• 5 Posts
  • 298 Comments
Joined 10 months ago
cake
Cake day: April 27th, 2024

help-circle



  • It’s a bit unconventional maybe, but I vote simple-nixos-mailserver - IF you are curious / willing to learn nix. It’s essentially just sanely configured dovecot, postfix, rspamd.

    My config for those three combined is about 15 lines, and I have never had an issue with them. Slap on another 5-10 lines for Roundcube as a webmail client.

    Since it’s Nix, everything is declarative, so should SOMETHING happen to the server, you can be up and running again super quickly, with the exact same setup.















  • A high-quality laptop without any branding.

    I’m currently using a 9-year-old, woefully underpowered laptop made by Xiaomi. Full aluminium unibody, and NO logo. Not printed on, not etched in, not glistening only in the right light. NO LOGO.

    I’m not a billboard. I’m not responsible for your brand recognition. Ironically though, far more people have come up to me and asked “hey, what laptop is that” than ever would have cared if there was a logo on it.

    It also just looks and feels fantastic, all-aluminium-no-logo just looks so sleek.

    So yeah. I will not be upgrading until I find another laptop of the same build quality, with no logo. Tuxedo has that option for most of their laptops, but for some reason not for their only current full-aluminium body -.-

    Oh, and don’t come at me with stickers.


  • We expose about a dozen services to the open web. Haven’t bothered with something like Authentik yet, just strong passwords.

    We use a solid OPNSense Firewall config with rather fine-grained permissions to allow/forbid traffic to the respective VMs, between the VMs, between VMs and the NAS, and so on.

    We also have a wireguard tunnel to home for all the services that don’t need to be available on the internet publicly. That one also allows access to the management interface of the firewall.

    In OPNSense, you get quite good logging capabilities, should you suspect someone is trying to gain access, you’ll be able to read it from there.

    I am also considering setting up Prometheus and Grafana for all our services, which could point out some anomalies, though that would not be the main usecase.

    Lastly, I also have a server at a hoster for some stuff that is not practical to host at home. The hoster provided a very rudimentary firewall, so I’m using that to only open necessary ports, and then Fail2Ban to insta-ban IPs for a week on the first offense. Have also set it up so they get banned on Cloudflare’s side, so before another malicious request ever reaches me.

    Have not had any issues, ever.