Even though it only happened once, I still set up monitoring for inode exhaustion.

I've never heard of that CNAME approach for changing the validation domain. That looks like a viable solution since it requires a one-time setup on the main domain and ongoing access to the second (validation) domain.

I see that AWS permissions can be set to limit the risk of compromised credentials. That's a good idea. I see that the lego project has an example of this in their documentation: https://go-acme.github.io/lego/dns/route53/index.html#least-...

The article says it is for those who

> prefer to keep DNS updates and sensitive credentials out of their issuance path.

As for putting it on a separate VLAN and securing traffic with firewall rules, that may be as much or more trouble than setting up the automated certificate renewal. At least with the automated certificates there may not be any further maintenance required. With firewall rules, you'll need to open up the firewall each time you want a new device to access the printer.

For internal-use certificates, you'll have to make use of a DNS challenge with Let's Encrypt. I've been hesitant to set that up because I'm concerned about the potential compromise of a token that has permissions to edit my DNS zone. I see that the author creates exactly that kind of token and has permanently accessible to his script. For a home lab where he's the only person accessing his hardware, that's less of a concern. But what about at a company where multiple people may have access to a system?

Am I being too paranoid here? Or is there a better way to allow DNS challenges without a token that allows too much power in editing a DNS zone?

Sure, your website may have unimportant stuff on it that nobody relies on, but do you want visitors to see ads in your content that you didn't put there?

I implemented 2FA for my previous employer and we would have gladly skipped SMS 2FA if we could get away with it. It's more expensive for the company and the customer. And it sucks to implement because you have to integrate with a phone service. The whole phone system is unreliable or has unexpected problems (e.g. using specific words in a message can get your texts blocked). Problems with the SMS 2FA is a pain for customer service too.

I implemented rate limiting/lockouts for too many 2FA failures. I added the ability to clear the failed attempt count in our customer support portal. If we had any problems after those were implemented, I never heard about them.

Also, hosting email under your own domain gives you the freedom to move from one email provider to another even if they do shut down.

I put my money where my mouth is. I wanted to degoogle and so pay $50/year for Fastmail. One feature I like is automatically snoozing certain emails. Most of my non-personal email is automatically snoozed until 6pm every day. This way I don't get multiple notifications throughout the day for emails that aren't time sensitive.

And you can host the service yourself! Hard pass. I'll read the 25 responses from your gist. Thanks!

It boils down to: "Why are people violating these unenforced rules? Sure it benefits them, but don't they feel bad?"