The application isn’t 100% likely to stay active in the background it seems. I tried to program one myself but there’s a lot of bullshit going on in background apps in Android that I’m not familiar enough with to trust that I can do any better.
This is my summer solar system. I like to winter in the Antares.
I’m trying to figure out how to add it to Mailcow Dockerized and hook the existing containers. If I sort it out, I’ll probably PR it to Mailcow. I think it would be a nice addition to start to build out a network that isn’t susceptible to the same spam attacks as regular email (yet).
I remember as a kid I set up one of the first private Echomail nodes as part of my RBBS bulletin board. UUCP was a big part of that, as I was the hop for other nodes coming onboard in my area. I added another half-dozen modems eventually just to handle the email traffic, then had to offload it to a university because I didn’t want to have to charge for the traffic and it was getting too big to handle. But it was pretty interesting at the time.
You set up the VPN and it’s always on. There’s no hassle.
Like, good for you, man.
But you should really keep your stuff inside the VPN and not expose things; it opens up a pile of potential risks that you don’t need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications. If you absolutely, positively must have something exposed directly, put it on its own VLAN and with no access to anything you value.
I don’t think a Tailscale tunnel helps this anyway, maybe just from standard antispoofing and geoblocks, but it still gets to the application in full eventually, when they can do what they’d do if it was directly exposed. The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access. And they could request another page that has an entirely different surface.
If someone has Nextcloud exposed, I’m not stopping at the /login page that comes up by default and hitting it with a rainbow table; I’m requesting remote.php where all the access goodies are. That has a huge surface that bypasses the login screen entirely, might not be rate limited, and maybe there’s something in webdav that’s vulnerable enough that I don’t need a correct token, I just need to confuse remote.php into letting me try to pop it.
You can improve this by putting a basic auth challenge at least in front of the application’s webpage. That would drastically reduce the potential endpoints.
I can get a notification to ntfy, but I’m not sure if the app is certain to blow my phone up until I notice it, which is my goal. Frankly, if I could trigger the Presidential Alert, I would do that.