Almost all of selfhosting is editing config files, setting permissions and starting/stopping services.

Setting it up so you can administer a server by desktop is probably as hard as learning how to edit config files from a terminal. Maybe harder.

I’ve got 3 subnets on an L2 switch. You will have clashes over DHCP if you have both broadcasting on the same L2 switch without VLANs.

My guest wifi is on a vlan, but the switch is L2 and it’s fine. The router has separate physical ports for each subnet. The “guest” subnet is only accessible over Wifi, and the access points are configured so that the guest VLAN is mapped to a separate SSID.

My third subnet has no VLAN. It’s IPv6-only and all devices have a static IP address. It’s only used for security cameras. I did this so they don’t transmit on the same physical cables as my primary subnet. It is otherwise insecure, as I can join the subnet by simply assigning myself a static address in the same range.

Note: There is a bug in Windows where it will join an IPv6 subnet on a different VLAN. I had to tweak my DHCPv6 / radvd so that Windows would ignore it. Yes, Windows is this dumb.

I think the August 2001 backup is a good restore point.

Leave the battery in and you have a free UPS. Perhaps set it capped at 80% charge to increase its lifespan.

My server is always my old desktop hardware. It’s a 4th-gen i5 with 16GB RAM and it’s keeping up fine. I have thrown quite a lot of work at it too. If you avoid containers, you can serve 20 services off it no problem.

I too, was worried about power costs. Every time I do the maths, the new hardware will be obsolete by the time I make the money back in savings. If you’re concerned about environmental impact, the initial manufacture of hardware does more damage than running it over its lifetime.

Dedicated (1U rackmount) servers are always loud and power-hungry. I they idle at 130w and sound like a hairdryer that’s been left on.

Find secondhand on Facebook marketplace. Dive into an e-waste bin if you have to.

OMG Hypnotoad HTPC is so much better! Why didn’t I thnnk of that?

Server (big iron): Bender

Desktop (main character): Fry

Laptop (for accounting): Hermes

Netbook (small and dumb): Nibbler

Phone (held to my head): BrainSlug

HTPC (one big viewport): Leela

That’s basically it. My Ubuntu server is a router, NAS, plex server, public statum-1 NTP server, wordpress server, nextcloud server, security camera NVR, SMTP/IMAP mail server, CUPS print server, tor relay, and probably a few other things I forgot about.

You can do a lot with a single CPU from 2015.

I don’t have hostapd on it anymore. I now have dedicated APs on OpenWRT. The main problem with using a WNIC for an AP is that they don’t typically have a very strong broadcast output. I had to add an amplifier, and even then it wasn’t great.

I’ve done this before on Ubuntu. You can install nftables for routing, then install hostapd for a wifi AP.

I don’t even use it. Once I got SPF/SSL/DKIM/DMARC working, there was less spam than what I get on gmail.

The owners closed the restaurant and started a new one so I let the domain lapse.

ISPs often have SMTP relay servers. If you hook into that, your mail gets instant street cred.

Setting up fail2ban to block people trying to brute force the admin panel is a good start.

TightVNC. Use TightVNC.

I did have LUKS and a USB flash drive with a key to be inserted on boot. It was definitely difficult and caused performance issues. It was particularly difficult to add/remove drives from the array. These days I only encrypt my off-site backups that sit at the office where my coworkers potentially have physical access.

There have been recent advancements in TPM so disk encryption is easier to maintain and doesn’t affect performance. I’ll need to investigate this one day. My server/NAS is a 4th-gen i5, so it may not support the functions I would need. Full disk encryption will land in Ubuntu soon. I’m hanging out for that.

I personally would flick through the OpenWRT supported devices and pick the best supported device with 802.11ax.

Everything exposed except NFS, CUPS and Samba. They absolutely cannot be exposed.

Like, even my DNS server is public because I use DoT for AdBlock on my phone.

Nextcloud, IMAP, SMTP, Plex, SSH, NTP, WordPress, ZoneMinder are all public facing (and mostly passworded).

A fun note: All of it is dual-stacked except SSH. Fail2Ban comparatively picks up almost zero activity on IPv6.

Testdisk and photorec? It’s saved me heaps of times.

My wife has a laminated card which has the instructions to my KeePass vault, and an explanation of how the backup drives are encrypted.

Once the family photos are safe and she can login to all my accounts to finalize them, the server can be replaced with a WRT54G for all I care. Continuity will be impossible. Even a qualified sysadmin would probably struggle with it.

I’m on ABB and everything was fine after I called up and got CGNAT disabled and the ports unblocked.

You can unblock ports in the MyAussie phone app these days.

And you most definitely got a new IP address. Make sure you’ve updated your DNS. My IP hasn’t changed in over a year. It only ever changed when they upgraded their equipment.