Hacker News: sconi's comments

Yes, Zscaler or any other Zscaler clone (e.g., Netskope, Cato, etc.) -- they're all just sitting ducks, and once they are compromised, what happens to all the customers? It doesn't make any sense and shows how much we're willing to give up for convenience.


I get very similar vibes about Nix today as I did about early Docker: it requires doing things very differently, is difficult to ramp up on because of that, but those who pay the cost to invest the time are gaining an advantage now by their ability to do dazzling things by adopting early.


What dazzling things is Docker facilitating? I kinda just thought it was marginally decreasing sys-admin/op-management costs.


Back in Docker's day it was (basically) the only thing out there that let you reliably package up an application in a portable way from any Linux distribution to any Linux distribution - before Docker it was prohibitively difficult to build your application on your Ubuntu desktop and run it on your CentOS servers because you had to wrangle system packaging, library differences, and see the app run in the same way as it would in production. Docker turned the runtime into one consistent thing everywhere (and the ability to ship it to the deployment target).

That's less novel in 2023 but solved serious problems a decade ago. In 2023 reproducible builds are important, as reflected by efforts like Debian's reproducible builds or SLSA, and Nix zooms way beyond that to solve downstream problems, too.


Speaking as a Linux user since 2004: it absolutely was not "prohibitively difficult", as shown by every application pre-Docker. Beyond that, it's hardly dazzling.


It lets me run up-to-date daemons on my home server, with excellent uptime, on some old-ass version of Debian I never bother to update (don't worry, it's not routable from the public Internet) and without having to touch systemd (or sysv init, or openrc, or whatever), having written nothing but a single short shell script for each service. I could take all my exact same knowledge and scripts (and a backup of the data directories, helpfully and completely documented in those same shell scripts) and spin my whole stack up again on basically any other distro, only having to google what installing Docker looks like for that system.

Different init system? Older/newer packages than I want in the distro's official repos? Some futzing-about with third party repos needed to add to get what I want at a version that's not three years old? No option but downloading a tarball and dicking around with that, on this distro? Package on this distro stores some daemon's config in a different places from the last one, and carves it up differently, so you can't just drop in your old config and have it work? This distro or version puts data for this daemon somewhere different, so now your backup scripts are fucked?

I don't have to care at all. About any of that.

I no longer have to give any shits which distro or version my home server's on (within reason) and anything I learn managing it transfers basically anywhere.

I can turn around and immediately apply nearly 100% of that skillset to any day-job I've had in the last decade or so.


Curious why you want to run Headscale? Is it purely to avoid the risks of the coordination server?


Yes, and because Tailscale requires me to use a third-party identity provider.


As of about a month ago, you can self-host your own OIDC identity provider; for example, Ory Hydra is open-source.

https://tailscale.com/blog/custom-oidc/


Thanks, I did read that blog post but adding yet another dependency to my stack just for authentication of a single user (me)? I don't know… Then I might as well just install Headscale.


Got it. Makes sense. A big part of why we're building Bowtie (https://bowtie.works). We stay out of the critical path.


Yeah, different protocol. Similar concepts.

Tailscale has captured mindshare, reminds me some of Cloudflare. There are many solutions out there offering unique value props relative to what Tailscale is doing, and it all comes down to customer needs. I'm not sure how broadly Tailscale has been adopted outside of the dev / HN crowd, so that's always something to dig into.


Let's just say that as the person who introduced Tailscale within our org, it has been one of the easiest solutions I ever had to convince my org of. Given the relative intrusiveness of switching a VPN provider (it touches a lot of core infrastructure), I expected a lot more resistance, but everybody was on board immediately.

In all honesty, Tailscale being so good, we never seriously looked at Zerotier. We only evaluated it on paper, not actually tried to use it.


Interesting. Could you share what specifically the report had?


We're focused on this very thing - https://bowtie.works


Does Bowtie aim to provide the same functionality as Tailscale?


A lot of the concepts are similar, yes. A few key differences exist, specifically as it relates to architecture and user experience.


Why not something other than Twingate or Tailscale?


I'm wide open to any recommendation you have. These are just the two products that seem to come up most when I ask people for recommendations.


What's the use case? How many users?


Why not VPN for the HTTPS services?


That's what I do. Mailcow on an isolated machine, 25/587 open on the firewall and port-forwarded to it; the rest of the various services it offers are only accessible via my home network (HTTPS, IMAPS, there are probably more). Then, I am always on my home network.

I started out with a different variation of this that was the same, except instead of using my (thankfully static) home IP in my MX record, I got some cheap hetzner/lightsail/whatever, then routed the incoming 25/587 across a 2 node wg network to the real mail server. It worked fine but ultimately I decided I'd rather expose my real IP in the MX record than pay $5/mo not to.

Of course, the secret to making this work without tearing my hair out is that my outgoing mail server only delivers mail to the relay I pay to deliver my mail to the 3 or 4 corporate behemoths who have taken over a once great decentralized service. I have no interest in tending to my deliverability or making appeals to Microsoft or whoever. Also at a personal mail volume with 0 transactional mail, it's very inexpensive.
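The VPS-relay variant described in the comment above (cheap VPS as the MX target, inbound 25/587 carried over a two-node WireGuard tunnel to the real mail server at home) rendered as concrete configuration. This is an added example, not the commenter's setup: the interface names, the 10.99.0.0/24 tunnel subnet, port 51820 and the key placeholders are all assumptions. The script only renders the files; applying them on the VPS (`nft -f`, `wg-quick up`, `sysctl --system`) is a separate, root-only step.

```shell
#!/bin/sh
# Added example (not from the comment above): render the VPS-side and home-side
# config for forwarding inbound SMTP (25) and submission (587) over a two-node
# WireGuard tunnel to a home mail server that is otherwise unreachable.
# Every address, interface name and key placeholder below is an assumption.
set -eu

# Assumed topology (hypothetical values, override via environment):
#   VPS: public interface eth0, WireGuard interface wg0 at 10.99.0.1/24
#   home mail server: only reachable through the tunnel at 10.99.0.2
PUB_IF="${PUB_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
VPS_WG_IP="${VPS_WG_IP:-10.99.0.1}"
HOME_WG_IP="${HOME_WG_IP:-10.99.0.2}"
WG_PORT="${WG_PORT:-51820}"
MAIL_PORTS="${MAIL_PORTS:-25, 587}"

# nftables ruleset for the VPS. Only the two mail ports are DNATed into the
# tunnel; the forward chain drops everything else arriving from the public
# interface, so the VPS cannot be used as a hop into the home network.
# SNAT to the VPS tunnel address makes replies return through wg0 without
# any policy routing on the home side.
render_nft_ruleset() {
  cat <<EOF
# declare-then-delete makes re-applying this file idempotent
table ip mailfwd
delete table ip mailfwd
table ip mailfwd {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$PUB_IF" tcp dport { $MAIL_PORTS } dnat to $HOME_WG_IP
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "$WG_IF" ip daddr $HOME_WG_IP tcp dport { $MAIL_PORTS } snat to $VPS_WG_IP
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$PUB_IF" oifname "$WG_IF" ip daddr $HOME_WG_IP tcp dport { $MAIL_PORTS } ct state new accept
  }
}
EOF
}

# WireGuard config for the VPS end. AllowedIPs is a /32: only the mail
# server's tunnel address is ever routed over this link.
render_wg_vps() {
  cat <<EOF
[Interface]
Address = $VPS_WG_IP/24
ListenPort = $WG_PORT
# placeholder: generate with 'wg genkey'
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# home mail server
PublicKey = <HOME_PUBLIC_KEY>
AllowedIPs = $HOME_WG_IP/32
EOF
}

# WireGuard config for the home end. No ListenPort: the home box dials out,
# and the keepalive holds the NAT mapping open so inbound mail keeps flowing.
render_wg_home() {
  cat <<EOF
[Interface]
Address = $HOME_WG_IP/24
PrivateKey = <HOME_PRIVATE_KEY>

[Peer]
# VPS relay; <VPS_PUBLIC_IP> is a placeholder
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:$WG_PORT
AllowedIPs = $VPS_WG_IP/32
PersistentKeepalive = 25
EOF
}

# Write all rendered files into a directory (default ./mail-forward-out) and
# print that directory. Nothing is applied to the running system.
write_all() {
  out="${1:-./mail-forward-out}"
  mkdir -p "$out"
  render_nft_ruleset > "$out/nftables-mailfwd.nft"
  render_wg_vps      > "$out/wg0-vps.conf"
  render_wg_home     > "$out/wg0-home.conf"
  printf 'net.ipv4.ip_forward = 1\n' > "$out/99-mailfwd-forward.conf"
  echo "$out"
}

# Usage: sh thisfile.sh write [outdir]
if [ "${1:-}" = "write" ]; then
  write_all "${2:-}"
fi
```

Two caveats a practitioner should weigh before copying this. First, the SNAT rule means the home mail server sees every connection as coming from 10.99.0.1, so its logs, rate limits and any IP-based spam scoring lose the real client address; the alternative is to drop the SNAT rule and add a policy route on the home side so replies to traffic that arrived via wg0 leave via wg0. Second, the ruleset above does not define an input chain for the VPS; if the VPS already has a default-drop input policy, UDP 51820 must be allowed there or the tunnel never comes up.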


Some https services are vpn only.

Some HTTPS services are internet-exposed with HTTP basic auth as a first-line auth requirement. Some services are available to friends, or I want access to them from devices I can't VPN from.


Not OP, but for me I reverse proxy things behind public IPs in an effort to trade a little bit of security and digital footprint for a lot of ease.


Curious what 'dead simple' means re: clients. Do your users still need to log in like OpenVPN, or is it always on?


It's a small icon in the top bar on macOS. You click login, it opens your browser, you Google/Okta auth in your browser using any factor you want (push, totp, yubikey), and you're done. Login literally takes seconds and there is little chance for confusion.

