You basically need a router between the networks. I would recommend pfsense or opnsense or if you like cli vyOS. I run a pfsense that has my ISP router on the WAN port and a network interface for all VLANs and then I configured the firewall to allow specific traffic to specific devices in specific VLANs. For example my PC can reach the smart home controller website but no other device. And the samrthome devices only can reach the DNS in the ISP network (my kinda DMZ) and the router to reach the internet. And for every VLAN there are own rules where goes what communication.

You also can setup that on the managed switch which you would need for setting up VLANs.

2 days for most hosts as they had a kernel update. Other hosts about 30 days (no updates pending). And the winner is my core switch with 750 days up time.

Hm. Lag spikes in Tarkov and you check your server? I mean Tarkov.

But yeah I can feel your misconception here. But I am also the other way around I uninstalled firewalld and do all on iptables level. I am just more used to iptables. And so the sole controlling instance is iptables. In the end it’s all netfilter in kernel space.

Yea don’t use enterprise stuff and build servers yourself with lowpower hardware. Less power less heat also can be cooled easier with Noctua Low RPM low noise fans.

Nope. No VMs. Don’t know why would I if I have a dedicated XCP-NG pool for that.

I use rdiff-backup to backup the volumes directory of my VPS to a local machine via VPN. Containers are stored in some public registry anyways. Also use ansible with all the configurations and container settings.

So you know how to do it securely and analyze what may go one when it is attacked. Or what else do you want with cybersecurity? It’s about securing services on the global network and local. And webhosting is one of those service.

Depends on the support case you got. If it’s technical you have basically 24/7. I am in Germany but had once a hard drive failure in a server at 1am contacted technical support and it took about 30 minutes overall and the new drive was resilvering and the server back online. Takes a bit as the NOC needs to go to the data center and so on.

The problem is a lot of people here are beginners and have no real clue about network security. And opening a port is opening a door. If you have a bouncer that clears people beforehand then you can keep the door open. But you will still need to keep your bouncer trained so he can take care of people you don’t want. Same with software. Keep it updated and have security enhancements in place like 2FA and analysis tools like crowdsec or fail2ban. And the open port might not an issue at all.

But if you open a device like a NAS (cough QNAP cough) then you have a higher security risk.

TLDR; if you know what you are doing it might not have implications.

Moved on from compose ages ago. So should you.

I run three piholes with gravity sync and have none of the problems you describe.

But pihole isn’t big magic it’s basically a dnsmasq with some management stuff around it. you could host a dnsmasq yourself and just fill the filter rules in the config file your self with ansible. The adliges are publicly available just get them with Ansible and parse them into a dnsmasq config template.

Here is an blog about it. https://alblue.bandlem.com/2020/05/using-dnsmasq.html

Maybe ask r/piracy. Not sure what this has to do with self hosting.

Mailcow is pretty good. They install fail2ban to protect all endpoints against attacks. And it’s pretty easy to setup and the documentation is pretty good.

Have a look at cloudflare tunnel. You still have vaultwarden in your lan but accessible from the world. No open ports needed.

ls

I use traefik as reverse proxy in front of my services and have it generate let‘s encrypt certificates with dns-challenge. Do Inexpect MIM attacks at my home. No not necessarily because they would be physical access to my infrastructure but yeah having it this way feels just better.

Not sure if the tik Logs traffic that detailed. But you could setup a remote logserver (syslog-ng) and have the tik send it logs to that and then push them with logstash into an ELK stack and use that. Or not Loki and Grafana analyze the log and build the dashboards you need/want.

I either use public available containers like from docker hub or other registry. Or if I build them myself I have them pushed to my own self hosted registry with a minio(s3 compatible) backend and mirror the MinIO instance to a VPS.

All dynamic data is saved with the VM backup the container runs on or is backed up with rdiff-backup to an offsite location.

Sure you can. The question is what are the exact specs and what do you want to self-host?

I have two HP EliteDesk 800 Mini as a XCP-NG pool. Both with i5 6th gen only but with 64GB each and they run about 20 VMs distributed between both.

Sure they won’t be able to perform large language model tasks but for most self-hosted services they are more than powerful enough.

A this is r/selfhosted and there for the solution is to self host.