

The shopping list alone is beautifully done. Glad that I could help 🙂
There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors.
– Leon Bambrick
Regarding your requirement, you might want to take a look at KitchenOwl.
If you prefer freestyle notes/lists, Joplin can share and sync note collections as well.
CryptPad is absolutely fantastic. Easy to host and secure design.
Stalwart is 95% awesome. What holds me back is that mails are stored in a database and not Maildir. Maildir is insanely trivial to back up incrementally and to restore individual mails if necessary. That currently holds me on dovecot.
It’s more comparable to Snikket. Both Snikket and Prose use Prosody as server with their own extensions.
You could look into prose. The interface of slack/discord/mattermost, built on XMPP, with E2EE.
Mostly a nitpick, but for that little helper I would have stuck to the stdlib and not pulled in a dependency like `echo`.
Otherwise: nice idea. I did something similar but since caddy runs directly on my host, I added permissions for the other services that need the cert and then pointed them directly at it.
If the AppleTV allowed side loading, it would be my dream device. The UX and the speed of Apple devices are just so damn pleasing. But the artificial limits they impose on what you can run on them are damn frustrating.
SiYuan is an opensource Notion alternative. (Not a clone.)
I am surprised that no one mentioned snikket yet, which is essentially a distribution of Prosody with sane defaults and a custom client.
I meant DNS within your container network. Exposed stuff should be mapped to host ports.
The bigger issue (IMO) is that you now have a hard requirement on the startup order of your services. If another one happens to get the IP assigned automatically before your service starts that requests it explicitly, you now have a conflict that you manually have to resolve.
DNS is the only sane solution here.
But everyone does keep their license. A company can not really take over in the sense that you lose your old code. They can stop developing in public but keep using your code, but so can you keep using the last public version and keep developing it. Or you can take your contribution and apply it elsewhere.
Tbf, systemd also makes it relatively easy to sandbox processes. But it’s opt-in, while for containers it’s opt-out.
Props for spelling “spelling” wrong in the title.
My point however was that people who want that kind of convenience (or rather who don’t want to fiddle around manually), why would they want to run HASS in a container in the first place? Either you are a tinkerer, then it doesn’t matter, or you are not, in which case you probably don’t arrive at the point of running HASS on anything other than a preinstalled distro in the first place.
Now I am intrigued to develop one that is called YOLO.
But just in case: no, I don’t monitor my server. If I notice something not working, I ssh into the machine and check what’s up. I don’t want to deal with another zoo of services for the monitoring part.
Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.
nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in `/etc/nftables.conf`, then I have a very simple systemd unit:

```ini
[Unit]
Description=Restore nftables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush table inet filter
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

and finally if I push updates via ansible I simply replace the file and run `nft -f /etc/nftables.conf` (via ansible; on-change event).

Edit: oh and as an example how the actual rules file looks like:

```
#!/usr/bin/nft -f

add table inet filter
flush table inet filter

table inet filter {
    chain input {
        type filter hook input priority 0;

        # allow established/related connections
        ct state {established, related} accept

        # early drop of invalid connections
        ct state invalid drop

        # allow from loopback
        iifname lo accept

        # allow icmp
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # core services
        tcp dport {80, 443} accept comment "allow http(s)"
        udp dport 443 accept comment "allow http3"

        # everything else
        reject with icmpx type port-unreachable
    }
}
```
and with that I have my ipv4+6 firewall that allows pings and http
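
For the "replace the file and run nft -f" push step described in the comment above, one way to keep a broken ruleset from ever replacing `/etc/nftables.conf`. This is an added example, not part of the original comment; the function name, the `NFT` override variable and the `.bak`/`.new` suffixes are assumptions, and it is meant to run as root:

```shell
#!/bin/sh
# Added example (not from the original comment): check a candidate ruleset
# before it replaces the live file, and keep the previous file as a backup.
# NFT can be overridden for testing; the default matches the unit file above.
NFT="${NFT:-/usr/sbin/nft}"

# deploy_nft_rules CANDIDATE [TARGET]
# returns 0 = loaded, 1 = candidate rejected (target untouched),
#         2 = load failed (previous target file put back)
deploy_nft_rules() {
    candidate=$1
    target=${2:-/etc/nftables.conf}

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 1; }

    # -c (--check) validates the commands without applying any change
    if ! "$NFT" -c -f "$candidate"; then
        echo "check failed, $target left unchanged" >&2
        return 1
    fi

    # keep the last known-good file so a bad push can be undone
    backup=
    if [ -f "$target" ]; then
        backup="$target.bak"
        cp -p "$target" "$backup" || return 1
    fi

    # copy next to the target, then rename: the file is never half-written
    tmp="$target.new.$$"
    cp "$candidate" "$tmp" && mv "$tmp" "$target" || { rm -f "$tmp"; return 1; }

    # nft -f applies the whole file as one transaction, so on failure the
    # running rules are still the old ones; restore the old file to match
    if ! "$NFT" -f "$target"; then
        echo "load failed, restoring previous $target" >&2
        [ -n "$backup" ] && mv "$backup" "$target"
        return 2
    fi
    return 0
}
```
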