I know you said you’re against rack mounting, but JUST in case:
I love the look and tidiness of a nice rack mount system. So I got a Chenbro 4U case. It’s perfect for reusing my old components, and it has a standard size area on the front to install a hot swap HDD cage.
restic without any doubt. I use it with S3 backend and SSH copy and it has an excellent performance (with copies of years).
Borg I was using it for a while (to compare) and I do not recommend it, it is not a bad product, but it has a lousy performance compared to restic.
Kopia I didn’t know it, but from what I have read about it, it seems to be very similar to restic but with some additions to make it pretty (like having a UI).
Some people say that Kopia is faster in sending data to the repository (and other people say it’s restic). I think that, unless you need a UI, I would use restic.
I know this is not the best answer since you would probably like me to talk about Nebula, but I have to say that the best solution I have found for setting up a mesh VPN is Zerotier.
It is a very complete solution. Multisystem, very simple but very configurable, fast, etc.
You simply start by creating a network on the public controller (which will generate an ID for that network) and then join the rest to that network and everyone can communicate with everyone (by default, then you can create subnets if you want).
Using the public controller is completely optional (I personally use it because it is convenient for me and because I have few hosts) but if you want you can set up your own controller, I have an article (the bad thing is that it is in Spanish, but if you run a translator you can understand it perfectly) where I explain how to do it without any requirement. If not, you can use ztncui for it.
Take a look at it, you might find it more attractive than Nebula.
By the way, for me one of the great advantages of ZeroTier is that I don’t have to worry about certificates and keys, the controller takes care of everything for you and security is guaranteed from the point of view that each node has a unique identifier.
You’re using network_mode: “host” which makes the container use the host’s networking directly. When you use host mode, the port mappings are ignored because the container doesn’t have its own IP address, it’s sharing the host’s IP. Remove or change the network mode to see if that fixes it.
Will check it out. Setting up postfix + dovecot with DMARC and postgres was a funny experience but it’s starting to slip out of my memory how I did it and I don’t want to go through it again.
I looked at this, it looks pretty rudimentary compared to something like Mailcow-dockerized which has a full docker stack with ClamAV, sieve, etc. that you can add Roundcube on to, and has worked very well for me for years. There are precious few JMAP clients out there so that’s not much of a consideration really. I’d rather have rspamd itself rather than their fork of it because then I can depend on the original’s documentation, because their documentation doesn’t seem very comprehensive comparatively.
Plus, I’d rather have a stack of separate docker containers rather than a single container that munges it all together, but maybe that’s not a big deal. I like to let Postgres manage the postgres container image and not put another layer in there.
I don’t think it’s you, it generally is a bad practice to have multiple processes inside a container. It usually defeats most of the isolation, introduces problems with handling zombie processes (therefore you need an init) and restarting tools when they crash (then you need something like supervisord, which I guess this image might use - I didn’t check). Each software adds dependencies, which can conflict (again defeating the idea of containers), and of course CVEs. Then you have a problem with users etc.
So yeah, containers are generally not meant to be used this way. The project might be cool but I would be very uncomfortable running it like this, especially if that’s going to be my primary email, with all the password resetting capabilities etc.
Reading the Dockerfile in their repo, it’s simply a clean debian:slim with four compiled Rust binaries placed into it. There are no services, no supervisord, nothing except the mail server binaries themselves.
What cert did you put on the proxy answering the inbound? Usually that error means either the browser doesn’t like the cert, or it’s connecting to 80, and modern browsers really fight you on that sometimes. Also, cache. Clear your cache if you’re bouncing between internal URL/IP and the public.
I assume you just want to expose to internet to learn art of reverse. Otherwise there’s better ways.
Mainly I want to expose it so I can access my stuff remotely. What would you recommend otherwise? Traefik looks a lot more difficult to me from the get-go but I haven’t tried it out yet (because I don’t know where to start). The issue is just that I have a basic understanding of docker/ubuntu stuff now (or I know how to manipulate stuff like I want) but basically everything with web and HTTPS is a big black hole for me which I can’t seem to grasp yet.
Yeah, it’s a lot. It’s a very large field, and you’re playing in two or three areas here.
Look at a couple of overlay options. ZeroTier is the one I remember off the top of my head. There are others, Google alternatives. These use a coordination server. Some are a hosted service, but there are some that you host yourself. These are supposed to be pretty easy. You watch a couple of videos on these, I bet you’ll be fine.
WireGuard offers more traditional VPN. You can tunnel your device back to your network. Some routers offer a VPN option. There’s OPNsense, DD-WRT, etc. Again, lots of videos.
Since you said you mostly wanted remote access, I strongly suggest not opening services to public and use VPN.
You can still learn reverse proxy too, but just do it internally, even though it wouldn’t technically be needed. This will be much safer and learner friendly.
I have ridiculous amounts of services running, but I use gateway router VPN to access most of them.
Using a VPN or similar is not really an option as I have family members accessing it and I don’t want to always connect using a VPN just, for example, to open my garage or access my shopping list. Security-wise I just use 2FA so I don’t think that’s the issue.