I do the same. Fedora on my laptop because I want a balance of stability and having the newest features. Servers run Debian, because I don’t have time to fix and update things.

How do you upload a snapshot?

Basically, as you said. Mount the data somewhere and back up its contents.

I back up snapshots rather than current data, because I don’t want to stop the running containers that read and write from that data. I’d rather avoid the situation where the container is writing data while it’s being backed up. The back up happens shortly after the daily snapshot is made so the difference between current and snapshot data is small.

As others have said, with an incremental filesystem level mechanism, the backup process won’t be too taxing for the CPU. I have ZFS set up which makes this easy and I make hourly snapshots using sanoid which also get sent to another mirrored pair of connected drives using syncoid. Then, once a day, I upload encrypted daily snapshots to a bucket in the cloud using restic. Sounds complicated, but actually sanoid/syncoid and restic do all the heavy lifting. All I did is automate their schedules using systemd timers and some scripts to backup the right directories.

It’s worth noting that you don’t even need to still have the Kindle device physically with you. I had to throw mine out (I still had the original first ever model), but it’s still registered and the token is valid for Calibre’s DeDRM.

Looks perfect! Exactly what I was looking for. Thanks!

What about https://github.com/janeczku/calibre-web?

What benefit do you get from running a Cloudflare proxy if you’re directing it to a VPS? I used to run with a Cloudflare proxy when my reverse proxy was hosted at home. Since then, I’ve moved it to a VPS and I no longer use the Cloudflare proxy, because I only expose the IP address of the VPS which is fine. Arguably Cloudflare provides you with DDoS protection, but that’s so far never been a problem for me.

Maintaining legacy options is always maintenance overhead or things you need to work around when implementing new features. I suspect that they’ve concluded that not enough people use it anymore to justify the overhead.

Why not have the reverse proxy also do renewal for the SMTP relay certificate and just rsync it to the relay? For a while I had one of my proxies do all the renewals and the other would rsync it.

I deploy as much as I possibly can via Ansible. Then the Ansible code serves as the documentation. I also keep the underlying OS the same on all machines to avoid different OS conventions. All my machines run Debian. The few things I cannot express in Ansible, such as network topology, I draw a diagram for in draw.io, but that’s it.

Also, why not automate the certificate renewal with certbot? I have two reverse proxies and they renew their certificates themselves.

Plasma is amazing. It has been my DE of choice for years now. So happy I’m donating to the project.

That’s because podman-compose is not a goal for the project IIRC. Therefore, it will never be feature complete. They encourage using systemd or other tools to manage the pods. It seems that podman-compose is just not an enterprise use case.

Edit: so if docker-compose is important then yea, stick to docker. I moved to using systemd instead. Podman can generate the systems files for you.

Well, that’s just not true. WSL indeed is not Linux, but it does have several of the advantages of Linux.

It is not good if you want a home desktop solution, because that’s not what it’s there for. However, if you need to use Windows for something, e.g., at work to have full outlook MS office compatibility (access through the web is not great) but need Linux for dev work then WSL is great.

In short, I’d say WSL is there if you want to do dev work on Linux, but everything else on Windows.

ZFS send to a pair of mirrored HDDs on the same machine ever hour and a daily restic backup to S3 storage. Every six months I test and verify the cloud backup.

In addition to what you mentioned, setup logcheck to email you unexpected logs. It does require a bit of time and fine tuning to make it ignore expected logs, but in terms of security measures it’s very powerful. I get an email every time I log in, incorrectly type my sudo password, etc. Sounds very verbose, but it also means it’s verbose when something unexpected is happening which is what you want security-wise. A nice side effect of having to craft the regexes of what logs to ignore is that I know better what’s running on my server :)

I already posted that I recommend fastmail elsewhere in this thread, but you raised so many good points that it reminded me of some extra points :)

Fastmail offers granular, per-app passwords – I have a single password which has read-only access to IMAP in order to back up all the data on a timer. This feature is missing from many (many) other email providers - using the 80/20 rule, if they even offer it it’s a single password with full access (Mailfence, for example)

Since this community is about selfhosting I think it’s worth pointing out that this is AMAZING for selfhosting. I have all me selfhosted services sending e-mail via fastmail’s SMTP. With per-app passwords I don’t need to store my normal e-mail password and the apps can be limited to SMTP only (so no read access). And in case of compromise you can revoke permissions on a per-app granularity.

Fastmail offers full CardDAV (contacts) and CalDAV (calendar) access, which makes plugging it into any other app that supports this very easy - their DNS wizard helps you set up the service records. I use “DavX5” on my Android to sync all Contacts and Calendar outside of using the Fastmail app (which is a self contained app on Android, it’s not too bad)

Fastmail has become my contacts app now - it’s really great to have all your e-mail and contacts in the same place. The contacts don’t even need to have an e-mail address - I have a lot of contacts stored for whom I only have a phone number. I sync to android using the same DavX5 app and then immediately have these contacts in whatsapp and signal.

I recommend fastmail.com though they do have done shortcomings that you need to consider such as the fact that they’re based in Australia (five eyes country) and have servers in the USA. Their advantage is a slick interface, fantastic app based on JMAP, and just generally being super convenient. They allow catch all addresses, masked emails, custom domain etc. I find them super convenient.

Thanks for the suggestion! That is also doable with Nginx’s SSL pass-through. However, that is still vulnerable to the VPS provider obtaining a certificate. But indeed, it does appear that a combination of redirecting encrypted traffic (SSL passthrough or iptables) with cert monitoring appears to be emerging as a solution.

BTW, I prefer SSL pass-through over iptables, because I do keep one endpoint on the VPS and that’s my static website which also needs a cert. With SSL pass-through I can terminate connections to the static website while redirecting all other connections as it can pre-read the destination domain. With iptables I would need two IP addresses to distinguish the connections.

You can limit which CA’s will offer certificates for your domain with the CAA record in DNS.

Yea, I already have that.

You can also at least detect if someone else creates a certificate for your domain if you watch the certificate transparency logs.

Did not know this before today, but now I have it switched on!

Apparently yes! Based on another comment in this thread: https://certificate.transparency.dev/monitors/.