themachine

joined 1 year ago
[–] [email protected] 16 points 2 days ago (8 children)

What's bad about it? I'm a Linux admin by nature but an admin of all by profession and overall I have no real complaints about Teams. Has always worked just fine for me and to my knowledge everyone else.

[–] [email protected] 7 points 3 weeks ago

I constantly hear this but I just want to be the counter argument here.

Self hosting email is not the impossible tasks that people make it out to be. It is on the more advanced side of things though if you are hosting your primary email that you rely on.

I've been hosting my own email forany years now and have had no issues whatsoever but I also have years of experience and know how email works better than many that have no interest in such.

I would NOT recommended starting your self hosting journey with email but I will never discourage people from doing it.

Take your time. Ask questions any time you don't understand something. Be ready to learn a lot and design a solid plan for disaster recovery.

[–] [email protected] 4 points 1 month ago

Let's see the rule(s) then

[–] [email protected] 2 points 1 month ago

Just configured your mail clients pop/IMAP server as your fetchmail target and SMTP as your hosted service.

[–] [email protected] 17 points 1 month ago (15 children)

Yes and what exactly is a radical feminist to you

[–] [email protected] 2 points 2 months ago (1 children)

In the scope of wireguard it'll just be a matter of you building appropriate firewall rules.

Since you want their internet traffic to go through you then i assime you're effectively pushing a 0.0.0.0/0 route to your clients. You then need to add firewall rules on your server to block traffic to its local subnet and in the future allow traffic to only your jellyfin server.

This is also pretty simple and nothing wrong with that setup.

[–] [email protected] 1 points 2 months ago (3 children)

You did not answer what VPN tech you are using.

Without that knowledge i would recommend setting up tailscale and having your users use that. If you want to be fully self hosted you can also run Headscale as the control plane instead of relying on Tailscales own service.

I recommend tailscale as it is very easy to grant a user privileges to ONLY use an endpoint as an exit node but also grant access to any other endpoints as needed (such as your future jellyfin server) via theor ACLs.

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (5 children)

Best practices comes down to what you do or do not want the VPN clients to access. This mostly comes down to routing and firewall rules.

So, what should your users have access to?

Also what is the vpn?

[–] [email protected] 12 points 2 months ago (8 children)

I'm not entirely sure what the actual question is. Can you rephrase what exactly you are trying to accomplish?

[–] [email protected] 7 points 3 months ago

If you want simple you'll have to manually decrypt each time it needs doing.

If you want it to be "automatic" then your best bet is something network based. A "simple" would be to just have a script ssh's somewhere, pulls the decryption key, and then decrypts the disks. There's plenty of flaws with this though as while a threat actor couldn't swipe a single encrypted disk they could just log in as root, get your script, and pull the decryption key themselves.

The optimal solution would be to also encrypt the root partition but now you need to do network based decryption at boot which adds further complexity. I've previously used Clevis and Tang to do this.

I personally don'tencrypt my server root and only encrypt my data disks. Then ssh in on a reboot or power event and manually decrypt. It is the simplest and most secure option.

[–] [email protected] 6 points 3 months ago (1 children)

I backed this: https://www.crowdsupply.com/cool-tech-zone/tangara

Its not yet released and is in the manufacturing process but I think it's worth considering

[–] [email protected] 15 points 4 months ago
view more: next ›