I haven’t used an out-of-the-box self-hosted solution for this, but I agree with others that blog or static site generator software could work. I think the main challenges you’ll find though are: 1. Formatting the content/site for long-form readability, and 2. Adding a table of contents and previous/next chapter links without a bunch of manual work.

Fortunately blog and static site software have plugins that can add missing functionality like this. Here’s one for WordPress (that I have no first-hand experience with): https://wordpress.org/plugins/book-press/

I also want to ask: What’s your plan for discovery/marketing? Because one of the benefits of the non-self-hosted web novel sites is that readers can theoretically discover your story there. But if you instead just post it on your own site, how will readers ever find it?

That’s unfortunate about NPM and Proxy Protocol, because plain ol’ nginx does support it.

I hear you about Traefik… I originally came from nginx-proxy (not to be confused with NPM), and it had pretty clunky configuration especially with containers, which is how I ended up moving to Traefik… which is not without its own challenges.

Anyway, I hope you find a solution that works for your stack.

I struggled with this same problem for a long time before finding a solution. I really didn’t want to give up and run my reverse proxy (Traefik in my case) on the host, because then I’d lose out on all the automatic container discovery and routing. But I really needed true client IPs to get passed through for downstream service consumption.

So what I ended up doing was installing only HAProxy on the host, configuring it to proxy all traffic to my containerized reverse proxy via Proxy Protocol (which includes original client IPs!) instead of HTTPS. Then I configured my reverse proxy to expect (and trust) Proxy Protocol traffic from the host. This allows the reverse proxy to receive original client IPs while still terminating HTTPS. And then it can pass everything to downstream containerized services as needed.

I tried several of the other options mentioned in this thread and never got them working. Proxy Protocol was the only thing that ever did. The main downside is there is another moving part (HAProxy) added to the mix, and it does need to be on the host. But in my case, that’s a small price to pay for working client IPs.

More at: https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address

Maybe…? I’m not familiar with that router software, but it looks plausible to me…

Since this is on a home network, have you also forwarded port 80 from your router to your machine running certbot?

This is one of the reasons I use the DNS challenge instead… Then you don’t have to route all these Let’s Encrypt challenges into your internal network.

It deduplicates aggressively at the block level. So if your files don’t change much, each additional backup takes very little space. And if a file changes a little, Borg only backs up what’s changed instead of the whole file again.

Borg also has a rich ecosystem of wrappers and tools (borgmatic, Vorta, etc.) that extend its functionality and make it easier to use.

Borg Backup would also fit the bill for backups going forward, especially if OP is still backing up to a local server (as opposed to cloud object storage).

Yeah, the constant Docker breakage was one of the main reasons I switched to Podman. FYI you can use Docker Compose directly with Podman.

Ehhh I would say then you have probabilistic backups. There’s some percent chance they’re okay, and some percent chance they’re useless. (And maybe some percent chance they’re in between those extremes.) With the odds probably not in your favor. 😄

That sounds like a good work-around!

I’m not sure that analogy quite holds (it’s not like the Ryobi tools are left connected to the building as a critical component of the HVAC system or something), but I like the image anyway. :D

Yeah, publicly accessible in that it’d be reachable over HTTPS from the internet (and not behind a VPN), but password-protected. Thanks for weighing in on this!

That all seems prudent and reasonable. I guess some of my own anxiety is about how exactly I’ll evaluate projects like you’re talking about. I can (and do) certainly look at whether a project is actively developed before selecting it. Not just for security reasons… I don’t want to bet on a horse that won’t get updated with fixes and features. But for security in particular, I guess I was hoping for ways to evaluate that for a project… without exhaustively poring over its source. Maybe, to your point, the other mitigations you listed should be sufficient, and I should worry more about that side of things than picking the perfect project.

Lol, I really appreciate your thoughts! These are exactly the sort of insights I came here for. I hope this is useful to others too who may be wondering about the same thing.

Good idea!

The app that comes to mind as having problems with changing IPs is the Home Assistant app. It would simply lose connectivity when the IP changed and never do another DNS lookup to connect again… I always had to restart it. The “solution” for me was not to change IPs and just leave Wireguard on. It’s cool that Ultrasonic handles it though.

Yeah, exactly.

One additional consideration that’s specific to Hetzner (which you may already be aware of): You can only scale down a server after scaling it up if you elected not to increase the (local) disk size. In other words, if you scale up a server with 40 GB storage to one that comes with 80, you can’t actually resize your storage from 40 to 80 if you ever want to scale the server back down later. Kind of obnoxious.

I don’t know about your particular use case, but I’ve found that some apps experience problems when the IP address of a resource they’re using changes out from under them. Like either they experience temporary connectivity issues during the transition or even just stop being able to reach the resource until restarted. However if your setup is working for you, that’s great!

Why not use Wireguard from your phones all the time, even at home? Just performance?

If Docker’s working fine for you and you’re happy with the trade-offs, no reason to switch.

I dunno, I think part of the trick is not learning every single new technology that comes your way. So much of tech these days is just fashion, and you can safely ignore most stuff until there’s a deafening drumbeat bashing down your door. And even then, you should ask if the drumbeat really suits your use cases or if everyone’s in such a fervor over it because it’s fashionable and they’re using it for things it’s not suited for.

Don’t give into the FOMO. Use your judgment. And don’t worry about Podman if what you’re doing now is working!

Do it! I think there’s a market there. Although the “Podman Compose” name is taken and you’ll have to think of something else…

Using Ansible to spew out systemd service boilerplate seems like a good idea. I’ll have to try that if I can ever give up my Docker Compose security blanket. And I wish you luck with your mega-container Podman conversion. That one sounds like it’ll be… a learning experience.