When you get a 502 it usually means that your reverse proxy is unable to connect to your backend server. I’m not sure if you’ve obfuscated the URL in your post but 0.0.0.0 is not a valid IP (it just means ALL IPs). If you are attempting to connect on the same machine that is hosting use 127.0.0.1. if you are on the same network then use the local IP.

You can do this with a site-to-site wireguard VPN. You will need to set up the proper routing rules on each termination. On the Internet facing side you will want to do DNAT (modifies destination, keeps source) to redirect the incoming traffic to your non- internet facing side through the tunnel. Then on the non- internet facing you need to set up Routing rules to ensure all traffic headed for public IPs is traversing the tunnel. Then back on the Internet facing side you need to SNAT (modify source, keep destination) the traffic coming through the tunnel headed for the Internet. Hopefully this helps. People saying this goes against standards are not really correct as this is a great application for NAT.

Maybe not the lowest power possible… I wouldn’t recommend running your NAS on a raspberry pi even though plenty of people do

I’ve got a 3800x that has plenty of performance but also uses a lot of power and I’m seriously considering upgrading to a 5700G. It’s about 170 from Amazon right now.

Also, I don’t think you’re going to want your NAS to sleep/standby, that’s really not typical.

I wonder if this is the cause for the UI failing and showing a white page with “server error”. It has something to do with a failure to retrieve the site icon and if postgres is crashing that could explain why lemmy-ui is failing to retrieve the site icon.

My current “fix” for this is a script that runs every 10 minutes and sets the site image to NULL, curls the site URL, then sets the site image back to what it was. This does seem to work around the problem and if the UI does crash it’s only down for a maximum of 10 minutes.

Very nice walkthrough. Gonna bookmark this.

Port 8080 is where the Web-UI / Web-API is running. If you want to be able to upload data and not just leech you need to forward port 6881 (and probably also tell QBT to listen on that port)

Since 0 comes before 1 you’re probably gonna need to rename the files and possibly the metadata as well. Probably gonna need a custom numbering scheme to do what you want to do.

Not sure if you use OPNSense, but the acme plugin allows you to automatically upload certificates (via ssh) to the appropriate servers whenever the certificates are updated.

One other way would be to use a reverse proxy internally (if you only need SSL for web interfaces).

Packets initiated from the NAS to the Internet are allowed. Packets initiated from somewhere on the Internet to the NAS are not allowed.

If the NAS requests files from a download server they will be allowed to come through the firewall because the files are a response to a request and not unsolicited traffic. I hope that makes sense.

Vaultwarden password manager

You can do all of those things with wireguard as well… I’m not seeing any benefit to running Tailscale/headscale.

If you don’t have a static IP then you will automatically have a dynamic one. You don’t need to ask for a dynamic IP as that is the default. And I’m no idiot, I’ve used dynamic DNS services for for over 20 years.

If you’re going to do that you may as well cut out the extra server/service and run regular wireguard.

Tailscale is a service that relies on a third party to facilitate the VPN connection between your client and server. It is designed for people who don’t want to or cannot forward ports. Your server and your client both talk to the Tailscale servers and traffic is routed that way.

Dynamic IP is one that changes. I think you meant static IP.

Recently commented on a different post about setting up a VPN. Check out firezone

I don’t recommend using Tailscale or anything that relies on a third party.

I can recommend firezone as well. Served me well before I decided to host my wireguard server on OPNsense.

I still miss the super easy client setup from firezone! OPNsense really needs to make it easier.

Check this GitHub link for instructions. https://github.com/LemmyNet/lemmy-ui/issues/1530#issuecomment-1605781461

Once I get home from work this afternoon I will post my docker-compose.yml which has an extra container that automatically deletes the database entry then resets it.

EDIT: Here is the extra container from my docker-compose.yml

  icon-fix:
    image: iconfix:latest
    command:
      - /bin/sh
      - -c
      - |
        sleep 10
        # Remove Site Icon - be sure to set your postgres password
        PGPASSWORD=<POSTGRESS PASSWORD HERE> psql -U lemmy -h postgres -d lemmy -c "UPDATE site SET icon = NULL WHERE id = 1;"
        # Refresh Site - replace example.com with your sites domain
	curl -f -sS -H "Host: example.com" http://lemmy-ui:1234 > temp.html
        # Reset Site Icon - Set your postgres password and replace the URL with one that points to your icon
 	PGPASSWORD=<POSTGRESS PASSWORD HERE> psql -U lemmy -h postgres -d lemmy -c "UPDATE site SET icon = 'https://example.com/pictrs/image/2cc85182-5739-4c86-b982-94fc913e80d3.webp' WHERE id = 1;"
    depends_on:
      - postgres

And here is the Dockerfile for building the iconfix image

FROM docker.io/postgres:latest
RUN apt update
RUN apt install -y curl

This is an issue that has been present for a long time but recently came back worse with the 0.19 update. It is caused by lemmy-ui failing to load the site icon and it typically happens whenever the the docker container is started/restarted while you have a site icon set. The only fix at the moment is to manually delete the database entry which contains a link to the site image.