Husband, Father, IT Pro, service.

If I ask a lot of questions, I might understand why.

  • 2 Posts
  • 33 Comments
Joined 10 months ago
Cake day: December 12th, 2023


  • One of the keys to selecting the solution from the provided answers is whether you need this to be publicly trusted.

    I use an internal OpenSSL CA root, and created an intermediate CA for each Active Directory domain or forest. Also, I wanted to create internal PKI smart cards with YubiKeys and HID C1150 cards. For, you know, fun.

    I didn’t care that other hosts don’t trust my stuff because all my hosts are configured with the root CA, and I only use VPN for access.

    If you want external trust, you must do some of the other suggestions. Setting up an internal CA is a chore, with understanding AIA, CDP points, line of sight to PKI URLs for revocation checking, and more…
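As an added illustration of the AIA/CDP point above (example script, not from the comment's author), this builds a two-tier OpenSSL CA in a scratch directory and stamps the intermediate with the caIssuers and CRL URLs that validating hosts need reachable; pki.example.internal is an assumed placeholder hostname.

```shell
# Added example, not from the original comment: root + intermediate CA with
# AIA and CDP extensions, then a chain check. Requires the openssl CLI.
# pki.example.internal is an assumed placeholder hostname.
set -e

write_config() {
  # Self-contained openssl.cnf so the demo does not depend on the system one.
  cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ inter_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# Every host that validates the chain needs line of sight to these URLs.
authorityInfoAccess = caIssuers;URI:http://pki.example.internal/root.crt
crlDistributionPoints = URI:http://pki.example.internal/root.crl
EOF
}

build_internal_pki() {
  d="$1"; write_config "$d"
  # Root: self-signed, kept offline, only ever signs intermediates.
  openssl req -x509 -config "$d/pki.cnf" -extensions root_ext -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "/CN=Example Internal Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate (one per AD domain/forest): CSR signed by the root.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Domain Issuing CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/pki.cnf" \
    -extensions inter_ext -out "$d/inter.crt" 2>/dev/null
  # Chain check: non-zero exit if the intermediate does not chain to the root.
  openssl verify -CAfile "$d/root.crt" "$d/inter.crt"
}

has_aia_cdp() {  # 0 only when the cert advertises both a caIssuers URL and a CDP
  t=$(openssl x509 -in "$1" -noout -text)
  printf '%s' "$t" | grep -q 'CA Issuers' && printf '%s' "$t" | grep -q 'CRL Distribution'
}
demo=$(mktemp -d)
build_internal_pki "$demo" && has_aia_cdp "$demo/inter.crt" && echo "AIA and CDP present"
```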

  • You’re correct about VLANs.

    Think of a VLAN as a regular switch. Connect stuff, and it communicates. Make two VLANs in a switch, and think of it as turning your physical switch into two separate switches.

    Connect your switches to a router. Don’t want to waste two cables from your switch that’s cut in half? Do a trunk port, with VLAN tagging.

    Lots of videos will explain better.

    Best practice is to separate things of different trust levels into different VLANs. You can filter and control the traffic between those VLANs with your router.

    As previously mentioned, in the enterprise and business world, best practice is to separate management from VMs and applications. We call this the data plane and the control plane. You would restrict access to your Proxmox or other hypervisor interface from the VMs and applications. For small home setups and funsies, this gets a little complicated, but if it’s your career choice or interest, it’s a good thing to explore.

    Key terms you can research: data plane, control plane, out of band management, air gapped.

  • Yeah, Salt has SSH support and it’s supposed to be able to deploy without minion/target interaction, but it wasn’t very reliable, or I was doing it wrong.

    I started with Salt because of Security Onion, the open source IDS. Only reason.

    Salt can run masterless; is that what you were after? Rather than having a single/central manager?

  • I really enjoy these types of conversations; I learn a lot.

    Since you’ve gotten lots of good advice on container manager, I’ll encourage your desire for IaC/DevOps CM, etc.

    I believe all the leading CM choices support what you’re wanting to do. I can’t guide you on which one to choose, but just browse through the options or functions your favorite does for the Kx container solution you go with.

    I use Salt because of Security Onion, an open source IDS. I have all my nix systems being babysat by Salt, and can have a new x-arr media server, NGINX, blog, etc. running in the amount of time it takes to deploy the template (I use vSphere) and for Salt to apply the desired state. Back up and restore a mount folder, np. IaC is only limited by your imagination. I have Salt also specifying all the containers I have running, defining the config files, etc. Basically a poor man’s/simpleton kub.

    I suspect you already know this, but if there isn’t a module that directly does what you want, like running SQL-specific functions, you can just have it run programmatic CLI files on the host, or in the container, for you.

    I am in the process of moving my IaC code from the manager file system to GitLab. I imagine you’d do this from jump street. Have fun.

  • You’re on the right track. As long as WireGuard on the VPS will allow an incoming connection from your home 4G, which will probably be CGNAT, it’ll work. Did you look into running the NGINX reverse proxy on the VPS? I like terminating external stuff on the cloud side, then only bringing filtered or desired traffic over the tunnel.

  • Yeah, it’s a lot. It’s a very large field, and you’re playing in two or three areas here.

    Look at a couple of overlay options. ZeroTier is the one I remember off the top of my head. There are others; Google alternatives. These use a coordination server. Some are a hosted service, but there are some that you host yourself. These are supposed to be pretty easy. If you watch a couple of videos on these, I bet you’ll be fine.

    WireGuard offers a more traditional VPN. You can tunnel your device back to your network. Some routers offer a VPN option. There’s OPNsense, DD-WRT, etc. Again, lots of videos.

    Since you said you mostly wanted remote access, I strongly suggest not opening services to the public and using a VPN.

    You can still learn reverse proxying too, but just do it internally, even though it wouldn’t technically be needed. This will be much safer and learner friendly.

    I have a ridiculous number of services running, but I use the gateway router VPN to access most of them.