What do you mean with encryption? Does it need to be transport encrypted, end to end encrypted or is encryption at rest (when the server is offline) good enough?

Yes i do i and you do you. But advertising those things as security measures while not adding any real security is just snake oil and can result in neglecting real security measures.

As i said, the whole internet can be port scanned within seconds, so your services will be discovered, what is the risk you assume to have when your IP address is known and the fact that you host a service with it? The service has the same vulnerabilities if it is hosted via cloudflare tunnels or directly via port forwarding on the router. So you assume that your router is not secure? Then unplug it, cause it is already connected to the router.

Geoblocking is useless for any threat actor. You can get access to VPN services or a VPS for very very very little money.

2. Guess what, all IP addresses are known. There is no secret behind them. And you can scan all IPv4 addreses for ports in a few seconds at most.
3. So some countries are more dangerous than others? Secure your network and service and keep them up to date, then you do not have to rely on nonsense geoblocking.
4. Known bots are also no issue most of the time. They are just bots. They usually target a decade old Vulnerabilities and try out default passwords. If you follow my advice on 3. this is a non issue

You want your backup functional even if the system is compromised so yes another system is required for that, or through it to the cloud. Important that you do not allow deleting or editing of the backup even if the credentials used for backing up are compromised. Basically an append only storage.

Most Cloud Storage like S3 Amazon (or most other S3 compatible providers like backblaze) offer such a setting.

I doubt that this is the case, whether it is encrypted or not. The complexity and risks involved with decrypting it on the fly is really unrealistic and unheard of by me (have not heard of everything but still)

Also the ransomware would also need to differentiate between the user and the backup program. When you do differentiated backups(like restic) with some monitoring you also would notice the huge size of the new data that gets pushed to your repo.

Edit: The important thing about your backup is, to protect it against overwrites and deletes and have different admin credentials that are not managed by the AD or ldap of the server that gets backed up.

During that time, your data is encrypted but you don’t know because when you open a file, your computer decrypts it and shows you what you expect to see.

First time i hear of that. You sure? Would be really risky since you basically need to hijack the complete Filesystem communication to do that. Also for that to work you would need the private and public key of the encryption on the system on run time. Really risky and unlikely that this is the case imho.

This is not really correct. Those companies take complete control of the secret keys. And no, it is not the same effect when you use tailscale compared to wireguard cause of various reasons. CGNAT, no port forwarding, funnels etc.

Netmaker, Tailscale or Zerotier

No way in hell i am giving a company complete remote access to my servers and clients.

This is not the invention of an IP KVM, those are old. This product just offers the functionality of an IP KVM for very little money.

It is based on completely different hardware. A Raspberry Pi CPU is much more expensive than the CPU that is used here.

Power issues can cause problems that the hardware glitches into states it should not be. Changing something in the BIOS or updating it. Hardware defects. OS upgrade fails (Kernel bug causes the network driver to fail) Etc. Etc.

Those devices are not for the weekly “oh my setup failed” its for the once in 10 years “i am on vacation and the server is not reachable and for some reasons my system crashed and has not rebooted by its own”

And for below 100€ it’s a no-brainer.

I just set it up. Yes i dislike the fact, that you need another party for syncing it, but i doubt it would be possible otherwise, just too much work to support everyone.

I read up on GoCardless and they do not sound that evil

But not sure if i will keep the connection up. Will see i guess.

Really disliking that discord is used as helpdesk/forum. Not really searchable via the web.

Also no link to the repo.

I am talking about the fork. It is operated by someone else.

The syncthing fork on f-droid is still an option. An issue has been opened on the github repo. Lets see what will happen with the fork

The thing is, those poor design decisions have nothing to do with those features, i claim that every feature could be implemented without “holding the compose files hostage”.

Btw. dockge does support connecting to another docker dockge instance.

No, that would make no sense and is obviously not what i meant.

But you could separate the arr stack from things like pihole with a vm. For example you could pin one thread to that VM so you will not bottleneck your DNS when you are doing heavy loads on the rest of the system. This is just one example what can be done.

Just because you do not see a benefit, does not mean there is none.

Also, VMs are not “heavy” thanks to virtualization technology built into modern hardware, VMs are quite light on the system. Yes they still have overhead but its not like you are giving up big percentages of your potential performance, depending on the setup.

You talk like there is not in between containers and VMs. You can use both.

What exactly are you referring to? ZIL? ARC? L2ARC? And what docs? Have not found that call out in the official docs.

I use a consumer SSD for caching on ZFS now for over 2 years and do not have any issues with it. I have a 54 TB pool with tons of reads and writes and no issue with it.

smart reports 14% used.