Wow, thats very, very nice. I didnt know this even existed.

But I suppose if it had widespread support it would be the perfect solution.

Firefox mobile not supporting it might be a dealbreaker though, since it is the browser I use and the one I persuaded all my friends and family to switch to…

But this is an incredibly interesting technology and I will surely look into implementing at least partially if that works.

Thanks a lot for sharing!

I didnt mention on my original post but I do have a virtual machine on gcp, which I use to run mongodb. I didnt mention it because I am not too concerned with it, but mostly it follows the same practices, with the exception being that ssh is open and it has no private data in it.

But I suppose I could do something similiar to what you mentioned. The ideia of having and eating the cake is very nice. And if something goes wrong I could turn of public access and have the vpn still working.

I will consider implementing something like that as well, thanks a lot for sharing your thoughts!

Yes absolutely. For work most of my clients use cloudflare’s different services so I understand they have credibility.

For me though, part of the reason I self host is to get away from some big tech companies’ grasp. But I understand I am a bit extreme at times.

So thanks for opening my mind and pointing me to that very interesting discussion, as well as for sharing your setup, it sure seems to be very sound security wise.

Thats a good point. Maybe I can get away with just temporary file sharing. So when someone wants something I can upload it to the server and send a link. I bet even nextcloud could do that.

Still way less scary then having everything on the server all the time

Id like to know as well. I definetely dont want to be the first person of that story tough

Ive heard of someone who exposed the docker management port on the internet and woke up to malware running on their server. But thats of course not the same as web services.

Oh, now I get what you mean, thanks for the explanation

Yeah it makes sense, I had originally gone with onedrive for the much cheaper price but I will take a look into s3 compatible storage and consider migrating in the future.

Thanks for your reply!

Suggestion 1 definetely does make a lot of sense and I will be doing exactly that asap. Its something I didnt think through before but that would make me much more in peace.

Suggestions 2-4 sound very reasonable, I have indeed searched for a way to self host a waf but didnt find much info. My only only concern with your points is… Cloudflare. From my understanding that would indeed add a lot of security to the whole setup but they would then be able to see everything going through my network, is that right?

Been there, done that lol, my ISP doesnt change my IP half as much as I should like, and I renew my certs half as often as they deserve.

Seriously though, I had certs expire twice until I finally decided to get this setup properly.

I see, I appreciate you sharing your knowledge on the matter.

Yeah I thoght about the spike in size, which I would definetely notice because the amount of data is pretty stable and I have limited cloud storage.

Regarding your last point, I currently have everything under a user account: the data I am backing up, the applications and restic itself all run on the same user account. Would it be a good ideia to run restic as root? Or as a different service account?

Thanks for replying!

I do use dns challanges for renewing my certs. But I use port 443 for application data, not for certs.

Is a vpn always safer then a reverse proxy? Do you use wireguard or do you have any other options worth looking into?

I don’t know much about ransomware but thats what got me concerned. I always assumed if I were to be infected, restic would just create a new snapshot for the files and Id be able to restore after nuking the server.

Thanks a lot for your input. I honestly had not considered this possibility.

Others in the post recommended removing those important files from the public facing server so that in the case of an attack they wouldnt be exposed. So I will try and follow this recommendation asap.

But your answer still applies to everything else I will be hosting so I am concerned. I had no idea ransomware was this smart. I will research more about this topic, but basically if I access a file from two different servers and its fine it means the file is free from infection?

That makes a lot of sense. Thats also very easy to setup so I will do it tonight.

Thanks again for your amazing input!

Thats a good point, I hadnt thought about it before. I like the possibility of sharing these files in my intranet but I suppose you are right. Maybe I could use openwrt to split two networks, one for public stuff only, but my knowledge of networking is quite limited.

That was a great answer, thank you so much!

Yes I didnt even notice the family photos and docs dont need to be on that same server. Initially I just put them there to act as a local file share. But you are absolutely right, moving them from the public server is the best thing I can do to protect them.

I will look into setting up a second server for the private stuff that is not publicluly accessible

Thanks for the amazing reply and specially for the explanation regarding wireguard.

I didnt know about crowsec and kata containers, both amazing projects, I will definetely look into it and try to set them up.

Just one quick follow up question, when you mention dedicanted service user, do you mean its best to have a sepate user for each service, such as one for nginx, one for adguardhome and so on? Currently all of them run under the same user and I didnt think about this possibility before.

Have you played around with Grafana? It really is quite simple if you have prometheus already working.

For a home lab environment you dont even need to use prometheus-alertmanager. Grafana can handle alerts as well.

Grafana also has hundreds of pre-made dashboards you can import. Node monitoring is quite straightforward.

Assuming you have prometheus good to go, all you need to do is go to Grafana - Datasources, create a new datasource, point to your prometheus instance.

Then you can import the dashboards you want.

Now you can setup your alerts - you can use SMTP, telegram, slack among others for your notifications.

I don’t really have any issue for what the software is supposed to do. I can access my instance, read and edit, templates and queries work fine.

But overall the user experience is not so good on mobile. On desktop it is really easy to navigate my notes, specially so because of the great support for keyboard shortcuts. Now for mobile it doesnt feel too good. Navigation works but the interface is too small - making tapping a bit clunky. I also find it uncomfortable to use for to do lists - things like groceries lists that I need on the go. Sometimes toggling works fine if touch but sometimes it switches to view mode.

I really dont think any of that is an issue with the software itself. Its just the format I guess? I still use silverbullet and Ive never tried anything as good for organizing work stuff. But I still wish something more “native” for android.

What issues did you have? I have updated recently and didnt notice any problems so far. Also do you have any suggestion for alternatives? For me personally silverbullet is great for desktop usage, not so much on mobile though.

Grafana is just the frontend, its a dashboard for your different data sources Prometheus is the “database”, it scrapes data from your endpoints over http

Thank you for your reply!

Personally I am fine with nginx configuration, at least when using containers. The syntax is fine and all I need to do is map one file into the container

But I took a look at the automatic cert feature and wow, that is very, very nice. I may give caddy a try for this feature only - it would simplify my current setup.

I am also surprised it allows using HTTPS over port 443 for cert renewal. I didnt even know this was possible, so I was always stuck with DNS challanges.

So again, thanks for your reply!

Honest question: why not use nginx?

I have run it in so many different scenarios, both professionally and personally, its crazy. Nginx has never failed me, literally. My homeserver is quite limited but nginx has a very small footprint, it performs beautifully well and it satisfies all my hosting, proxying, redirecting and streaming needs.

It works for modern and legacy applications, custom code, webhosting, supports all the modern features and its configuration is very easy with literal thousandsof examples available online.

Apache probably can do all that but I hate how unintuitive its configuration is to me personally. HAproxy cant do half the stuff nginx does.

As for caddy Ive heard of it but never really used it. What does it offer that nginx doesnt?

Awesome! If you decide to give it a go you may want to take a look at the authors youtube channel:

https://www.youtube.com/channel/UCdPAeHKtE5XcBQ8ScLhGsgQ

He has shared some examples of the things you can do with it.

Anyways I hope you can find somethinflg that suits your needs!

Not familiar with obsidian nor logsec, but silverbullet is a programmable notebook. Everything is indexed and can be used, acessed and manipulated using javascript.

You can then write queries to fetch the data and then use templates to display it.

I have a very simple query that displays all my pending tasks for each project I am working on.

I also have created a template for displaying ttrpg character sheets, and the data is polulated by a yaml object which contains the actual character data. Custom javascript code automatically calculates stats, skills, checks and carry weight for me.

So basically I believe that you can do what you’re looking for on silverbullet but maybe not out of the box.

Can you share some info on how you did that folder organization? Did you provide the AI with a list of files?

I dont get the downvotes. If op is into containers and security, podman sure is worth considering.

I am sorry that happened to you

Thanks for sharing your story, though. I have a few domains, two of them being very important for me (one I use for all my emails, and the other one for all my self hosted stuff). So I’ll be paying close attention to their renewal

I hope you can find another domain that you like and that you can transfer your stuff to it.

I am currently running baikal using podman, quadlets, rootless mode. What kind of issue did you have?

That said, although baikal does get the job done, I am actually considering migrating to nextcloud just because of caldav/carddav, since it seems to be the most complete implementation out there.

It is worth taking a look at the features you need before fully migrating. As far as I can tell baikal may have some issues for some people with invitations, sharing calendars and sending email.

I’ve seen people recommend radicale, which probably works well, but from what I read is the least adherent to caldav/carddav protocols.