• 0 Posts
  • 9 Comments
Joined 2 years ago
Cake day: June 1st, 2023


  • philpo@feddit.de to Selfhosted@lemmy.world: Is Radicale the way forward?
    1 year ago

    I can recommend using Cloudron but I don’t use Radicale.

    Cloudron is in no way a necessity for anyone - it’s simply me being too lazy to keep everything up to date, read all the necessary documentation for all the services we run, etc. Cloudron does all that for me - and I couldn’t be happier. Johannes, the owner, provides fast support (had two glitches with Hetzner DNS over the years) and the number of apps is getting wider each year, although I would rather see their range be broader (e.g. a proper monitoring system instead of yet another project management), but that’s just me.

    In theory it’s even possible to create your own apps for Cloudron, both for public and private use, but that is beyond my capabilities. It can also be used as an SSO provider and reverse proxy, btw.


  • Simply put: No.

    You need to make sure no one accesses your phone even when stolen (for a myriad of other reasons as well), so password protect it.

    This has nothing to do with WG-easy or any WireGuard implementation itself - it’s simply part of WireGuard. What you could do to at least discourage an attack is to save parts of the secrets (preshared key, public key of your network) in a password manager like Bitwarden and copy and paste them into the client every time you connect - and remove them from there after you’re done. But be aware that this will only discourage a technically inept attacker - the WG client and the OS, etc. will keep enough data of these transactions around to easily find out this information, and for a good attacker you actually make it easier this way. So I would clearly not recommend it. Password protect your phone.

    WAG and other solutions put another layer between your network and WG. Basically they add a captive portal and only “unlock” it once you authorised yourself there. It is not a pretty solution and you need to be aware that it easily locks you out of your own network.

    Another solution could be that you build two WG connections - one that is limited to your firewall and can exclusively connect to that device, and one that has broader access. Use the first one to enable access, the latter one for actual access. Then the first one to disable access again.

    The WG easy container should always be run behind an authentication layer, even in LAN, as it enables an attacker (who might already be in the LAN) to establish full outside connections. This can easily be achieved with a reverse proxy like Caddy/nginx proxy manager. The container then needs to be behind the proxy in its own network with only the WG port exposed. Requires a bit of work but is easily doable… And Portainer is your friend in that regard.
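
Added example, not part of the comment above: a Docker Compose sketch of the layout it describes, with wg-easy on its own network, only the WireGuard UDP port published, and the admin UI reachable only through Caddy with basic auth. The hostnames, network name, user name and password hash are placeholders, and the wg-easy UI port 51821 and `WG_HOST` variable are assumed from the image's defaults.

```yaml
# Constructed example; all names and values below are placeholders/assumptions.
services:
  wg-easy:
    image: ghcr.io/wg-easy/wg-easy
    cap_add: [NET_ADMIN, SYS_MODULE]
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    environment:
      WG_HOST: vpn.example.org        # placeholder public name of the VPN endpoint
    ports:
      - "51820:51820/udp"             # the only published port: the WireGuard tunnel
    # Deliberately no mapping for 51821/tcp: the admin UI is reachable
    # only from containers on wg_admin, i.e. through the proxy below.
    networks: [wg_admin]
    restart: unless-stopped

  caddy:
    image: caddy:2
    ports:
      - "443:443"
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    networks: [wg_admin]
    restart: unless-stopped

networks:
  wg_admin: {}                        # dedicated network shared only by proxy and wg-easy

configs:
  caddyfile:                          # inline config content needs a recent Compose v2
    content: |
      wg-admin.example.org {
        tls internal                  # Caddy's local CA, assumed for a LAN-only name
        basic_auth {                  # named "basicauth" in Caddy releases before 2.8
          # Replace with the output of `caddy hash-password`;
          # write every "$" in the hash as "$$" inside a compose file.
          admin REPLACE_WITH_BCRYPT_HASH
        }
        reverse_proxy wg-easy:51821
      }
```

After bringing this up, `docker compose ps` should list 51820/udp and 443/tcp as the only published ports.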


  • 2N Verso.

    • Works totally offline/Cloud free if required.
    • Can be integrated into any NVR & SIP environment
    • Can easily be used with plausible deniability. “Yeah, officer, I am just using it when someone rings the bell, no recording, the bell system never records, no!”
    • Very sturdy and reliable hardware
    • Offers indoor viewing stations (for the less technically adept household members)
    • PoE based, can be used with LTE in some versions.
    • Good documentation
    • With the automation licence (costs a bit extra, but is “buy once” at least) basically everything one can imagine automation-wise can be achieved, including API calls, etc.
    • Can be extended with RFID, fingerprint, Bluetooth, induction loops, etc.

    If you want to use their cloud service you have to pay a small fee, but that’s purely optional and you can easily use your own SIP solution to avoid this. Or simply don’t answer your door from somewhere else.

    The big downside? It’s ridiculously expensive. But I mean…how often does one buy a new doorbell?


  • On a RPi 3 mod B? Not really. Load spikes have already been mentioned and especially Home Assistant is prone to them, PiHole can be, but it can be avoided (you still wouldn’t want it to update its blocking lists while you print something as it causes load spikes).

    IF you do it you need to configure it in a way that the Octopi is getting priority over everything else - which is possible with a lot of tinkering or using a VM layer like Proxmox - which is adding to the overhead again, though. This will push the 3B to its limits even more.

    Personally I would advise against it heavily. If you already have a 3B, use it for the 3D printer and buy another device for everything else (not necessarily a Pi, Arm has its downsides - there are a lot of energy efficient x64 solutions out there these days). And then slap Proxmox on it, run HAOS, Pihole and whatever comes your way in the future on it. (Paperless and Frigate/agentNVR seem to come along the way naturally.)