Second. I used to self-host Bitwarden. Then I realized it’d be too devistating to lose all my passwords, even with backups. So I moved to their cloud service and paid for my families accounts too.
Joplin tho, Joplin stays on the server with no backup. I should really, really make a backup this weekend.
I host in the way that you describe: “service.domain.com”. I use Cloudflare, docker, and Caddy.
I don’t remember any pit falls off the top of my head. Make sure to use HTTPS (port 443). Everything on http is basically open for everyone to see. Caddy should set that up for you automatically, tho. I recently moved to Caddy from Traefik, it’s an awesome tool.
Oh, here’s a pitfall. One time I opened a port, #22, for ssh access to my server. I installed fail2ban on my server. One weekend I looked at my logs and found I’d banned hundreds of IP addresses. Some bot found my open port and then begun attacking the login with some kinda rainbow table. I moved the port from the ssh default to something else and never had a problem since.
Also, and this isn’t a requirement but just useful, I set up a VLAN for my selfhosted server. It’s firewalled from my local network. That way, if someone access’ my server they don’t have access to my whole network.
So, tldr, have fun and midigate risk where you can.
This is valuable feedback. In retrospect I didn’t explain my problem at all. I’m really good at reading instructions, pretty poor at asking for help.
I’m going to take another crack at this, after I read up on and learn all about Caddy. At first glance it looks like it takes away a lot of my pain points from Traefik.
That’s a tuff ask, and it’s been awhile since I looked.
My kids phone is Android, computer is Windows, and I couldn’t get away without Googles Family link.
The PC was easier. I use Pihole to primarily block ads, but it can also log DNS requests from my kiddos PC, and I use my switch to kill his internet. It’s a desktop and doesn’t have wifi. So it’s just a Ethernet cable to his room. Kill the port or unplug the cable for dramatic effect. Any OS he’s on he’ll have restrictions and monitoring as long as he doesn’t spin up a VPN or learn how to change the DNS host. But much to my dismay I don’t think he’ll ever love Linux, or networking.
The phone was harder. Android gives up a random MAC address so blocking him from wifi was difficult, and it didn’t matter anyway since he had cell service. Eventually I came to realize that if he’s in the Google ecosystem, I have to play with Google if I want parental controls on his phone. It sucked. But, again much to my dismay, he doesn’t seem to think a big company knowing literally everything about him matters all that much so… Whatever. Maybe I’m the one that’s crazy.
ProtonMail. 100%.
I set up custom DNS and catchall so yourcompanyname@saltycowboy.org is really how I filter spam.
Please note, saltycowboy.org isn’t really my domain.