I’m subract. This is my place to share what I’m learning and working on, mostly in my homelab.
Want to chat? Drop me a line via email (self@<this domain>) or Matrix.
False security: Dashy's client-side authentication
Update 3/28: The devs have announced that the auth system is to be deprecated. See details below. About a month ago, I went looking for a dashboard for my homelab—something to help visualize the services I run. I found Dashy, a popular (14.6k GitHub stars) dashboard designed for self-hosters. I deployed it and started configuring it, but noticed that something about its authentication felt off. I started digging and quickly found its security to be borderline useless, permitting unauthenticated reads and writes of its configuration....
Three ways to break your back(ups)
tl;dr: Don’t put yourself in a position where you ignore alerts. Don’t update your software without reading release notes. And especially don’t make assumptions about error handling in bash scripts! I recently discovered a failing backup that, upon deeper investigation, turned out to be a chain of three failures. I’ll explore how it happened, why it went on for far longer than I initially thought, and what fixes I identified....