And it’s only necessary because Nix doesn’t include it. Which is the only way anything is allowed to run on an SELinux system. SELinux doesn’t require Nix mutation, it requires Nix to be complete.

There are workarounds to fix Nix’s incomplete definitions, but most end users opt for the easy post-install solution that ends up mutating thier store rather than including the fix as a unique derivation for every package to add the missing SElinux labels and policy.

It’s not. SELinux predates Fedora. Fedora went all-in on SELinux pretty early on though (a few other older distros too, but Fedora is one of the few remaining with significant mind-share), and many other distros decided not to do security at all for many years.

AppArmor is “sufficient” if you only want to deal with known-in-advance high risk applications being locked down, which was the approach most other distros took since it’s extremely complex to have a policy for absolutely everything (like SELinix requires).

In the latest distros using AppArmor, it’s been expanding so much that it is arguably easier to just implement SELinux and derive from Fedora’s Standard Policy. Ubuntu 24.04 for example was been broken by thier various AppArmor bugs for almost 1.5 years after release, all because they slapped system-wide AppArmor policy restrictions on the default system and didn’t coordinate any of it.

SELinux also doesn’t mutate the store unless the package in the store failed to set an SELinix file label. Providing the labels in most cases is trivial, so trivial in most cases that a global SELinux Nix policy package exists in a number of distros that can set normal defaults that work for most things.

Quad9 is OK, but they follow thru on Spain’s DNS takedown demands when even Google refused. No shame on them, but it made me want to try something else.

You might look at OpenNIC

SELinux is used on all the Fedora Immutable distros, and the OpenSUSE Immutable distro. It’s actually much easier to do SELinux in Immutable distros in a lot of ways than non-immutable. Especially the bootc-style ones where even more of the system is defined and prebuilt before deployment.

AppArmor is OK, but the whole issue is that you have to know what to throw into it. That’s also its benefit, you can focus in the high risk things and ignore the low risk things. It keeps expanding profiles more and more though, and ironically the ultimate destination is everything being under MAC.

I think you found it was exactly what I said? You worked around it by changing a specific setting directly in Firefox that disables the exact check I mentioned without needing to disable all of private DNS in Firefox though.

The Racknerd $35/yr seems to be the 500MB RAM VPS with a 500GB/mo network data limit. That’s probably sufficient power for a wireguard endpoint for ingress, but that’s pretty low network data limit if you’re putting a media server behind it (10GB/hr of video isn’t unexpected, data is counted twice when having to ingress+egress thru the endpoint=25 hours of quality video per month)

Vs Cloudflare I agree. Giving up the MitM isn’t an acceptable trade off in my opinion either.

I see, so Pangolin includes the Tailscale Funnel functionality (which Headscale currently does not), integrates Authentik and Traefik, and sells it as a stand alone service. I guess there’s probably a narrow market for that, though it’s unlikely to be self-hosting. My experience is that any OAuth or RBAC solution is too involved and/or poorly supported by self-hosted applications to see more than a small number self-hosters using it, and those that do are advanced enough users that they would probably just build it themselves with free tools instead.

Hosting the tunnel is the only real value add from these services, which is why I’m confused by Pangolin’s business model.

To some extent. Cloudflare is extremely explicit about it for their free service though, and they do actively exercise the option if they think you’re getting too much benefit from it.

Most of the chips in a smartphone are made by Qualcomm, both processors and peripheral chips like 5G modem, LTE modem, WiFi, and Bluetooth. Qualcomm chips require proprietary binary blobs to function, and usually only have a support lifetime of about 2 years. They also only supply those blobs to the manufacturer of the device.

To be clear, these are game problems, not NVDIA GPU problems. Some games only work on Windows and need to use a translation wrapper, which has overhead.

So what benefit does Pangolin actually provide then if you already have to provide the VPS? Routing back to your network from a VPS is trivially easy, it’s getting the affordable VPS (given bandwidth prices) that’s actually the sticking point of any solution.

Warning: Cloudflare Tunnel ToS explicitly prohibits hugh-bandwidth activities on it, naming media streaming in particular. Some people take the chance anyway until Cloudflare might suddenly terminate your connection, it’s merely a low-stakes risk to using it.

Also worth mentioning: Cloudflare has historically had some involvement with DMCA detection and take down, so if your running a media server with them able to MitM your traffic, they’re almost certainly able to detect and scan if they so chose. They’re a big company so they may not do any relevant scanning on your Tunnel, or you may have only completely Public Commons content on your server, but something you should be aware of.

Related: I was doing something similar also from Ohio not that long ago. It turned out that most of the ISPs in Ohio have horrible reputations in the global network routing, so they are given low-priority and poor interconnects to other Internet routing companies. It affected both my incoming and outgoing network speeds and reliability. Cloudflare speed tests were the only ones giving any good values, I constantly had disconnects and timeouts for everything else. But when I put a VPN (that had a decent interconnect) on my router with an exit node in D.C. or Chicago, suddenly all my speeds went back to normal values matching Cloudflare results.
TL;DR your ISP having a poor reputation with their gobal interconnects is very likely to blame for the poor speed issues without Cloudflare Tunnel, and literally any tunneling solution would probably resolve it.

I’ve been trying to figure out what purpose Pangolin serves in this. Do they offer a paid service that has the internet-accessible entry/exit point that I’m not seeing?

Self-hosters aren’t lacking in tools to connect between a home server and some internet exposed server so they can tunnel from that public internet server back to their home server, they’re lacking in affordable options for the internet accessible server itself. Cloudflare Tunnel, Tailscale Funnel, and similar can easily be trivially replaced by a simple Wireguard connection from your home server to a public VPS with a couple trivial routing rules. But you have to have an affordable VPS with reasonable bandwidth and high reliability. Pangolin appears to just be Tailscale-ike permission-based routing software, but without the actual connections tools or hosting. That’s already available for free with Headscale, but Headscale also includes the connections part too. Am I missing something that would make Pangolin even equivalent, let alone better than, the free Headscale project?

Funnel has some significant limits on what you can use it for, esp with respect to streaming media FWIW. Not sure if it’s relevant here, but worth noting.

Why are you involving Cloudflare at all at that point? It sounds like you setup your own “Tunnel” service using Tailscale and/or direct Wireguard already.

Serious limits on Cloudflare Tunnels:

1. Only works if you use Cloudflare as your domain registrar for that domain
2. You can’t use it for anything high bandwidth, specifically including streaming media (e.g. Plex/Jellyfin)
3. They reserve the right to terminate your service tunnel randomly at any time without warning for any/no reason unless you pay them for the service.

And that doesnt address the issue of getting in bed with Cloudflare (which has its own ethical ramifications).

I’d recommend one of the alternatives like localxpose.io that offer the same thing but without the limitations. Or you can slap together your own with a wireguard tunnel to a minuscule VPS with some routing rules on it. Both are about €5/month, which is cheaper (the same?) as paying for Cloudflare Tunnel to avoid the random termination and vendor lock in.

I usually combine with using client certificate authentication as well for anything that isn’t supposed to be world accessible, just internet accessible for me. Even if the site has it’s own login.

People sleep on the DNS-01 challenges option for TLS. You don’t need an internet accessible site to generate a LetsEncrypt/ZeroSSL certificate if you can use DNS-01 challenges instead. And a lot of common DNS providers (often also your domain registrar by default) are supported by the common tools for doing this.

Whether you’re doing purely LAN connections or a mix of both LAN and internet, it’s better to have TLS setup consistently.