• 1 Post
  • 34 Comments
Joined 1 year ago
cake
Cake day: July 5th, 2023

help-circle
  • Wow, thats very, very nice. I didnt know this even existed.

    But I suppose if it had widespread support it would be the perfect solution.

    Firefox mobile not supporting it might be a dealbreaker though, since it is the browser I use and the one I persuaded all my friends and family to switch to…

    But this is an incredibly interesting technology and I will surely look into implementing at least partially if that works.

    Thanks a lot for sharing!


  • I didnt mention on my original post but I do have a virtual machine on gcp, which I use to run mongodb. I didnt mention it because I am not too concerned with it, but mostly it follows the same practices, with the exception being that ssh is open and it has no private data in it.

    But I suppose I could do something similiar to what you mentioned. The ideia of having and eating the cake is very nice. And if something goes wrong I could turn of public access and have the vpn still working.

    I will consider implementing something like that as well, thanks a lot for sharing your thoughts!


  • Yes absolutely. For work most of my clients use cloudflare’s different services so I understand they have credibility.

    For me though, part of the reason I self host is to get away from some big tech companies’ grasp. But I understand I am a bit extreme at times.

    So thanks for opening my mind and pointing me to that very interesting discussion, as well as for sharing your setup, it sure seems to be very sound security wise.





  • Thanks for your reply!

    Suggestion 1 definetely does make a lot of sense and I will be doing exactly that asap. Its something I didnt think through before but that would make me much more in peace.

    Suggestions 2-4 sound very reasonable, I have indeed searched for a way to self host a waf but didnt find much info. My only only concern with your points is… Cloudflare. From my understanding that would indeed add a lot of security to the whole setup but they would then be able to see everything going through my network, is that right?



  • I see, I appreciate you sharing your knowledge on the matter.

    Yeah I thoght about the spike in size, which I would definetely notice because the amount of data is pretty stable and I have limited cloud storage.

    Regarding your last point, I currently have everything under a user account: the data I am backing up, the applications and restic itself all run on the same user account. Would it be a good ideia to run restic as root? Or as a different service account?




  • Thanks a lot for your input. I honestly had not considered this possibility.

    Others in the post recommended removing those important files from the public facing server so that in the case of an attack they wouldnt be exposed. So I will try and follow this recommendation asap.

    But your answer still applies to everything else I will be hosting so I am concerned. I had no idea ransomware was this smart. I will research more about this topic, but basically if I access a file from two different servers and its fine it means the file is free from infection?




  • That was a great answer, thank you so much!

    Yes I didnt even notice the family photos and docs dont need to be on that same server. Initially I just put them there to act as a local file share. But you are absolutely right, moving them from the public server is the best thing I can do to protect them.

    I will look into setting up a second server for the private stuff that is not publicluly accessible


  • Thanks for the amazing reply and specially for the explanation regarding wireguard.

    I didnt know about crowsec and kata containers, both amazing projects, I will definetely look into it and try to set them up.

    Just one quick follow up question, when you mention dedicanted service user, do you mean its best to have a sepate user for each service, such as one for nginx, one for adguardhome and so on? Currently all of them run under the same user and I didnt think about this possibility before.



  • I have a domain with one of the new TLD which I used for my emails.

    Most services worked fine with it, but there were a few cases where my email was flagged as fraudulent and I had to call, explain it was legit and provide with another email.

    There was one service I registered which explicitly said they oy accept gmail addresses.

    Roughly one year ago I acquired a new domain using the .org extension, I am migrating my accounts to this one, and I havent had any problems so far.

    So overall my conclusion is that most services are fine with custom emails, a few of them block based on TLD and an even smaller subset will allow only specific providers. Since I am moving alway from big corp, having a widely used TLD that seems to be accepted in most cases is my personal sweet spot.


  • Have you played around with Grafana? It really is quite simple if you have prometheus already working.

    For a home lab environment you dont even need to use prometheus-alertmanager. Grafana can handle alerts as well.

    Grafana also has hundreds of pre-made dashboards you can import. Node monitoring is quite straightforward.

    Assuming you have prometheus good to go, all you need to do is go to Grafana - Datasources, create a new datasource, point to your prometheus instance.

    Then you can import the dashboards you want.

    Now you can setup your alerts - you can use SMTP, telegram, slack among others for your notifications.