• 1 Post
  • 28 Comments
Joined 2 years ago
Cake day: June 30th, 2023

    1. I don’t think this is a problem with tailscale but you should check. Also you don’t have to pipe all the traffic through your tunnel. In the allowed IPs you can specify only your subnet so that everything else leaves via the default gateway.
    2. In the DNS server field in your WireGuard config you can specify anything; it doesn’t have to be RFC 1918-compliant. 1.1.1.1 will work too.
    3. At the end of the day, a threat model is always gonna be security vs. convenience. Plex was used as an attack vector in the past, as most people don’t rush to patch it (and rightfully so; there are countless horror stories of PMS updates breaking the whole thing entirely). If you trust that you know what you’re doing, and trust the applications you’re running to treat security seriously (hint: Plex doesn’t), then go ahead, set up your reverse proxy server of choice (easiest would be Traefik, but if you need more robustness then nginx is still king) and open 443 to the internet.
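Points 1 and 2 above in a concrete client config, as an added example that is not part of the original comment: a split-tunnel WireGuard profile that routes only the home LAN through the tunnel and uses a public resolver, plus a small check that tells a full tunnel from a split one. The keys, the endpoint `vpn.example.com`, the tunnel range 10.8.0.0/24 and the LAN 192.168.1.0/24 are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the comment above): a split-tunnel WireGuard client
# config that only routes the home LAN through the tunnel, plus a check that
# tells full from split tunnels. Keys, endpoint, the 10.8.0.0/24 tunnel range
# and the 192.168.1.0/24 LAN are placeholder assumptions.
set -eu

write_wg_conf() {
  # $1 = path of the client config to write (e.g. /etc/wireguard/wg0.conf)
  cat > "$1" <<'EOF'
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
# Any resolver is fine here; it does not have to be an RFC 1918 address
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# Only the LAN and the tunnel range go through WireGuard; everything else
# keeps using the default gateway. "0.0.0.0/0, ::/0" would send it all.
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
PersistentKeepalive = 25
EOF
}

# Prints "full" if the AllowedIPs line carries a default route, else "split".
wg_tunnel_scope() {
  if grep -Eq '^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*(.*[ ,])?(0\.0\.0\.0/0|::/0)' "$1"; then
    echo full
  else
    echo split
  fi
}
```

Run `write_wg_conf /etc/wireguard/wg0.conf` and bring it up with `wg-quick up wg0`; `wg_tunnel_scope /etc/wireguard/wg0.conf` prints `split` for this file, and would print `full` if you later widened AllowedIPs to `0.0.0.0/0, ::/0`.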

  • For the license to be changed, every team member needs to submit a written agreement that they agree to the change; otherwise their contributions must be removed, as they were written under a different license. The only exception is usually permissive licenses such as MIT/BSD 3-clause.

    Usually, to rug-pull FOSS contributors, companies who maintain FOSS software ask contributors to sign a CLA which waives their rights and lets them control their contributions. Immich isn’t doing any of that, and it will likely remain AGPL forever because changing the license would be a big hassle for them with the amount of contributors.

  • Other than the slowly growing log file (if you use fail2ban, for example), it will take thousands of years to actually hack you through this method as long as root auth is disabled and authentication is only via SSH keys. I wouldn’t worry about it.

    It is possible to tighten the security of a machine to the point that it is no longer usable. It is important to secure our devices, but we cannot forget about convenience, so the trick is to tighten it but also make it so you don’t have to jump through a number of hoops till you get to your destination.

    I, for example, wouldn’t use your method because it would make it difficult to use some services I host from my phone.

    Port knockers for the most part aren’t worrying. In an ideal situation, the only ports that should be open are 22, 80 and 443, with a reverse proxy to mask headers (as an example of poor configuration, go to Shodan, type bitwarden in the search bar and see how many people carelessly expose their instances to the world without an SSL cert), and the occasional UDP port for game servers/media servers.
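The "root auth disabled, keys only" setting from the comment above, as an added example that is not the commenter's own config: an sshd drop-in plus a check that reproduces sshd's first-match-wins rule, which is the usual reason a hardening line appended to the bottom of sshd_config silently does nothing. The drop-in path is an assumption; Debian and Ubuntu `Include` sshd_config.d/*.conf at the top of sshd_config, which is why a drop-in wins over later lines.

```shell
#!/bin/sh
# Added example, not from the original comment. Writes an sshd drop-in that
# disables root login and password auth (keys only) and checks the value sshd
# will actually use. sshd keeps the FIRST value it sees for a keyword, so a
# hardening line placed below an earlier "PasswordAuthentication yes" is
# ignored; Debian/Ubuntu Include sshd_config.d/*.conf at the top of
# sshd_config, so a drop-in there takes precedence. Paths are assumptions.
set -eu

write_ssh_dropin() {
  # $1 = drop-in path, e.g. /etc/ssh/sshd_config.d/10-hardening.conf
  cat > "$1" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
# called KbdInteractiveAuthentication on OpenSSH 8.7+, old name still accepted
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Uncomment to listen on IPv6 only, like the setup in the next comment
#AddressFamily inet6
EOF
}

# Effective value of a keyword: first non-comment match wins, keywords are
# case-insensitive (same rule sshd applies when it parses the file).
sshd_effective() {
  # $1 = config file, $2 = keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Non-zero exit if either lock-down is missing. Run after editing and before
# restarting sshd (still run "sshd -t" for syntax errors).
check_hardened() {
  [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ] &&
  [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ]
}
```

To audit a host, run `check_hardened /etc/ssh/sshd_config` against the file that actually gets loaded first (the drop-in on Debian-derived systems); on a live box `sshd -T | grep -i passwordauthentication` is the authoritative answer, since it prints the merged configuration sshd ends up with.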

  • I have port 22 open on IPv6 only and I can only authenticate with my private keys, which are all added in .ssh/authorized_keys. Fail2ban is configured to keep the bots out, but the ban log is empty because there are either no bots operating on IPv6 yet or my IP is so far out of reach it will take the bots a millennium to get to my address.

    Some set up WireGuard or another VPN protocol but I like having everything within reach as long as the device I’m carrying has my key on it.

    One thing you should avoid is opening your docker containers to the web. If your VPS isn’t behind a NAT (they usually aren’t), be careful when binding ports, which usually bypasses whatever firewall configuration you may have because docker writes its changes directly to nftables.

    https://docs.docker.com/network/#published-ports

    Other than that, remember that this is just a hobby (for now) and take a break when something doesn’t work or you don’t understand it. I personally made a lot of mistakes because I was just eager to finish something and I was rushing it.
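The published-ports point above, as an added example that is not part of the original comment: a check that lists every container port Docker has bound on all interfaces (`0.0.0.0` or `:::`), which Docker publishes by inserting its own rules ahead of a host firewall such as ufw. The `docker ps` sample is constructed so the script runs offline; on a real host the same function reads the live `docker ps --format '{{.Names}}\t{{.Ports}}'` output.

```shell
#!/bin/sh
# Added example, not from the comment above. Flags containers whose published
# ports are bound on every interface (0.0.0.0 / :::); Docker adds those to its
# own iptables/nftables chains ahead of rules you wrote (ufw etc.), so the
# ports are reachable even when the host firewall says otherwise.
# On a real host:  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_published_ports
set -eu

# Constructed stand-in for "docker ps --format '{{.Names}}\t{{.Ports}}'"
sample_ps() {
  printf 'web\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\n'
  printf 'db\t127.0.0.1:5432->5432/tcp\n'     # loopback only: fine
  printf 'cache\t6379/tcp\n'                 # EXPOSEd but not published: fine
  printf 'bitwarden\t0.0.0.0:443->443/tcp\n'
}

# Prints "<container> <mapping>" for every mapping reachable from outside.
audit_published_ports() {
  awk -F'\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++)
        if (maps[i] ~ /^(0\.0\.0\.0|\[?::\]?):[0-9]+->/) print $1, maps[i]
    }'
}

# Number of wide-open mappings, e.g. for a cron job that alerts when > 0.
exposed_count() {
  audit_published_ports | wc -l | tr -d ' '
}

# The fix: bind to loopback (or the VPN/LAN address) and let the reverse
# proxy be the only thing listening on the public interface.
#   docker run -p 127.0.0.1:8080:80 ...     # instead of -p 8080:80
#   ports: ["127.0.0.1:8080:80"]            # compose equivalent
```

Against the constructed sample, `sample_ps | audit_published_ports` reports the two `web` mappings and the `bitwarden` one (three lines), and nothing for `db` or `cache`. Note that the IPv6 wildcard shows up as `:::8080`, so a check that only greps for `0.0.0.0` misses half of the exposure.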

  • If there’s an automated set up, absolutely go for it; you shouldn’t be doing the same mundane task over and over again. I, however, recommend at least once doing it yourself/going over the docs just to understand how to troubleshoot when stuff breaks, or if it interests you how the software works. For example: a lot of people think that Watchtower queries the docker repo to see when it was last updated and that’s how it processes its updates. The truth is, Watchtower downloads the entire image, checks it against your currently used image and if it’s not the same it updates. What then happens is that server maintainers set the poll interval really low (like 10-15m) and end up using a lot of bandwidth.