I wrote this ansible role to setup dovecot IMAP server. Once a year I move all mail from the previous year from various mailboxes to my dovecot server (using thunderbird).

I use the Netdata agent (with cloud features disabled). Easy installation, FOSS, 0 configuration required, tons of metrics.

I wrote my own ansible role to deploy/maintain a matrix server and a few goodies (element/synapse-admin). If you’re not using ansible you should still be able to understand the deployment logic by starting at tasks/main.yml and following includes/tasks from there.

host maps

It does require a beefy server (rendering tiles is CPU/RAM-intensive, storing pre-rendered tiles is expensive on storage) It should be doable on limited hardware if only a small area.

I think the better move would be keeping/distributing a local copy of the OsmAnd android APK and a few maps for the app. Because you’ll not be able to provide map access to people from your server if the Internet/local fiber/phone network is down - this way everyone can have their own full copy of the map.

I’m not sure about the method to extract map data from the app storage directory though.

Just download a copy of a recent wikipedia dump. You can open it in the Kiwix desktop application (work fine even on an old laptop), the android app (though I’ve never tried opening a full 100GB dump with a phone, not sure if it would work well), or install the kiwix-tool package and serve the .zim file with kiwix-serve (https://wiki.kiwix.org/wiki/Kiwix-serve). You’d also probably want a reverse proxy/usual basic web server/security setup around that.

Second this, always have a device preloaded with Kiwix and one of the wikipedia dumps. A new vesrion is uploaded every few (~6 months). The full English wikipedia dump with images (low-res versions only though) is only 103GB.

libvirt/virt-manager is a nice VM management tool.

Their cheap 1-6€/month VPS offers are actually fine. Not much to say about it, it just works.

https://awesome-selfhosted.net/ is hosted on a Ionos VPS.

I’m not using a private CA for my internal services, just plain self-signed certs. But if I had to, I would probably go as simple as possible in the first time: generate the CA cert using ansible, use ansible to automate signing of all my certs by the CA cert. The openssl_* modules make this easy enough. This is not very different from my current self-signed setup, the benefit is that I’d only have to trust a single CA certificate/bypass a single certificate warning, instead of getting a warning for every single certificate/domain.

If I wanted to rotate certificates frequently, I’d look into setting up an ACME server like [1], and point mod_md or certbot to it, instead of the default letsencrypt endpoint.

This still does not solve the problem of how to get your clients to trust your private CA. There are dozens of different mechanisms to get a certificate into the trust store. On Linux machines this is easy enough (add the CA cert to /usr/local/share/ca-certificates/*.crt, run update-ca-certificates), but other operating systems use different methods (ever tried adding a custom CA cert on Android? it’s painful. Do other OS even allow it?). Then some apps (Web browsers for example) use their own CA cert store, which is different from the OS… What about clients you don’t have admin access to? etc.

So for simplicity’s sake, if I really wanted valid certs for my internal services, I’d use subdomains of an actual, purchased (more like renting…) domain name (e.g. service-name.internal.example.org), and get the certs from Let’s Encrypt (using DNS challenge, or HTTP challenge on a public-facing server and sync the certificates to the actual servers that needs them). It’s not ideal, but still better than the certificate racket system we had before Let’s Encrypt.

Any of https://awesome-selfhosted.net/tags/personal-dashboards.html

Personally I use a static HTML page [1]. Ansible updates it automatically every time a service is added/removed.

get the certificates from Let’s Encrypt manually

https://httpd.apache.org/docs/2.4/mod/mod_md.html just add MDomain myapp.example.org to your config and it will generate Let’ Encrypt certs automatically

it’s kind of a pain in the ass every time I add something new.

You will have to do some reverse proxy configuration every time you add a new app, regardless of the method (RP management GUIs are just fancy GUIs on top of the config file, “auto-discovery” solutions link traefik/caddy require you to add your RP config as docker labels). The way I deal with it, is having a basic RP config template for new applications [1]. Most of the time ProxyPass/ProxyPassReverse is enough, unless the app documentation says otherwise.

safeguard our work from being used for profit by someone that did not contribute anything to it

AGPLv3 exists for this exact reason https://choosealicense.com/licenses/agpl-3.0/

https://lemmy.world/comment/5411224

Right now no major group or company wants it
most people beyond the tech field [don’t] know what Matrix is

Wrong

• Matrix.org - Matrix and Riot confirmed as the basis for France’s Secure Instant Messenger app
• Matrix.org - Germany’s national healthcare system adopts Matrix!

Amongst others…

get at least two drives in RAID or ZFS

Why do you think OP needs high availability?

In case of disk failure, simply redeploy and restore backups. Having an automated and fast redeployment procedure (and working backups) is a must-have, disk fault tolerance is not, IMHO (unless you have specific requirements).

Without more information, I’d say you’re looking for podman run --volume /mnt/sdb/:/path/inside/your/container. Check the manpage for podman run

Graylog and elasticsearch might fit on that, depending on how much is already used, and if you set the heap sizes at their bare minimum… but it will perform badly, and it’s overkill anyway if you just need this simple stat.

I would look into writing a custom log parser for goaccess (https://goaccess.io/man#custom-log) and let it parse your bridge logs. This is how the geolocation section looks in the HTML report (each continent can be expanded and it will reveal the stat by country).

I update the report every hour via cron, as I don’t need real-time stats (but goaccess can do that).

For HTTP/web server logs: goaccess using the free db-ip database will give you country-level geolocation info.

For other connections (SSH etc.), setup a Graylog instance, send all your logs to it using rsyslog over TLS, setup pipelines to extract IP addresses from the messages, and setup the GeoIP plugin (https://graylog.org/post/how-to-set-up-graylog-geoip-configuration/). It’s not a small task though. My ansible roles for goaccess and graylog.

you should really upgrade soon

Debian stable has podman 4.3 and 4.4 is not in stable-backports

how networks work

http://tcpipguide.com/free/index.htm and lookup terms/protocols on wikipedia as you go.

But as others said, I think you would learn faster if you pick a specific project and try to implement it from scratch. A matrix server is a nice project, but it will have you dig into matrix-specific configuration which is not particularly relevant if you’re just trying to learn system administration and networking.

I would start with a more “basic” project and ensure you got the fundamentals right, and document or automate (shell scripts, ansible…) all steps:

• install a virtualization platform (hypervisor)
• create a VM and install Debian inside it, using LVM for disk management, and a static IP address
• practice with creating/restoring snapshots, add/remove hardware and resources (vCPUs, RAM, disk storage) from the VM
• set up an SSH server and client using SSH keys
• setup a firewall with some basic rules (e.g. only accept SSH connections from a specific IP address and DROP all other SSH connections, forward all HTTPS connections to another IP address…)
• setup monitoring with a few basic rules (alert if the SSH server is down, alert if disk space or free memory is low…)
• automate security updates
• …

Then you can work your way up to more complex services, lookup security hardening measures on your existing setup (as always, document or automate all steps). To give you some ideas, you can find ansible roles I wrote for these tasks here. The common role implements most of what I listed above. The monitoring role implements the monitoring part. There are a few other roles for middleware/infrastructure services (web server/reverse proxy, DNS server, database services, VPN…) and a few more for applications (matrix+element, gitea, jellyfin, mumble…). Start at tasks/main.yml for each role, follow the import_tasks statements from there, and read at least the name: for each task to get a good overview of what needs to be done, and implement it yourself from a shell in the first time. If you break your setup, restore the initial VM snapshot and start again (at this point you’ve automated or documented everything, so it should not take more than a few minutes, right?) .

Each of these tasks will require you to research available software and decide for yourself which is best for your requirements (which hypervisor? which firewall frontend? which monitoring solution? etc)