Thanks for your point of view. All of my services are containers that have config and data folder bind mounted from an encrypted partition. After power on, a script download from a website half of the key needed to decrypt data, the other half is in the boot partition. In this way if my server gets stolen I can delete the half key stored on the website and the data disk can’t be decrypted. About swap, you’re right, but that doesn’t worry me at all since I don’t think that there’s anybody that would goes into that trouble just for my data. If someone is able enough and takes the trouble to read it, I guess that’s going to be the last of my problem: it would mean that I’m already in biiiiig troubles! 😆
If you tick the encryption box during install, you will have to enter the decrypt password at every boot and that means that if the power goes out for long enough (UPS doesn’t keep the server up for hours), I (and my family) will not have access to the self hosted stuff until I’ll be home and this is why I encrypt only the data partition and not the boot one.
I do bind mount data folders of the containers, I do backups, I have a notification system that alerts me if a container is not up, but a container can be up but have problems and, most importantly, I (and I guess a lot of other people) don’t always have time to solve problems. When I a few spare minutes a do a snapshot, I update the containers and if something goes wrong if I have time I troubleshoot it, otherwise I just roll back the snapshot and I’ll have a look at the problem when I’ll have time.
But from the moment that the script updates and breaks something and the moment he realizes it may be too late for some applications.
For example I host Traccar to track car/vans and in this case some tracks would be lost. Or maybe SyncThing, he may realize days/weeks later that a sync is not working and if he was synching his smartphone pictures with his server and the smartphone is lost/broke/stolen, he may lose days/weeks or even months of pictures.
I wouldn’t trust a script. Use Watchtower or What’s up Docker
But the attacker should know the internal and the external DNS. If the internal DNS doesn’t have any SSL certificate on its name, it’s impossible to discover.
By the way, I always suggest to reach services through VPN and use something like Cloudflare tunnel for services that must be public.
P.s. Shouldn’t public and private DNS be inverted in your curl example?
Or just point secret.local.mydomain.com to the LAN IP of the server.
No way! For just 1 reason: I will have to learn another new thing and replace it in about 6 servers. I value my time and for now Proxmox is fine.
P.s. Incus seems nice though! NO, stop tempting me!!! I’m already in the rabbit hole with a gazilion of self hosted services and dozens piling up in the to do list 🙈🙈🙈
Have a look at this video I’ve used a Fujitsu Futro S720 (30/40€ on ebay) and I’ve created my router with firewall, VPN, VLANs and so on with OPNsense
Why do you distinguish on premises from self hosting? If the server is in a server farm or in my basement, I’m still hosting myself my services.
From Wikipedia:
Self-hosting is the practice of running and maintaining a website or service using a private web server, instead of using a service outside of someone’s own control
A private web server is not defined by its location.
How do you convince your family/friends to switch to a new app on their smartphone and use one just to talk with you/others in the crew?
Well, if you use the CloudFlare WAF with login protection (available in the free tier), you’re pretty much safe since the connection doesn’t arrive at your server if you don’t authenticate in CF first (with Gmail, Microsoft, OTP, etc.) @foremanguy92_@lemmy.ml
how do we fix this?
With startpage.com!
Have you found a way to stream Netflix at 4K?