After some research on here and reddit about 6 months so, I settled on Borgbase and its been pretty good. I also manually save occasionally to proton drive but you’re right to give up on that as a solution!

The hardest part was choosing the backup method and properly setting up Borg or restic on my machine properly, especially with docker and databases. I have ended up with adding db backup images to each container with an important db, saving to a specific folder. Then that and all the files are backed up by restic to an attached external drive at well as borgbase. This happens at a specific time in the morning and found a restic action to stop all docker containers first, back them up, then spin them back up. I am find the guides that I used if it’s helpful to you.

I also checked my backups a few times and found a few small problems I had to fix. I got the message from order users several times that your backups are useless unless you regularly test them.

Theres a lot of different things going on here although it sounds simple, you’re actually touching many different technologies. I started a few years ago to self host and it took me a while to get my head around these and still have issues so don’t worry too much!

Im not familiar with caddy but the ports look wrong. It would be looking for 80 and 443 presumably on the docker host (right hand side / “RHS Ports”. You could use any ports on the left hand side (“LHS Ports”).

The section “DOMAIN}:1443” might be telling caddy to be looking on port 1443 inside docker, which means the port need to be flipped around. The RHS Ports are what the service inside docker is looking to use (often these are set by the developer but they can be changed in settings, it’s easier to leave these as default and only change the LHS Ports). The LHS Ports are what you choose to expose on the actual server itself. https://docs.docker.com/get-started/docker-concepts/running-containers/publishing-ports/

Theres no mention of the router settings so the problem might be there. Are you forwarding the right ports through? You would need to forward ports 80 and 443 to the LHS Ports you choose for caddy. These port forwards would also need to point to your servers internal address. (Search “<your router name> port forward settings”)

What do you have on port 80 as I would recommend to change that to something else and have caddy on ports 80 and 443. I would also suggest trying nginx proxy manager which is available on docker, has a nice web interface to add reverse proxy’s, and can handle your SSL certificates (inc automatic renewals). This would replace caddy and would use ports 80 and 443 on your server. https://nginxproxymanager.com/

Also, just to mention, your safest option is not to expose vaultwarden to the internet unless your very sure you need to and add other protections (firewalls, fail2ban etc). If it’s just you/a few people, look into using a VPN like tailscale (easiest but relies on external party) or Wireguard (fully yours to control but pretty complicated).

You would still need an SSL cert but your can do this through DuckDNS using https://github.com/maksimstojkovic/docker-letsencrypt. You could also buy a cheap domain and never have to expose anything, as they would give you a certificate to download (cloudflare or porkbun are good - https://kb.porkbun.com/article/71-how-your-free-ssl-certificates-work) and you manually upload it to caddy or nginx proxy manager. the best option is to use nginx proxy manager or certbot to handle these as the certificates expire. You can set up “DNS challenge” in your SSL certificate manager which needs details from your DNS to obtain the SSL certificates on your behalf.

If I was you, I would search for online guides and setup in this order: nginx proxy manager, SSL cert (buying your own cheap domain from cloudflare and setting up DNS challenge in nginx proxy manager), tailscale, then vaultwarden.

Im using a free Mailgun account for all my self hosted services. Happy with it so far.

Proton only has SMTP on it’s business accounts, and you have to apply for one with a good reason (ie not for spam)

pastebin.com/DiHX2vg2

Hopefully this works and you can see the compose file. I’ve put a few things in [square brackets] to hide some stuff, probably overly cautiously. I have an external network linked to NPM and in that, I use nextcloud-server for IP address and 80 for the port (it’s the inside container port, not 8080 on the system - that took me a long time to figure out!). Add a .env file with everything referenced in the compose file, then (hopefully!) Away you go

RIP from England. Those scripts helped me through some tough times when first trying proxmox, I remember being so happy to find them. I wouldn’t have stayed on proxmox without them

Not sure if it makes a difference and not quite your question but I’ve just switched away from nextcloud-aio to just having my own docker compose, so I have better control and know what’s going on more. I always found it funny and when installing on a new VPS decided to try. It was surprisingly straightforward and Ive been able to install everything I need.

Let me know if my docker compose would help. I still need to add the backup solution but it’s going to be straightforward as well.

My experience has taught me not to ‘apt autoremove’ unless im really sure what they are!

Take it one software at a time. See it’s running fine then move on to another. You’ll often realise something down the line will be helpful so will go back to make changes.

Keep a running list of software and the ports used.

With docker, do not automatically do :latest on important software (nginx proxy manager, SSO software, password database, anything you use regularly, etc). I did that and was burned a few times.

Also that at some point you’ll either mess up or realise it would just be easier and start again with a fresh OS install. Keep copying data (docker compose files and persistent storage) on working software before starting a new one, or before installing anything directly onto the OS, or before major updates.

I would highly discourage getting a fire stick, they’ve locked it down so much its just annoying. Yes, you can get there but found it much easier on android tv boxes, specifically the Xiaomi Mii TV ones. Which one you get probably depends on whether you need 4K and/or dolby

I like the Mii TV 4k sticks. They run android tv and have the usual apps, or you can install your own launcher, apps (look into stremio!) and everything through downloader or adb. Then you can disable the bloatware through adb, theres a few lists online if you search. With a launcher manager app, mine loads straight to productivity launcher (I also like flauncher).

Do not try a firestick, theyre heavily locked down now.

I then just deleted the network on my smart tv so it can’t send anything. Along with my pihole, hopefully theres no telemetry getting out, although not checked it. Its impossible to find good TVs that aren’t smart anymore unfortunately, the data selling either subsidises the costs pricing out dumb TV’s, or more likely they make so much from the data selling that they only sell those.

I just started using some docker containers I found on Docker Hub designed for DB backups (e.g. prodrigestivill/postgres-backup-local) to automatically dump from the databases into a set folder, which is included in the restic backup. I know you could come up with scripts but this way, I could easily copy the compose code to other containers with different databases (and different passwords etc).

I would recommend it as it is fairly easy to understand and most Foss services give you an example to use. You can also convert docker run examples to compose (search docker composeriser) although it doesn’t always work.

I found composer files easier when learning it, to digest what is going on (ports, networks, depends_on etc) and can compare with other services to see what is missing (container name, restart schedule etc). I can then easily backup the compose files, env files and data directories to be able to very quickly get a service up again (although DBs are trickier but found a docker image that I can stick on the compose files which backups the DB dumps regularly)

I am born and raised in England to Indian parents so always had some internal tension. Sometimes, I don’t understand my patents culture and sometimes I don’t understand English culture. However, I’ve realised I am who I am, and can take the best bits from both. There are some bits I don’t like so I’m the better for being / having that mix. I married an Irish person who moved over several years ago. Irish used to be the “other” and were screwed over, but now are sometimes considered “white”, so just shows the target moves.

There has always been racism in British society and unfortunately I have felt it pick up since the Brexit vote and Trump’s election (I think it empowered them). However, it is from a small minority of people. In some areas it comes from ignorance, which I can kind of forgive. Others will always see us as outsiders with our foreign names (and my brown skin) no matter what we do. I just think, screw them. I mean, can they trace themselves back before the Normans, the Romans or the Vikings etc? Where do you draw the line exactly?!? England has always been a mix of people and culture so they’re the ones missing out. I’m happy driving my Korean car to a German store to buy ingredients for a Thai green curry. Oh, I’ll grab a French pastry for breakfast, Chilean wine for the weekend and well, you get the idea! Let’s make the most of this multicultural place and ideas, and who cares about bigots who you can guarantee, like a cheeky korma and Belgian beer…

I use authentik but believe it’s similar. You can create accounts for people and give them passwords, or send a welcome email asking them to register to create one. I would warn you though, not every service has the ability to use it and it does take quite some effort to get it working! It’s interesting to learn about though

I tried the readarr and other options. They work sometimes but not enough to rely on it. As others mention, there’s no standard naming and also, lots of people use their library card for Libby access. I also think there’s a bit more of a direct link to authors so I’d prefer to buy the book unless theyre super well off anyway. To be honest, I can’t see the arr’s working with LibGen having looked at the open issues on integrating it, it just doesn’t allow for scraping in the same way.

For me, I self host openbooks (uses IRC) and select a download straight away, which to be fair, is about the same time as searching / finding a TV show if you are after one book. I have exposed it behind an SSO so can access it on my phone and download the book straight away when someone gives me a recommendation. Most of the time I just add to a running note on phone and go through it every few months when I need more books.

It’s fairly quick for multiple books but not sonarr levels of ease. The downloads go into a calibre monitored folder which then does the automation (naming, conversion if needed etc). I bulk email the new books to my kindle with one click. Calibre-web is on read only for a nice browsing experience and to read on other devices if I need to (althogh no page sync). It’s a bit of manual work but I find it is not too bad and in 10 minutes I can load up enough books for months.

Occasionally IRC does not have the book so try manually searching on prowlarr, and download on sab or transmission. The downloads are almost instant so I then just wait and copy them to my downloads folder (I could probably automate this step too with tags but it’s so infrequent).

I have dynamic IP and there are several ways around it. I use Cloudflared (updates DNS records regularly) and a script I found to update duck DNS as a backup. Both very simple.

Accessing the services is not the problem, the problem is keeping them safe. I’ve tried lots of different ways (although not tailscale yet) and have a few services exposed directly to the internet behind authentik \ NPM \ Cloudflare \ fail2ban \ ufw. Others, I access through my router openvpn server, with keys for my laptop and phone as clients. There are so many guides online for all VPN types. Its just finding the right approach between ease of use vs safety

I’m hesitant about it too for the same reason but not sure if I’m being unreasonable given that I rely on so many other free services. However, this is one that would potentially have access to everything I do.

I’m watching headscale with interest until its safe enough for me to try breaking it!

Would you trust rsync.net to be around for a long time? They’re doing a $540 lifetime 1TB offer which is interesting as I’m luckily in a position to do but would take 6 years plus to “pay off”.

I only use docker images supplied by the devs themselves or community maintained (e.g. Linux server.io) so they essentially tell docker what needs to be installed in the container, not me. It takes the hassle out of trying to figure out what I need to do to get the service running. If they update their app, they’ll probably know best what else needs to be updated and will do that in the image. I guess you are relying on them to keep everything updated but they are way more knowledgeable than me and if there is a vulnerability, it is only in that container and not your other services.

Lots of little things really. Obviously I couldn’t say for certain but they seemed to on top of it without causing us too much difficulty in doing our jobs.

Sometimes things were blocked like if a new email, or questioned after to check it was expected and followed policy. Policies were clear, and there were helpful prompts or warnings.

We were involved in something where we had to copy a sh*t load of files from a shared folder to a hard disk. There were like three automatic blocks that kicked in at different times, which was a pain at first to figure out but because we had a good reason, someone in IT just kept at it to get it done and looking back, that should have raised flags given the size of it all.

They changed from passwords changing every 6 months to no changes but had to be longer and mandatory 2FA. We were told to use keepass for all passwords for things that weren’t SSO for various reasons.

Don’t provide services to others, including your own family, actually especially your own family, until you are quite comfortable with what is going on and what might be causing issues. Focus on helping yourself or keeping whatever other services you were using before just in case.

Trying to fix something at night, with a fuming partner who’s already put up with a difficult to use service, because of your want for privacy even though they don’t care care, whilst saying “it should work, I don’t know what’s wrong”, is not a great place to be 😁.

Overall though, I found it so interesting that I am doing a part time degree in computer science in my 30s, purely to learn more (whilst being forced to do it to timelines and having paid for it).

I have a very comfortable and ‘forget about it’ setup my family are now using. Every now and then I add new services for myself, and if it works out, will give access to others to use, keep it just for me or just delete it and move on.