31 branches? uh… okay.

It’s in their docs. https://docs.nextcloud.com/server/latest/admin_manual/installation/index.html

Follow the pages one by one, (ie install php modules etc, edit settings, install apache2, edit settings, etc etc). Follow the recommendations (eg. PHP8.2, don’t try to use bleeding edge).

You’ll be running in no time, and have a properly updatable system using apt, and the nextcloud ./occ command.

I would recommend using Debian 12 over Ubuntu variants. There are other guides, like this: https://www.digitalocean.com/community/tutorial-collections/how-to-install-and-configure-nextcloud But you may have to “convert” some of the Ubuntu specific stuff to Debian, but actually there is probably no difference (php module naming convention maybe? Is that still a problem today?)

I find Joplin perfect for my needs. Markdown, embedding images, links etc. I sync to my selfhosted nextcloud.

I like tags, I would like them to add a “directory tree” type of view to help sort “folders” (the thing they call “notebooks”) but only because I am more used to just filesystem type structured filing. But the notebooks and tagging idea works for me too.

I strictly use it for notes/note keeping, in particular “HOWTO’s” and specific topic notes. So I dont even do a great deal of markdown in my notes, but I love the ability to add screen captures etc to them for clarity.

And being on nextcloud, I can access those notes anywhere on any device, PC, Android, Raspberry Pi!! Joplin has an app for all of them

Heimdall

https://youtu.be/GXnnMAxPzMc

Thats not how it works.

You have a LAN and hopefully you have a firewall that shields your LAN from WAN. Your fw is probably handing out DHCP lease IP (like 192.168.x.y)

When you “bridge” your VM looks like an independant device on you LAN. Nothing at this point has allowed it to the public. Your dhcp can even give it an IP (but its probably better to set a static ip). In bridge mode, a "fake mac is spoofed alongside you nic’s real mac, and only for said VM)

At that point the VM id accessible likr any other device on the LAN.

if you then want to use vpn, just connect to your LAN however that works(vpn to computer or vpn to firewall/vpn server) and access.

if you want to access from WAN without vpn, then you need to understand reverse proxying and youll need a full proper firewall\gateway device at the front of your network (like OPNsense).

deleted by creator

I run iRedMail (a collection of dovecot, postfix etc, plus sogo and roundcube web clients and managed by a nice web frontend, all open source and runs on any linux.

I’ve run for about 8 years, no dramas other than my isp technocally doesnt allow it. But they don’t block anything and occasionally they submit their ip ranges for customers to places like spamhaus, so i just script check every month to see if they added my ip back, then i just submit removal, it takes all of 30sec. (IP is semi static, probably changes once every 9 months or so, so not a drama to update dkim on my domain registrar.)

the biggest issue with N.switch is that it requires static outgoing ports.

i have not used pf in years (opnsense here so should be same) but what you need to do is set hybrid outgoing NAT, designate a static IP to the switch, and then tell outgoing NAT for that IP to use static ports, outgoing.

by default pf\opn randomises the outgoing NAT port and that messes up the Nswitch royally. (especially online like MK8deluxe)

most of what is being posted about uPNP and N.switch is not correct. As long as your firewall rules allow the switch to get out (lock ports if you want to, but its a console, so … why?)

Nintendo servers simply do not like you joining a game lobby on outgoing 34567, and then starting the game on 23456, and then turning a corner on lap 2 switching to outgoing port 18845.

It dropped today! I would not recommend rolling out to production immediately without testing first. There are some known issues that do need thought.

I’d also like to make those who use opnsense aware that there is a community that specifically targets it. Of course we are here in Selfhosted to help, and wouldn’t stop.

I replied to a nginx plugin question years ago on Reddit. Simple fact is, the plugin is really just designed to host a simple-ish webpage. https://www.reddit.com/r/OPNsenseFirewall/comments/klauwb/setting_up_a_web_server_on_my_opnsense_box_with/

I recommend you serve whatever you want to serving on vm’s/whatever on your internal network, and then use HAProxy (Built-in) to do the forwarding via opnsense. HAProxy is a High Availability and Performance proxy and load balancer, it does what nginx proxy manager does and more.

Mine is ~300w @ 230v most of the day. It varies only on what is being used.

when power fails and i have to switch to generator, the servers stay about the same but I can add about 250w to that for my PC, modem(nbn) etc . (which is why i know this info!)

This is a different problem. But when you configure a competent DHCP server, you tell it to give out a bunch of information to the client, not just an IP address. It should tell it IP, subnet, gateway, DNS server IP and default domain name. (in opnsense most of this is default so you dont have to actually configure it - hit the (i) button and it will tell you. Example for domain name: “The default is to use the domain name of this system as the default domain name provided by DHCP. You may specify an alternate domain name here.”)

Then on top of that google devices are notorious for ignoring DNS (ahem chromecast, etc) and want to use 8.8.8.8. This is because google does all sorts of non-DNS buggery on those devices, for example checking and pushing updates). Chrome on you PC could well be doing this as well, but it shouldnt it should be honouring your NICs config. However I don’t for a second doubt that Chrome is preferring DoH to somewhere like 8.8.8.8 first.

You will need to create a rule to enforce your local DNS server and block all other outgoing attempts.

To do this create a NAT rule port forward -> set the interface to LAN ,set the destination to LAN net and INVERT. Then destination port to DNS. Finally redirect target to your DNS server (127.0.0.1 for your opnsense) and DNS port (53).

This NAT rule says any DNS NOT headed to the LAN network must be redirected to the DNS server in your LAN.

Holy crap. Burn it with fire and make the switch.

A few weeks ago, I purchased a TP-Link AX53 for $200 AUD. Not the absolute bleeding edge for speed, but its WIFI6 does WPA3, mobile devices typically get 1Gb/s. More than enough for most use cases (Yes, you can get much faster but expect $$$$$)

Well yes. Normally you would put opnsense on 192.168.1.1/24 and then the wifi device on say 192.168.1.10/24. Then you allow opnsense to do the DHCP and disable DHCP on the wifi (they like to offer these services which can be nice for really simple setups).

What you are realistically running into is a DHCP war, and google will probably win over opnsense for wifi devices.

If what you actually want is to separate the devices to different subnets, then you really need to create a LAN / WAN and WIFI interfaces. And plug the wifi devices in the the WIFI interface (another network port on your opnsense box).

Then doing this, you can create a firewall rule(s) that allows data LAN <-> WIFI etc however you please. (or not even, maybe only WIFI <-> WAN and not let wifi devices access your LAN net).

Alternatively if you have a smart enough switch you could isolate with VLANs. But for a simple network, this isnt really necessary.

Well in Interfaces -> LAN go to where you set your static IP for opnsense and change that to 192.168.1.1/16. That should get you running. But the google device would probably need to be told that it is 192.168.866.0/16 as well so it can see the 192.168.1.0 subnet.

However it would probably be better to disable DHCP on the google device, but I don’t know anything about them. (I read that on some you cannot disable it, so set the DHCP pool to 1 and then assign that IP to some mac address. Essentially stopping the google device from handing out that address).

If this is what you need to do, then on opnsense set up your DHCP pool to say 192.168.1.100-250. Then set the google device pool to 192.168.1.251-251 and then set a static lease in the google 192.168.251 to MAC: de:ad:be:ef:ca:fe.

(That wifi sounds like a shit device - maybe consider a tp-link or something more configurable)

Can you selfhost? Does you ISP allow you to host a mail server? (and there is a difference between what they say, and what they actually do.)

I use iRedMail as a complete solution which is a mailserver, complete with server management and webclients sogo and icube.

The problem you may run into is if your ISP actively submits its customer email subnets to sites like Spamhaus. But if you dont get IP changes very often this might not be a problem. However you do also need to have a domain in your control and know how to do DKIM and SPF

I have used several distros on RPi4 8GB. This is what I learned: If you want some type of desktop, then RaspiOS is the most responsive out of the box and can be made even better. If your doing pure server stuff, I found Vanilla Debian, or even Ubuntu server are well done for RPi4 and just work. However their desktops are not optimised and way slower than RaspiOS.

Oddly, I have not tried Arch on RPi4, but since mainline 6(.1) kernel, I believe everything is supported including UEFI.

I have several RPi 3’s and 4’s (automated sprinkler systems and mini desktops like I’m using now in my lounge) all running UEFI, booting direct off USB disks (no sd card needed), no fsckery needed. (I do keep UEFI updated from github, but its honestly not necessary now - just how those devices originally were installed.)

I know this is not the answer you are looking for, but if they happen to have a spare Windoze license laying around (or willing to shell out) then all that stuff can be done on an OS they are probably comfortable with. Yes, it still means learning some stuff, but there is no overwhelming need to learn an entire OS to do it.

Another option is to use a Synology NAS. All those things you are talking about are packages, point and click install and setup from the NAS browser. Again pricey, but far more intuitive for non-techos. This also has an advantage of being able to upgrade as their media store gets larger.

(I don’t do either of these things, but I know we support a lot of people radarr/sonarr/lidarr/nzbget/plex/emby/HA/openHAB etc in a win environ.)

But I would teach them how to git gud, and learn FOSS and read HOWTO’s to install all that stuff (without the need for Docker, so they actually learn). Honestly after the first 5 installs on a VM (which can be deleted and recreated if fscked up) running sudo apt update && sudo apt upgrade and git clone … etc. with you looking over their shoulder while reading the HOWTO with them. That would be quite rewarding for them, probably make you feel good too.