I also use restic for backups. I actually switched from Borg because it kept getting stuck and failing but couldn’t work out why. Not had issues with restic (so far, touch wood!).

I use resticprofile with yaml configurations though (https://github.com/creativeprojects/resticprofile), which made it much easier for me to figure out.

I use borgbase for offsite backups.

They really push you to install the aio container so it’s not surprising to me.

If you’re comfortable in the terminal you’ll be fine just starting out and figuring it as you go. Be ready for a few reinstalls but it becomes part of the fun, albeit sometimes frustrating! Go for a mainstream server os like Ubuntu or Debian (as if you google them with any issue you’re likely to find at answer). Get SSH up and running with keys for security, install tailscale and don’t expose to the internet until you feel more comfortable. Install docker then start on one software you think will be useful, get it up and running then move onto the next. I would recommend homepage as a front end then keep it up to date with new software so you can quickly see what you have and what ports are in use. Vaultwarden is useful for the admin passwords. I use authentik for sso but would try caddy if I was starting now.

For personal stuff, i use an external email, and borgbase for backups (highly recommend them if using Borg or restic).

To be honest, you would get frequent notifications for updates that are probably more often than just to remind you. If you’re like me, you’ll just end up ignoring them anyway! There are a lot of small updates to a lot of software, most often not from a security point of view but just as people develop their projects. I update every week if I can but can be a couple of weeks, in which I start to feel “guilty” so when it builds up I know I have to do it

Sorry this doesn’t answer your question really but I’ve had issues when I used to auto update containers so stopped doing that. Some things have breaking changes, others just had issues in that release that caused me issues accessing stuff when not at home. I update every so often when I have ten minutes to do updates, check release notes and deal with any issues if they arise or roll back to that version. I spin up what’s up docker to see what’s changed then when finished, stop the container so it doesn’t keep on polling docker hub using my free allowance.

In short, it could be an option to spin it up, let it run, then stop the container so theres less risk it could be used for an attack.

I bought a new domain for my business and there was no trace of any old business name when researching connected to that domain. After about 6 months I received some data from an old client of theirs. It had a company name so I was able to let someone from that company know, as well the sender and I deleted the data before reading it. I guess you have to think what did you use it for, who might send data that identifies you etc. You never know who might buy it.

I remember reading an article but can’t find it now. A researcher bought tons old domains from government and local departments that had shut down or changed names, and managed to get some interesting information!

You are amazing, thank you so much! It all worked apart from the last one, which said it needs an output file specified so added -o after a quick search. I really appreciate the quick response to, I got in very quickly but only just managed to respond here.

Before you go too far into it and spend lots of time, I think most VPS services let you installed a new OS on their admin site so you can start again from scratch. If you’re not sure that is the right linux flavour, go for something else more mainstream so you can find lots of support online. Looking at the OS, I’m sure it might be good but I’m also sure you can install all the features very easily yourself, especially if it’s just using docker mainly.

I second UFW. I found this guide useful: https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands. You might want to try tailscale as others use it for easily setting up vpn access but not used it myself. Also go for fail2ban or, for more assurance but harder work, try crowdsec too.

You could also use cloudflare dns and add IP and/or country restrictions to block all traffic before it gets to your VPS. I have a country filter and it’s crazy how many bots get blocked from all over!

I don’t use the docker labels feature so it doesn’t really matter to me but can see why you would want this to be implemented if you did. Hopefully they can figure it out.

I have a “local” version with every prod service on. It’s only accessible on my home network with a pihole dns resolver. I just add the services manually to the services.yaml file, which doesn’t take long at all. I then have a “remote” version which is a much smaller with only services accessible outside my home network and is behind nginx/authentication software/cloudflare. Again, it doesn’t take long to add services really. Two different docker compose files, volumes with the settings, and ports makes it work fine for me. I guess depends how often you’re adding services.

I have two homepages, one for local and the other for remote (behind nginx and my authentication software). I also have one on a vm i use for testing before deployment. They are different docker containers but don’t see why you couldn’t have separate ones given they are just websites.

Yes, I have it under a subdomain I own on cloudflare. Then it’s behind nginx proxy manager on my server which takes care of the ssl too. I have fail2ban too so consider it enough security for if the user passwords are long enough. You can set minimum lengths if letting others use it, or in my case I helped family set it up and made them have strong passwords.

Like others have said, the apps cache everything locally. I have used it without issues with no mobile Internet (e.g. for my cc pin numbers I store on there when i was out in the country with crap reception). I guess you’re more likely to create accounts at home anyway but if you have to when out, it would sync whenever you have it back on the lan.

I imported my keepass database into vaultwarden with no issues

I switched from keepass to vaultwarden (self hosted bitwarden) and am glad I tried it out as am finding it so much better on all my devices. I definitely recommend giving it a try if you’re just looking to tinker with things