

Paperless-ngx - it allows you to upload important documents like receipts, contracts, etc. and uses OCR so you can search them
has some basic monitoring on them.
What monitoring software are you using?
I feel like the other measures you talked about (backups, condom of network traffic, etc) I’m doing ok on. It’s really just the monitoring where I’m stuck. There are so many options
I’ll look into it, thank you
I’ve seen a bunch of people recommend Authelia. Do you mind if I ask why you went with it over other software? I only went with authentik because I found a tutorial on it first
check
check
check
I saw someone else recommend crowdsec. I’ll look into it, thanks
if you use one of those 5$/month VPSes, with a VPN tunnel to your backend services, that adds one layer of “if it’s compromised, they’re not in your house”.
I’ve heard this mentioned before but I don’t really understand how this works in practice. If the VPS was compromised, couldn’t they use the VPN to then connect to my home?
Caddy only allows private IP ranges
Do you mind telling me more about this? How does that work; a VPN?
that’s awesome. thanks!
Have also set it up so they get banned on Cloudflare’s side, so before another malicious request ever reaches me.
How did you end up setting that up?
I feel weird about having those apps on the internet and basically being blind to threats. I mean yeah, I’m not a target on anyone’s list and most IPs visiting the site are bots but I would still like to know what’s going on.
I don’t work in tech for a living, this is just a hobby for me so I have limited time to work on this stuff and do research. It’s very possible I fucked something up and don’t know it. I figured if I at least got an alert that said “hey, your immich server db was dumped and sent to <insert IP>”, I could at least turn it off
I get where the original commenter is coming from. A VPN is easy to use, why not have my partner just use the VPN? But like, try adding something to your routine that you don’t care about or aren’t interested in. It’s an uphill battle and not every hill is worth dying on.
All that to say, I appreciate your comment.
A few reasons
Telling my partner to visit a website seems easy, they visit websites every day, but they don’t use a VPN every day and they don’t care to.
awesome, thanks for the info
That’s interesting, I didn’t know that was a thing. I’ll look into it, thanks!
the lack of logs
That’s the best part, with a script, you can pipe the output of the updates into a log file you create yourself. I don’t currently do that; if something breaks, I just roll back to a previous snapshot and try again later, but it’s possible and seemingly straightforward.
This askubuntu link will probably help
I appreciate the info, thanks
That’ll be my impetus to learn how to write a script.
This part caught my eye. You were able to do all that other stuff without ever attempting to write a script? That’s surprising and awesome. Assuming you are running everything on a Linux server, I feel like a bash script that is run via a cronjob would be your best bet, no need to ssh into the server, just let it do it on its own. I haven’t tested any of this but I do have scripts I wrote that do automatic ZFS backups and scrubs; the order should go something like:
open the terminal on the server and type
mkdir scripts
cd scripts
nano docker-updates.sh
type something along the lines of this (I’m still learning docker so adjust the commands to your needs)
#!/bin/bash
cd /path/to/compose/folder || exit 1  # the folder that contains docker-compose.yml, not the file itself
docker compose pull && docker compose up -d
docker image prune -f
save the file and then type
sudo chmod +x ./docker-updates.sh
to make it executable
and finally set up a cronjob to run the script at specific intervals. type
crontab -e
or
sudo crontab -e
(this is if you want to run the script as root but ideally, you just add your user to the docker group so this shouldn’t be needed)
and at the bottom of the file type this and save, that’s it:
# runs script at 1am on the first of every month
0 1 1 * * /path/to/scripts/docker-updates.sh
this website will help you choose a different interval
For OS updates you basically do the same thing except the script would look something like: (I forget if you need to type “sudo” or not; it’s running as root so I don’t think you need it but maybe try it with sudo in front of both "apt"s if it’s not working. Also use whatever package manager you have if you aren’t using apt)
while in the scripts folder you created earlier
nano os-updates.sh
#!/bin/bash
apt update -y && apt upgrade -y
reboot now
save and don’t forget to make it executable
then use
sudo crontab -e
(because you’ll need root privileges to update. this will run the script as root without requiring you to input your password)
# runs script at 12am on the first of every month
0 0 1 * * /path/to/scripts/os-updates.sh
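The Docker update script and the "pipe the output into a log file" idea from the comments above, combined into one script. This is an added example, not part of the original comments; `LOG_FILE`, `run_logged`, `update_stack` and passing the compose folder as an argument are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: docker-updates.sh with a log file and failure handling.
# LOG_FILE and the compose folder argument are assumptions; adjust to your setup.
LOG_FILE="${LOG_FILE:-$HOME/docker-updates.log}"

# Run one command, append its output and exit status to the log,
# and hand the exit status back to the caller.
run_logged() {
    printf '%s START %s\n' "$(date '+%F %T')" "$*" >>"$LOG_FILE"
    rc=0
    "$@" >>"$LOG_FILE" 2>&1 || rc=$?
    printf '%s EXIT=%s %s\n' "$(date '+%F %T')" "$rc" "$*" >>"$LOG_FILE"
    return "$rc"
}

# Pull and restart the stack in the given folder. Stops at the first failure,
# so a failed pull never leads to a restart or a prune.
update_stack() {
    compose_dir=$1
    # Only docker-compose.yml (the name used above) is checked here.
    if [ ! -f "$compose_dir/docker-compose.yml" ]; then
        printf '%s ERROR no docker-compose.yml in %s\n' \
            "$(date '+%F %T')" "$compose_dir" >>"$LOG_FILE"
        return 2
    fi
    cd "$compose_dir" || return 2
    run_logged docker compose pull || return 1
    run_logged docker compose up -d || return 1
    run_logged docker image prune -f
}

# Only act when a compose folder is passed, e.g. from cron:
# 0 1 1 * * /path/to/scripts/docker-updates.sh /path/to/compose/folder
if [ "$#" -gt 0 ]; then
    update_stack "$1"
fi
```

After a run, the `EXIT=` lines in the log show which step failed, which is the record you want before deciding whether to roll back to a snapshot.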
Ok so I currently have a cert set up to work with:
www.domain.com (some browsers seemingly didn’t like it if I didn’t have www)
Are you saying I could just configure it like this:
*.domain.com
The idea of not having to keep updating the cert with new subdomains (and potentially break something in the process) is really appealing
Do you mind giving a high level overview of what a Cloudflare tunnel is doing? Like, what’s connected to what and how does the data flow? I’ve seen cloudflare mentioned a few other times in the comments here. I know Cloudflare offers DNS services via their 1.1.1.1 and 1.0.0.1 IPs and I also know they somehow offer DDoS protection (although I’m not sure how exactly. caching?). However, that’s the limit of my knowledge of Cloudflare
there’s so many acronyms. Thanks
This isn’t exactly what you asked for but just in case it might interest you; I ordered this Aoostar WTR Pro recently to replace an Odroid that died on me. It has an intel N150 and lets you install whatever OS you want. I’m pretty happy with it so far.