Joined 2 years ago
Cake day: June 16th, 2023

  • I appreciate the reply, but I guess I wasn’t clear on what I was asking.

    It’s obvious who this is for in the literal sense, what I mean is: what is the use case for this?

    On the homelab front, I don’t see enough need to unify my GUI access, and I have roughly 30 containers to manage. At that point, most homelab admins gravitate to automation.

    On the professional front, I can tell you that unifying the keys to mgmt interfaces to critical infrastructure in a single app is not a welcome tool to see on my junior admin desktops. And if it’s simply the interface to mgmt portals without storing keys, then I would have my doubts about a junior admin who hasn’t developed a personal strategy to manage this themselves.

    Don’t get me wrong, I’m happy to encourage you to develop this, but the second you write “trying to make a living from this”, you should know that these questions are coming.

    If I were across the table from you trying to understand what you’re selling me, I would want to know:

    • how do you handle secrets in transit and at rest?
    • can I deploy this once and set access for various departments or employees?
    • can I find out who has been using the tool?
    • how does the app handle updates?

    You can see where this is going. If I buy this tool for use by several people, I don’t want to have to wrap it in vault entries and update scripts just to meet compliance with my client’s environment.





  • non_burglar@lemmy.world to Selfhosted@lemmy.world · My thoughts on docker · 2 months ago

    I’m trying to indicate that docker has its own kinds of problems that don’t really occur for software that isn’t containerized.

    I used the immich issue because it was actually NOT indicated as a breaking change by the devs, and the few of us who had migrated the same compose yml from older versions and had a problem were met with “oh, that is a very old config, you should be using the modern one”.

    Docker is great, but it comes with some specific understanding that isn’t necessarily obvious.


  • non_burglar@lemmy.world to Selfhosted@lemmy.world · My thoughts on docker · 2 months ago

    For one, if the compose file syntax or structure and options changes (like it did recently for immich), you have to dig through github issues to find that out and re-create the compose with little guidance.

    Not docker’s fault specifically, but it’s becoming an issue with more and more software issued as a docker image. Docker democratizes software, but we pay the price in losing perspective on what is good dev practice.



  • There’s a give-and-take here, where disclosing the vulnerability should be done soon enough to be responsible to affected users, but not so late that it’s seen as pandering to the vendor.

    We’ve already seen how much vendors drag their feet when they are given time to fix a vuln before the disclosure, and almost all the major vendors have tried to pull this move where they keep delaying a fix unless it becomes public.

    Synology hasn’t been very reactive to fixing CVEs unless they’re very public. One nasty vulnerability in the old DSM 6 was found at a hackathon by a researcher (I’ll edit and post the number later), but the fix wasn’t included in the main update stream; you had to go get the patch manually and apply it.

    Vendors must have their feet held to the fire on vulns, or they don’t bother doing anything.