0 Posts · 303 Comments · Joined 2 years ago · Cake day: June 16th, 2023

  • I can run app based routing and blocking on my router, but whether that would restrict DNS for those services I don’t know.

    That’s the double-edged sword of DNS over HTTPS. It allows us to hide our DNS queries from the local ISP and others, but it also allows applications to hide theirs. It just looks like encrypted web traffic to your router.


  • non_burglar@lemmy.world to Selfhosted@lemmy.world, “Beyond Pi-Hole” (edited, 5 days ago)

    Not sure what you mean by “network based dns”.

    Hard-coded DNS is in the application; you cannot change this from any DHCP option. Browsers do it, lots of versions of the Prime Video apps do it. Google Nest and Home devices are famous for this.

    You can write a NAT rewrite rule at your router to catch any UDP or TCP request on port 53 and send it to your ad-blocking DNS server/forwarder, but you won’t be able to stop DoH (DNS over HTTPS), which just leaves the subnet encrypted on 443.
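    The port-53 rewrite described above, as an added example that is not code from the thread or from any router or Pi-hole project: a POSIX shell function that generates an nftables NAT ruleset redirecting plain DNS from the LAN to a local ad-blocking resolver. The interface name and resolver address are placeholders, and `nft` is assumed to be available for the optional syntax check.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that catches UDP/TCP port 53 leaving the
# LAN and DNATs it to the local ad-blocking resolver. Interface and address are
# assumed values. DoH on 443 is deliberately untouched: at this layer it is
# indistinguishable from any other HTTPS flow.

# usage: dns_redirect_ruleset <lan interface> <resolver IPv4>
dns_redirect_ruleset() {
    lan_if=$1
    resolver=$2
    # refuse anything that is not a dotted-quad IPv4 literal
    case "$resolver" in
        ""|*[!0-9.]*) echo "bad resolver address: '$resolver'" >&2; return 1 ;;
    esac
    cat <<EOF
table ip dns_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # the resolver's own upstream queries must not be looped back to it
        iifname "$lan_if" ip saddr != $resolver udp dport 53 dnat to $resolver:53
        iifname "$lan_if" ip saddr != $resolver tcp dport 53 dnat to $resolver:53
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # hairpin case: client and resolver share the LAN, so the resolver's reply
        # would bypass the router and reach the client from an unexpected source.
        # Masquerade only the flows we rewrote, so direct queries keep their real
        # client address and per-client statistics on the resolver stay intact.
        oifname "$lan_if" ct status dnat ip daddr $resolver masquerade
    }
}
EOF
}

# usage: dns_redirect_check <lan interface> <resolver IPv4>
# parses the generated ruleset with nft without loading it (nft must be installed)
dns_redirect_check() {
    dns_redirect_ruleset "$1" "$2" | nft -c -f -
}
```

Load it with `dns_redirect_ruleset lan0 192.168.10.2 | nft -f -` as root once the check passes; a client that still resolves names while port 53 is captured is almost certainly using DoH or DoT and has to be handled on the device itself.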

  • Well, it wouldn’t hurt anything to install fail2ban and enable the popular templates, but it sounds like you might need to explain your service layout and how it’s exposed to the web before anyone can suggest a security measure.

    Generally in the self-hosted space there are two common approaches: set up a VPN into your network for your trusted devices, or set up a reverse proxy with a trusted tunneling proxy like Cloudflare.

    That you are seeing “attack attempts” in your Caddy logs should be elaborated as well. What exactly are you seeing?




  • It never worked well for me. Not because it couldn’t fetch ebooks, but because it defaults to adding an author’s entire library, which was dumb for my reading habits.

    I would search for a book, find it, only be able to add the author, and then have to uncheck almost all the books the author had written because I just wanted one.

    Sorting by “books” just showed me a list of hundreds of books when I just wanted 7 of those.

    If your workflow matched that for Readarr, I’m sure it worked well, metadata problems aside.

  • No, it is not fully working.

    Many have tried to explain to you that your setup only works for YOU on YOUR subnet.

    You are then asking other public tools, meant to look up public IPs with publicly-available DNS names, to resolve your internal addresses, which they obviously don’t know anything about, and you’re getting those errors from tools that follow the RFCs because you are putting the equivalent of “bedroom” on the outside of an envelope and expecting the post office to know that it means YOUR bedroom.

    For DNS to work properly, the authoritative DNS server should be able to create a reverse lookup record for every A record that allows a DNS client to ask “what record do you have for this IP?” and get a coherent response. Since 192.168.10.0/24 is a non-routable network, you will never have such a reverse record.

    Wolfgang has done you a disservice by giving you a shortcut that works as a side effect of DNS before you fully understood how DNS works.