I test installed it in Proxmox in a Debian 12 LXC for the sever part, it was fairly easy, just run three commands. The client was as well, but failed to do something with the email during registration. It has a while longer to go I think. But I put it in my bookmarks to visit every so often as well. :)

I use Technitium DNS as both my DHCP and DNS Server on my network. I then have my ISP Router’s DHCP turned off, and point the primary DNS IP To Technitium’s on my network. I have roughly 66-67 network devices at a given time on my network, mostly wireless. (Think wiFi locks, Lights, Outlets etc) then I have my phones and gaming systems an any given thing.

To manage my IP’s I use an Airtable type of database via BaseRow, also self hosted. Through my router’s records, I copied/pasted every single MAC address I found, into a column in my BaseRow table there, and then added the device name or friendly name to another with an assigned IP I want to use. I have a more organized system of ranges 192.168.1.1-10 is mobile devices, 192.168.1.11-30 is IoT etc…

By having my network setup in this fashion, I accomplish a few things, all new devices which power on or connect to the router to get their IP assignment fail to get it since it’s turned off there, and they search the network for an available DHCP Server which lands squarely on the TechnitiumDNS server and are assigned it through there. I also have adblocking enabled through the same server so I have a more home wide adblock which works. (You’d be amazed at how much Telemetry a TV Sends out for every single remote keypress!) I have been able to block those with the adblock enabled. With the DNS server, you can also assign DHCP ranges address, it is really an overly complex server and probably overkill for a home network. I’ve only scratched the surface of what it can do.

If you don’t want to fuss with TechnitiumDNS, there’s AdguardHome, or even PiHole you can use if you want to block Ads (or you can simply disable that function) and those also act as a DHCP Server.

Or, if you are wanting to spend a few hours configuring it, you could run your own DHCP Server in a VM or dedicated device such as a Raspberry Pi.

With all of these settings, it’s important to set your DHCP lease offer long enough that if you have to reboot the DHCP Server for kernel update, or it crashes, you won’t have any devices fail as some do regular polling to check for connectivity (My Linux computer does this a lot). I don’t remember if it’s KDE or Arch. Anyway, running the DNS Server also allows you to custom build your own “domain” system if you will. So could assign maybe your self hosted Calendar for example to http://calendar.local or http://calendar.internal.

By setting up a dedicated DHCP Server, using the manual method or one of the different AdBlock systems, you can also turn off DHCP registration for ‘foreign’ devices or those which aren’t in your DHCP table. This offers a small element of extra security for your WiFi, but it’s not 100% secure if someone knows your IP ranges and Subnet Mask. Also, this will make it easier in the future for you if you upgrade your router or replace it as there’s just two settings to change. (DCHP Server off and the optional self hosted DNS).

Why not use a different DDNS service? There are plenty out there. :) I think this may solve your issue. I’ve been using freemyip.com’'s for a while and have had no problem in the past issusing LetsEncrypt SSL’s. At the moment, I’m on Cloudflare tunnels so it’s automatic with them, which I know is a huge trust issue for a lot of people, but I don’t mind it for my stuff. But I do like to have my DDNS as a backup service from time to time.

I have been using Tailscale, connected it to my domain, I use Authentik for my OIDC/SSO Sign in and tied it that way for the MFA OIDC Login Tailscale let’s you use. All I needed to do is setup a webfinger for it and once it verified my domain, I was able to give them my OIDC settings for them. Tailscale so far for me in the last year or so has been quite simple to use. Plus, being able to log into my admin console and any devices I enroll through Authentik’s front end, has given me peace of mind knowing it’s quite secure. (All of this on a Proxmox server BTW).

One may argue about self hosting Wireguard and I agree, it’s quite easy to do if you use something like wg-easy which makes it simple to add phones to your network. My concern with it though was having to poke a hole into my firewall for the WG traffic to hit the server, once I got into Tailscale, it’s made it easier and I don’t have any open ports on the router now. I think this is primarily why the Jupiter Broadcasting guys push it so much on their podcasts, not to mention one of the hosts on his podcast is an employee for Tailscale as well, so that probably helps a bit.

As for funding for both Nebula, or Tailscale, they do cater to enterprise customers so you have the assurance that they do have to answer to them if they revoke a service or ruin it. :)

For Tailscale, it’s just a matter of them allowing you to add 100 devices for free and it’s simple command to install it on any client via the cli including Apple TV for example. For phones, I have Tailscale on my phone connected 24/7 to my exit node which is my Proxmox server which acts as one, and as a backup, my Raspberry Pi which acts as one as well. So, even if I’m on the road or away from home, I’m always on my home network (unless blocked by overzealous sysadmins on their public WiFi networks). There’s not much to manage via the phone, but I like to think it’s ‘set and forget’ really, once you have it all configured, it just runs in the background and they do not decrypt your traffic much less care what goes through it.

I took a quick read of the comments and I apologize in advance if this has been suggested already.

I use a self hosted DNS server (AdGuardHome) I was using TechnitiumDNS for a long while, but moved over to the other recently so I could do some more blocking as needed (adult special needs house dweller sometimes needs limited internet). It also acts as a DHCP Server so it takes the role of both the DHCP assignments away from the router. As it so happens, this week, I got to experience the benefit of having this setup live when my main router also went down, I was able to switch to a spare router (My ISP provided one) and all I had to do was turn the DHCP off and optionally point the DNS To my AdGuardHome address, set the SSID’s up and I was in business. All of my devices happily reconnected and grabbed their assigned IP’s.

In short, if you have a spare computer, SBC such as a raspberry PI or whatnot, you can easily host something like that and not have to worry about setting those again.

Cyberchef, I’ve looked at but honestly for me, IT Tools works best for my needs so it’s all good on my end.

Dozzle is just log viewing plain and simple. Dockge shows more that’s all I know. I tested Dockge earlier on in development and haven’t been back since, I know it’s grown a lot more since.

I’ve seen a few mentions of PiHole and AdguardHome, I started on PiHole, then moved to AdguardHome for adblocking. Then I heard about and have been using TechnitiumDNS server which is sort of overkill for our needs, but with the right ad-lists, it is fantastic at blocking advertisements on my home network. Super fast install too, even on a Raspberry Pi 2 :) I run that along with Proxmox-VE (Protected behind OIDC Login) and several other containers on my cranky old Dell Desktop server.

Mostly Vaultwarden, and a few other services for home private use such as PairDrop for inter system sharing and a self destructing file sharing server for when we need to send documents to our Attorney’s (rarely but sometimes we need to) office via Pingvin.

I also run:

• Home Assistant
• Transmission Dockerized so I can help contribute to the Linux community and share the ISO’s.
• For some of my externalized sites, I run Authentik It acts sort of like a Reverse Proxy if you configure it to do so. I love that I can simply identify myself with my WebAuthn device skipping any passwords. :)

With Authentik setup, I can login to things like my Fresh Tomato Router TechnitiumDNS (Both use HTTP Auth headers) and Memos which uses OIDC/SSO. It’s meant to replace our Google Keep notes.

• Tailscale is installed and I connect to it from my phone when away from home to always stay on my network. Sometimes, hotspots block it so I generally avoid those as much as possible.
• Wallos to help keep track of our re-occuring subscriptions.
• Grafana and Promethus - both are staged and ready for configuration and one of those I will get around to eventually.
• InfluxDB - I plan on moving Home Assistsant logging soon to that which should tie nicely into Grafana later.
• Ben Phelps’ Homepage - it’s my main server dashboard my wife and I use to access our server. Quite simply one of the best dashboards IMHO.
• Wyze Cam Bridge - One of the better services in which you can log into your Wyze cams and convert their streams to RTSP, RTMP or HLS streams easily. I have that feed to my Home Assistant Security Dashboard.
• Baserow It’s a good Airtable alternative and I use it to keep track of my Static IP assignments, Sleep tracker (I suffer from insomnia), and other data points. It’s pretty amazing. I even created a pain logging for for my wife so she just accesses it and answers basic questions about her pain levels and it pushes it to the database for later retrieval.
• Joplin Server - Sorry, I don’t have the link, but it’s installed via compose. I use Joplin Notes on my phone and computer for keeping my code snippets. I’ve tried Obsidian and it didn’t really meet my needs and Also Anytype, but that’s not self-hosted. Joplin server is for me and that’s become handy a time or two when on the road.
• Bookstack - my grand plan for that is to build a Wiki for my family to use in the event something should happen to me, they can know how to manage the server with nice screenshots and instructional steps. I have that protected behind Authentik’s OIDC logins.
• IT-Tools - hands down one of the coolest self hosted tool sets you can use.
• Webcheck - All-in-one OSINT tool for analyzing any website https://web-check.xyz/ is their demo site. :)
• Stirling PDF - Kind of like a Swiss-army knife for PDF’s. :)
• Dozzle - For those times with you really need to see what your Docker logs and too lazy do run a docker logs -follow command.

I still use Portainer-CE and am happy there, I may try Dockage or the others, but it’s fine for what I need it for (It’s also protected by OIDC)

I’m sure I may have missed a few, but this post has gone on long enough. :)

You can always use something like SSHwifty It retains your logins through your browser’s session data and never on your server, but it will allow you to remote into your local system from anywhere on the WWW if you desire to do so. With Tailscale, once you are connected into your Tailnet, you can pretty much SSH into any of your devices as long as the subnet sharing flag is turned on I believe. I’ve never had any issues with mine not allowing any SSH connections.

Homebox - before we relocate - whenever that is, I will be printing labels and putting them under and behind my stuff, scanning it into there and then will use that to keep track of our items after the move to know what is in which box etc.

NocoDB Self Hosted (I use this for a few things) - started out with my network ip’s I have on my servers and ports for my containers and most recently a sleep log.

Just a couple there.

Grafana + Prometheus dashboards can be quite addicting or useful. Noted.lol put together a nice tutorial for getting started.

For most of my services though, I simply use Uptime Kuma which then sends an alert to Gotify when my services go down or whatnot, Gotify then instantly notifies my phone so I can be aware. It helps keep the spouse happy when their go to service for some reason crashed. :)

From their readme. I asked about that last night and he replied an pointed me to it. :)

Kiosk mode

Kiosk mode can be activated by a checkbox on the page. Note that there is no way out of kiosk mode (except refresh or closing the browser), and the play/pause and other controls will not be available. This is deliberate as a browser’s kiosk mode it intended not to be exited or significantly modified.

It’s also possible to enter kiosk mode using a permalink. First generate a Permalink, then to the end of it add &kiosk=true. Opening this link will load all of the selected displays included in the Permalink, enter kiosk mode immediately upon loading and start playing the forecast.

I didn’t see IIS mentioned, but I didn’t take a close look at the code. They give you a docker run command to set it up, so I converted it to a docker compose file so I can run it later. All of this is running on a Debian 12 system, so if IIS is needed, I’d wager that is if you are running a Windows setup.

I have mine embedded in Home Assistant now as an iframe using the Kiosk mode setting which works.

Looks nice! I set mine up and have it as an Iframe in Home Assistant. The app is a fork from https://github.com/vbguyny/ws4kp with his demo site here: https://battaglia.ddns.net/twc That version has the music we all came to know and love from back then.

Authentik is my IDP provider so I put it in front of all my publicly facing Apps which support OIDC login. For example, I can log into my Portainer instance from an external network, but to do so, I log into Authentik First which sends it to my service.

For the apps which support HTTP headers, like I said, Pomerium acts as the service which passes my credentials to the device. I admit - Authentik does this also without the need for Pomerium, (through their flow settings) but I found Pomerium to be much easier to set up for this than Authentik and haven’t looked back or felt the need to change it.

With that, I use Pomerium for apps which accept a HTTP Headers, for example, my Fresh Tomato firmware flashed router, it has a HTTP dialog. This allows me to login from the road if I need to manage something like rebooting it or updating firewall rules etc.

My access flow is this :

router.example.com —> Cloudflare Tunnel —> Pomerium IP —>Authentik —> Router’s Gui.

It works flawlessly. I don’t often use it, but when I do, it helps. I also had it enabled for AdguardHome but moved to Technitium DNS which I prefer and that doesn’t have the HTTP Headers so it’s not fully compatible with Pomerium that I’m aware of.

https://www.youtube.com/@cooptonian His Authentik videos are top notch and they (Authentik) have also had him make some for them. One of those videos, I can’t recall shows you how to do this, I think it may be the 2FA/MFA one. I use Authentik and can login with fingerprint login without using my UN/PW first. It’s pretty slick.

I am a former IT Desktop drone…er…support worker… I used to swap towers for my local municipality back when Windows XP was being replaced with 7. I saw passwords on post-its attached to the monitor, mouse pad, and even under the keyboard or keyboard drawer (I had to get under desks to do the swap). Our policy was to remove those whenever we saw them and trash them in a different can across the building or a different one. They have a standard 90 day password cycle and most people couldn’t handle that. I would answer the phone often to 'unlock" their account after 3 attempts. My all time favorite when I would help an end user with software was when I would encounter someone’s “God Mode” icon for some of the registry hacks that used to float around. Everyone had Admin privileges (ironically), so it wasn’t really needed anyway.

Their primary server admins and IT folks in the main office were Top notch though. Never any downtime and the main security guy was very strong in making sure everything was adhered to. We, as desktop support didn’t have the master password to decrypt a laptop which was GPG protected and had to bring it to him if we had a user which locked themselves out. With great consternation, only a few machines would be allowed to XP and those were VLAN’d and isolated from the outside world.

The rest of the server admins handled everything with ease seemingly. The fun part was when they had a third party come in and do a security audit. No problems on the server side, but it wasn’t a success. They did the 'ol drop a flash drive randomly in different locations test. Knowing human nature, they knew someone would pick it up, plug it in and be baited with an excel file which looked like it had financials. Unbeknownst to the user, it sent a ping to their reporting server and the drive ID. Which was later reported back. They also did physical security penetration tests - walk in behind you type of thing. I remember seeing a group of guys non company ID badges try to follow me into the main IT office. I stopped them and asked who they were and what they wanted (this was a Govt building), and the look of confusion mixed with satisfaction from them that I stopped them was priceless. I let the head IT guy know who was at the door and left it up to them to unlock it for them.

I now work in a help desk position for a software company and miss those days of desktop support. But, I know for a fact that I.T. Guys an Gals don’t get enough recognition. They are the understated backbone of a company’s well-being especially when holidays and weekends are prime time for systems to fail and they are practically on call no matter what.

I am testing it and it seems to run every 5 minutes to sync. Handles standard IMAP and POP inboxes. No auth for main page, so they caution appropriately to avoid public facing web exposure. They are planning on adding more support for Gmail and the like:

https://github.com/bandundu/email-archiver/issues/6

It installs by default in debug mode which may or may not be a red flag depending on your security model.

The email search is fast, but could use work, I will say it is VERY early in development. But for downloading email for later storage, it should do. It stores your e-mails in a SQLite database in the same directory as the installer, so if you want to manipulate the compose file a bit, it should be able to point to your desired storage directory. With that said, I also was able to add a TZ= directive so my logs at least are a bit cleaner with timestamps to match my timezone, something they have not added.

If you wish to access this remotely before they add a public facing login, protect it with a SSO solution or other front facing login setup so it would not be accessible. Or securely access it via Wireguard, TailScale, or Headscale.

I use Proxmox and don’t use Truenas. My setup is basically to install Cockpit on the host server via apt-get and then the 45 Drives cockpit-sharing plugin. This provides the NFS and Samba sharing I need and use. I host Home Assistant in a VM and Docker containers in a few LXC containers which host about 10 containers each. Then, in combination with https://tteck.github.io/Proxmox/ you can set up pretty much anything you need from there.

This is on in computer terms, ancient; a 13 year old Dell Optiplex 990 with 16gb Ram and software such as Authentik and Vaultwarden from different dedicated LXC containers. Never have any issues with overload of the system resources or running out of memory. It’s pretty much rock solid.

Tailscale is but since you already tried them, maybe headscale that’s supposed to be the self hosted version of Tailscale that someone wrote, so you have better odds at less latency! https://headscale.net/

Zerotier? Not sure -https://www.zerotier.com/ can speak more to this.

If behind CGNAT and forwarding is not an option, Headscale, Tailscale or ZeroTier may be an option. I use Tailscale and it have ZERO forwarding on and can access anything on my network when connected through it. Think of these as Wireguard on Steroids. :)

As Another Proxmox user - I’ve been doing well with it. I use these scripts for the LXC’s which has been fantastic:

https://tteck.github.io/Proxmox/

I also can log into it from the web as it’s secured by Authentik, SSO OIDC login when Away from home and need to manage it. Rare! But the option is there! :)

The older IDE drives with the 5.25" platters and smaller ones make great wind chimes. The laptop ones are a bit .ore fragile due to thinner material. Years ago, we used to do this with a few of them.

If the app supports SSO and allows user creation, then it’s just a matter of passing the user claims such as username or email which the app expects from your provider.

I use Authentik as my solution, which uses a GUI for user management and supports all major SSO options, from MFA, to OIDC, SAML, LDAP and more.

Xpipe https://xpipe.io/ is an alternative it runs and stores your data locally on your machine and not web based. I’ve been playing with that a bit, it does auto discover Containerized apps and you can sort of exec into them to run commands and also browse the directories of your containerized apps with a simple click in a File type GUI. It uses your OS’s default Terminal application so it won’t bring any extra with you so it’s more native to your OS.

I’ve been a Konsole user on KDE for a few years now and it’s pretty much what I’ve been used to. Trying out Xpipe now and Termius about a year ago, I can say that Xpipe is stronger in it’s ability to interface with my containerized apps (Docker), but lacks the polish that Termius has visually. They both get the job done, but at the end of the day, I still reflexively just hit my Ctrl+Alt+T key combo to log into my machines.

Then, for a whole different take, SSWifty! https://github.com/nirui/sshwifty - Instead of launching an app, deploy this on your server, and then use your browser’s session to securely access your sites.

I got lost with setting up a nice inbox downloader to store all my emails on a HDD attached to my RPI4, but haven’t quite mastered the SMTP server part or found the right software to run on it. It’s currently powered off waiting for a reflash of the SD Card so I can try again. The end goal for mine is to set up fetchmail and have it grab from my inboxes then imap capabilities so I can read it in Thunderbird. (Don’t talk to me about webmail, I know it’s the way but I’m older than Star Wars (Original one) and am stuck in my ways. Now get off of my lawn!

Seriously though, I have tinkered with it before as an AdguardHome Server, but somehow, my latency increased so I dropped that. Most of it’s life was spent hosting Home Assistant on it until I moved that to the umm…more controversial Proxmox VM method. I’m also on the fence about setting up the Raspberry Pi Nextcloud on it. (Maybe).

Here is a good resource for 36 different things you could possibly do with yours.

Anytype is amazing, but when they give you these super long passkeys to decrpyt? That makes having to either memorize the something like 12 short words, and keep them in the exact order they tell you, you sort of have to put them in a notebook (ironically), password manager or whatever you choose to store it.

It needs to be self hosted - no docker containers that I can find.

https://github.com/streetwriters/notesnook-sync-server

Based on this, it’s not yet available. I use Joplin server for my stuff and have been wanting to move away to a web based platform as I tend to reinstall my OS every few months and like to be able to dial in my self hosted instance and reference for what I need.

Installed and no way to login, see this in your GH issues:

https://github.com/linkwarden/linkwarden/issues/415

This is a fresh install as about 10 minutes ago so using the :latest tag which I believe is the v 2.4.8 build. Signing up is possible and I was able to create my user account so that’s a good start at least. :)

Since you didn’t include a link to the source for your recommendation:

https://github.com/canonical/lxd

I’ve been on Proxmox for 6 or so months with very few issues and have found it to work well in my instance, I do appreciate seeing another alternative and learning about it too! I very specifically like Proxmox as it gives me an actual IP on my router’s subnet for my machines such as Home Assistant. So instead of the 192.168.122.1 it rolls a nice 192.168.1.X/24 IP which fits my range which makes it easier for me to direct my outside traffic to it. Does this also do this? Based on your screenshots, maybe not, IDK.

Constructively speaking, when I see this in almost every change log, it scares me away. :)

[BREAKING CHANGE]

But I will check it out sometime this week or next. :)

Probably the only true way of knowing is by setting up an EXTERNAL host somewhere on a VPS or maybe a reputable VPS provider. Then, on that provider, set up Uptime Kuma, or if you don’t want to go through that trouble and don’t mind a potential 10 minute gap in knowing, https://uptimerobot.com/ which checks every 5 minutes and sends an alert.

Once you do this, unless you have a Static IP, you will want to register with a DDNS provider so you can then tell the uptime service to ping your DDNS host which should echo back . If your internet is down, it won’t echo back and then it will trigger their alert. Of course, this won’t work if your IP changes, so staying on top of that is key unless you use a router which auto updates it which a lot do now days.

Or, if you use Cloudflare Tunnels, it can be configured to alert you when the tunnel is down or unhealthy (A.K.A. No internet or the server is rebooted).

I will update my OP soon, but with the help of Dave811@lemmy.today here I was able to resolve my domain to my machines at least through Cloudflare using the ‘’’ --accept-routes’‘’ tag in my tailscale up command. This then, allowed me to point the A Record to the IP for the machine which Tailscale gives. I will have more details on this later this weekend or maybe sooner. I’m still working on resolving my password manager being exposed through Tailscale which I figured out this morning, so I need to migrate that over to a new LXC container. Then, after that - I’m ready to move away from CF once I copy my existing tunnel mappings over to the A name records with Porkbun. (shoot! I might just write a new post about this so anyone can glean from it when I’m done). Its still very much a Work in Progress.

Understood! I have subnet routing enabled as well. First thing I did when I realized my phone couldn’t access my local server once connected to Tailscale. :)

Simply put - I won’t risk making my work’s IT mad by logging into my machinename.tailscale-defined.ts.net. I don’t know if it’s blocked there, but you never know with IT polices and such. I’ve already been able to get through to my foo.example.com address without issue so I’m letting a sleeping dog alone so to speak.

Also, I think it’s easier to tell someone to go to videos.example.com than machinename.tailscale-defined.ts.net. :)

Gotcha, so normal means of exposing services via reverse proxy. :) With mine so I could access my local IP I just enabled the --advertise-routes option.

Nice! So, using the --accept-routes part, does that allow you to use a CNAME record to your funnel’s address (machine.tailscale-id.ts.net) ? I tried to do this and it failed to resolve for reasons of too many redirects.

Thanks! That’s one part of the equation. I think. I have a lot to read up on, I just got set up about an hour ago with Tailscale so a lot to ingest.

Ideally, I want to replace my Wireguard connection which I am currently using (WG-Easy) to stay connected to my home network when I’m away from home so far that’s been hit/miss on 2 out of 3 phones I have running Android 13. I’m working on getting that to work with my new setup on Tailscale.

Don’t use Curl Just use the IP or domai it asks for then your token.
Mine works without issue.

I just installed Pomerium and got it to integrate with AdguardHome and my router which both use basic HTTP, I also use Authentik. It’s a bit of a learning curve, but in short, this is what the config.yaml file needs to work to get it up and running:

The basic auth header for this is just UN: example PW: Password

authenticate_service_url: https://verify.mydomain.com
idp_provider: oidc
idp_provider_url: https://Authentik.mydomain.com/application/o/pomerium/
idp_client_id: AUTHENTIK'S CLIENT ID
idp_client_secret: AUTHENTIK'S CLIENT SECRET
idp_provider_scopes: null
routes:
  - from: https://agh.mydomain.com
    to: http://192.168.1.200  ##Adguardhome address
    policy:
      - allow:
          or:
            - email:
                is: myemail@mydomain.com
    set_request_headers:
    # https://www.blitter.se/utils/basic-authentication-header-generator/
       Authorization: "Basic ZXhhbXBsZTpwYXNzd29yZA==" #AdguardHome
      allow_websockets: true


  - from: https://router.mydomain.com
    to: http://192.168.1.254
    policy:
      - allow:
          or:
            - email:
                is: myemail@mydomain.com
    set_request_headers:
    # https://www.blitter.se/utils/basic-authentication-header-generator/
      Authorization: "Basic ZXhhbXBsZTpwYXNzd29yZA=="  #Router 
    allow_websockets: true


cookie_name: pomerium
cookie_secret: RANDOM 32 CHARACTER COOKIE=
cookie_domain: mydomain.com
pomerium_debug: true

So, now when I go to my Adguardhome’s URL ( agh.mydomain.com), it auto directs to my Authentik instance, then upon matching my signed in email in the browser session, it transparently logs me into Adguardhome without issue. The same applies to my router’s login.

In short, if you have found an NVR which supports basic http auth, Pomerium is the missing piece I’ve found to work.