I’m not sure if this what you’re after, but it sounded to me that you were describing monitoring. Might be worth your checking out librenms or zabbix or checkmk. Those would give you a good overview of the health of your stuff and keep track of what’s where.
Not sure if this is the kind of thing you’re after, but I think learning a little about the very fundamental pieces of these systems really helps to understand the mechanisms at work.
One place that was really useful to me was years ago, the Security Now podcast did a series called “How the Internet Works” ( I think). Steve Gibson went over all the principles layer by layer and it helped my understanding a ton. This was many years ago, so the rest of each episode is probably filled with really old security news, but the main bits are as relevant as ever.
I’m not familiar with Zurg, but the WebDAV connection makes me recall: doesn’t LXC require that the FUSE kernel module be loaded in order to use WebDAV?
I’ve also seen it recommended that WebDAV be setup on the host and then the mount points bind mounted into the container. Not sure if any of that helps, but maybe it’ll lead you somewhere.
That’s a great tip. I’d completely forgot you can use telnet for that. Thanks!
Thanks for the response. I really should just dive in, but I’ve got this nagging fear that I’m going to forget about some DNS record that will bork my entire mail service. It good to hear about some working instances that people are happy with.
Tainted in that the kernel and ZFS have different licenses. Not a functional impairment. I have no way to check to check a system not using ZFS. For my use case, Debian plus ZFS are PVE’s principal features.
I have synapse server running in docker on a VPS and it’s been pretty reliable. At my office I use it as sort of a self-hosted Slack replacement. For our use case, I don’t have federation enabled, so no experience on that front. It’s a small office and everyone here uses either Element or FuzzyChat on desktop and mobile. It runs behind an nginx reverse proxy and I’ve got SSO set up with Authentik and that’s worked very well. Happy to share some configs if that would be useful.
Have you by any chance documented your PMG set up? I’m also a very happy Mailcow user and spinning up PMG is something I’ve been meaning to tackle for years so I can implement archiving with mailpiler, but I’ve never really wrapped my head around how everything fits together.
Ceph isn’t installed by default (at least it hasn’t been any time I’ve set up PVE) and there’s no need to use ZFS if you don’t want to. It’s available, but you can go right ahead and install the system on LVM instead.
In the long run you’ll want to specify where it lives. Manually you could use the mount command, but really you want the share to mount every time you reboot the machine so it’s always available. If you’re after a GUI app to do that, check out smb4k. I think that has options to do automatic mounting to a directory of your choosing (the path would typically be something like /media/<your username>/<synology hostname>/<name of share>).
If you want to do this from the command line, look into autofs, which lets you define a configuration and automatically mount an SMB share whenever your system needs it.
It sounds like in your situation, you’d create a shared folder where your media lives (smb or nfs) on the Synology and mount that share to the machine running jellyfin. Then adding the folder as a library will be the same as choosing a local folder.
I think you can do the same with LUKS (https://www.cyberciti.biz/hardware/cryptsetup-add-enable-luks-disk-encryption-keyfile-linux/) if that’s your preferred route.
Another idea for you: if you use ZFS for the install, check Debian directions on OpenZFS or zfsbootmenu and you’ll get directions for an encrypted installation. You’ll be able to specify the path to a key file, which you can keep on a thumb drive. When the machine boots up, it’ll see the thumb drive and decrypt the zpool automatically; yank the thumb drive and it won’t (backup the key of course).
The answers for this will vary widely, but the thing I think many people overlook when planning out expenses is a plan to back up the data. Having the file server is great, but start planning now for what to do when it breaks. Where will backup copies of your data live and how will you restore it?
As to the server itself, the hardware completely depends on your desires. Some like second hand enterprise gear; others prefer purpose-made home NAS devices or a DIY rig. On the software side my thought is keep it simple if you’re starting up. There are good readymade options (TrueNAS, XigmaNAS, openmediavault, unraid, etc). They’re all great and they help get up and running quickly. They also have a lot of tempting knobs to turn that can cause unexpected problems if you don’t fully understand them.
To my mind file servers have to be reliable above all else, so I’d avoid running anything besides file sharing on your server until it’s running like a top and then only add more layers one at a time.
Sorry for all the philosophy, but I really do think this is a common stumbling block for people getting started.
You ever see those Wired videos where they talk about a concept on five different levels ranging from beginner to expert?
The first level answer is likely that, yes, you’re reasonably secure in your current setup. That’s true, but it’s also really simplified and it skips a lot of important considerations. (For example, “secure against what?”) One of the first big realizations that hit me after I’d been running servers for a little while and trying to chase security is the idea of a threat model. What protects me from a script kiddie trying to break into one of my web servers won’t do much for me against a phishing attack.
The more you do this, though, the more I think you’ll realize that security is more of a process than an actual state you can attain.
I think it sounds like you’re doing a good job moving cautiously and picking up things at each step. If the next step is remote access, you’ve got a pretty good situation for a mesh VPN like Tailscale or Netbird or ZeroTier. They’ll help you deal with the CGNAT and each one gives you a decent growth path where you can start out with a free tier and if you need it in the future, either buy into the product or self host it.
It sure will handle a remote VPS, it’s just not as automatic to set up as it is with PVE.
I put this off for a long time, but I finally did it this weekend.
Basically, you install the proxmox-backup-client utility and then run it via cron or a systemd timerto do the backup however often you want.
You’re responsible for getting the VPS to communicate with your backup server (like pretty much any self-hosted service), so some sort of VPN between them would be good. I used NetBird for that part and I have a policy that allows access from the client to PBS only on TCP port 8007.
I’ve been quite happy with Proxmox Backup Server. I’ve had it running for years and it’s been pretty solid for all my VMs/containers. There’s also a bare metal client, which I’m adding to a couple cloud VPS machines this weekend. We’ll see how that goes.
Also, since it’s just Debian under the hood, I also use the PBS host as a replication target for my ZFS datasets via sanoid/syncoid.
I just had to do this. Don’t skip the release notes. They’re really good at highlighting potential pitfalls, just scroll back through and look for the heading “Breaking Changes.”
In my case there were a few, but they were only for API calls I’m not using, so I just did the update in one go and it worked out great. (Of course, I made sure to take a backup first.)
A hybrid is probably a good way forward. I had a career as a photographer for a while and I learned from that: going through 1000 photos takes very little time, but going through 10,000 takes an eternity. If you can star or mark your obviously important photos as you go along, it’ll take very little to print them at the end of the year.
There’s definitely nothing magic about ports 443 and 80. The risk is always that the underlying service will provide a vulnerability through which attackers could find a way. Any port presents an opportunity for attack; the security of the service is the is what makes it safe or not.
I’d argue that long tested services like
ssh, absent misconfiguration, are at least as safe as most reverse proxies. That doesn’t mean to say that people won’t try to break in via port 22. They sure will—they try on web ports too.