GOAT vehicle. It’s purely functional in pristine egg form. Bulletproof drivetrain. Comfy as hell, even by today’s standards. If one ever comes up on autotrader in good condition I’m buying one.

Do you people not put milk in your crude oil? I find it suits the subtle bitterness of Alberta tar to give it a wonderful but subtle aftertaste.

If it’s cheap, sure.

Canada- my standard breakfast is oatmeal with homo milk and 2 spoonfuls of maple syrup or brown sugar, depending on the season. I try to get the maple syrup from the Amish/Menno dudes out in the country.

Breakfast cereal is a scam invented by a psychotic incel, but oatmeal is cheap and a good source of fibre.

It’s fine. RAID is not a backup. I’ve been running simple mirrors for many years and never lost data because I have multiple backups. Focus on offsite and resilient backups, not how many drives can fail in your primary storage device.

Not sure how to do that in docker, I’ve run mine as a plain old PHP-FPM site for years and years. It might be something that can be tweaked using config files or environment variables, or might require building a custom image.

ClamAV is slow and doesn’t catch the nastiest of malware. Its entire approach is stuck in 2008. It’s better than nothing for screening emails, but for a private file store it won’t help much considering that you’ll already have the files on your system somewhere. And most importantly, it slows down file uploads 10x and increases CPU load substantially. The only good reason to use ClamAV for nextcloud is if you will be sued if you don’t!

It needs some tweaks to be snappy. The defaults are really bad.

• change database from SQLite to a proper database like MySQL or Postgres, and configure the database server to use your memory fully
• increase the PHP memory limit from the default (128M on many distros) to >1G, the more the better
• install APCu in-memory cache for PHP
• add Redis as additional cache
• turn off the antivirus extension, if installed (ClamAV is useless)
• use http/2 on Apache/nginx to increase performance with multiple connections

https://docbot.onetwoseven.one/services/nextcloud/

Yep. Firewall, routing, dhcp, dns, everything you’d expect from a gateway device. Plain Debian (or really any distro) can do it all. With a 1gbps bi-directional connection fully saturated it will run at about 10% cpu on my very crappy low power Celeron CPU.

Plus, there’s no web UI full of janky and insecure CGI scripts to exploit, and software updates are forever (well, until x64 is deprecated, so basically forever).

IPtables on Debian because I like my life to be boring and unchanging.

Best bet would be to setup postfix or opensmtpd as an open relay. Just make sure it is only accessible in trusted networks though!!

https://docbot.onetwoseven.one/services/postfix/

You’d want to set the listen address to 0.0.0.0 and use a non-loop back interface.

Could always whitebox it with Debian, nftables, dnsmasq, hostapd, etc. on an old mini PC if it has two NICs…

5 yrs for free is LTS, 10 for “Pro” enterprise subscription ($$$).

It’s pretty good. I understand and somewhat agree with the concerns about concentrating the web around one company, but tunnels is simply a great product. So convenient for running services behind CGNAT or dynamic IP without good port forwarding options, and it’s just set and forget. If there was an alternative that good I’d use it.

Not strictly RSTP, but the “zmninja” app works with a Zoneminder server, which can record and manage RSTP/ONVIF cameras. I would really recommend some sort of NVR (like Zoneminder) if you have cameras since there’s a low probability you’ll be able to watch them live all the time.

Yep, banning scanners with ipset lists is a great solution. I use a slightly convoluted method to perma-ban abusers, but fail2ban also works great.

https://nbailey.ca/post/block-scanners/

Best advice I can give is to make sure the default virtualhost on nginx/apache just sends a 404 to all requests to your IP, and only serve the apps you want when they’re accessed by the correct hostname. The vast majority of spammy scanners are just hitting all public IPs, so as long as you don’t tell them what you’re hosting you’ll be alright.

Then, I’d advise having some sort of basic web application firewall (WAF). Modsecurity is a common one, NAXSI is another. These take some time to set up, but are quite good at absorbing attempted attacks.

Generally speaking, yes, but things can get a little weird when you’re dealing with an abstraction like docker.

It looks like it’s not able to reload the service. Could be permissions? As the nginx user (www-data often), try touch /run/nginx.pid

Keycloak is decent. It has its own built in user database, or it can connect to an “upstream” idp like AD, GitHub, google, fb, basically anything that speaks openid or SAML. Then, it can act as an idp to each service you run. It is a bit of a chore to configure, but compared to other SSO servers it’s pretty good (looking at you shibboleth)

Not for a new selfhoster, no. It’s fairly complex and has lots of moving pieces. Start with a simple syslog server before going way into the deep end.