I have an initramfs script which knows half decription key and fetches the other half from internet.

My threat model is: I want to be able to dispose safely my drives, and if someone steals my NAS needs to connect it to a similar network of mine (same gateway and subnet) before I delete the second half of the key to get my data.

How frequently do you send these updates? Most of dynDNS provider rate limit the updates you can send, so it is possible that you send a bunch of useless updates when the IP didn’t change and the actual update that is required gets discarded because you hit the limit.

Do you log your script errors somewhere? Are you sure that the IP changes so frequently?

I know at least 3 European fiber providers which offers static IPs. For broadband always on connections IP changes should be pretty rare

It is not just a matter of how many ports are open. It is about the attack surface. You can have a single 443 open with the best reverse proxy, but if you have a crappy app behind which allows remote code execution you are fucked no matter what.

Each port open exposes one or more services on internet. You have to decide how much you trust each of these services to be secure and how much you trust your password.

While we can agree that SSH is a very safe service, if you allow password login for root and the password is “root” the first scanner that passes will get control of your server.

As other mentioned, having everything behind a vpn is the best way to reduce the attack surface: vpn software is usually written with safety in mind so you reduce the risk of zero days attacks. Also many vpn use certificates to authenticate the user, making guessing access virtually impossible.

I’m not familiar with this setup. But do you want for the server to boot as soon as it receive any packet addressed to its IP?

You need to send the WOL packet to the broadcast address of your network, not to the machine IP address. It this way all the machines on the network will receive it, including the ones that have been powered off for a while

Just use the directory listing of your favourite web server. You have a HTTP read only view of a directory and all of its content. If you self host likely you have already a reverse proxy, so it is just matter of updating its configuration. I’m sure it is supported by Apache, Nginx, LightHttpd, and Caddy. But I would expect every webserver supports it. Caddy is the easiest to use if you need to start from scratch.

Linux from chromebook is just a configuration you enable from the settings menu. If offers you a shell which is similar to a Ubuntu and you can install standard Linux software using the “apt install” command. Said so, if they cannot even install chrome extensions this is likely disabled too.

They also says that installing a different os will invalidate the warranty. But their x86 models (I wasn’t aware of the arm) literally ship with a USB drive connected to an internal USB port which starts the setup of their custom Linux if it detects no OS on the internal drives. You just swap that pendrive and you install whatever you want. I cannot say it works for all the models, but I did a little research before buying mine and I can say it run debian for more that one year without any compatibility issue.

Terramaster is just a PC in a NAS form factor. You can install your favourite OS without any issue

I don’t have a testing environment, but essentially all my services are on docker saving their data in a directory mounted on the local filesystem. The dockerfile reads the sha version of the image from an env file. I have a shell script which:

1. Triggers a new btrfs snapshot of the volume containing everyithing
2. Pulls the new docker images and stores their hashes in the env file
3. Restarts all the containers.

if a new Docker version is broken rolling back is as simple as copying the old version in the env file and recreating the container. If data gets corrupted I can just copy the last working status from an old snaphot.

The whole os is on a btrfs volume which is snapshotted regularly, so ideally if an update fucks it up beyond recovery I can always boot from a rescue image and restore an old snapshot. But I honestly feel this is extra precaution: in years that I run debian on all my computers, it never reached the point of being not bootable.

If you want to encrypt only the data partition you can use an approach like https://michael.stapelberg.ch/posts/2023-10-25-my-all-flash-zfs-network-storage-build/#encrypted-zfs to ulock it at boot.

TL;DR: store half of the decryption key on the computer and another half online and write a script that at boot fetches the second half and decrypt the drive. There is a timewindow where a thief could decrypt your data before you remove the key if they connect your computer to the network, but depending on your thread model can be acceptable. you can also decrypt the root portion with a similar approach but you need to store the script in the initramfs and it is not trivial.

Another option I’ve seen suggested is storing the decryption key on a USB pendrive and connect it with a long extension cord to the server. The assumption is that a thief would unplug all the cables before stealing your server.

A more detailed guide for dropbear: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/

If I remember correctly, the only outdated bit of information is that the IP configuration doesn’t happen anymore in the initramfs configuration but you must pass a parameter at the kernel by editing /etc/default/grub and passing

GRUB_CMDLINE_LINUX_DEFAULT="ip=192.168.x.x:::::"

where 192.168.x.x is the IP address that you want at boot

I’ve been using CommaFeed for a while and I’m very happy with it. https://github.com/Athou/commafeed/ plus it is actively developed. I’ve reported a couple of small feature requests and the author implemented them very quickly.

As far as I know there are many third party android apps that you can use, but its responsive webUI is good enough, once you install it it is essentially as good as an app.

As other mentioned, an advantage is that it blocks ads on phone apps too. My other use case is to add extra DNS entries to name devices on my local network. Finally, after using pihole for a while I switched to blocky. It has similar features but it lacks the UI and the dchp server, but in exchange it uses much less resources. Since I didn’t use either of these it sounded a good trade to me

Devices are named after characters from books I recently read, trying to match the name with the character of the book. But for virtual hosts for services I use their purpose (wiki, files, feed…) because I wasted too much time updating all the bookmarks last time I migrated to a new server.

I started using headscale (the opensource reimplementation of tailscale server) on a private vps. It is incredibly better compared to plain wireguard. I regret waiting so much before switching.

Something that really made my life easier: wireguard is poor at roaming: switching to and from my wifi created issues because the server wasn’t reachable anymore from its public ip and wireguard didn’t bother to query the DNS again to check the new IP. Also, configuration is dead simple because it takes care of iptables for you (especially good when you enables forwarding to a node).

Since the server just sends small messages for the control plane and all the traffic is p2p between the devices, the smallest vps with the smaller connectivity is more than enough to handle it.

If security is one of your concerns, search for “HTTP client side certificates”. TL;DR: you can create certificates to authenticate the client and configure the server to allow connections only from trusted devices. It adds extra security because attackers cannot leverage known vulnerabilities on the services you host since they are blocked at http level.

It is a little difficult to find good and updated documentation but I managed to make it work with nginx. The downside is that Firefox mobile doesn’t support them, but Firefox PC and Chrome have no issues.

Of course you want also a server side certificate, the easiest way is to get it from Let’s Encrypt