Hm, after the initial upload, it shouldn’t really generate much traffic if I can only manage to upload the diff, so it might not be much of an issue for me. I am not yet really familiar with tools like rsync and rclone, and also don’t know how the changes are stored in the Borg repo (e.g. if I move a 1 GB file from one folder to another, does that get picked up as a 1 GB change by the syncing tools?), so I would need to do some more research to see if that would be achievable.

Hetzner also looks nicely priced, but it would’ve been nice if I could choose an even cheaper tier with less storage, as 1 TB is quite overkill for this particular use case. I could of course use it to backup other things.

Not a requirement that it is E2EE, as the Borg repo is already encrypted. Guess my knowledge of these services is biased towards E2EE from previous research for use cases where that was a requirement.

Thanks for the tip, hadn’t hard about Backblaze before. Very reasonable pricing. Would a good strategy then be to schedule rclone to have it synced, or are there other ways that would be better?

I recently started organizing my music to use with Jellyfin and/or Navidrome. Since Jellyfin requires a particular folder structure, I used this, and I’ve also used MusicBrainz Picard to tag all my music so that it works better with Navidrome. I ended up just using Jellyfin as it suited my needs perfectly, and using it with a desktop client on my laptop (Feishin) and mobile client on my phone (Finamp).

The way Jellyfin requires it to be organised is the way I would’ve done it myself anyway:

Artist 1
|-- Album 1
||----Disc 1
||----Disc 2
|–Album 2
Artist 2
|-- Album 1
etc …

In my experience, if you try to organize based on genres, you need to have a very defined sense of what genres everything you have is. Either you stick with very broad genres (Rock, Jazz etc.) or you get tons of subgenres that you quickly lose control over if you don’t know exactly what is what. Since the clients I use have the possibility to sort by genre, I am planning on giving it an overhaul at some point, but then I will use very broad genres.

This is probably where my lack of knowledge in networking shines through more than ever, but I kinda thought that local IPs would be handled locally and not depend on which DNS servers I use? But I guess that if VPN is active and has not been explicitly told to allow local connections through split tunneling, then it actually do make that request with whatever DNS server I use, which obviously couldn’t resolve some random local hostname?

Thanks for the tip. I will be looking into setting up SSH keys fairly soon, and look more into strengthening ciphers et al.

From a practical point of view, what is the likelihood of a brute-force login attempt to succeed? There are plenty of login attempts, but most of them are for root, and as I’ve disabled root-login that will fail no matter what. Other attempts are typically for generic other names such as ‘admin’, ‘user’ and ‘test’ that has no associated user on the server, as well as some weird choices that I can only imagine comes from some database breach.

Thanks for your answers!

1. Alright, I guess I should also use the Cloudflare proxy. I could not find the reason I had not enabled it previously.
2. I’m a bit confused as to what a DMZ proxy server is compared to a reverse proxy. Is this a separate server you’ve set up specifically to handle inbound traffic where you’ve set up Traefik, or is this a container on your main server where you also host Nextcloud?
3. As I understand it, Authelia is a SSO solution that seems very beneficial for when I am running several services from the same server. Right now, I only run Nextcloud on the VPS - is there any added security benefit of running it there also, or is this mostly for convenience when hosting multiple services?

Setting up auto update and reboot once a week seems smart. Do you set this up with cron?