JustEnoughDucks

joined 2 years ago
[–] JustEnoughDucks@feddit.nl 7 points 1 month ago

Not really self-hosted, but I set up obsidian with syncthing and am going to transfer all of my notes from book stack to it and let bookstack be more organized documentation and obsidian to be a big scattering of notes and tags and such. I tried it with bookstack, but the flow was too much of a barrier for me to use it consistently

[–] JustEnoughDucks@feddit.nl 9 points 1 month ago* (last edited 1 month ago) (2 children)

I am doing something similar. I use OIDC for everything possible.

Authelia is quite picky about everything being correctly populated, but if I remember right, the documentation doesn't do a great job of explaining different variables for someone outside of the security industry (similar with traefik). I found a good tutorial via search that got all of the defaults set up, then playing with the options to my liking and now it is just copy pasting the configuration per app that I want to enable, generating a key and hashing it.

If you want, I can sanitize my config and share it?

[–] JustEnoughDucks@feddit.nl 2 points 1 month ago (1 children)

Especially for jazz albums. Very difficult to find

[–] JustEnoughDucks@feddit.nl 5 points 1 month ago (2 children)

Mealie is so underrated. They have meal planning, recipes, recipe parsing from the internet, grocery lists based on recipes and meal plans, like 4 different ways to organize recipes, and OIDC/SSO on top of it all!

[–] JustEnoughDucks@feddit.nl 4 points 2 months ago (1 children)

The shed as an off-site backup is a good idea.

We live in the shed (it is really its own entire stone building) during our full house renovation, so I have already run electrical and cat6a to the shed and have an old router in AP mode there.

Hooking up one of those NAS boards or a 2nd hand old PC there would be a good backup option.

[–] JustEnoughDucks@feddit.nl 1 points 2 months ago (1 children)

Do you happen to know when the last time was that a rich company was prosecuted for this?

It seems a lot like the perjury laws: there to scare poor people into telling the truth because of almost non-existent prosecution of it.

And if it is a fine and not jail time (white collar crimes are almost never jail time) the fine would have to be much larger than the penalties they would not have to pay because of the crime, otherwise it is simply a net win for the company

[–] JustEnoughDucks@feddit.nl 1 points 2 months ago (2 children)

You can also try out photoprism for that. Immich is best for an all-in-one solution as a replacement for google photos.

Photoprism also has face recognition, maps, and many more features geared towards photography than immich.

I realized after using photoprism that I am too basic for that haha

[–] JustEnoughDucks@feddit.nl 2 points 2 months ago

Also mealie supports SSO with OIDC so authelia/authentik can cover it and there is no need for separate accounts.

Also being a PWA on mobile instead of another electron app means that authentication in front of it doesn't break anything.

[–] JustEnoughDucks@feddit.nl 2 points 2 months ago* (last edited 2 months ago) (1 children)

Yes,

https://www.silverstonetek.com/en/product/info/expansion-cards/ECS07/ https://www.amazon.com/Adapter-RIITOP-Expansion-Chipset-ASM1166/dp/B0D8BCWHPT

https://www.aliexpress.com/item/1005003335714128.html

Then you have 4 main plus these 5-6 extra. Just put your boot drive on a data drive instead of m.2 or get an adaptor and you are good to go. 8 data drives plus a boot drive

[–] JustEnoughDucks@feddit.nl 1 points 2 months ago

Syncthing also even has basic version control, just no "web file browsing" interface.

[–] JustEnoughDucks@feddit.nl 8 points 2 months ago

Dropping instead of blocking might technically be better because it wastes a bit more bot time and they see it as "it doesn't exist" rather than an obstacle to try exploits on. Not sure if that is true though.

For me:

  • ssh server only with keys

  • absolutely no ssh forwarding, only available to local network via firewall rules

  • docker socket proxy for everything that needs socket access

  • drop non-used ports, limit IPs for local-only services (e.g. paperless)

  • crowdsec on traefik for the rest (sadly it blocks my VPN IPs also)

  • Authelia over everything that doesn't break the native apps (jellyfin and home assistant are the two that it breaks so far, and HA was very intermittent so I made a separate authelia rule and mobile DNS entry for slightly reduced rules)

  • proper umask rules on all docker directories (or as much as possible)

  • main drive FDE with a separate boot drive with FDE keyfile on a dongle that is removed except for updates and booting to make snatch-and-grabs useless and compromising bootloader impractical

  • full disk encryption with passworded data drives, so even if a smash and grab happens when I leave the dongle in, the sensitive data is still encrypted and the keys aren't in memory (makes a startup script with a password needed, so no automated startups for me)

For more info, I followed a lot of stuff on: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
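The first two bullets above (key-only SSH, no forwarding) are the easiest to get wrong silently: in sshd_config the first occurrence of a keyword wins, so a hardening line appended at the end of the file is ignored if a distro default earlier in the file already set it, and a `Match` block can re-enable forwarding for one user. The following is an added example, not the commenter's script or anything from the linked guide: a small Python audit that parses an sshd_config under those rules and reports every keyword whose effective value differs from a key-only / no-forwarding policy. The sample configs, the `POLICY` table and the `audit` function name are constructed for this example; the default values come from sshd_config(5).

```python
"""Audit an sshd_config for key-only login and disabled forwarding.

Added example (not from the original post). Rules implemented:
  * the FIRST occurrence of a keyword in the global section is the
    effective one; later duplicates are ignored by sshd
  * keywords inside a `Match` block apply only to matching connections
    and are reported separately, since they can loosen the global policy
  * an absent keyword takes the sshd_config(5) default
"""
import re

# Required values for the hardening described in the post (assumption:
# this is the policy being checked, not an official OpenSSH profile).
POLICY = {
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "no",
    "AllowTcpForwarding": "no",
    "AllowAgentForwarding": "no",
    "X11Forwarding": "no",
    "PermitTunnel": "no",
    "GatewayPorts": "no",
}

# Defaults per sshd_config(5) when the keyword is not set at all.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "AllowTcpForwarding": "yes",
    "AllowAgentForwarding": "yes",
    "X11Forwarding": "no",
    "PermitTunnel": "no",
    "GatewayPorts": "no",
}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts maps lowercase keyword -> first value seen.
    match_blocks is a list of (criteria, {keyword: value}) in file order.
    """
    global_opts = {}
    match_blocks = []
    current = None  # the Match block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # empty lines and lines starting with '#' are comments
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (val, {})
            match_blocks.append(current)
            continue
        target = current[1] if current is not None else global_opts
        target.setdefault(key, val)  # first occurrence wins
    return global_opts, match_blocks


def audit(text, policy=POLICY, defaults=DEFAULTS):
    """Return findings as (keyword, effective_value, required_value) tuples."""
    global_opts, match_blocks = parse_sshd_config(text)
    findings = []
    for keyword, required in policy.items():
        effective = global_opts.get(keyword.lower(), defaults[keyword]).lower()
        if effective != required:
            findings.append((keyword, effective, required))
    for criteria, opts in match_blocks:
        for keyword, required in policy.items():
            value = opts.get(keyword.lower())
            if value is not None and value.lower() != required:
                findings.append((f"{keyword} (Match {criteria})", value.lower(), required))
    return findings


# Constructed sample: the appended "hardening" line is dead because the
# earlier PasswordAuthentication line wins, and the Match block re-enables
# TCP forwarding for one account.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication yes
X11Forwarding no
# added later, but ignored by sshd:
PasswordAuthentication no
AllowAgentForwarding no
PubkeyAuthentication yes
Match User backup
    AllowTcpForwarding yes
"""

# Constructed corrected config that satisfies POLICY.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
GatewayPorts no
"""

if __name__ == "__main__":
    for keyword, effective, required in audit(SAMPLE_CONFIG):
        print(f"{keyword}: effective={effective!r}, required={required!r}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; on most distros also feed it the files under `/etc/ssh/sshd_config.d/`, which are pulled in by an `Include` line near the top and therefore take precedence over anything below it. The firewall bullet (SSH reachable only from the LAN) is not something this check can see; `sshd -T` plus the nftables ruleset is the place to confirm that.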

[–] JustEnoughDucks@feddit.nl 1 points 3 months ago (3 children)

Doesn't ucore also have to restart to apply updates?

Not super ideal for a server as far as maintenance and uptime to have unexpected, frequent restarts as opposed to in-place updates, unless one's startup is completely automated and drives are on-device keyfile decrypted, but that probably fits some threat models for security.

The desktop versions are great!
