I’m not sure which clients are used to connect. Perhaps some proof of work challenge for the connecting client to solve first? Anubis does this for http(s) and browsers. I’ve seen it in the wild quite often in the last weeks, so it seems to be effective (until the scrapers learn to use selenium to mimic browsers or so).

Thanks.

Since virtiofs has been developed for this scenario, it would be sane to use it for VMs. Thanks for the hint.

I will look into it. Some users had issues to get it running with incus - older unsupported libvirtd versions in the distri. Also dxa isn’t supported, yet. But maybe it is still better than NFS performance wise.

Moot point. I do not really need the distributed storage part for my scenario. Not right now.

Maybe I start with NFS and explore gluster as soon as storage distribution is needed. Looks like it could be a drop-in eplacement for NFSv3. Since it doesn’t access the block devices directly, I still could use the respective fs’ tool set (I.e. ext4 or btrfs) for maintenance tasks.

Thanks. I will take a closer look into GlusterFS and Ceph.

The use case would be a file storage for anything (text, documents, images, audio and video files). I’d like to share this data among multiple instances and don’t want to store that data multiple times - it is bad for my bank account and I don’t want to keep track of the various redundant file sets. So data and service decoupling.

Service scaling isn’t a requirement. It’s more about different services (some as containers, some as VMs) which should work on the same files, sometimes concurrently.

That jellyfin/arr approach works well and is easy to set up, if all containers access the same docker volume. But it doesn’t when VMs (KVM) or other containers (lxc) come into play. So I can’t use it in this context.

Failover is nice to have. But there is more to it than just the data replication between hosts. It’s not a priority to me right now.

Database replication isn’t required.

Thanks for asking. I left that detail out. An SSD which is attached to the virtualization host via SATA. I plan to use either a LVM2 volume group or a BTRFS with subvolumes to provide the storage pool to Incus/LXC.

Doesn’t work for me. Self inflicted DDOS?

Tripwire and auditd can monitor a filesystem and notify you about changes. I don’t know the tools myself, because i never needed them. Maybe these can give you a hint on the responsible service.

If you suspect a certain service to be responsible: what do the logs of the service say? If nothing: increase the loglevel to info or debug?

Sorry. No solution. Just ideas. Good luck.

Good.

Exposing Jellyfin/ plex through routing or SNAT plus dyndns would be a cheap option.

As soon as one rents a VPS (to expose the selfhosted at home service through routing/ tunneling) it would cost at least 2€/ month?

Damn. Another rabbit hole to dive into. Thanks… I guess. :)

The lua queries look promising.

Have fun. :)

Side note: Never look at LXC/incus or home assistant or esp32 to attach. Rabbit holes everywhere.

In your case: no need for a fw if you can trust your local network.

Generally: services can have bugs - reverse proxy them. Not everybody needs to access the service - limit access with a firewall. Limit brute-force/ word-list attempts - MFA / fail2ban.

If one must emphasize that the cheso is indeed cheesy, I would be suspicious.

One aspect is how interesting you are as a target. What would a possible attacker gain by getting access to your services or hosts?

The danger to get hacked is there but you are not Microsoft, amazon or PayPal. Expect login attempts and port scans from actors who map out the internets. But I doubt someone would spend much effort to break into your hosts if you do not make it easy (like scripted automatic exploits and known passwords login attempts easy) .

DDOS protection isn’t something a tiny self hosted instance would need (at least in my experience).

Firewall your hosts, maybe use a reverse proxy and only expose the necessary services. Use secure passwords (different for each service), add fail2ban or the like if you’re paranoid. Maybe look into MFA. Use a DMZ (yes, VLANs could be involved here). Keep your software updated so that exploits don’t work. Have backups if something breaks or gets broken.

In my experience the biggest danger to my services is my laziness. It takes steady low level effort to keep the instances updated and running. (Yes there are automated update mechanisms - unattended upgrades i.e. -, but also downwards compatibility breaking changes in the software which will require manual interactions by me.)

Let the patch be part of the code for one or two minor releases. Then revert the changes of the patch.

I assume you want to access a self hosted service on your local server from the Internet.

To make the service accessible from the Internet multiple things are required:

• the router can be accessed from the outside. Find your public IP in the router or use a find-my-ip website. Better: do both. This is the address you can use to access your router (or whatever service you choose to expose through it). Side note: If the Ip-adresses of your router and the one of the find- my- ip- site are different it could mean that your provider uses CG-NAT (because ipv4- addresses are scarce, the provider doesn’t give you a real publicly accessible address). This means you can’t access your router from the Internet. Try IPv6 or contact your provider to get a publicly accessible ipv4- address.
• because the above mentioned IP- address of your router might change, dyndns is used. Configure it in your router and test it. Test if the DNS- name you have set up resolves to your ip- address (nslookup or ping it).
• to make your service available to the Internet you need to configure port forwarding in your router (or add your server as exposed host - means all ports are forwarded to the Internet). This means the router passes request to itself on to your internal server. Careful: everybody can access whatever services you expose. Advice: it’s a good idea to use a VPN. Setup a VPN-server in your Lan and only port-forward its port in the router. Connect to the VPN from the outside - Afterwards use the internal services through the vpn- connection.
• scripts and the internal ip: the dyndns name needs to be used instead of the IP. Find a way to make the scripts use that name to resolve it to your external IP.