I think that any guides you find for Gitea + Renovate should work still for Forgejo + Renovate.

I believe the process is:

• Create Forgejo instance
• Create a user for Renovate within Forgejo
• Using the CLI on your local machine (or another tool to complete this step), create an SSH public/private key for the Renovate user
• Log into Forgejo using the Renovate user and configure the previously created SSH keys and separately generate a Forgejo token
• Create a Renovate instance with settings for at least RENOVATE_GIT_PRIVATE_KEY (SSH private key value), RENOVATE_TOKEN (Forgejo token value), RENOVATE_PLATFORM (gitea), RENOVATE_ENDPOINT (Forgejo API base URL), and any other Renovate settings that you may find helpful/necessary to configure (eg: GITHUB_COM_TOKEN, RENOVATE_AUTODISCOVER, etc.)
• Depending on how you want things to work, you may need to give the Renovate Forgejo user access to individual repos

It is not clear that this is the app that will be used for the new watches. I imagine it will support the new RePebble watches, but I believe that app was intended for the original Pebble watches.

The thing that makes it so unclear to me is that this is a repo owned by the Rebble team, not the RePebble team. I do not know how much overlap there is between the two teams, but the RePebble team does not have any open source repos that I could find. Any mention of open source software by RePebble (including the OS) are links to repos owned by other teams, which is a little concerning.

I understand that the watch operating system is open source. However, it seems that the watch will connect to a companion smartphone app. Do you know if the app is a requirement and/or if the app will be open source?

If you know your VPN’s DNS server, you can change your local DNS so that it redirects your specified domains/subdomains to the appropriate, local IP address and all other requests would then use your VPN’s DNS.

If you don’t know your VPN provider’s DNS server information, you may be able to still do something similar to the above depending on your setup. Otherwise, you could run your own DNS resolver or use a different DNS provider. I guess doing so could potentially be used to further fingerprint you, but the concern about “DNS fingerprinting” is moreso DNS leaks where your DNS queries are accessible to unintended parties due to improper configuration.

I believe the only other option would be to change your hosts file on each device you want to use to connect to your services, which is probably not the best approach and may be challenging/impossible for certain devices.

Also, unless you setup the self signed certs to be trusted on a network/domain level (or again on each individual device), you will likely get a warning/error about the self signed certs when accessing your services. You may need to work through this process each time the certs renew.

I recommend buying a domain if you do not already have one and finding a service that provides wildcard certification challenges. This would allow you to setup a valid, trusted certificate that you could reuse for all of your services. The only thing that you would need to provide is an email address (can be any email address) and your domain name (in addition to other information that may be required to setup an account at the cert provider, but you may already have an account there as it could be the domain name registrar or other services like VPS providers, Cloudflare, etc.). Since it is a wildcard cert, each subdomain does not need to be set publicly and if you only use the domain within your network, the domain does not need to be publicly associated with any IP address.

If you do go forward with that approach, you could use the wildcard cert directly within NginxProxyManager or other reverse proxies. They will also automatically update/maintain the cert for you.

There is no one-size-fits-all solution and there likely isn’t a solution that works for everyone even in specific situations due to different threat models. Purchasing and using a custom domain is often listed as a good practice for maintaining a person’s privacy. However, it can be even more detrimental to a person’s privacy than just using a trusted email masking/forwarding service and trusted email provider. For example:

• The domain is purchased without WHOIS protection (or without using non-personal information) or the WHOIS protection is not renewed
• The email server is hosted on hardware that can be linked to other services that identify the individual (eg: the email is self hosted using a home IP address)
• A self hosted email server is configured in a way that leaks information or is configured insecurely
• The email domain is used by only one person, which enables agencies to link each individual, unique email address back to that individual and create an aggregated profile across various accounts/services
• If the domain/DNS is not configured properly (or if the domain is not renewed), then the domain (and thus the email accounts) can be hijacked, which could lead to any additional accounts/services that are still using the domain vulnerable to a take over attack
• The email server is hosted by a privacy invasive company/service
• The person assumes that all emails are private since they use a custom domain on a trusted email provider (or self hosted email server), but continue to send emails containing sensitive information to email accounts running privacy invasive email services (eg: Gmail)

Please note that I am not saying that this is not a good option, but I just wanted to note some of the things that should be considered if a person decides to use a custom email domain to improve their digital privacy.

My beef with them is that they’re either pushed by scammer to empty honest but gullible people’s bank accounts, or they’re used to pay for illegal activities because they’re totally opaque and unregulated.

Scammers also use gift cards, checks, wires, cash, bank accounts, investment funds, and many other means to accomplish this. Several of them are tightly regulated and it does not seem to deter or prevent the scams from occurring.

My other beef is that they’re really securities and they’re not subject to the rules on securities for a reason that totally escapes me.

Admittedly, I am not well versed in this area. Do you foresee a way to properly subject cryptocurrencies to the same/similar regulations as other securities while still providing many/all of cryptocurrencies’ benefits, including anonymity? Are the legitimate cryptocurrency exchanges (eg: Coinbase) not subject to those regulations? How different is this from individuals being taxed on gains/losses from cryptocurrencies?

I don’t do cryptocurrencies both out of self-financial preservation, and also because I refuse to participate - and thus promote - stuff that’s generally bad for society as a whole.

The first part is in relation to investing in cryptocurrency moreso than using cryptocurrency.

What makes cryptocurrency generally bad for society as a whole? While I am not familiar enough with the current estimates, I know there are environmental concerns (eg: water/electricity usage, required hardware, etc.). I concede that the environmental impacts may be (and likely are) worse than traditional fist currencies, I am unaware of other reasons that make cryptocurrency generally bad for society as a whole.

Trump loves em

Many privacy advocates also love cryptocurrency. Two different people or groups of people (no matter how similar or different) can have one or more shared interests, even if the reasons or motivations are drastically different. It is likely best to avoid politics on this topic.

• Edward Snowden Says Use Crypto, Don’t Invest In It
• Edward Snowden Calls Bitcoin Most Significant Monetary Advance Since The Creation Of Coinage

Cryptocurrency

Hard no. I don’t partake in scams, even for the sake of privacy.

Is this in relation to the monetary value of cryptocurrency or the anonymity of cryptocurrency?

The list included cryptocurrency as a channel for anonymous payments, not an investment opportunity. The two cryptocurrencies listed are two of the more well established cryptocurrencies that are more widely accepted than many other cryptocurrencies (granted, one or both of them are still not accepted by a large number of merchants). Additionally, the list also mentions some of the considerations necessary to help ensure the cryptocurrency is obtained anonymously.

If the list only included insert_newly_created_obscure_cryptocurrencies then this would definitely be more concerning.

However, if the cryptocurrency is both obtained and used “properly” where the person is ultimately anonymously exchanging cryptocurrency for a desired good(s) or service(s), is it truly a scam?

In terms of privacy, you are giving your identity provider insight to each of the third party services that you use. It may seem that there isn’t too much of a difference between using Google’s SSO vs using your Gmail address to register your third party account. However, one big distinction is that Google would be able to see often and when you use each of your third party services.

Also, it may be impossible to restrict the sharing of certain information from your identity provider with the third party service. For example, maybe you don’t want to share a picture of yourself with a service, but that service uses user profile pictures or avatars. That service may ask (and require) that you give it access to your Google account’s profile picture in order to authenticate using Google’s SSO. You may be able to overwrite that picture, but you also may not be able to revoke the service’s ability to retrieve it. If you used a “regular” local account, that Google profile picture would never be shared with the third party service if you did not upload it directly. The same is true for other information like email, first/last/full name, birthday, etc.

There are other security and operational concerns with using SSO options. With the variety of password managers available, introduction of passkeys, and increased adoption of multi-factor authentication, many of the security benefits associated with SSO aren’t as prevalent as they were 10 years ago. The biggest benefit is likely the convenience that SSO still brings compared to other authentication methods.

Ultimately it’s up to you to determine if these concerns are worth the benefits of using SSO (or the third party service provider at all if they require SSO). I have a feeling the common advise will be to avoid SSO unless its an identity provider that you trust (or even better - one that you host yourself) - especially if you’re using unique emails/usernames along with strong and unique passwords with multi-factor authentication and/or passkeys.

Congrats on getting everything working - it looks great!

One piece of (unprovoked, potentially unwanted) advice is to setup SSL. I know you’re running your services behind Wireguard so there isn’t too much of a security concern running your services on HTTP. However, as the number of your services or users (family, friends, etc.) increases, you’re more likely to run into issues with services not running on HTTPS.

The creation and renewal of SSL certificates can be done for free (assuming you have a domain name already) and automatically with certain reverse proxy services like NGINXProxyManager or Traefik, which can both be run in Docker. If you set everything up with a wildcard certificate via DNS challenge, you can still keep the services you run hidden from people scanning DNS records on your domain (ie people won’t know that an SSL certificate was issued for immich.your.domain). How you set up the DNS challenge will vary by the DNS provider and reverse proxy service, but the only additional thing that you will likely need to set up a wildcard challenge, regardless of which services you use, is an email address (again, assuming you have a domain name).

Raspberry Pi + PiHole + PiVPN = Network Gateway Drug

Although, PiVPN is winding down so you might want to find something different instead. Setting up a regular Wireguard VPN isn’t so bad, but it may be simpler to setup a Tailscale Tailnet.

the only sites I give permenant cookie exception are my selfhosted services

This is what I was referring to. How are you accomplishing this?

I’m still looking for the switches to block all new requests asking to access microphone, location, notification

I can’t help with this at the moment, but if you’re still struggling with this I can provide the lines required to disable these items. However, I don’t know how to do this with exceptions (ie allowing your self hosted sites to use that functionality, but block all other sites). At minimum though you could require Firefox to ask you every time a site wants to use something. This may get repetitive for things like your self hosted sites if you have everything clearing when you exit Firefox.

Didn’t look at the repo thoroughly, but I can appreciate the work that went into this.

• Is there any reason you went this route instead of just using an user-overrides.js file for the standard arkenfox user.js file?
• Does the automatic dark theme require enabling any fingerprintable settings (beyond just possobly determining the theme of the OS/browser)?
• How are you handling exceptions for sites? I assumed it would be in the user.js file, but didn’t notice anything in particular handling specific URLs differently.

Calls made from speakers and Smart Displays will not show up with a caller ID unless you’re using Duo.

Is it possible to use Duo still? Google knows it discontinued/merged Duo with Google Meet nearly 18 months ago, right?

https://changedetection.io/

Change Detection can be used for several use cases. One of them is monitoring price changes.

Could you explain further? Wouldn’t this just need to be setup once per server that OP wants to connect?

Could you use symlinks? Not sure what the “gotchas” or downside to this approach is though.

tl;dr: A notable marketshare of multiple browser components and browsers must exist in order to properly ensure/maintain truly open web standards.

It is important that Firefox and its components like Gecko and Spidermonkey to exist as well as maintain a notable marketshare. Likewise, it is important for WebKit and its components to exist and maintain a notable marketshare. The same is true for any other browser/rendering/JavaScript engines.

While it is great that we have so many non-Google Chrome alternatives like Chromium, Edge, Vivaldi, etc., they all use the same or very similar engines. This means that they all display and interact with websites nearly identically.

When Google decides certain implementation/interpretation of web standards, formats, behavior, etc. should be included in Google Chrome (and consequently all Chromium based browsers), then the majority marketshare of web browsers will behave that way. If the Chrome/Chromium based browsers reaches a nearly unanimous browser marketshare, then Google can either ignore any/all open web standards, force their will in deciding/implementing new open web standards, or even become the defacto open web standard.

When any one entity has that much control over the open web standards, then the web standards are no longer truly “open” and in this case becomes “Google’s web standards”. In some (or maybe even many) cases, this may be fine. However, we saw with Internet Explorer in the past this is not something that the market should allow. We are seeing evidence that we shouldn’t allow Google to have this much influence with things like the adoption of JPEG XL or implementation of FLoC.

With three or more browser engines, rendering engines, and browsers with notable marketshares, web developers are forced to develop in adherence to the accepted open web standards. With enough marketshare spread across those engines/browsers, the various engines/browsers are incentivized to maintain compatibility with open web standards. As long as the open web standards are designed and maintained without overt influence by a single or few entities and the open standards are actively used, then the best interest of the collective of all internet users is best served.

Otherwise, the best interest of a few entities (in this case Google) is best served.

Alerts, notifications, person recognition, object recognition, motion detection, two way audio, automated lights, event based video storage, 24/7 video storage, automated deletion of stale recorded video, and more can all be accomplished 100% locally.

Granted, much of this functionality is not easily accomplished without some technical knowledge and additional hardware. However, these posts typically are made by people who state to at least have an interest in making that a reality (as this one does).

What security benefits does a cloud service provide?

Your options will depend on how much effort you are willing to put in and what other services you have access to (or are willing to run).

For example, do you have a Network Video Recorder (NVR) or something like Home Assistant that can consume a Real-Time Messaging Protocol (RTMP) or Real Time Streaming Protocol (RTSP) video feed? Can you modify your network to block all internet traffic to/from the doorbell? Are you comfortable using a closed source, proprietary app to setup the doorbell? Is creating your own doorbell feasible?

I’m not aware of a doorbell that you can buy which meets all of your requirements without at least one of the items I mentioned above. Additionally, I believe the only doorbell that meets all your requirements is building your own doorbell. However, some other brands that will get close to meeting your requirements are Reolink and Amcrest.

This is a “simple” question, but unfortunately the answer isn’t as simple. Much of this isn’t necessarily Google “individually and directly attacking people”, but instead Google providing others with the (otherwise unavailable) means to do so.

Regardless, is this an example that you were looking for? https://www.nbcnews.com/news/us-news/google-tracked-his-bike-ride-past-burglarized-home-made-him-n1151761