally on your network. You could either put them on the same shared Docker network or in my case, they are both on the same server so share an internal IP. I have opened the individual ports on Docker so they can access each other internally just like I can access both from my laptop. If I'm accessing away from home, I have my domain pointing my home external network ID, port 443 open on my router pointing to my home server with NPM. NPM then "talks" to Authentik through the home network so I login through that but I don't have to open the Authentik port externally.
In my case, in the NPM settings, instead of using the docker created network for Authentik (like 172.3.1.1 or something that might change), I use the internal IP of the machine (like 192.168.1.1:4443 {if 4443 is the Authentik port}). I also have an NPM entry auth.url.com that points to Authentik which some apps need instead of the internal address. It took some playing around to get it right but once you do, it's essentially copy and paste for new services.
It will be funny when they eventually decide the AI bureaucracy is the problem like they are blaming the civil service now. Nothing to do with their disastrous unworkable policies (Rwanda), pandering to the extreme elements of their party (Truss) or their complete ineptitude (pretty much everything else)...
One good thing that happened in recent years is the digital push and gov.uk websites. I have to say, getting a driving licence, renewing a passport, finding information on lots of topics has massively improved. Carry on with this, not wasting money on untested technology. Of course, that's silly for me to say. The money will all go to friends of the party with nothing gained.
Honestly, I am so glad my parents didn't move to the USA and moved to the UK instead. Me and my sister had several health issues including asthma, food allergies, broken bones playing sports, and as a result several hospital and doctor visits. Considering my parents were self employed shop keepers, I don't know if we'd be alive, let alone what sort of life we would have had. Then also having to pay for college would've been tricky. Having so few work holidays also completely sucks!
We are now both professionals with great jobs, paying lots of taxes and volunteer a lot to try to give back. Would that be possible in the USA - I honestly have no idea! Would we move to the USA - absolutely no way! We'd both actually earn lots more money in the USA in the same role but factoring in health and happiness, it's not worth it.
When you hear "greatest country on earth" and "the American dream", I think anybody in Western countries really roll their eyes. It's not a utopia here in the UK but nobody claims it to be, and stories like this just prove we are better off here.
However, we know the people themselves are great and don't deserve this position. We feel sorry for you and wish part of your population would travel and see things for themselves to push for changes back home.
In the UK, we are terrified that we will end up in the same position as our out of touch political elite and ultra wealthy would love to copy this.
It never went away but lots of people I know who did all that stopped bothering.
When the range in netflix went down, fees went up and everybody launched different services, I was really thinking of sailing but it was Netflix blocking sharing that was the final straw.
A stack of 15 floppy disks for one program. Please insert the next disk to continue (I can't remember the exact wording). Command prompt to A:\ and having to see what the install program might be called. Bring amazed that CDs could autorun programs.