The thing that immediately came to mind was mailpiler.org. It’s been on my list to stand up for a while, but I’ve never got around to it.
You’ve got some decent answers already, but since you’re getting interested in ZFS, I wanted to make sure you know about discourse.practicalzfs.com. It’s the successor to the ZFS subreddit and it’s a great place to get expert advice.
I’ve never heard anyone else mention them, but I’ve had really good luck with https://www.ssdnodes.com for the past several years. I don’t recall ever using their support, but I did have a policy question before buying when I first signed up and they were pretty quick to reply. I think I found them on LowEndBox.
If you’re looking for something more or less in the same footprint, I understand those cheap Wyze cameras can be used. There are alternative firmwares available that can be flashed to them to open up the RTSP stream to whatever self-hosted recorder you’d like. Haven’t tried it, but have heard it mentioned on the Self Hosted podcast.
This is the route I went as well. I have a couple of MPU2016s at different sites. Like u/aodhsishaj indicated, they’re pretty cheap on the used market; just bear in mind that you’ll need a module for each machine. I think this makes sense if you have multiple machines, but I’m not so sure mine can power cycle connected machines (as in with AHCI controls). I can, however, reboot from the command line and interact with BIOS, etc.
Gotcha. That makes sense. My own thoughts are that if you mitigate all of the attack surfaces you can, it ends up coming down to the robustness of the particular app. I’ve never played with Keycloak, so can’t speak intelligently about that, but I’ve got authentik set up in a similar configuration. I limit access so the only way in is via either the reverse proxy or the PVE console and basically keep an ear out for security and software updates.
As I type this, it occurs to me that perhaps there’s a fail2ban integration that could be added to limit credential guessing at the Keycloak web UI.
Encryption would be a good idea between the service and the reverse proxy. I’d also look into Proxmox firewall, which is pretty robust. Here’s the link to the documentation: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pve_firewall. Definitely worth perusing.
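The credential-guessing point above is the kind of thing a fail2ban filter keys on: count login failures per source IP and act once a threshold is crossed. The following is an added example, not code from the commenter or from the Keycloak or fail2ban projects. It assumes Keycloak's event logging is enabled and writes lines of the form `type=LOGIN_ERROR, ..., ipAddress=<ip>, ...` (the sample lines below are constructed, and the exact format should be checked against your own server log before it is relied on); the threshold of three is arbitrary.

```shell
#!/bin/sh
# Added example: tally failed Keycloak logins per source IP from event log lines,
# the same match a fail2ban failregex would perform. The log format is an
# ASSUMPTION modelled on Keycloak's default event logger; verify against server.log.

# Constructed sample log lines (not real traffic). One host fails four times,
# another fails once and then succeeds.
SAMPLE_LOG='2024-05-01 10:00:01,001 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=master, clientId=account-console, userId=null, ipAddress=203.0.113.7, error=user_not_found, username=admin
2024-05-01 10:00:02,113 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=master, clientId=account-console, userId=null, ipAddress=203.0.113.7, error=invalid_user_credentials, username=root
2024-05-01 10:00:03,250 WARN  [org.keycloak.events] (executor-thread-5) type=LOGIN_ERROR, realmId=master, clientId=account-console, userId=null, ipAddress=198.51.100.4, error=invalid_user_credentials, username=alice
2024-05-01 10:00:03,900 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=master, clientId=account-console, userId=null, ipAddress=203.0.113.7, error=invalid_user_credentials, username=administrator
2024-05-01 10:00:04,420 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=master, clientId=account-console, userId=null, ipAddress=203.0.113.7, error=user_not_found, username=test
2024-05-01 10:00:05,500 INFO  [org.keycloak.events] (executor-thread-5) type=LOGIN, realmId=master, clientId=account-console, userId=4f1c2a, ipAddress=198.51.100.4, username=alice'

# fail2ban_failregex prints the regex a fail2ban filter would use for these lines.
# <HOST> is fail2ban's placeholder for the offending address.
fail2ban_failregex() {
    printf '%s\n' 'type=LOGIN_ERROR,.*ipAddress=<HOST>,'
}

# failed_logins_by_ip: stdin is log lines; stdout is "<count> <ip>", most failures first.
# Only LOGIN_ERROR events count; successful LOGIN events are ignored.
failed_logins_by_ip() {
    sed -n 's/.*type=LOGIN_ERROR.*ipAddress=\([0-9a-fA-F.:]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# ips_over_threshold: $1 is the minimum number of failures; stdin is log lines;
# stdout is each IP that reached the threshold (candidates for a ban).
ips_over_threshold() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo: which IPs in the sample have three or more failed logins?
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 3
```

Running the script prints only 203.0.113.7; the single failure from 198.51.100.4 stays below the threshold, which is the behaviour you want so that one mistyped password does not lock a legitimate user out. If the Keycloak instance sits behind the reverse proxy mentioned above, the address Keycloak logs will be the proxy's unless forwarded headers are configured, so check that `ipAddress` really reflects the client before banning on it.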
Since you’re new to this and therefore probably haven’t set up too much infrastructure yet, let me put in a plug for ZFS for the file system underlying your data. That will unlock for you snapshots and the ability to send very efficient backups off site to another ZFS pool.
There are commercial offerings for all this (I think rsync.net will give you a ZFS target), but I essentially have a second NAS set up at another location for the purpose.
Beyond that, I’m also a big fan of BackBlaze B2, which can give you object-based online storage.
As far as what to back up, that’ll depend on your setup. I usually find it simplest to back up my entire VM and do recovery by restoring the VM.
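The "very efficient backups off site to another ZFS pool" mentioned above work because `zfs send -I` only ships the blocks changed since a snapshot both sides already hold. The piece that bites people is choosing that common base correctly; the following added example (not the commenter's code, nor from the OpenZFS project) shows the decision logic as a dry-run planner that prints the command it would run rather than executing it. The dataset names `tank/data` and `backup/tank/data`, the SSH host `backup`, and the snapshot lists are constructed for illustration; in practice the lists would come from `zfs list -t snapshot -o name -s creation` on each side.

```shell
#!/bin/sh
# Added example: plan a ZFS incremental send by finding the newest snapshot that
# exists on both the local and the remote pool. Prints the command instead of
# running it, so it can be checked without touching any pool.

# Constructed snapshot lists, oldest first (as "zfs list -s creation" would give).
LOCAL_SNAPS='auto-2024-04-28
auto-2024-04-29
auto-2024-04-30
auto-2024-05-01'
REMOTE_SNAPS='auto-2024-04-28
auto-2024-04-29'

# latest_common_snapshot: $1 local names, $2 remote names (newline-separated,
# oldest first). Prints the newest name present on both sides, or nothing.
latest_common_snapshot() {
    printf '%s\n' "$1" | awk -v remote="$2" '
        BEGIN { n = split(remote, r, "\n"); for (i = 1; i <= n; i++) have[r[i]] = 1 }
        $0 in have { last = $0 }
        END { if (last != "") print last }'
}

# plan_send: $1 source dataset, $2 target dataset, $3 local snaps, $4 remote snaps.
# Prints the zfs send/receive pipeline that brings the target up to date.
#   - no common snapshot  -> full send of the newest local snapshot
#   - newest already remote -> nothing to do
#   - otherwise           -> incremental from the common base to the newest
# "ssh backup" is an assumed hostname; -u keeps the received dataset unmounted and
# -F rolls the target back to the common base if it was modified since.
plan_send() {
    newest=$(printf '%s\n' "$3" | tail -n 1)
    common=$(latest_common_snapshot "$3" "$4")
    if [ -z "$common" ]; then
        printf 'zfs send %s@%s | ssh backup zfs receive -u %s\n' "$1" "$newest" "$2"
    elif [ "$common" = "$newest" ]; then
        printf 'up to date: %s@%s already on target\n' "$1" "$newest"
    else
        printf 'zfs send -I @%s %s@%s | ssh backup zfs receive -u -F %s\n' \
            "$common" "$1" "$newest" "$2"
    fi
}

# Demo with the constructed lists: two new snapshots need shipping.
plan_send tank/data backup/tank/data "$LOCAL_SNAPS" "$REMOTE_SNAPS"
```

With the sample lists this prints `zfs send -I @auto-2024-04-29 tank/data@auto-2024-05-01 | ssh backup zfs receive -u -F backup/tank/data`. Two caveats worth keeping in mind: if the common base snapshot is ever destroyed on either side, the next run falls back to a full send, so snapshot pruning on the backup target should never remove the newest snapshot the source still holds; and `receive -F` will discard local changes on the target, which is exactly what you want for a pure backup target and exactly what you do not want if anyone writes to it directly.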
If you’re not familiar with it, check out lowendbox.com. You can very often find good deals there; not all of them are reliable in the long run, but I’ve found several hosts that have been just great.
You can do this with something like Nextcloud. Just set up a folder shared by a link and you’re able to make it a drop box of sorts that anyone can upload to.
Obviously, be careful allowing arbitrary uploads from the whole internet. I’d set a time limit on the share so people can’t upload junk forever.
There’s not a lot of information to go on here, but my first thought is that you haven’t configured your VPN to route to the local network. So, while you may be getting a connection to the VPN server, your computer doesn’t know where to send traffic for Cockpit.
There is usually a way to push those routes to the client from your con server.
I think you can do this with key files and a systemd timer at boot. I’m not near a machine right now to post how I’ve done it in the past, but I’ll try to remember to come back to this when I can.
It may be helpful to know that the former r/zfs community has migrated to a Discourse server at practicalzfs.com. Might be worth asking there for some expert advice.
There’s a pretty interesting series on the topic at Tall Paul Tech’s YouTube channel (here’s the most recent: https://youtu.be/WFso88w2SiM). He goes into quite a bit of detail over the course of a few videos about how he handled everything and highlights some of the trials and tribulations with the ISP. It’s not a guide per se, but definitely stuff worth thinking through.
I think what you’re describing can be accomplished with docker-compose’s depends_on option. I’m not certain how it works across compose files, but that would be the first place I’d look.
I’m not familiar with the Ben Eater series, but there are certainly a couple options to check out.
Mark Ferneaux did a fantastic series on the workings of pfSense. It’s a little dated, but the core concepts are still sound and apply to networking generally.
There are also several sites that do in-depth networking topics with a focus on certifications. My favorite of the bunch is Viatto.
I also quite like The Network Berg, though his videos are specifically focused on Mikrotik.