Thanks a lot! I will go with the blockinfile, sounds promising.
How do I keep some of the existing firewall rules (which are dependent on the host) in the remote file, and change the other parts?
Thank you! Templating rules.v4 is a pretty attractive option. Though my VPS has some portions of the file which should be unmodified, so I would have to avoid this method.
Thanks, but I looked it up and learned to prefer having the idempotence handled by Ansible. Ansible supports iptables by default, while nftables needs a plugin, so iptables it is for me.
Being concerned about security while using free VPN sounds like an oxymoron.
Wait. I got the format warning in caddy, so does this mean it could contain substantial error? I gotta check
Thanks! I gotta get my hands on Ansible, was reluctant as I’ve heard it can be complicated. Should see myself!
Codeberg sounds like a good way! I was concerned about server config being stored on self-hosted forgejo (which is configured by the very server config), turns out that need not be the case.
Fortunately my VPS (oracle) has set SSH authentication to be default. Disallowing root login sounds good, gotta try that as well.
Thanks, I will try fail2ban. I am using ED25519 for ssh keys, it seems like it’s the best defense on the ssh side. Do you happen to know why this kind of attack is so prevalent?
Thanks a lot! Geoblocking makes a lot of sense, will try!
Thanks, though Shorewall looks intimidating. Do you have any good resources to go over how to set it up?
It seems permanently unavailable, how did you get an instance?
Thanks, I am running rootful containers so I don’t think this applies.
Thanks, but I am worried about relying on a small repo like this. EDIT: But it did make me realize Goodnotes supports WebDAV, thanks!
I got
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 51 0 0.0.0.0:11000 0.0.0.0:* LISTEN 155359/conmon
It is listening at the right port. But Recv-Q is nonzero, which seems quite strange.
Thanks for looking into it. I am not publishing any ports other than Caddy, and forgejo’s ssh port that I think cannot be forwarded. You mean I should block port 3000 from my VPS as well, right?
I am having trouble reading the ss -nltp output, could you explain what each entry means?
Also I am concerned that allowing access to the podman1 private network interface could be too permissive. What do you think?
Yes, they are running on the same server. I am hoping to communicate through host network, maybe that’s not working well
Thanks a lot for the on-point answer! I wish the person who answered in the issue had written a blog post, it would have been of great help.
Thanks, I am trying both paperless and calibre to see which works better for which tasks.