Pushed Wireguard back onto my network. I’ve been a Tailscale user for a couple of years, but never really saw the need for it for me as I’m the only user of the service. :)

I will freely admit though, there’s nothing wrong with the service and honestly is great if you are behind a CGNAT router or don’t want to use Cloudflare for your tunneling.

You said

I’m only really running a caddy reverse proxy on the VPS which forwards my home server’s services through Tailscale. "

It seems then that you are using a Tailscale Funnel to expose your services to the public web. Is this the case? I ask because the basic premise of Tailscale is that you have to be logged into your Tailscale network to access the services and if you are not logged in, then the site you try to access won’t even appear to exist. Unless it’s setup via the Funnel.

Assuming then that you setup a funnel, then you are now 100% exposed to the WWW. AI Bots and bots in general crawl the WWW daily and eventually your site will be found. You have a few choices here, rely on a Web Application Firewall (WAF) such as Bunkerweb which would replace Caddy, but would provide a decent firewall of sorts. Or…you can use something like Config Server Firewall but I’m not sure if they have AI Bot protection. The last I used them was before AI was a thing.

If hardware service counts. :) I have been fighting for the last few months with my Promxox server telling me a drive went read only , from a SSD and even a HDD, very odd behavior and it finally pulled the last straw with me last Thursday. I had a 4TB drive acting as my Storage/backup drive which this complained about so I put a 1TB drive in which is pretty much 2 yrs old so plenty of life on it.

I went through and tested the SSD with extended tests and it passed with flying colors, so it dawned on me, maybe it’s the SATA data cable, and sure enough, it was. When I had run the sudo smartctl -x -T permissive /dev/sdb it only presented very little information on it, swapping the cable and it now presents the full SMART data and stats as it should. Additionally, it’s been more stable with the performance so far. So I call that a win.

In the software side, I have been going through the Home Assistant instance and removing dead/old entities I never had gotten to removing

I’m not the host or author of this one, but I know it already covers what you are wanting to do. ;)

https://awesome-docker-compose.com/apps

https://github.com/ArabCoders/watchstate

I use this one for my Emby server and it keeps track of what we watch, and so far so good. I made it our Trakt.tv replacement and have no complaints so far.

For Home Assistant, I use the installation script from here, it works flawlessly:

https://community-scripts.github.io/ProxmoxVE/scripts

This group took over the project after the main developer passed on, they are quite easy to install and just need you to be in the Proxmox host shell (Once you install it, you will know where it is) :)

I moved my Home Assistant from Proxmox VM to a older Lenovo Laptop we had stored as we thought the charger wasn’t working. We are preparing to move so it was my job to check that laptop as well as 2 others. 2 I am not going to use and e-scrap those later this week after yanking the drives out (I don’t trust anyone with my old drives). It turned out, the charger works just fine! I just installed it early in the morning (Midnight) and so far, it seems just as responsive if maybe more than what I had on the Proxmox host so that’s a win on my end. Plus, I was able to give it the full 8gb of RAM it has instead of the 4gb I gave it in Promxox and somehow it’s showing lighter use than what I had in the VM. 2.8gb vs. 4-5gb it reported from the Home Assistant Hardware details when in the VM.

What limits do you set on yours?

I prefer the WYSIWYG get with Joplin and mostly because I’m stuck in my ways!! LOL
Nothing really wrong with it though, it’s just not for me. :)

To add to this, I have tried Obsidian notes which is super highly recommended by many. I also have tried self hosting Bookstack for logging my notes etc… But every time I tried it, nothing ever matched what I could do with Joplin which was exactly as what other said, rock solid and I have yet to run into any device which can’t handle the client. I will say that the launch time on the one on my machine (Arch Linux) is a bit slow, but after it’s launched, it’s very easy to bring up and use as needed. :)

I use Gotify I self host it and it uses an app on my Android, super easy to set up and use. I tie in Home Assistant and a few other setups with it and it runs great.

I’m about 99% sure it does, I don’t use it that way but It does allow DNS zones. For example:

It’s a lot more technical then Adguard Home for sure. Both work just fine though, I came from Adguard Home as I use a PXE server to provision some of my devices and Technitium is super easy to configure that.

I had to create an account as per the usual process for these types of apps, but it was all local. I never had to do one to connect to their servers. I know it generates a unique instance ID which I believe phones home to their servers but I don’t mind personally.

As for my experience, a lot of it is locked behind their paid plans, so I just keep it limited to what I use which is fine. I do like it as it does better than NocoDB for my needs (the input forms is what I needed) and it does better there. I don’t recall the other reasons for not using NocoDB otherwise, but it’s a long while.

Their pricing is here: https://baserow.io/pricing

So, that’s mostly what is locked behind. My sleep form I built which feeds the database:

Overall, it does meet my needs so that’s all I ask. :)

In no particular order, the most essential ones are those I constantly use throughout my day and also weekly.

Proxmox holds all of these in different LXC’s and VM’s

• Home Assistant
• Pocket-ID - https://github.com/stonith404/pocket-id (Exclusive Passkey login system as in -no un/pw just your Passkey which - doubles as an OIDC provider)
• Homepage (By Ben Phelps of gethomepage.dev)
• Vaultwarden
• TechnitiumDNS which handles all of my DHCP and Adblocking in a one system, extremely capable software especially useful for SOHO too.
• Baserow - Airtable alternative. It holds certain items of importance like what MAC address each device in my home network holds and what IP It uses in an intelligent view. I also was using it for a while to log issues with my sleep where I deal with insomnia, so I logged how well I slept, how many times I woke up, how long it took me to fall asleep etc. That was a simple form I created using drag/drop in Baserow and called by a URL.
• OpenVSCode server - makes editing my Homepage (above) yaml and my docker-compose files a breeze! It’s especially nice when you edit it something and it auto saves almost instantly. Makes some of my services change in real-time!
• UptimeKuma - Simply one of the best out there for me
• Gotify - I get alerted to my Tuya based dehumidifer tank being full via Home Assistant, Downtime alerts from UptimeKuma and a variety of other services which I deem higher priority alerts over “fix when you can” ones.

Aside from that, i do have other services I use every so often like Memos, Joplin Server (holds most of my notes), Pingvin and a few others.

Anxiously waiting for ARCH to update their repos, they YANKED it from the unstable repo so I can’t cheat and download it early. :)

I test installed it in Proxmox in a Debian 12 LXC for the sever part, it was fairly easy, just run three commands. The client was as well, but failed to do something with the email during registration. It has a while longer to go I think. But I put it in my bookmarks to visit every so often as well. :)

I use Technitium DNS as both my DHCP and DNS Server on my network. I then have my ISP Router’s DHCP turned off, and point the primary DNS IP To Technitium’s on my network. I have roughly 66-67 network devices at a given time on my network, mostly wireless. (Think wiFi locks, Lights, Outlets etc) then I have my phones and gaming systems an any given thing.

To manage my IP’s I use an Airtable type of database via BaseRow, also self hosted. Through my router’s records, I copied/pasted every single MAC address I found, into a column in my BaseRow table there, and then added the device name or friendly name to another with an assigned IP I want to use. I have a more organized system of ranges 192.168.1.1-10 is mobile devices, 192.168.1.11-30 is IoT etc…

By having my network setup in this fashion, I accomplish a few things, all new devices which power on or connect to the router to get their IP assignment fail to get it since it’s turned off there, and they search the network for an available DHCP Server which lands squarely on the TechnitiumDNS server and are assigned it through there. I also have adblocking enabled through the same server so I have a more home wide adblock which works. (You’d be amazed at how much Telemetry a TV Sends out for every single remote keypress!) I have been able to block those with the adblock enabled. With the DNS server, you can also assign DHCP ranges address, it is really an overly complex server and probably overkill for a home network. I’ve only scratched the surface of what it can do.

If you don’t want to fuss with TechnitiumDNS, there’s AdguardHome, or even PiHole you can use if you want to block Ads (or you can simply disable that function) and those also act as a DHCP Server.

Or, if you are wanting to spend a few hours configuring it, you could run your own DHCP Server in a VM or dedicated device such as a Raspberry Pi.

With all of these settings, it’s important to set your DHCP lease offer long enough that if you have to reboot the DHCP Server for kernel update, or it crashes, you won’t have any devices fail as some do regular polling to check for connectivity (My Linux computer does this a lot). I don’t remember if it’s KDE or Arch. Anyway, running the DNS Server also allows you to custom build your own “domain” system if you will. So could assign maybe your self hosted Calendar for example to http://calendar.local or http://calendar.internal.

By setting up a dedicated DHCP Server, using the manual method or one of the different AdBlock systems, you can also turn off DHCP registration for ‘foreign’ devices or those which aren’t in your DHCP table. This offers a small element of extra security for your WiFi, but it’s not 100% secure if someone knows your IP ranges and Subnet Mask. Also, this will make it easier in the future for you if you upgrade your router or replace it as there’s just two settings to change. (DCHP Server off and the optional self hosted DNS).

I’ve dabbled in it, but not really committed to it. It’s a great lightweight server of course. I am a KDE Plasma user so I did a quick test of that and was able to install it via Alpine, but at the time, the support for javaws was not there which I needed at the time for my job, so that killed my plans on using it. I may venture back to it later on .

I have been using Tailscale, connected it to my domain, I use Authentik for my OIDC/SSO Sign in and tied it that way for the MFA OIDC Login Tailscale let’s you use. All I needed to do is setup a webfinger for it and once it verified my domain, I was able to give them my OIDC settings for them. Tailscale so far for me in the last year or so has been quite simple to use. Plus, being able to log into my admin console and any devices I enroll through Authentik’s front end, has given me peace of mind knowing it’s quite secure. (All of this on a Proxmox server BTW).

One may argue about self hosting Wireguard and I agree, it’s quite easy to do if you use something like wg-easy which makes it simple to add phones to your network. My concern with it though was having to poke a hole into my firewall for the WG traffic to hit the server, once I got into Tailscale, it’s made it easier and I don’t have any open ports on the router now. I think this is primarily why the Jupiter Broadcasting guys push it so much on their podcasts, not to mention one of the hosts on his podcast is an employee for Tailscale as well, so that probably helps a bit.

As for funding for both Nebula, or Tailscale, they do cater to enterprise customers so you have the assurance that they do have to answer to them if they revoke a service or ruin it. :)

For Tailscale, it’s just a matter of them allowing you to add 100 devices for free and it’s simple command to install it on any client via the cli including Apple TV for example. For phones, I have Tailscale on my phone connected 24/7 to my exit node which is my Proxmox server which acts as one, and as a backup, my Raspberry Pi which acts as one as well. So, even if I’m on the road or away from home, I’m always on my home network (unless blocked by overzealous sysadmins on their public WiFi networks). There’s not much to manage via the phone, but I like to think it’s ‘set and forget’ really, once you have it all configured, it just runs in the background and they do not decrypt your traffic much less care what goes through it.

I took a quick read of the comments and I apologize in advance if this has been suggested already.

I use a self hosted DNS server (AdGuardHome) I was using TechnitiumDNS for a long while, but moved over to the other recently so I could do some more blocking as needed (adult special needs house dweller sometimes needs limited internet). It also acts as a DHCP Server so it takes the role of both the DHCP assignments away from the router. As it so happens, this week, I got to experience the benefit of having this setup live when my main router also went down, I was able to switch to a spare router (My ISP provided one) and all I had to do was turn the DHCP off and optionally point the DNS To my AdGuardHome address, set the SSID’s up and I was in business. All of my devices happily reconnected and grabbed their assigned IP’s.

In short, if you have a spare computer, SBC such as a raspberry PI or whatnot, you can easily host something like that and not have to worry about setting those again.