  • We kind of selfhost almost everything - while we operate a small server ourselves, the main burden is on a dedicated server setup. Basically a FreeIPA+Authentik+OpenCloud stack as a base, with Redmine, Kimai, Zammad, Matrix, Jitsi and a few more apps (Moodle, Seed DMS, Netbox, Zabbix, OPNsense, Vaultwarden, Forgejo, Ansible). Additionally we use a fair share of software remotely via RDP.

    Backups are done onsite and to three different offsites, including cold storage backups.

    As we all work fully remote this setup is also fairly adaptable and the switch to an (almost fully) Linux shop went far better than expected - my staff is fairly content with their setup (afaik).

    The only things I refuse to selfhost are email and VoIP.





  • Zabbix is extremely nice.

    Why?

    • API monitoring for Proxmox and Docker/Podman. Aka "you don’t need to set up monitoring for every container/LXC/VM. Do it once for the host, then everything gets autodiscovered."

    • Active and passive agents as well as SNMP, IPMI, etc. can be combined as you like. Also does website/service/application/database monitoring, SSH/Telnet checks and nowadays can even do Prometheus and MQTT/Modbus.

    • The proxy is really really worth it. It collects data from nodes you do not want exposed and relays them to the server. This includes all kinds of inputs and is really easy to set up.

    • Due to it being around for two decades there are a shitton of templates for devices - and it’s fairly easy to do your own.

    • Unlike other systems (cough checkmk cough Grafana) there are no features that are only available to paying customers.

    The most major downsides are the fact that it’s moderately to fairly resource intensive to run in a small setup (but does consume less than others in large setups) and its far less flashy dashboards. (Which are still powerful, though.)


  • Not a fan. Absolutely not.

    They had multiple security incidents which they kept under the rug for a long time, they have the tendency to EOL devices without warning (which then means you need to replace your sometimes 9-month-old device or your whole environment can’t be updated), their lock-in into their ecosystem is much more complete as they can’t be used properly without their environment. (E.g. Omada devices can work without the Omada stuff, with Unifi you will always need a controller for some functions.)

    So if you really need SDN features like Unifi look at Omada, otherwise Mikrotik is a solid alternative. (And OPNsense for firewall.)


  • philpo@feddit.org to Selfhosted@lemmy.world · System Redundancy · 24 days ago

    My company is a part of critical infrastructure and we provide consulting in disasters (e.g. how to get a hospital back up and running). So we fall under European legislation to have certain precautions. And as I colocate in my company’s rack… it’s easier. As the rack is in a room I rent to my company. (We are small and I am the founder, that makes it easier.)

    But yeah, we put a bit of thought in it. Waiting for Iris2 to finally materialise so I can finally get rid of LTE.


  • philpo@feddit.org to Selfhosted@lemmy.world · System Redundancy · 24 days ago

    I have an LTE backhaul, but admittedly if the firewall itself craps out I would also be offline - but I can at least reboot it via a plain old GSM power plug. That thing does not directly reboot the firewall, though, but brings up an old Raspberry (USB boot, I don’t trust SD cards) which then checks if outside connectivity is still available (so if the GSM power plug gets compromised it’s not an issue) and if not tries a shutdown or, if that is unsuccessful, a powercut of the firewall. If that also doesn’t work it triggers a dry contact in the GSM plug which leads to the plug sending out an SMS so I know I am fucked and need to get someone with a key to the rack.
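The escalation ladder described in the comment above, sketched as an added example (not the poster's own code). The hook names `graceful_shutdown`, `power_cycle` and `raise_alarm`, the probe targets and the settle time are assumptions; the graceful step is assumed to restart the firewall and report whether the command was accepted.

```python
import socket
import time


def outside_reachable(targets, timeout=3.0):
    """Return True if a TCP connection to any probe target succeeds.

    `targets` is a list of (host, port) pairs chosen by the operator.
    """
    for host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False


def run_watchdog(is_online, graceful_shutdown, power_cycle, raise_alarm,
                 settle=lambda: time.sleep(180)):
    """Walk the escalation ladder once and return the steps taken.

    All four hooks are hypothetical callables supplied by the operator.
    """
    if is_online():
        # The watchdog was powered up although the uplink works. Doing
        # nothing here means a hijacked GSM plug cannot reboot the firewall.
        return ["online-no-action"]

    steps = ["graceful-shutdown"]
    if graceful_shutdown():          # True = firewall accepted the command
        settle()                     # give it time to come back up
        if is_online():
            return steps + ["recovered"]

    steps.append("power-cycle")      # hard cut, the second rung
    power_cycle()
    settle()
    if is_online():
        return steps + ["recovered"]

    steps.append("alarm")            # last rung: dry contact -> SMS
    raise_alarm()
    return steps
```

In a deployment, `is_online` would wrap `outside_reachable` with the operator's own probe targets; the returned step list is suitable for logging.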



  • Have a look at Agent DVR. Works locally and the “pro” features that one would need to pay for are basically just plugins. Everything else works nicely without it. Additionally it accepts basically everything you throw at it camera-wise and is far easier to configure than Frigate, also has a (good) HA integration and is extremely mighty if your system grows over the years.

    The mobile app is nice, but it also works fairly well in a browser on mobile.


  • Did you just seriously recommend port forwarding to an NVR login? Even worse with a consumer-grade router? With HTTPS, non-standard port and a strong password as the only security tips?

    Please, people, for the love of god: Don’t do that. Really. Don’t. This is really bad advice, sorry.

    Unless you are very very sure that your NVR solution is impeccable in terms of security (none are), you are 100% sure you stay up-to-date all the time (including reviewing updates for issues) and have additional measures like fail2ban, IDM/IDS, etc. in place this is a very bad idea. HTTPS is only helping in terms of password transmission/spoofing, which is an unlikely vector here, a non-standard port doesn’t help one bit here (have a bit of fun with Shodan and see for yourself) and while a strong password helps it only helps if the auth of the system and the OS below itself is watertight - a hard task.

    It is always a bad idea to port forward unless you really really cannot avoid it.

    Use a VPN - as you said, WireGuard.








  • philpo@feddit.org to Selfhosted@lemmy.world · Solutions for remote access? · 3 months ago

    Just a theory: There is a good chance that your provider does CG-NAT and that was the issue with OpenVPN. These would persist with WireGuard, sadly, unless you solve them properly. (Which can be tricky.) But just for the book: Running a WireGuard container behind your router and having a port forwarded to it is an option. (But still needs CG-NAT addressed.)

    That leaves you with a few options:

    • Cloudflare: Imho a bad idea - it’s evil, it’s monopolistic and while it’s “an easy way” it has its technical downsides. As you said a domain is still required.

    • Use a small VPS and run a WireGuard tunnel and maybe Pangolin as a reverse proxy on it. It has the benefit of being very flexible and once configured is fairly stable and it puts the security part outside your network. But it costs money unless you maybe make it work on Oracle’s free tier. (I would still recommend using a cheap domain, though.)

    • As others have mentioned: Tailscale/Zerotier/Netbird absolutely are an option if it’s just for you. But they get nasty if it’s for more people or larger deployments with Tailscale and while Netbird is far better it’s less common and does require a domain as well. (Which, again, is not a bad idea to have.)
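A quick way to test the CG-NAT theory from the comment above, as an added example that is not part of the original post: compare the WAN address the router reports with the public address an outside service sees. The function names and verdict strings are assumptions, and the addresses in the usage comments are constructed from documentation ranges.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: the router sits behind another NAT device.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def diagnose_wan(router_wan_ip, observed_public_ip):
    """Classify the uplink from two addresses.

    router_wan_ip:      WAN address shown on the router's status page.
    observed_public_ip: address an external "what is my IP" service reports.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    pub = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "upstream-nat"
    if wan != pub:
        # Routable-looking WAN address, but traffic leaves from another
        # one: the provider still translates somewhere on the path.
        return "address-mismatch"
    return "direct"


def port_forward_can_work(verdict):
    """Only a directly assigned public address accepts inbound forwards;
    every other verdict needs an outbound tunnel (VPS relay or mesh VPN)."""
    return verdict == "direct"


# Constructed sample values:
#   diagnose_wan("100.72.13.5", "203.0.113.7")  -> "cgnat"
#   diagnose_wan("203.0.113.7", "203.0.113.7")  -> "direct"
```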


  • Netbox, especially when combined with plugins, is so incredibly good and mighty that it’s almost funny how good it is. What I do plugin-wise:

    • Documents: not implemented yet by me, but one could store manuals, etc. directly within Netbox.

    • Lifecycle and Inventory: While it’s not as good as Snipe-IT (tbh, inventory is imho one of the worst plugins) it does the job for my small deployment.

    • Slurp it to scan automatically

    • QR Code for obvious reasons

    • Floorplan as well

    Of course that sounds like overkill for a small deployment, but I simply forget too many things after a few months otherwise and it’s something my family (wife is in IT and far more qualified than me) would need if something happens to me, so proper documentation would be essential for that as well.