sxan

joined 2 years ago
[–] sxan@midwest.social 1 points 4 months ago (3 children)

Is your server a dedicated server, or a VPS? Because if it's a VPS, you're probably already running in a VM.

Adding a VM might provide more security, especially if you aren't an expert in LXC security configuration. It will add overhead. Running Docker inside Docker provides nothing but more overhead and unnecessary complexity to your setup.

Also, because it isn't clear to me from your post: LXC and Docker are two ways of doing the same thing, using the same kernel capabilities. Docker was, in fact, written on top of LXC. The only real difference is the container format. Saying "running Docker on LXC" is like saying "running Docker on Docker," or "running Docker on Podman," or "running LXC on Docker". All you're doing is nesting container implementations. As opposed to VMs, which do not just use Linux namespace capabilities, and which emulate an entirely different computer.

LXC, Podman, and Docker use the underlying OS kernel and resources. VMs create new, virtual hardware (necessarily sharing the same hardware architecture, but nothing else from the host) and run their own kernels.

Saying "Docker VM" is therefore confusing. Containers - LXC, Podman, or Docker - don't create VMs. They partition and segregate off resources from the host, but they do not provide a virtual machine. You cannot run OpenBSD in a Docker container on Linux; you can run OpenBSD in a VM on Linux.

[–] sxan@midwest.social 34 points 4 months ago (2 children)

I mean, the basic config file for Caddy is 1 line, and gives you Let's Encrypt by default. The entire config file for a reverse proxy can be as few as 3 lines:

my.servername.net {
   reverse_proxy 127.0.0.1:1234
}

It's a single executable, and a single 3-line file. Caddy is an incredible piece of software.

[–] sxan@midwest.social 11 points 4 months ago

Nope! No security concerns!

But, seriously, if one machine in the Wireguard network is compromised, attacks can be launched on any other machine in that Wireguard subnet. At that point, whether you're running Wireguard or not is irrelevant.

For your specific setup, the weak point is the VPS. Everything is good, but if someone successfully breaks into an account on your VPS with access to the Wireguard device (and almost nobody goes through the effort of constraining network devices by account, and of course there's always root) they can launch attacks on any machine in the WG subnet.

It's a little better if you're running containers and they're secure, but even then there are security considerations with containers. Still, that's about the best you're going to get: anything listening to any external internet port is running in a container with no resource runtime, and those ideally each only have limited access to the ports in the WG subnet that they need. E.g., something like:

In your diagram, your VPS is just a gateway. If the only way to log into the VPS is over WG, and if the reverse proxy is running in a locked-down container, then this is about as secure as you can make it and still allow public access.

Or: if the only way your VPS is at all accessible is over WG -- all clients have to be connected to it via VPN -- then it's reasonably secure as long as no client is compromised. Then your remote devices become the weak points.
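One way to express the locked-down gateway described in the comment above (SSH on the VPS reachable only over WG, and the reverse-proxy container allowed to reach exactly one backend port in the WG subnet), as an added nftables example that is not part of the original comment. The interface names wg0 and br-proxy, and the backend address 10.8.0.2:8080, are assumed placeholders.

```nftables
# Added example, not from the comment. Assumed names:
#   wg0      = the WireGuard interface on the VPS
#   br-proxy = the bridge of the container network the reverse proxy runs on
#   10.8.0.2:8080 = the single backend in the WG subnet the proxy must reach
# This table sits beside the rules Docker manages itself; a drop here is final,
# so it narrows what Docker's own forwarding rules would otherwise allow.
table inet wg_gate {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        # The VPS is administered only over WG: SSH arriving on any
        # other interface (i.e. the public one) is dropped.
        iifname != "wg0" tcp dport 22 drop
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        # The proxy container may open exactly one thing across the tunnel...
        iifname "br-proxy" oifname "wg0" ip daddr 10.8.0.2 tcp dport 8080 accept
        # ...and nothing else in the WG subnet, so a compromised container
        # cannot pivot to other WG peers. Denied attempts are logged.
        iifname "br-proxy" oifname "wg0" log prefix "proxy-to-wg-denied: " drop
    }
}
```

Load it with `nft -f` and apply the SSH rule only while you have an out-of-band console or a working WG session, since it locks out public-side SSH the moment it is active.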

[–] sxan@midwest.social 1 points 4 months ago

Thank you. I may try it; postfix seems to give me grief every other update, like they can't leave the damned config file alone.

[–] sxan@midwest.social 2 points 4 months ago (1 children)

I miss the old days, before you had to worry about spam.

I'm not OP, and I have everything set up fine now; Mailcow would replace what I currently have with the same software components, so I don't see any value there - for myself.

Something like Maddy is completely at odds with the Unix philosophy, and yet I've fought enough with postfix to dislike it enough to want to try an all-in-one. I dread the DKIM setup, though; that took so much time, and the mail server configuration wasn't the hard part. Maybe now I've got it configured for my domains, switching email server software will be easier.

[–] sxan@midwest.social 4 points 4 months ago (6 children)

I was going to ask if anyone had experience with Maddy, which is an all-in-one solution I've been eyeballing for a while.

Getting DKIM and postfix set up correctly was such a PITA, and then dovecot; I'm nervous about having to go through all that again and fretting about accidentally configuring an open relay, so I haven't tried it yet. But it looks nice, and has been around for a couple of years.

[–] sxan@midwest.social 1 points 4 months ago

Yeah, so I dug into it, and it's definitely not offline. It uses gtts, which ultimately makes calls to google.com for the tts. You can track it down yourself, but you'll eventually end up here, which talks about how to change the google host name in case it's blocked.

I'm not sure why you believe not needing an API key means it isn't calling a Google API, especially in this case where it clearly states it's using an unofficial channel - which is the same trick third party YouTube clients use to access YouTube videos without using API keys.

[–] sxan@midwest.social 1 points 4 months ago (1 children)

👍 Thanks. I'm surprised, and still skeptical, but thanks.

[–] sxan@midwest.social 1 points 4 months ago (4 children)

The docs don't say it's completely offline. Can you turn off your LAN connection and it still works? Have you tried this? Or just firewall off outbound access to Google services?

This comment:

Contrary to what the name suggests, the integration only does text-to-speech and does not translate messages sent to it.

doesn't say it doesn't call out to Google services; it says only that it doesn't use translation services. I didn't see anything else that implies it doesn't send data to Google.

[–] sxan@midwest.social 1 points 4 months ago (6 children)

Google? Have you verified that?

[–] sxan@midwest.social 3 points 5 months ago (1 children)

DMCA is widely abused; it's a knee-jerk corporate reaction, and by now most DMCA notices are probably being sent out by LLMs. Very likely, a substantial percentage are not even valid - either targeting content that the requester has no claim to, is falsely identified, a form of harassment, or targeting content which is justifiably and legally fair-use.

Hosting services don't even try to validate these claims. You assume OP is asking for piracy reasons; we have no way of knowing, but I'm always going to side with the content providers against the gross abuse of DMCA by media corporations.

[–] sxan@midwest.social 1 points 5 months ago (3 children)

Nyes?

GL-iNet devices run DD-WRT, with an added (probably not open source) web interface. However, if you ssh into any of their routers, it's BusyBox and DD-WRT. And if you go into the admin web page and click System->Advanced you end up with a link that takes you to luci, the raw DD-WRT web UI for the device. The company's UI is just a simpler, prettier UI on top of DD-WRT.
