TBH, it sounds like you have nothing to worry about then! Open ports aren’t really an issue in-and-on itself, they are problematic because the software listening on them might be vulnerable, and the (standard-) ports can provide knowledge about the nature pf the application, making it easier to target specific software with an exploit.

Since a bot has no way of finding out what services you are running, they could only attack caddy - which I’d put down as a negligible danger.

My ISP blocks incoming data to common ports unless you get a business account.

Oof, sorry, that sucks. I think you could still go the route I described though: For your domain example.com and example service myservice, listen on port :12345 and drop everything that isn’t requesting myservice.example.com:12345. Then forward the matching requests to your service’s actual port, e.g. 23456, which is closed to the internet.

Edit: and just to clarify, for service otherservice, you do not need to open a second port; stick with the one, but in addition to myservice.example.com:12345, also accept requests for otherservice.example.com:12345, but proxy that to the (again, closed-to-the-internet) port :34567.

The advantage here is that bots cannot guess from your ports what software you are running, and since caddy (or any of the mature reverse proxies) can be expected to be reasonably secure, I would not worry about bots being able to exploit the reverse proxy’s port. Bots also no longer have a direct line of communication to your services. In short, the routine of “let’s scan ports; ah, port x is open indicating use of service y; try automated exploit z” gets prevented.

I am scratching my head here: why open up ports at all? It it just to avoid having to pay for a domain? The usual way to go about this is to only proxy 443 traffic to the intended host/vm/port based on the (sub) domain, and just drop everything else, including requests on 443 that do not match your subdomains.

Granted, there are some services actually requiring open ports, but the majority don’t (and you mention a webserver, where we’re definitely back to: why open anything beyond 443?).

Client side, under advanced:

That’s a setting

Thanks for sharing! Sounds about as good/bad as I was expecting. How’s the browser experience? Also, are there any features/tweaks you are aware of that you could not get through Nix, that the more “commercial” Linux device manufacturers have developed for their devices?

Holy crap! A NixOS-on-phone user in the wild! You are rocking my dream setup. How’s your experience been with it? Is it remotely daily drivable for phone things?

Yes. Using simple-nixos-mailserver as the foundation.

Really great experience, and have had no deliverability issues.

How exactly does Free, non-open-source software prevent that?

Ah, nice. In that case just beware to move /var/lib/private/conduwuit to /var/lib/private/continuwuity, not /var/lib/conduwuit to its counterpart

Ah crap, forgot to ping you! Sorry!!

Yep, easy decision now. Migration went smoothly, just had to move the state dir and chown it to continuwuity:continuwuity. Might be different on docker though, no idea, sorry 😄

Update: seems to me tuwunel is drama waiting to happen. See updated post for details.

Yes, completely agree. It seems that the matrix foundation could easily take a different path to allow the community to flourish and third-party servers to have a much easier time. Since I’m not federated, I wouldn’t even mind if whatever fork I’ll end up on eventually says “fuck this, we’re not following synapse specs any more”.

But yeah, I am sure selling premium accounts on matrix.org is what will save the matrix ecosystem… 🤦🏼‍♀️

Understandable.

Hm, fair enough, I actually have very little experience with XMPP. (Only through prosody, which I personally am on a war footing with.) From a cursory glance, I also couldn’t find an Android lient I’d really want to use, but of course that is subjective.

In any case: I have a matrix server up and running, and it has been a pain to get friends and family on there; I do not want to do all of that again with a new protocol/clients. As long as it’s sustainable, I want to stay with the same server installation, and that means choosing a conduwuit for me.

There’s nothing technically wrong with it, it’s just a glacial development speed. I tried contributing there myself when I wanted a specific feature (which had been requested years prior by someone else and was deemed a good idea), it took months before I even got a single comment back.

In the meantime, I had switched to conduwuit because it was a much, MUCH more active project. However, conduwuit has diverged substantially from conduit, including irreconcilable database changes, so it is not possible to migrate back, that would require starting from a fresh slate and loosing all user data.

Understandable. Funny thing is, I’m not even federated; I think that keeps me away from a lot of drama.

But yeah. The drama sucks, and so does the Matrix Foundation. So many dumb decisions, so many years old issues that could easily boost acceptance and usability, but… Nah. No better alternatives around though if you want to own your data, have proper multi-client support, and at least the option to federate.

Nice, how’s it been going?

Roger, will do.

Yeah, community driven sounds like unless there’s new drama. But yeah, currently tending towards continuwuity. Purely vibes based from snooping around both repos.

We have NixOS, Proxmox and TrueNAS in use.

• TrueNAS on a dedicated NAS host. It’s great for that, and has been super stable. The snapshotting works great, and all the little tasks associated with a NAS are taken care of without needing to spare a thought.
• Proxmox as VMS host. You haven’t mentioned it above, so I’ll leave it at this: also works really well for its purpose.
• NixOS: acouple dozen NixOS VMs runnign on the Proxmox hosts. I like the separation (i.e.: one VM <-> one task/service), but it’s not necessary, esp. if you plan on using a stable branch. I absolutely love NixOS, and would never run server applications on anything else ever again. The documentation thing is trueish. There’s not even close to the same documentation as with e.g. Arch and the Arch Wiki, but that makes sense when you think about it: instead of hundreds of lines of documentation, you hide that complexity behind an option, e.g. graphics.nvidia.enable = true; which then becomes pretty self-explanatory, at least if you are somewhat familiar with the ecosystem already. The way I’d recommend going about documentation with nix is this:
  • go to search.nixos.org/options, search for the service you would like to host. 90% of the time, the options and descriptions shown are all you need.
  • if an option is unclear, click on its “declared in” link. You’ll be taken to the module source in nixpkgs. Look at what they are doing there/the comments explaining why. Often, this resolves any ambiguity, or helps you out with your goal.
  • if that did not help, check the NixOS wiki; often, common pitfalls are documented there, together with the nix expression to fix them.
  • another great way is to search GitHub for language:nix <thing you need to do>. As a random example: I recently wasn’t sure how to configuring scaling in hyprland on NixOS, but searching for an appropriate term will quickly show you how other people have solved the same problem. It’s not really documentation, but the declarative nature of nix means it’s easy to find TONS of working examples via a github search.
  • all else failing, ask on discourse.nixos.org. Youńll usually get useful help very quickly there.

So, what’s my advice?

If you are unfamiliar with NixOS, it’s probably a bit of a headache getting a NAS to run satisfactory. Truenas works so well, there isn’t really a need for nix. But running your services in nix is great, totally recommend!