Are you going fangless?

I would definitely go fangless. I have been bitten enough times. A bite might also transfer viruses. Nowadays I defang all my computers.

Great, I accidentally deleted my original comment because the Lemmy web interface doesn’t ask for confirmation when you click the delete button. And the buttons are so small on mobile that it‘s really easy to click the wrong button.

If you want to use these features for security, access them manually. But, OP said they are kind of a noob. Telling them to just use containers is dangerous and leads to false assumptions.

You are absolutely correct. I should have stated explicitly that I didn’t mean docker and/or using pre-built container images. I was talking about something like systemd-nspawn. And you are right that I should not have brought this up in this context. I will edit my original comment.

So, putting a process in its own network, file-system, user etc. namespace does not increase security in your opinion?

I see. That‘s a valid use case. Although, in the spirit of self-hosting, I personally would either get another ISP or run a reverse proxy on a cheap VPS and connect the homeserver to that via Wireguard.

deleted by creator

Why would anyone DDOS a random home server? I don‘t think OP has to worry about that.

Could you please be more specific what exactly Crowdsec brings to the table? In which way does it “secure the network”?

I don‘t know what specifically you would like to know and what your background is, so I will just elaborate a bit more.

The basic idea is that the VPS, which is not behind a NAT and has a static IP, listens on a port for WireGuard connections. You connect from the NAS to the VPS. On the NAS you configure the WireGuard connection with “PersistentKeepalive = 25”. That makes the NAS send keepalive packets every 25 seconds which should be enough to keep the connection alive, meaning that it keeps a port open in the firewall and keeps the NAT mapping alive. You now have a reliable tunnel between your VPS and your NAS even if your IP address changes at home.

If you can get a second (public) IP address from your provider you could even give your NAS that IP address on its WireGuard interface. Then, your VPS can just route IP packets to the NAS over WireGuard. No reverse proxy needed. You should get IPv6 addresses for free. In fact, your VPS should already have at least a /64 IPv6 network for itself. For an IPv4 address you will have to pay extra. You need the reverse proxy only if you can‘t give a public IP address to your NAS.

Edit: If you have any specific questions, feel free to ask.

I think Space Göring would be even more fitting. The Luftwaffe was like Göring‘s pet toy. Also he took a lot of drugs.

You could get a VPS only for getting around the double NAT.

Run a reverse proxy on the VPS and forward requests over WireGuard to your NAS. That way you wouldn‘t actually host any data on the VPS.

How many outgoing emails are we talking about? Because there are a lot of free or cheap options for personal use and small businesses.

You could try Consent-O-Matic. That’s what I use. It also doesn’t simply agree to everything like the other one but chooses the most privacy-friendly option instead.

Hadn‘t heard of Rumble. At first glance, it looks like it‘s run by Elon Musk. Andrew Tate on the frontpage, far-right political channels and crypto bros. I think I‘ll pass.

A reverse proxy does not magically make an insecure app secure.

When I looked around for CalDAV solutions the last time Nextcloud was the only one that allowed me to share calendars with my SO. Nextcloud isn‘t very taxing on my system because it doesn‘t do anything most of the time.

Do you know about problems reaching the big player mailservers?

Honestly, I don‘t know. I have never had a confirmed case of an email being rejected or classified as spam. There were some cases of not getting an answer to an email. But that could also be explained by shitty customer service.

It is tricky to setup everything correctly if you are trying to do it all on your own but SNM holds your hand for setting up DKIM, SPF and DMARC. That‘s where some people may have problems. Also, forget about setting up a mail server at home with any IP address you get from your internet provider.

• Plex and Jellyfin for movies and TV shows. I want to switch from Plex to Jellyfin but it is not quite there yet. It‘s very little effort to keep Jellyfin running in parallel though. I am keeping it around to regularly compare the two and re-evaluate.
• Tube Archivist for archiving and watching YouTube videos.
• Miniflux for reading feeds.
• Nextcloud, mainly for calendars and contacts; occasionally for sharing files with others.
• Syncthing for syncing files.
• Financier for budgeting.
• Paperless-ngx for managing documents.
• Qbittorrent for downloading and sharing Linux ISOs.
• Prowlarr for searching Linux ISOs.
• Copyparty for sharing Linux ISOs with friends.
• Shaarli for saving bookmarks.
• Jekyll for statically generating my personal blog.
• Caddy as HTTP server / reverse proxy for all of the above. Automatically provisions certificates from Let‘s Encrypt.
• PostgreSQL as database for Nextcloud and Miniflux.
• Simple Nixos Mailserver for emails with Postfix, Dovecot and rspamd.
• Dehydrated for getting certificates from Let‘s Encrypt for the mail server.
• Btrbk and Restic for backups.

Most of this stuff runs on my server at home (ASRock J4105-ITX, 8 GB RAM , 250 GB SSD, 18 TB HDD). The mail server and the blog run on a cheap VPS (1 vCPU, 2 GB RAM, 20 GB SSD). Both servers run NixOS.