I have been using Bookstack, I like it though it is missing a few features I would love:

• you cannot insert a video in it
• there is no possibility to comment on a particular text
• the permissions management is only done with roles. That’s fine generally but I wanted to be able to share a specific page with a specific user, and for that I had to basically create a dedicated role for this use.

Tailscale surprisingly was the fastest, even faster than plain Wireguard, despite being userspace. But it also consumed more memory (245 MB after the iperf3 test!) and CPU.

Do we know if this is a variation due to the test protocol or Tailscale is using wireguard with specific settings to improve, slightly, its speed?

With Tailscale and other mesh VPN, by default all your machines are client and servers. If you have 3 machines A, B and C, when machine A wants to send something to B it will connect to the server that B has.

These mesh VPN have a central server that is used to help with the discovery of the members, manage ACLs, and in the case one machine is quite hidden and not direct network access can be done act as a relay. Only in that last case do the traffic go through the central server, otherwise the only thing the central server knows is that machine A requested to talk to machine B.

You still have to trust them if you want to use their server, but you can also host your own server (headscale for Tailscale). Though at this point you still need to somewhat trust Tailscale anyway since they re the ones doing the client releases. They could absolutely insert a backdoor and it would work for a while until is is discovered and would then totally ruin their reputation.

One thing to keep in mind is that the websocket sync is not straightforward to set up with vaultwarden and the proxy. If you don’t have it working, then your client does not necessarily sync on every change.

Maybe this is related to this, with sync not being performed by the client you were using for modification?

If you are in an enterprise environment, it is easier to sell Ubuntu - at least there is a company that can provide support for it behind. Companies want to make sure someone is on the hook to fix an issue that would be blocking to them, and this is much harder with something like Debian.

That’s why Red Hat is used that much in companies, and what Canonical main revenues are coming from.

But as a selfhoster, I use Debian by default for my servers. Only if there is a very specific need for Ubuntu would I switch, and I am frankly tired of the Snap shenanigans on my desktop (thinking of migrating to PopOS or KDE Neon).

I don’t know if there is any specific utilities for that. You can always export your settings and reimplement them in lldap: this should be doable with a python script.

I never really understand why LDAP was so complicated. There must be needs in big setups that I am aware of but strangely I always found it not intuitive.

Yes, same for me. On android DAVx5 is perfect, and on MacOS, iOS there is native support. For Linux and Windows, your mileage may vary (fairly easy on Linux but very different variations and some require additional software).

It supports a proper sync (my wife’s shared events do show up on my phone and I can modify them there) and the address book is specific to each user by default, but you can create shared address books as well. Again, that is synced two ways.

For LDAP, by default nextcloud only reads it. But you can enable LDAP writing as well.

I do this with nextcloud (and lldap for the user management). Though that could probably be overkill for just contacts and calendars.

I’ll provide an ELI5, though if you actually want to use it you’ll have to go beyond ELI5.

You contact a web service via a combination of IP address and port. For the sake of simplicity, we can assume that domain name is equivalent to IP address. You can then compare domain name/port with street name/street number: you need both to actually find someone. By default, some street numbers are really standard, like 443 is for regular encrypted connection. But you can have any service on any street number, it’s just less nice and less standard. This is usually done on closed networks.

Now what happens if you have a lot of services and you want all of them reachable at address 443? Well basically you are now in the same situation as a business building with a lobby. Whenever you want to contact a service, you go to 443, ask the reception what floor they are in, and they will direct you there. The reception desk is your proxy: just making sure you talk to the right people.

I did consider it, and I have not cancelled the old one yet. But that becomes more expensive than migrating to the higher end plan without CG NAt of the provider.