Pretty good. Downloads on the main app has been something that held people back.

Moving your port over to a nonstandard one is not a solution (unless the problem you experience is too many logs from sshd, and even then, logrotate exists), its security by obscurity which doesn’t really solve anything at all. Only way your server will be safe is by ensuring the packages on your server are up to date and that you harden it to the point where it isn’t too much of nuisance.

It is aimed at members (often new)of private trackers, a hobby which often assumes you’ve already got a 170tb NAS at home that just needs content to fill it. This is evidenced by the fact they inherit HDBs “golden popcorn” system and tier their groups pretty high up.

I think TRaSH serves as a good base. Their custom filters can be instantly imported using recyclarr and give you a general idea of how custom filters are meant to be used (which can be very overwhelming when you’re new to the ordeal) but sadly I disagree with TRaSH a lot on their group tiers for media formats. I think they make some mistakes placing some encoders as high as they do. (for example: micro encodes from PTer and BHDStudio shouldn’t be in the BluRay groups at all, as some of their releases are compressed harder than WEB releases from streaming services. I download BluRay encodes because I want it to be compressed to the point where it still looks identical to the BluRay it was sourced from.) Once you’re in the game long enough you just make up your own mind on what release groups should be prioritized over others.

As for your question regarding staying within the same file system, the answer is yes. Moving things over to the SSD does two things for you. 1) for every file you also need a duplicate on the SSD, not very efficient. 2) there’s not much to gain from this unless you’re expecting a large amount of simultaneous traffic. An HDD can carry about ~20 streams of 1080p content (as most releases are compressed to 8-10mbps) which is more than enough for most households.

I’d keep the SSD for seeding honestly, so that you can build up buffer on the trackers you’re on, but for most it’s still perfectly doable with HDDs only.

https://trash-guides.info/

0.0.0.0 means listen on all IPs

1. I don’t think this is a problem with tailscale but you should check. Also you don’t have to pipe all the traffic through your tunnel. In the allowed IPs you can specify only your subnet so that everything else leaves via the default gateway.
2. in the DNS server field in your WireGuard config you can specify anything, doesn’t have to be RFC1918 compliant. 1.1.1.1 will work too
3. At the end of the day, a threat model is always gonna be security vs. convenience. Plex was used as an attack vector in the past as most most people don’t rush to patch it (and rightfully so, there are countless horror stories of PMS updates breaking the whole thing entirely). If you trust that you know what you’re doing, and trust the applications you’re running to treat security seriously (hint: Plex doesn’t) then go ahead, set up your reverse proxy server of choice (easiest would be Traefik, but if you need more robustness then nginx is still king) and open 443 to the internet.

For the license to be changed every team member needs to submit a written agreement that he agrees to the change, otherwise their contributions must be removed as they were written under a different license, the only exception is usually permissive licenses such as MIT/BSD 3 clause.

Usually, to rugpull FOSS contributors, companies who maintain FOSS software ask contributors to sign a CLA which waives their rights and lets the control their contributions. Immich isn’t doing any of that, and it will likely remain AGPL forever because changing the license will be a big hassle for them with the amount of contributors.

Hi, I recommend you read the book “Run Your Own Mail Server”. The fact that a book exists for this topic is all the proof you need to not do this decision. But if you absolutely must, this is the way.

Only I rely on my services and if they break I’ll fix them myself.

I don’t run Immich specifically but all other software I run is on :latest tags and unattended-upgrades on Debian. It works so, why bother?

Docker Engine is open source. They could’ve easily contributed patches to it which just further proves that it is a NIH syndrome response.

I use Docker exclusively. Podman is the NIH syndrome response to an industry standard. It has its benefits but Docker just works.

I remember researching the topic a while back. SimpleMDM seems to do it, but it requires paying Apple $300 a year. Luckily, Mosyle allows up to 30 devices for free.

Other then the slowly increasing log file (if you use fail2ban for example), it will take thousands of years to actually hack you through this method as long as root auth is disabled and authentication is only via SSH keys, I wouldn’t worry about it.

It is possible to tighten the security of a machine to the point it is no longer usable. It is important to secure our devices but we cannot forget about convenience, so the trick is to tighten it but also make it so you don’t have to jump through a number of hoops till you get to your destination.

I for example, wouldn’t use your method because it would make it difficult to use some services I host from my phone.

Port knockers for the most part aren’t worrying. In an ideal situation, the only ports that should be open are 22, 80, 443 and using a reverse proxy to mask headers. (Poor configuration for example, go to Shodan and type bitwarden in the search bar and see how many people expose their instances to the world carelessly without an SSL cert) and the occasional UDP for game servers/media servers.

It all depends on the features you want in that router and how much you’re willing to spend. I bought a MikroTik hAP ax3, which has many enterprise features (that can come handy to us selfhosters as well) that I found myself not necessarily needing, but definitely enjoying.

You’ll be surprised how cheap some equipment goes for when a company runs out of business. Just sayin

I have my 22 port opened on IPv6 only and I can only authenticate with my private keys, which are all added in .ssh/authorized_keys. Fail2ban is configured to keep the bots out but the ban log is empty because there are either no bots operating on IPv6 yet or my IP is so far out of reach it will take the bot a millenium to get to my address.

Some set up WireGuard or another VPN protocol but I like having everything within reach as long as the device I’m carrying has my key on it.

One thing you should avoid is opening your docker containers to the web. If your VPS isn’t behind a NAT (they usually aren’t) becareful when binding ports which usually bypasses whatever firewall configuration you may have because docker writes it’s changes directly to nftables.

https://docs.docker.com/network/#published-ports

Other then that, remember that this is just a hobby (for now) and take a break when something doesn’t work or you don’t understand it. I personally did a lot of mistakes because I was just eager to finish something and I was rushing it.

My MikroTik has built in WireGuard functionality so it was an easy pick 😁

I’d prefer if we stopped bringing up Reddit altogether. We no longer use the platform, we should be happy with what we have here instead of constantly peeping into the neighbor’s garden.