
  • 6 Posts
  • 39 Comments
Joined 1 year ago
Cake day: June 21st, 2023

  • Yeah I had SearXNG running via a Docker container and it was pretty good. I didn’t like having to use a domain name and expose it over the internet though, because Docker is running on my NAS. I guess I could give it another try using Cloudflare tunnels so I don’t have to open anything up.

    Or else go back to Startpage.


  • schmurnan@lemmy.world to Technology@lemmy.world · Why I Lost Faith in Kagi · 6 months ago

    My 100-search trial expired this week and I was literally planning on subscribing later tonight. This has made me think twice.

    But it takes me back to why I tried Kagi in the first place: What else can I use that respects privacy?

    I don’t think any of them do completely. DuckDuckGo uses Bing, so is Microsoft; Google is… well, Google; Brave is apparently really shady; I’ve never thought much of the results from Bing directly. Startpage seemed ok but apparently uses Google.

    What else?

    I also like something to be integrated into the browser. As a Mac user, I can’t add new search engines to Safari (and have actually switched to Orion, but may now switch to Firefox or back to Safari).


  • Sorry, I wasn’t classing Chrome and Chromium as the same thing. I’m a software developer of 20 years so I understand they’re not the same thing. I guess I just took that opportunity to state that I don’t use Google services/products if I can help it.

    In work we’re a Windows house, but I’ve managed to get my hands on an M2 MacBook Pro. For now I’m still using Edge but would like to get my iCloud exemption so I can use some of the apps on my personal MBP for work, and I’m wondering whether I should continue using Edge for work and A. N. Other browser for personal (and mirror this on my iPhone); or whether to use profiles, for example, on Safari and split it that way. I might be limited to what I can download on the work machine, but I’d like to synergise everything as much as I can where possible rather than having two completely different Mac experiences with my iPhone sort of thrown in the middle of both.

    Which browser do you prefer? I assume a Chromium-based derivative?


  • I have/had a ProtonMail account, and whilst it was great, I believe it was only end-to-end encrypted when sending emails to other people using ProtonMail…? Or at least that was my understanding at the time.

    The apps back then weren’t particularly polished, so I ended up migrating everything back to iCloud.

    To be honest, I don’t seem to have any issues with iCloud and everything just works. But that’s the problem with Apple, and how they “get” you.










  • I could be misinformed, but this isn’t just limited to Spark as I understand it, I believe a lot (maybe all?) third-party clients do the same thing. They act as an intermediary between you and the server so they can deliver push notifications.

    However, as I understand it, Spark’s privacy policy outlines that they don’t read/scan the contents of your emails, and the use of app-specific passwords rather than your email password ensures they only have access to emails and nothing else.

    Pretty sure others such as Canary, Airmail, Edison, etc. all do/did the same thing, but it was the lack of clarity in Spark’s privacy policy that made them the main target for scrutiny. I think they’ve since cleared that up.

    I could be mistaken, though.



  • Update from this morning.

    So far I’ve got the Traefik dashboard and my Homepage container using subdomains. Pi-hole is still an issue that I need to figure out.

    I’ve decided to start on the SSL certificates and am following a couple of guides. Once I have those in place, I’ll start moving more containers behind subdomains.

    I might have to expose my NAS IP to the internet and link it via Cloudflare, because I use an ExpressVPN on my Mac at all times, and when it’s turned on I can’t access ***any*** of my subdomains - this is obviously because ExpressVPN use their own DNS entries and don’t use the ones I’ve set. That will probably prevent me from using Vaultwarden (which is the whole purpose for all of this in the first place) because if I’m on the VPN I won’t be able to access the Vaultwarden container.

    Unless anyone knows of a workaround for that?

    Next steps:

    • Get SSL working
    • Figure out how to access subdomains whilst on the VPN (or get a DDNS account, create an A record in Cloudflare and point it at the DDNS IP, and open up ports 80 and 443)
    • Spin up a Vaultwarden container via a subdomain
    • Put all my other services behind subdomains
    • Figure out how to get Pi-hole working via Traefik and subdomain
    • Figure out how to get Tailscale access to my containers when not on my LAN

  • Figured it out. It’s a weird setting on Netgear routers whereby you have to also update the MAC address. All been working well for the last few hours and getting queries running through Pi-hole.

    I’ve also got my Homepage container set up at http://home.mydomain.com and configured Traefik a little further so it’s now accessible from http://traefik.mydomain.com (no port).

    For the past few hours I’ve been struggling with getting Pi-hole behind Traefik and accessible using http://pihole.mydomain.com. Only works if I stick /admin on the end, which defeats the object of using a subdomain. Found a forum post suggesting to use Traefik’s addPrefix after declaring the Host as pihole.mydomain.com, which works great for accessing the login screen, but when you enter the password it just loops back to the login screen.

    Also tried a few other things that ultimately broke the Pi-hole container and took out my entire connection, as everything is dependent on Pi-hole for DNS! So need to figure out some kind of resiliency/backup for that (my router is using the NAS IP as its primary and only DNS server).

    So, some progress. I’ve set Pi-hole back to IP:port and I’m gonna focus on getting other containers behind Traefik and leave Pi-hole till last. Then and only then will I look at SSL certificates (unless it’s advised to do it earlier?)

    Any pointers on any of the above would be appreciated! And thanks again for getting me this far.





  • OK so made a start with this. Spun up a Pi-hole container, added mydomain.com as an A record in Local DNS, and created a CNAME for traefik.mydomain.com to point to mydomain.com.

    In Cloudflare, I removed the mydomain.com A record and the www CNAME record.

    Doing an nslookup on mydomain.com I get

    Non-authoritative answer:
    *** Can't find mydomain.com: No answer
    

    Which I guess is to be expected.

    However, when I then navigate to http://traefik.mydomain.com in my browser, I’m met with a Cloudflare error page: https://imgur.com/XhKOywo.

    Below is the docker-compose of my traefik container:

    traefik:
        container_name: traefik
        image: traefik:latest
        restart: unless-stopped
        networks:
          - medianet
        ports:
          - 80:80
          - 443:443
        expose:
          - 8080
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - /volume1/docker/traefik:/etc/traefik
          - /volume1/docker/traefik/access.log:/logs/access.log
          - /volume1/docker/traefik/traefik.log:/logs/traefik.log
          - /volume1/docker/traefik/acme/acme.json:/acme.json
        environment:
          - TZ=Europe/London
        labels:
          - traefik.enable=true
          - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
          - traefik.http.routers.traefik.service=api@internal
          - traefik.http.routers.traefik.entrypoints=traefik
    

    My traefik.yml is also nice and basic at this point:

    global:
      sendAnonymousUsage: false
    
    entryPoints:
      web:
        address: ":80"
      traefik:
        address: "8080"
    
    api:
      dashboard: true
      insecure: true
    
    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        watch: true
        exposedByDefault: false
    
    log:
      filePath: traefik.log
      level: DEBUG
    
    accessLog:
      filePath: access.log
      bufferingSize: 100
    

    Any ideas what’s going wrong? I’m unclear on why the domain is still routing to Cloudflare.
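
A hardened counterpart to the `traefik.yml` and labels in the comment above, added here as an example and not taken from the commenter's setup: `api.insecure: true` serves the dashboard and API without authentication on the `traefik` entrypoint, so this variant switches it off and routes `api@internal` through a basic-auth middleware instead. The middleware name `dashboard-auth`, the user `admin` and the hash placeholder are assumptions.

```yaml
# --- traefik.yml (static configuration) ---
global:
  sendAnonymousUsage: false

entryPoints:
  web:
    address: ":80"        # entrypoint addresses take the form [host]:port

api:
  dashboard: true
  insecure: false         # weak setting in the comment: insecure: true
                          # (dashboard and API reachable with no login)

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false   # only containers labelled traefik.enable=true are routed

log:
  filePath: traefik.log
  level: INFO             # DEBUG is for troubleshooting; it is very verbose

---
# --- docker-compose.yml: labels on the traefik service ---
labels:
  - traefik.enable=true
  # Same host/path rule as in the comment, now served on the ordinary web entrypoint.
  - traefik.http.routers.traefik.rule=Host(`$TRAEFIK_DASHBOARD_HOST`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
  - traefik.http.routers.traefik.service=api@internal
  - traefik.http.routers.traefik.entrypoints=web
  # Assumed middleware name; every request to the dashboard must pass it.
  - traefik.http.routers.traefik.middlewares=dashboard-auth
  # Placeholder value: generate the hash with htpasswd and double each "$"
  # as "$$" so docker-compose does not treat it as a variable.
  - traefik.http.middlewares.dashboard-auth.basicauth.users=admin:<htpasswd-hash-placeholder>
```

Basic auth over plain HTTP sends the credentials unencrypted, so the router belongs on a TLS entrypoint once the certificates are in place.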


  • Absolute superstar, thanks for your help so far. I’ll make a start on some of this tomorrow and see how far I get — either with Traefik or NPM.

    Do I need to do anything with the domain itself on Cloudflare at the moment? Or do I just leave it with its current A record pointing at an IP address (it was done as part of the setup in Cloudflare so I have no idea what that IP address is).

    Obviously that domain in reality will just sit there doing nothing.


  • I don’t plan on exposing any of this stuff to anybody other than me. I do plan on spinning up SearX but it’ll only be me using it. I’ve given up trying to convince my family to move away from Google to even DuckDuckGo or Startpage, so there’s no way I’ll convince them to use SearX!

    I think, therefore, for accessing away from home I’ll perhaps set up a subdomain that points to the IP of my Tailscale container — that means it’ll be accessible externally but only when I turn on the VPN.

    When I’m on my home network I have a VPN on my Mac anyway.