

I’d rather not have them probing my website at all. I’m not Facebook, my data is not unlimited and free.
You’re going to have to read every single release with breaking changes.
I’m trying to block the most likely attack vectors which is definitely VPS providers at this point in time. I just figure if I am blocking subnets plus additionals I identify it will force them out of these vectors to attack in ways I might be able to report better abuse.
Here check out my analysis.
No I think f2b handling it would be totally fine for me. Kids got in the way with digging around too much but will try this week.
Ahhhmazing, I’ll set this up tonight. Really appreciate the help.
I’ve used it on a machine before but given I am using a cloudflared container for ingress, can I route my traffic through a f2b container to the app? This might be ideal from a config perspective.
LLMs say yes but I’ll need to play around.
I have more than 50k but even that page doesn’t recommend it.
Top of that page
Recommendation: Use WAF custom rules instead
Cloudflare recommends that you create WAF custom rules instead of IP Access rules to perform IP-based or geography-based blocking (geoblocking):
- For IP-based blocking, use an IP list in the custom rule expression.
On the fail2ban front, can I run my traffic through a f2b container and out into my app?
How easy is it to configure?
My goal is to download some lists from GitHub and generate one big ban list to feed into the WAF but the community lists of CrowdSec might negate the need.
I use namesilo for everything but my .au domains.
Mount your NFS in the fstab and make sure you have docker set to wait until the mount is working. Here is a guide. https://davejansen.com/systemctl-delay-start-docker-service-until-mounts-available/
I’ve only had to delay on my N100s.
So I have the mounts set and then just use those paths in my compose. All my machines have the same paths.
I’ve looked at it but never actually given the Synology proxy a go despite using their DNS server. Does it do auto certificate renewal?
Have you considered using a Cloudflare tunnel to bypass the CGNAT? You can do that into a proxy or straight into the service.
Might be the population on lemmy but elsewhere docker or podman are way more common. K8 in Enterprise.
All the services OP has listed run great in docker, excluding Frigate (not tested personally).
Or just run them in containers and skip the need to run the VMs at all. You can do snapshots with Debian fine.
Personally I would keep it simple and just run a separate NAS and run all your services in containers across the devices best suited to them. The i3 is not going to manage for Jellyfin while sharing those other services. I tried running it on an N100 and had to move it to a beefier machine (i5). Immich for example will use a lot of resources when performing operations, just a warning.
If you mount a NAS storage for hosting the container data, you can move them between machines with minimal issues. Just make sure you run services using a docker-compose for them and keep them on the NAS.
You completely negate the need for VMs and their overhead, and can still snapshot the machine; if you run Debian as the OS there is Timeshift. Other distros have similar.
So I recently sandboxed a webapp I am getting ready to launch.
Basically Unifi switch > Vlan port > Server > Hosting Webapp instances, worker instance, cloudflared and DBs.
Pretty chuffed at the docker config actually. Just configuring my WAF and tunnel settings with Cloudflare to reduce the scanning from VPS providers. Anyone have a solution or will I need to configure some sort of nginx instance to do it as Cloudflare only allows a certain length for each WAF rule for free?
Side thought, does anyone know of a tutorial for CI/CD to auto build my containers and deploy? I’ve been reading GitHub and Codeberg docs and playing around to no avail. I’m tempted to just write a Go script to handle it on my server.
I’d rather not have my library files available to everyone in the house. My NAS only has secured access via these apps.
As mentioned they keep position, copy files over as you access them, tailscale allows access everywhere.
I transition from mobile phone to PC more than twice a day. Just because you don’t want an app to do it doesn’t mean others don’t have the requirements.