I use SnappyMail. It’s a fork of Rainloop that’s actually maintained.

https://github.com/the-djmaze/snappymail

And unlike Rainloop, the Sieve filter editor actually works.

I have a single Nginx setup which is the frontend for all my web services. So I only need to deploy it there (and to its HA partner). My renewal script just scp’s it to the secondary and does an nginx -s reload on both.

I do generate separate certs/keys for my non-web servers, but there’s only two of those.

You could also, if you wanted, just generate one cert and distribute it and its key to everything with a script or other automation tool (Ansible is what I used to use).

Is there a way I can get Let’s Encrypt to dole out a wildcard certificate

Yep. Just specify the domains yourdomain.com and *.yourdomain.com in the certbot request. Wildcard domains require the DNS-based challenge, but you’ve said you’re already good there. You don’t technically need the apex domain (yourdomain.com) but I always add it since I do have services running there.

Any subdomains under the wildcard can use internal DNS or internal IPs on the public DNS (I do the former, but the latter works too).

I used to run an internal CA, and it wasn’t too hard to setup a CA and distribute my root cert. Except on mobile devices. On Android it was easy, but there was a persistent warning that my network traffic could be intercepted (which is true when there’s a custom root cert installed), but it since it was my cert, it got annoying seeing that all the time. Not sure if Apple devices can even do that, but regardless, it wasn’t practical for friends who wanted to use my self-hosted services to install a custom cert when they were over.

Is there EV support?

Looks like it, yeah:

The UI still shows Fuel, but it seems like you can enter the kWh and it should calculate. Maybe plug some values into the demo to be sure. If you do, let us know!

I use Fireflyiii for my money and budgeting.

I don’t see why not. I haven’t stood it up yet, but I’ve played with the demo. It does have a section for parts/repairs/upgrades.

Give the demo a try, and let us know.

Yeah, building a simpler version of something like that was on my ever-growing “to do” list but came across this today. Probably going to deploy it this evening or maybe this weekend (whichever day it’s supposed to rain lol).

Depends on what I’m transferring and to/from where:

• scp is my go-to since I’m a Linux household and have SSH keys setup and LDAP SSO as a fallback
• sshfs if I’m too lazy to connect via SMB/NFS (or I don’t feel like installing the tools for them) or I’m traversing a WAN
• rsync for bulk transfer and backups
• Snapdrop/Pairdrop for one-off file/text shares between devices with GUIs (mostly phone <–> PC)
• SMB if I’m on a client PC and need to work with the files directly from the fileserver
• NFS between servers
• To get bulk data to my phone (e.g. updating my music library), I connect via USB in MTP mode and copy from the server via SMB or sshfs.

I’ve always thought the firewall color codes were arbitrary, though I might just have not paid attention all these years lol.

Just to clarify: I meant connect your OpenWRT device to your hotspot instead of the AP you’ve been working with. Just to rule out multiple MACs being blocked on the AP.

Beyond that, I’m not really able to help troubleshoot further, but worst case and if all you need is internet, you can set your OpenWRT device up so that it just NATs your downstream connections. Double-NAT, in most cases, is fine.

Hmm. Is the upstream AP some kind of fancy deal or a run of the mill consumer router?

I’ve seen some Cisco APs configured to not allow multiple MAC addresses from the same station. Caused problems when trying to do VMs on my laptop that had the network in bridge mode.

Are you able to put your phone into hotspot, connect to that instead of the upstream AP, and see if it works?

I did that with a GL.iNet travel router after flashing stock OpenWRT, and used it as a wireless bridge for several years. It uses relayd to bridge the Wifi station interface and Ethernet. Once you have an ethernet bridge, you can connect another AP or do whatever from there.

If you create a second wifi interface in AP mode (in addition to the station/client one connected to the upstream), you should be able to add that to the LAN bridge alongside the ethernet interfaces. That bridge will then be part of the relayd bridge, and it all should just work (should, lol. I haven’t tested that config since I only needed to turn wifi into wired ethernet with this setup).

Interfaces:

LAN Bridge: Ethernet interfaces to be bridged to the wifi

I have both of its interfaces in this bridge, and it also has a static management IP (outside of the WLAN subnet). This management IP is a static out-of-band IP since the devices connected over ethernet won’t be able to access it’s WLAN IP (in the main LAN) to manage it. To access this IP, I just statically set an additional IP on one of the downstream ethernet client devices.

The LAN bridge is in a firewall zone called LAN.

WWAN: Wireless station interface that’s configured as a client to the AP providing upstream access. I have this configured statically, but DHCP is fine too. Firewall zone is WLAN.

WLANBRIDGE: The relayd bridge (Protocol: relay bridge). It’s interfaces are the LAN bridge and the WWAN interface.

Disregard the WGMesh parts; that’s separate and not related to the wireless bridging mode.

Nice! Yeah, I’ve been a big fan of it. Planning to eventually replace my custom Snapdrop with Pairdrop since they’ve made quite a few other improvements.

Pair Drop

Quickly send files, paste images/text snippets between devices.

I’m using the older Snapdrop (which PD was forked from) with some patches I made to:

• Work behind Authelia for SSO + 2FA
• Use the display name provided by Authelia instead of the random usernames it gives out by default
• Send transfers over the internet without dealing with the temporary “rooms” that Pairdrop uses (it’s behind Authelia, so only authorized users can get to it).

It has 100% replaced emailing things to myself or shuffling files to/from Nextcloud. I probably use it to send text (URLs, clipboard contents, etc) to/from my phone as much as I use it for sending files back and forth.

https://smallstep.com/docs/step-ca/index.html

There’s basically two executables involved:

• step is the CLI app used to request certificates
• step-ca is the server process the step client connects to

I’ve got the CA portion bundled into Docker. It can also run as an ACME server (and is compatible with certbot).

I run a custom build of Nginx with a few extra modules compiled in:

• ModSecurity
  • https://github.com/SpiderLabs/ModSecurity-nginx.git
  • https://github.com/SpiderLabs/ModSecurity
• Nginx GeoIP2 Module (https://github.com/leev/ngx_http_geoip2_module.git)
• OWASP Core Rule Set: https://github.com/coreruleset/coreruleset/tree/v4.10.0/rules

Some guidance can be found here: https://docs.nginx.com/nginx-waf/admin-guide/nginx-plus-modsecurity-waf-owasp-crs/

That guidance is for NginxPlus, but you can compile the dynamic module yourself with the community versions.

RCS is a whole can of worms. It’s presented like a carrier services (and carriers are in the mix, though often just for authentication), but it’s really a Google service. With Android, RCS connects directly to google’s mothership.

I believe on iOS those go to Apple’s servers which “peers” with google. Maybe search the RCS endpoint for Apple and see what comes up?

This is actually one of my New Year’s resolutions lol. Right now, my backups are local and my offsites are a hodgepodge of cloud services (basically holding encrypted container blobs of my stuff). Not ideal.

I’m looking at signing up for rsync.net since a lot of my backups are done via rsync anyway. Plan is to keep my local backups as-is and rsync them to rsync.net.

AI bots absolutely rip through your sites like something rabid.

SemrushBot being the most rabid from my experience. Just will not take “fuck off” as an answer.

That looks pretty much like how I’m doing it, also as an include for each virtual host. The only difference is I don’t even bother with a 403. I just use Nginx’s 444 “response” to immediately close the connection.

Are you doing the IP blocks also in Nginx or lower at the firewall level? Currently I’m doing it at firewall level since many of those will also attempt SSH brute forces (good luck since I only use keys, but still…)

Most containers default to UTC, and depending what you’re running, that may be fine.

I only mount /etc/timezone / /etc/localtime if I’m running a container where it needs to be on the same timezone as the host (DB containers, anything where I want the logs in local time, etc). Not all containers use the TZ env var, so bind mounting the timezone files from the host is a guaranteed way to sync them.

I always do some level of RAID. If for no other reason, I’m not out of commission if a disk fails. When you’re working with multi TB, restoring from a backup can take a while. If rapid recovery from a disk failure is not a high priority for you, then you could probably do without RAID.

Either way, make sure you test your backups occasionally.

Another way to put it: With RAID, a disk failure is like your Check Engine light coming on. You can still drive, but you should address the problem as soon as you can. Without RAID, it’s like your engine has seized up and you have to tow it for repair and are without your car until it’s fixed.