For just an AP, I’ve used a number of the GL-AR300 and they’ve been fine as AP and repeaters, but only 2.4 GHz. I have no interference issues where I am so that’s fine for me, but if you’re somewhere populated, YMMV.

They also have the full firewall/router set on them, but I generally don’t use them for that.

+1 for using Activities. There’s dozens of us!

Might be easiest to just find a mail host that supports push notifications and keep using the mail client that works for you. Unfortunately, I don’t see how you’re getting a webmail client with multiple mailboxes without hosting that yourself with something like Snappymail. Maybe someone offers a paid and hosted Snappymail.

I host my own mailcow server and enable notifications for mailboxes I want to get notified for via Pushover. I have Snappymail in the stack, but rarely use it because I like K9 on mobile better.

Probably something here that you can use like that:

https://github.com/gotify/contrib

OPNsense and HAproxy might be a place to start, they work well together. You can define a backend pool of servers for roundrobinning, and if you buy a block of IPs you can roundrobin the incoming requests as well. I run OPNsense as a VM so that I can use Proxmox’s high availability service for the router and it’ll failover or manually livemigrate if I’m doing maintenance. You can VLAN the servers off from the rest of the network as well with OPNsense, and set up VPNs there for clients if needed, or use the SDN functions in the hypervisor to segregate servers if you’re running them on the hypervisor.

7-3s

Lack of routability is a feature for ISPs, not a bug.

If you take another stab at it, look for NPMPlus, its a better maintained fork. But yah, without a real domain, let’s encrypt will be a pain to get to fly.

Maybe a bit, but if you’re not running rootless docker if they get out of that container they’ll have the run of your docker host. It is a lot of layers to crack, but sometimes they’ve got nothing but time, or it’s been so long since the containers been updated that its trivial. That’s why rootless docker or podman, and Watchtower are your friends.

Also, vlan off your exposed surface and build firewall rules for the VPN and LAN inbound to it, and specific outbound rules if you need those servers to reach into those networks themselves.

And yet here you are, making sure this guy knows he can expose anything he wants except the specific thing you decided is troublesome like immich. Maybe you’ll be here to help him put it all back together with your wealth of knowledge and experience.

Take a hard look at yourself, you’re doing all the stuff you accuse someone else of. Maybe you aren’t always the smartest person in the room. In any case, I’m done with your shit. Go ruin someone else’s day, you ray of sunshine.

Yah, imagine my surprise, it’s almost like people are smart enough to manage a VPN without you holding their hands.

Nobody said they had to. I made him aware of the risks in case he wasn’t. You seem to have an axe to grind there.

Well, apparently a bunch of farmers are smart enough to press a button without even bothering me about it.

I have a couple dozen customers on ios that use their camera servers via Tailscale. Never had a peep about that sort of thing.

And the last is the typical sort of “convenience” that gets people popped.

You set up the VPN and it’s always on. There’s no hassle.

Like, good for you, man.

But you should really keep your stuff inside the VPN and not expose things, it opens up a pile of potential risks that you don’t need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications. If you absolutely, positively must have something exposed directly, put it on it’s own VLAN and with no access to anything you value.

This is necessary for CGNat ISPs. That or cloudflared or ngrok or the like. Because you aren’t really routable on a CGNAT address.

I don’t think a tailscale tunnel helps this anyway, maybe just from standard antispoofing and geoblocks, but it still gets to the application in full eventually, when they can do what they’d do if it was directly exposed. The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access. And they could request another page that has an entirely different surface.

If someone has Nextcloud exposed, I’m not stopping at the /login page that comes up by default and hitting it with a rainbow table; I’m requesting remote.php where all the access goodies are. That has a huge surface that bypasses the login screen entirely, might not be rate limited, and maybe there’s something in webdav that’s vulnerable enough that I don’t need a correct token, I just need to confuse remote.php into letting me try to pop it.

You can improve this by putting a basic auth challenge at least in front of the applications webpage. That would drastically reduce the potential endpoints.

The HA stuff is as hard as prepping the cluster and making sure it’s repping fine, then enable whichever guests you want to HA. It’s seriously not difficult at all.

Oh, they’re noisy as hell when they wind up because they’re doing a big backup or something. I have them in my laundry room. If you had to listen to them, you’d quickly find something else. In the end, I don’t really use much processor power on these, it’s more about the memory these boards will hold. RAM was dirt cheap so having 256GB available for experimenting with kube clusters and multiple docker hosts is pretty sweet. But considering that you can overprovision both proc and ram on PM guests as long as you use your head, you can get away with a lot less. I could probably have gotten by as well or better with a Ryzen with a few cores and plenty of ram, but these were cheaper.

At times, I’ve moved all the active guests to one node (I have the PBS server set up as a qdevice for Proxmox to keep a quorum active, it gets pissy if it thinks it’s flying solo), and I’ll WoL the other one periodically to let the first node replicate to the second, then down it again when it’s done. If I’m going to be away for a while, I’ll leave both of them running so HA can take over, which has actually happened without me even noticing that the first server packed in a drive, the failover was so seamless it took me a week to notice. That can save a bit of power, but overall, it’s a kWh a day per server which in my area is about 12 cents.

I’ve never seen the point of TrueNAS for me. I run Nextcloud as a docker stack using the AIO mastercontainer for myself and 8 users. Together, we use about 1TB of space on it, and that’s a few people with years of photos etc. So I mount a separate virtualdisk on the docker host that both nextcloud and immich can access on the same docker host, so they can share photos saved in users NC folders that get backed up from their phones. The AIO also has Collabra office set up by default, so that might satisfy your document editing ask there.

As I said, I’ve thought I might get an eGPU and pass it to a docker guest for using AI. I’d prefer to get my Home Assistant setup not relying on the NabuCasa server. I don’t mind sending them money and the STT service that buys me works very well for voice commands around the house, but it rubs me the wrong way to rely on anything on someone else’s computers. But it’s brutally slow when I try to run it even on my desktop ryzen 7800 without a GPU, so until I decide to invest in a good GPU for that stuff, I’ll be sending it out. At least I trust them way more than I ever would Google or Amazon. I’d do without if that was the choice.

All of this does not need to be a jump both feet first; you can just take some old laptop and start to build a PM cluster and play with this. Your only limit will be the ram.

I’ve also seen people build PM clusters using Mac Pro 2013 trashcans, you can get a 12core xeon with 64GB of ram for like $200 and maybe a thunderbolt enclosure for additional drives. Those would be super quiet and probably low power usage.