from daniel31x13@lemmy.world to selfhosted@lemmy.world on 27 Aug 15:48
https://lemmy.world/post/35086101
Today, weâre excited to announce the release of Linkwarden 2.12! đ„ł This update brings significant improvements and new features to enhance your experience.
For those who are new to Linkwarden, itâs basically a tool for saving and organizing webpages, articles, and documents all in one place. Itâs great for bookmarking stuff to read later, and you can also share your resources, create public collections, and collaborate with your team. Linkwarden is available as a Cloud subscription or you can self-host it on your own server.
This release brings a range of updates to make your bookmarking and archiving experience even smoother. Letâs take a look:
Whatâs new:
𫧠Drag and Drop Support
One of our most requested features is finally here! You can now drag and drop Links onto Collections and Tags. This makes it much easier to organize your bookmarks and keep everything tidy.
đ€ Upload from SingleFile
SingleFile is an awesome browser extension that allows you to save complete webpages as a single HTML file on your device. As of Linkwarden 2.12, you can upload your saved links directly from the SingleFile browser extension into Linkwarden. This allows you to easily save articles which are behind paywalls or require authentication directly from your browser.
To use this feature, simply install the SingleFile extension, and then follow the documentation.
đ Progressed Translations
Weâve made significant progress in our translations, with many languages now fully supported. If youâre interested in helping out with translations, check out our Crowdin page.
â And moreâŠ
There are also a bunch of smaller improvements and fixes in this release to keep everything running smoothly.
Full Changelog: github.com/linkwarden/âŠ/v2.11.8...v2.12.0
Want to skip the technical setup?
If youâd rather skip server setup and maintenance, our Cloud Plan takes care of everything for you. Itâs a great way to access all of Linkwardenâs featuresâplus future updatesâwithout the technical overhead.
We hope you enjoy these new enhancements, and as always, weâd like to express our sincere thanks to all of our supporters and contributors. Your feedback and contributions have been invaluable in shaping Linkwarden into what it is today. đ
threaded - newest
Linkwarden user here. Can confirm - itâs a great tool to dump links for later. Iâve setup an iOS shortcut that lets me share links directly to linkwarden. Super handy
Great to hear! Just wait till you hear about the upcoming official mobile app!
Nice, how are you hosting it?
For however needs it, LinkGuardian on Android (izzyondroid for fdroid) offers the same thing!
Iâve been using this which works great.
f-droid.org/packages/com.sbv.linkdroid/
Works with my single sign on setup as well which was critical. Creates a nice share target on android so any share button gives the option of sending the link to linkwarden
You know what, I like it more than LinkGuardian. Great suggestion!
This is a fantastic tool, but Iâd love to confidently expose the API to the internet for the shortcut. To do that you need read-only and running as a user; I saw that thatâs not a thing that works from the issues.
Any thoughts on getting those security features working? Cause the app itself is so smooth Iâd let my parents use it and be confident they wouldnât need to be herded constantly.
So you want to disable registration? Itâs possible.
No what I said isn't about user registration; it's about adding these to the
docker-compose.yml:to prevent running as root and making the file system read-only. The API needs to be exposed without a VPN or other proxy login since my parents' can't handle that, so if I was able to implement these recommended security steps I'd feel like I could open up the container to the internet at large without too much risk.
Per this issue https://github.com/linkwarden/linkwarden/issues/799 it seems like there's a lot of steps to take to get these settings to work.
It would be also ideal if I didn't have to give the container (but not a deal-breaker):
as the issue also states is required for the headless chrome scraper browser.
I am using it internally now and it's really good, but to open it up for my parents (which I think they'd dig) I'd definitely want these security settings on without major issues. Linkwarden is an internet-facing application so these recommended security practicies are in its wheel-house, feature-wise, as well.
Hope that helps clear up my comment!
Oh I see, thanks for letting me know! Yes thatâs actually requested and weâll be getting to it sometime.
Great to hear! Itâs seriously slick and âjust worksâ. With those security features up you can tout them on the cloud offering too :)
So I have mine running in a podman quadlet. It runs as root in the container but it is unpriviledged. Mine has NET_ADMIN and SYS_MODULE but I honestly canât remember why⊠SYS_ADMIN seems extreme though
Edit: Iâm dumb, and the linkwarden container has no capabilities set. I set them for the tailscale container which definitely needs it.
Care to share your quartet? Iâm just getting into the quads with trixie out - and I havenât gotten this working yetâŠ
The permissions do seem intense; if youâre getting by without maybe those arenât quite needed!
Sure thing, Iâll edit this reply when I get back to my computer. Just note that I also have a tailscale and nginx container in the pod which are not necessary.
Youâll see my nginx config which reverse proxies to the port the service is running on. On public servers I have another nginx running with SSL that proxies to the port I map the podâs port 80 to.
I usually run my pods as an unpriviledged user with
loginctl enable-lingerwhich starts the enabledsystemctl --userservices on boot.All that being said I havenât publically exposed linkwarden yet, mainly because itâs the second most resource intensive service I run and I have all my public stuff on a shitty vps.
Edit: My opsec is so bad hahaha
Edit2: I just realized the caps I gave were to the tailscale container, not the linkwarden container. Linkwarden can run with no caps :)
I added the tailscale stuff back
files:
linkwarden-pod.kube:
linkwarden-pod.yml:
--- apiVersion: v1 kind: Pod metadata: name: linkwarden spec: containers: - name: ts-linkwarden image: docker.io/tailscale/tailscale:latest env: - name: TS_HOSTNAME value: "link" - name: TS_STATE_DIR value: /var/lib/tailscale - name: TS_AUTHKEY valueFrom: secretKeyRef: name: ts-auth-kube key: ts-auth volumeMounts: - name: linkwarden-ts-storage mountPath: /var/lib/tailscale securityContext: capabilities: add: - NET_ADMIN - SYS_MODULE - name: linkwarden image: ghcr.io/linkwarden/linkwarden:latest env: - name: INSTANCE_NAME value: link.mydomain.com - name: AUTH_URL value: http://linkwarden:3000/api/v1/auth - name: NEXTAUTH_SECRET value: LOL_I_JUST_PUBLISHED_THIS_I_CHANGED_IT - name: DATABASE_URL value: postgresql://postgres:password@linkwarden-postgres:5432/postgres - name: NEXT_PUBLIC_DISABLE_REGISTRATION value: "true" - name: linkwarden-nginx image: docker.io/library/nginx:alpine volumeMounts: - name: linkwarden-nginx-conf subPath: nginx.conf mountPath: /etc/nginx/nginx.conf readOnly: true - name: linkwarden-postgres image: docker.io/library/Thanks! Thisâll def help me get tooled up for podman :)
Just curious why you chose a kube quadlet instead of the typical podman container quadlets?
I think itâs cool that I can take that config and drop it into kubernetes and it usually just works. I donât have a cluster anymore, but if I decide to use one in the future, the overhead will be negligible
Fair enough! I toyed with the idea of doing it that way because the systemd component would just reference a single yaml file for each service, which feels portable. That said though, my quadlets as they are are pretty portable too. Thanks for sharing!
How would you add new links if its read only?
As always you store data you want to keep in the volumes section.
With read-only you prevent new binaries from being added in the image space. You can add ânoexecâ to your volumes/tmpfs preventing binaries to the areas that are writable. Then ideally you are using an image with minimal surface area (e.g., only sh and the exact binaries needed to make it go) and itâs very secure! Itâs still plenty secure without a minimal image.
Couldnât the attacker just drop a dangerous binary into the data volume then?
Not if you annotate your data volume with said ânoexecâ which prevents execution from anything in the data volume. It looks like this, you can slam it on any volume you like - no volumes should have executables in them anyways.
Also Iâm pretty sure ânoexecâ is the default, so thatâs by default protected. But I canât confirm that from a quick search so not 100% on that.
â/mnt/data:/container/place/it/wants:rw,noexec,nosuid,nodev,Zâ
ârwâ means read/write. You can change it to âroâ for read-only if the volume shouldnât write to it (maybe a config file).
Z is for selinux that means âonly one program can read/write tho thisâ. You can change it to âzâ lowercase in case more than one needs to read/write. Only case Iâve found for little z is crowdsec needing to watch Caddyâs log for blocking.
So overall, the idea is that your volume mounts canât be used to execute arbitrary binaries AND the image file system is frozen so that arbitrary binaries cannot be loaded into the image (which is by default all executable, a requirement to run anything in it). So if someone was able to hack into an internet-facing container, they wonât be able to load up whatever they want. Theyâll be limited to whatâs built into the image (which ideally are secure and limited in scope).
This is great. Thanks!
Sweet! Single-file looks like a decent workaround for those links that get locked behind captcha when theyâre being saved. Always frustrates me when I go to review a link and it turns out it only saved a cloudflare redirect lol
Glad you like it!
Freaking quality post, OP! Lots of information about whatâs new, barely even have to visit the link to know whatâs going on here. Love to see it.
đđ
Thanks! :)
Linkwarden kicks butt! I use it all the time now.
Iâd love to move to it, but I cannot find any easy way to export from Readeck and import to Linkwarden. At least a list of pages.
I was using it, switched to hoarder, then readeck. Now Iâm thinking about moving back to linkwarden, so this is bad news for me.
I do host an instance of it but rarely use it. Iâd love to see more in depth archival features like deep link archiving and archiving resources behind authorization. My use case is more archiving than bookmarking.
Then, I think you should be using Archive Box. Maybe you already do.
I actually donât! Iâll check it out if it fits my needs. Thanks!
Nice. Started using it just a couple weeks ago. I tested a big chunk of them and while Linkwarden isnât perfect, it does everything better than everything else I tried.
Do we self-hosters need to do anything special? I remember looking at some docs about upgrading versions, but I donât know how to tell which version I have.
As a general rule when installing anything with Docker Compose, rather than using âlatestâ I prefer to specify a version as it makes it easier to roll back should i find issues with an update.