

I might be wrong, but it sounds like hosted nextcloud, not a completely new platform.
That’s from the current nextcloud docs:
We strive to bring Artificial Intelligence features to Nextcloud. This section highlights these features, how they work and where to find them. All of these features are completely optional. If you want to have them on your server, you need to install them via separate Nextcloud Apps.
You’re right, that’s an option. I could set this up at my router, this way it would be almost indistinguishable from IPv6 via my ISP.
It’s really not that hard. Sadly, my ISP doesn’t offer IPv6 yet, but for my vServer, enabling IPv6 was just a checkbox during creation. Then, you need to make sure that the service (e.g. webserver) also listens on the IPv6 address and maybe tweak the configuration of the webserver to actually serve websites via IPv6. Also, check your firewall settings. Lastly, you need to set the DNS AAAA records and you’re done.
I mostly try to read the docs, but sadly good documentation is pretty rare.
I’m currently following this guide to set up caddy reverse proxy with coraza web app firewall.
But be warned, this whole rabbit hole of WAF isn’t trivial, some protections don’t work well with some apps (e.g. portainer triggers some rules about system command execution) and it needs some tuning. I personally set it up to learn more about WAFs because I believe it will help me in my career, but I would not blindly recommend it to everyone.
Approaches like crowdsec and fail2ban seem much more suitable for selfhosters – and keep your server software updated.
I doubt using secret managers is popular among self hosters. These products are targeted at larger deployments, not homelabs.
I’ve installed coraza web app firewall with OWASP ruleset this weekend. I must admit that it wasn’t as easy as I expected, but it now (mostly) works. I had to give up with nextcloud though.
RClone to a cloud storage (hetzner in my case). Rclone is easy to configure and offers full encryption, even for the file names.
As the data is only uploaded once, a daily backup uploads only the added or changed files.
Just as a side note: make sure you can retrieve your data even in case your main system fails. Make sure you have all the passwords/crypto keys available.
I’ve got it running for a few weeks now. Seems very nice
Nice list of suggestions, but implementing all of them feels a little over-the-top.
I don’t really get the love for fail2ban. Sure, it helps keep your logs clean, but with a solid SSH setup (root disabled, SSH keys enforced), I’m not bothered by the login attempts.
I’m currently comparing Authentik and Authelia. For me, Authentik was extremely easy to get into. Authelia with its text-based configuration is clearly not as easy for beginners.
I’ve started to set up Authentik this weekend. My goal is to learn more about SSO and have one account for most of my selfhosted services.
I’m missing the rpi1 in that list. Please fix ASAP.
I’ve seen that some want it to host their own LLM. It’s far cheaper to buy DDR5 memory than somehow getting 100+ GB of VRAM. Whether or not this is a good idea is another question.
The DNS record must point to cloudflare, not the instance IP
I’m glad that development is getting more stable, the regular updates with breaking changes were not so great.
That’s true, but might not really be a problem for most. Just set the jail time to something short (a few minutes, maybe an hour).
Just as a side note, make sure to back up your immich / nextcloud services too.