My 3090 is a light flickering machine. Kind of annoying tbh.
Just chilling
I’m assuming OP wants to run on Linux and I’m not familiar enough with .NET Core to know how much or how easily you can run it on Linux. I know some things definitely run, I just don’t know how much.
For camera software, zoneminder is a classic, and frigate is probably the new kid in town. Web hosting will depend on your web developers but docker will have you covered for almost anything. Probably just steer clear of asp.net dev shops.
Mixing storage and processing is now cool again. It’s just called hyper converged infrastructure.
Personally I would strongly recommend learning how to do all of this. And then abandoning it for tailscale or something similar once you know what they’re doing behind the scenes. It’s incredibly useful knowledge but it’s also nice to have so much of the process automated and best practices like key rotation done for you. Plus unless your network is hugely crazy or enterprise, you can manage for the really great price of $0.
And if you really really want to self host (which I understand) there’s headscale for a lot of the features.
Right, but if I can’t redirect (ISP just drops packets afaict) and you don’t explicitly type https:// or use an https link, and I don’t have something like HSTS preload configured for that domain, your browser will just hang if it’s on my system. You can’t just type “lemmy.stuart.fun” and have it work unless you happen to hit my hairpin, i.e. be on my network.
Mostly I try to keep things I want publicly available on .dev and it just works thanks to the full .dev HSTS preload. But it’s still annoying.
Does your new ISP allow 80 and 443? I was under the impression that’s pretty rare for ISPs though I’m not sure that’s true in Australia. Mine only allows 443 but not 80 “to prevent Internet worms from spreading and to protect bandwidth.” 🙄
Oh man I read that as OMVS and thought you were homelabbing an IBM mainframe.
Having used Azure for a few years now I feel like that might not be entirely on Comcast.
Because of the way pictrs organizes photos, which I believe is by hash (could be random id but I suspect not), you should be able to share filenames for cleanup by neighbors without having to share the contents.
Even if it’s not organized that way automatically, though, you can pretty easily use sha256sum to get a shareable hash before deleting the content.
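The hash-sharing idea from the comment above, as an added example (not part of the original comment and not pict-rs code): one instance publishes only the SHA-256 digests of files it is about to delete, and a neighbouring instance lists its own files that match. The function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Requires GNU coreutils (sha256sum) and mktemp.

# Print one SHA-256 digest per regular file under $1, sorted and
# de-duplicated. Only digests are emitted, so the list can be shared
# without the file contents or the original file names.
make_hash_list() {
    find "$1" -type f -exec sha256sum {} + | awk '{print $1}' | sort -u
}

# Print the local files under $2 whose digest appears in hash list $1.
# Note: sha256sum escapes names containing newlines or backslashes;
# such names are not handled here.
match_hash_list() {
    list=$1
    dir=$2
    find "$dir" -type f -exec sha256sum {} + |
    while read -r digest path; do
        # -x: whole-line match, -F: fixed string, so a digest never
        # matches as a substring or a pattern.
        if grep -qxF "$digest" "$list"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed demo: instance A hashes two files it is about to delete;
# instance B holds a copy of one of them under a different name.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/a" "$tmp/b"
    printf 'unwanted image bytes\n'  > "$tmp/a/one.png"
    printf 'another unwanted file\n' > "$tmp/a/two.png"
    printf 'unwanted image bytes\n'  > "$tmp/b/renamed.png"
    printf 'unrelated content\n'     > "$tmp/b/keep.png"
    make_hash_list "$tmp/a" > "$tmp/shared.txt"   # what A publishes
    match_hash_list "$tmp/shared.txt" "$tmp/b"    # what B should review
    rm -rf "$tmp"
}

demo
```

Matching is exact: a copy that has been re-encoded or resized has a different digest and will not be found this way.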
I think the biggest reasons for me have been growth and professional development. I started my home cluster 8 years ago as a single node of basically just running the hack/ scripts on my Linux desktop. I’ve been able to grow that same cluster to 6 hosts as I’ve replaced desktops and as I got a bit into the used enterprise server scene. I’ve replaced multiple routers and moved behind cloudflare, added a private CA a few times, added solid persistence with rook+ceph, and built my ideal telemetry stack, added velero backups into Backblaze b2, and probably a lot more I’m not thinking of.
That whole time, I’ve had to do almost zero maintenance or upgrades on the side projects I’ve built over the years, or on the self hosted services I’ve run. If you ignore the day or so a year I’ve spent cursing my propensity to upgrade a tad too early and hit snags, though I’ve just about always been able to resolve them pretty quickly and have learned even more from those times.
And on top of that, I get to take a lot of that expertise to work where it happens to pay quite well. And I’ve spent some time working towards building the knowledge into a side gig. Maybe someday that’ll pay the bills too.
AKS is a shame. Most of azure, actually. I do my best to find ways around the insanity but it always seems to leak back in with something insane they chose to do for whatever Microsoft reason they have.
My experience was that they were definitely overkill until they weren’t, and I was glad to be comfortable in the UI when I wanted to start playing with more advanced features. Something like the sameersbn/gitlab docker image can get you started and grow with you a ton.
I was already sold, you don’t need to keep pitching more reasons to check it out.
Yep, this is a root of trust problem. Your choice will ultimately come down to how much you want to invest and how much inconvenience you’ll put up with, measured against how secure you want it to be.
Personally, I go for full disk encryption and then just store things on the filesystem in secure (to the OS) ways. File permissions and users and groups, etc. Most other things boil down to that though something like vault adds a layer of access control in that you can seal it off in the case of a breach (if you care) and can get granular with authz permissions in a centralized place, only managing authn in your distributed tools.
There’s probably some ideal system out there like vault but with a plugin that can ping your phone for quick verifications that would likely be ultra ideal, but I haven’t seen that. Personally I’d love something like that.
Depending on how you set up your on-LAN tailscale hosts, you may have included --advertise-routes=<your lan CIDR> and then I think you need to --accept-routes on other clients for them to actually set up the local routes that use the wireguard connection, but that would likely explain the behavior you’re seeing unless the behavior was updated to make this automatic.
The reason being that federation means other instances send you things. It’s not pull-only, or else you could likely get away with private instances sitting behind NAT. But since activitypub involves publishing to inboxes from source to destination, they need some way to reach you. And since we want to validate that connection and that some external authority can vouch for its ownership, we use TLS Certs with the DNS hostname that matches your server name.
I’m not sure, actually. My personal cluster is all x86 so I’m not usually that aware of the multiarch stuff. 😬
If you’re up for pgp and git, gnu password store is a killer app. There are a few guis, including Android and iOS, and if you use gopass there’s a nice plugin for browsers as well. And it’s ultimately just two tools that are both solid and generally well known.