Technology

Devil's advocate here: switching to Linux wouldn't help.

I recently had to set up a public web server for a org that I belonged to. The idea was that I would set everything up in the most secure and unbreakable way I can think of, write documentation on how to do everything, transfer ownership of all the "break glass" credentials and lock my own account once I'm done.

This turned out to be a huge mistake. What was supposed to be some free work for a hobby group turned into a massive pain every day at 3-4am (due to time zone differences)

The person in charge of managing access control couldn't figure out how wg-easy works. She managed to give her own credentials to EVERYONE who needed access, which obviously didn't work due to IP conflicts. When pointed out, she modified the IP in every config file, which of course, still didn't work. It took forever to tell her NOT to share credentials and create new peers for each user.

The biggest problem is some how NOT windows or mac users. There is a single Linux user that is causing the most headaches. When I set up wireguard, I tested on both Linux and Windows, with Linux being what I used. I ran into some minor hiccups with getting split dns to work correctly, but it was relatively easy to fix in Network Manager. I assumed if there are other Linux users they would be able to fix it themselves. Obviously I was wrong.

Said person had DoH enabled in their browser that they didn't know how to disable, running varieties of "I don't know" for their network stack, DNS resolver, etc. almost every question for dig, cat /etc/resolv.conf descended into "what's that?" or completely incorrect commands (e.g. resolving a http url in dig). I could not figure out what the person was running, the person themselves had no idea what was running (I think it was systemd-resolvd, but I still don't know as of now). Eventually, after 3 workdays of trying to help fix this at 3-4am, I gave up. I can't help with a personal device belonging to somebody that has no idea what they're doing.

As for why I'm mentioning this story: switching to Linux wouldn't help this lady with her problem. There are similar issues on linux that would prevent a login or a graphical session (there was an old work machine that ran VLC, where VLC threw GBs worth of QT errors, eventually causing systemd to crash on reboot when the drive was full). The problem here isn't just the system, it's the user. A lot of people seem to be allergic to providing more details than "it's not working", "I don't know" and "I didn't try anything". If the general mindset is "I don't know what's wrong with no details", there's no savings the user from technical problems.

On a side note for "why the hell did I knowingly volunteer to set up a web server for someone else": the whole project was already 5 months overdue. It was beneficial for everyone for the server to be up asap. Said person in charge didn't think of anything (dns, hosting, software stack) other than ask a bunch of CS college students to design a Web app for her. Needless to say the students bailed on her (which is probably the best scenario? In terms of maintainability and security concerns). It also only took me 2 weeks to set everything up (lamp stack, K3S, crowdsec, openappsec, wireguard, etc)