Well, they have – I think. When you download an edited image, it supposedly downloads an image with edits applied. The original is optionally available too.

If you download the edited image, this is effectively equivalent to the status quo of image editing.

SearXNG is not a search engine, it’s a search engine proxy. The actual search engines that are being proxied are still the same old google, bing etc.

Disabling su is stupid because you always need some form of privilege escalation, restricting sudo to apt offers no security benefit whatsoever as apt allows arbitrary file modification, disabling root ssh provides no benefit when the unprivileged user has sudo access – I could go on.

Yikes, lot’s of bad advice in this thread.

My advice: Go develop an actual threat model and find and implement mitigations to the threats you’ve identified.

If you can’t do that, that’s totally okay; it’s a skill that takes a lot of time and effort to learn and is well-compensated in the industry.

You will need to pay for it. Either through an individual assessment by someone who knows what they’re doing, managed hosting services where the hoster is contractually liable and has implemented such measures, by risking becoming part of a botnet or by not hosting in a world-public manner.

My recommendations:

• Pay for proper managed hosting for every part of your system that you are not capable of securing yourself. This is a general rule that even experienced people follow by i.e. renting a VPS rather than exposing their own physical HW. There are multiple grades to this such as SaaS, PaaS and IaaS.
• Research, evalue and implement low-hanging fruit measures that massively reduce the attack surface. One such measure would be to not host in a manner that is accessible to the entire world and instead pay for managed authenticated access that is limited to select people (i.e. VPN such as Tailscale)
• git gud

Wow is that ever a load of snake oil.

I see this kind of guide as actively harmful because it creates a false sense of security.

Kagi is a search engine where you just simply pay with money rather than being instrumentalised in all kinds of awful ways in order to make the operator money.

I was very sceptical at first too. I highly recommend to simply try using it with the gratis 100 searches. That lasted me for a few days and I quickly noticed what there is to love about it.

It’s the best (and to my knowledge only) search engine money can buy.

The first two points have nothing to do with HTTP‽

The last one is just August before Eternal September ¯\_(ツ)_/¯

That’s for encrypting your data to protect against an untrusted storage back-end.

They also have e2ee for users though where the server cannot see the plaintext either.

https://nextcloud.com/encryption/

Thanks for the explanation!

Though it ought to be possible to only respond with the new self-signed cert when LE does the challenge and with the previous, properly signed cert otherwise.

I found https://codeberg.org/neilpang/acme.sh/wiki/TLS-ALPN-without-downtime which demonstrates one method to achieve that but I lack practical experience judge whether that’s optimal.

Forgive my ignorance but why would that incur a downtime?

The only way I can think of for downtime to happen if you switched certs before the new one was signed (in which case …don’t) or am I missing something?

It also strikes me as weird that LE requires 80 but does allow insecure 443 after a redirect. Why not just do/allow insecure 443 in the first place?

https://blog.kagi.com/small-web is the closest I’ve seen but it is indeed quite small and often not useful.

Kagi is generally a tool that can be made to clean your search results of poorly incentivised content. It already categorises “top 10” click farms as such OOTB and lets you disable them entirely.

The ability to block websites from appearing in your results is the most useful though IME. If I stumble upon a poorly incentivised website, I can simply block it and it will never appear again.

It’s not all you’re asking for but it gets you the closest that I know of.

There’s also the option of just leaving an offline disk at someone’s and visiting them regularly to update the backup.

Having an entirely offline copy also protects you/mitigates against a few additional hazards.

If you don’t process any user data beyond what is technologically required to make the website work, you don’t need to inform the user about it.

Should have just been a reply.

I doubt most user have any need for great nc performance.

I also doubt those “super performant nextcloud flakes” are actually any faster than a plain old default nc deployment; especially for our use-cases.

Using NixOS is a good recommendation though. Just don’t do flakes unless you actually understand what problem they intend to solve and how catastrophically bad they are at it.

I’d suspect the bots would just try again with a masked user agent when they receive a 403.

I think the best strategy would be to feed the bots shit that looks like real content.

The web version works without an account? That’d be news to me.

I wouldn’t go ARM unless you really like tinkering with stuff.

I bought a used Celeron J4105-based system years ago for <100€ and it’s doing just fine. The N100 is its successor that should be better in every way.

Don’t be afraid to buy cheap used hardware. Especially things like RAM or cases that don’t really ever break in normal usage.

Two 4TB HDDs for 120€ each is a rip-off. That’s twice what you pay per GB in high capacity drives. Even in the lower capacity segment you can do much better such as 6TB for 100€.

If you have proper (tested!) backups and don’t have any specific uptime requirements, you don’t need RAID. I’d recommend getting one 16TB-20TB drive then. That would only cost you as much as those two overpriced 4TB drives.

Sure but that won’t do anything about software issues :p

Specifically this section:

Why is Magic Earth free? What is the business model?

Magic Earth is free for all our end-users but we also have a paid Magic Earth SDK for business partners. For instance Selectric.de (a supplier for navigation solutions for ambulances and fire trucks), Smarter AI (developing ADAS systems) or Absolute Cycling (using the platform on bicycles). For more info on the SDK, you can check magiclane.com.