My experience is it’s really a lot of work and with the prevalence of letsencrypt, there is not a lot of automated setups for this use case (at least that I have been able to find). It is kind of a pain in the ass to run your own CA, especially if you plan to not use wildcard and to rotate certs often. If you use tailscale, they offer https certs with a subdomain given to you:
[server-name].[tailnet-name].ts.net
That’s honestly what I’m moving towards.
Another vote for wiki.js. It has tons of authentication options and integrations. The mobile web interface is a tad clunky but usable.
Yea that looks pretty amazing. Thanks for sharing!
Single node k3s is possible and can do what you’re asking but has some overhead (hence your acknowledgment of overkill). One thing i think it gets right and would help here is the reverse proxy service. It’s essentially a single entity with configuration of all of your endpoints in it. It’s managed programmatically so additions or changes are not needed to he done by hand. It sounds like you need a reverse proxy to terminate the TLS then ingress objects defined to route to individual containers/pods. If you try for multiple reverse proxies you will have a bad time managing all of that overhead. I strongly recommend going for a single reverse proxy setup unless you can automate the multiple proxies setup.
And here I am running a bare metal k3s cluster fully managed by custom ansible playbooks with my templatized custom manifests. I definitely learned a lot going that way. This project looks like it has just about everything covered except high availability or redundancy, but maybe I missed it in the readme. Good work but definitely not for me.
Check out Termux. It lets you install nearly any linux software on your Android device. Probably a good place to start to get your toes wet.
I know this isn’t what you’re asking for but I think this is still a good starting point. Like you correctly surmised, identity and authentication management is not an easy subject and does require extensive experience and theory.
I had similar problems doing the same thing with a Pi 4.
Try running a server image on it without desktop and then logging into it over the network from another device like a laptop via ssh
My list is very similar but I have my Pis in a k3s cluster with a NAS for PVs. That allows me to not worry about what physical device is hosting the service, and I built it so I can intermix amd64 devices when I start adding in my used laptops into the mix.
I set up kata containers on my k3s cluster for some pesky containers that require privileged access. It works great for isolation purposes. I haven’t yet experimented with the kata-qemu runtime so not sure how that works.
Having experienced Canonical’s support, if anyone actually needs it they go to RHEL.
How do you have your auth working? Is it basic user/password managed on Nextcloud (external database connected?), is it external auth against something like Okta, or is it user/pass that you define from docker-compose?
If via docker-compose then a restart would clear anything an attacker would have done and it would reload from the docker-compose process I think? I’m not too familiar with the specifics on that as I’m not a security researcher, but generally some attacks are resident in memory only and a restart can clear them only for it to crop up again later either due to a running process that was set to rerun an exploit or someone monitoring your system externally and retrying the exploit remotely again.
Or it could just be some bug in Nextcloud or unique to your environment. Personally I’m only hosting things that are internally accessible via VPN anymore. Tailscale makes that super easy these days.
Are you exposing it to the Internet? Weirdness like that might be from someone exploiting your instance.
Sounds a lot like Netbox, for network management. You can define data centers and racks and equipment and sub equipment as well as the actual network information like what cable is plugged into which port on which device, VLANs, IP addresses, subnets, BPG ASNs, etc.
That sounds awesome. Does it have maintenance reminders and consumable part descriptions/part numbers? I can never remember different filters I need for various things (water, fridge, furnace, cars, etc).
I set up dokuwiki for that the other day. Thanks for posting this, I’ll have to check it out
I’m sorry that you’re going through this and I have no useful advice. If anyone else is reading this, this is why the saying is if you’re not storing offsite you have no backups.
I’m not an electrician. I would assume one adapter in the line would probably be fine if it’s a good quality adapter and no chance of coming loose. I would be worried about shorting / fires and would want an adequate breaker behind it, maybe arcflash.
No judgement here. I think it’s a worthy goal just not one I am particularly interested in at this point. Maybe if the automation was a bit easier and the mobile device management was easier I might join you.