I don’t have any credible feedback for you.

I dislike php. That’s my feeling. The vibe.

When I’m browsing self hostable things I avoid php unless it’s really the only option.

My completely unsupported “feeling” is that apps written in php are awkward and clunky and just less pleasant to host.

I’m sorry if that offends you, and I don’t care at all what you think of my opinion.

I only mentioned “php apps feel old” because I could see you were some kind of php devotee and that it would trigger you. Maybe look into that.

Nextcloud really does feel old.

I wish there was something that just did file sync.

I know there’s syncthing but that’s not ideal for large repositories with many users and many files.

PHP apps always feel old.

This is what I do. Changing the port to a higher number will prevent almost all bots.

I understand that obscurity is not security but not getting probed is nice.

Also ssh keys are a must.

I do log in as root though.

However, I block all IPs other than mine from connecting to this port in my host’s firewall. I only need to log in from home, or my office, and in a crisis I can just log in to OVH and add whitelist my IP.

I feel like most commenters here haven’t understood what you’re proposing.

I’ve thought about doing this, I’ve seen other commenters say they’re doing it. It’s not a terrible idea. I haven’t done it myself because … it’s just not a priority and I’m not sure it ever will be. Anyway …

If you’re willing to set up and self host your own email stack like mail-in-a-box or whatever, then configuring a separate outbound SMTP server is fairly trivial in comparisson.

If you already had your own stack set up to be self hosted you would ordinarily be using the SMTP server there-with to send emails.

Firstly configure your client to use whatever other SMTP server you have access to. I think it’s possible to use mailgun or one of those API transactional senders. You could get a cheap plan with mxroute or any other email host and just use the SMTP server.

Suppose your client is Thunderbird and you set up your account like smtp.mxroute.com for outbound and imap.myserver.com for email storage. When you send an email tbird transmits it through mxroute and then stores it on your imap server at myserver.com in your sent folder.

The potentially complex part is configuring spf & DKIM records on your domain.

SPF

I’m not sure if I’ll be able to explain this clearly but… suppose a recipient’s spam service receives an email purportedly from marauding_giberish@myserver.com but transmitted by smtp.mxroute.com. That spam service will look up the DNS records for myserver.com and inspect the records for the spf record. This record pretty much lists which servers are authorised to transmit email from addresses ending in myserver.com. So with a more typical set up an spf record might be:

“v=spf1 include:myserver.com -all”

This would indicate that only the smtp server at myserver.com can transmit email from your domain.

You would edit that to include the mxroute smtp server like this:

“v=spf1 include:mxroute.com include:myserver.com -all”

This way, recipients can confirm that the owner of myserver.com domain has formally designated mxroute as an authorised recipient.

DKIM

Your SMTP server will have a public & private key pair which it uses to sign outbound messages. Recipients can use the public key to confirm the signature and thereby confirm that the message has not been altered in flight.

Whatever SMTP server you use will tell you the public key and instruct you to add that to the DNS records of your custom domain.

That’s the one that looks like this:

“v=DKIM1; k=rsa; p=MIIBIj [ … it’s a long key … ] op3Nbzgv35kzrPQme+uhtVcJP”

Once this is in place recipients of your emails can query the DNS for myserver.com and find this public key, and use it to confirm that the signature on the email they received is authentic.

Sorry to be that guy but replicating / syncing isn’t really backing up.

You need snap shots or versioning.

It looks like there’s several distinct components to gpodder which confuse things.

Firstly gpodder seems to be a desktop podcast client.

Secondly there’s the sync service / protocol. Gpodder.net provides this for free but according to antennapod doesn’t have adequate resources and causes errors in your client (which I can confirm). There are other containers available which are not from the gpodder team but emulate the protocol.

Finally there’s the recommendation / discovery service apparently provided by gpodder.net. I haven’t been able to get this to work because my client hasn’t been able to sync yet, despite 12 hours of trying.

In my own case, I already have a client (antennapod) and I’m not really interested in sync because I only use the one device. The recommendation / discovery service would’ve been cool but it seems broken for the moment.

Oh wow. I’d seen the gpodder thing in antennapod subscriptions but never realised it was a kind of discovery / recommendation service.

I wonder if the recommendation stuff works with a self hosted instance?

Sure mate, keep trotting out the dumb swiss cheese analogy. Fine by me.

I’ve heard this analogy before but I don’t really care for it myself.

It creates a mental image but isn’t really analogous.

In the case of a firewall on a server behind a NAT, ports forwarded through the NAT are holes through the first several slices.

This. It’s unnecessary but it’s another layer.

1. I’m running these services on an OVH server in a data centre. It’s costly but I need it for my consultancy anyway and it’s an absolute beast. immich runs in a container, along side wireguard and traefik containers. borgmatic (for backups) runs on the host.
2. I have 4 backup repos. One on disk alongside production data. One in OVH storage. One on my homeserver. One unencrypted on a removable disk in my fireproof safe. If OVH facility and my home both suspiciously burn down I will still have the data.
3. Are you talking about cloudflare tunnels? I’m using wireguard. Wireguard itself is easy enough to configure. Then attach the immich docker container to the wireguard container’s network stack. Traefik is a bit of a bitch though, happy to explain more if you’re interested.

I would think very carefully before contacting the police. I am not suggesting that you should provide a safe harbor for people sharing CSAM, or obfuscate their crime. You absolutely should take action, but carefully weigh your options before calling the police.

While it may (possibly!) be true in your jurisdiction that platform operators are not liable for user content, police aren’t on “your side”. Even if you assume the highest standards of professionalism from them, they need to represent the interests of the victims (not you) and need to diligently investigate the crime. That means they need to confirm beyond reasonable doubt that you are not involved beyond operating the host.

Just because you self-disclose does not mean that you are innocent. You could’ve been actively participating and when threatened with blackmail you’ve decided to self-disclose to avert guilt.

Another consideration is what else I have on my server. I’m catch and release for pirate movies and TV these days so there’s only 100gb or so. I do have several hundred pirate audiobooks though. Deleting all that before handing my server over will look very suspicious.

With all of this in mind, the only course of action is to talk to a lawyer. A lawyer will know exactly what laws are relevant, and can guide you through the process of self-disclosure while minimising the imposition on you.

ok so don’t hate me but h001, h002, h003, and so on.

That’s h for host. I also use n to number networks, and k to number physical keys.

I list them all in my keepassxc password database, where I can include any additional information.

With the prevalence of vms, docker containers, and docker networks, there’s just too many things to name. By numbering them I can just side step that whole game.

This is what I was thinking.

Syncthing will be the quickest to set up.

There’s a potential for collisions but that would likely be manageable.

In case anyone was wondering:

• namecheap: US
• porkbun: US
• INWX: Germany
• OVH: French
• onlydomains: NZ

I personally have been with onlydomains for a decade or so. No complaints.

I have a server with OVH. I hadn’t realised they’re a registrar also.

Yeah.

Sadly I think email will be with us for the foreseeable future. It’s broken, sure… but it’s just so fundamental to the web.

An alternative would need to be ubiquitous, and that seems unachievable.

I don’t think the SPF / DKIM / DMARC stuff is overly complex nor the core of the problem.

In my case it was recipients with bonkers microsoft exchange servers that just had weird ideas about who should be sending them emails.

For example, one thing that tripped me up forever ago was grey listing. Apparently the receiving server just wouldn’t acknowledge the sending server for an arbitrary period of time, say 12 hours or so. Spam senders would usually give up long before then, while a legit server would keep trying because it’s legitimately trying to deliver an actual email.

So my email-in-a-box type self hosted set up was fine really. Compliant you might say. But to send emails to this one in a thousand recipient I had to investigate what was going on and reconfigure things to ensure their server would interact with mine.

Another thing that can happen is that spammers just put your email address in the “from” field and fire off a few million emails. Obviously the DKIM signatures and SPF won’t match but it still just makes your future legitimate emails look spammy. Having the credibility of a larger organisation goes a long way in this type of instance.