  • Showing only topics in ~comp with the tag "servers".
    1. Home-lab set-up ... Docker vs native servers? Pros and cons of each?

      And as long as I'm asking ... nginx or Apache (or Caddy or whatever else you think is best).

      I'm hosting a few web sites and services, but currently, everything is "out there" on VPSes. I want to bring it all in-house, go back to the old days of actually hosting websites out of my living room.

      Towards that end, I am gradually upgrading and overhauling all the sites and services, fixing long-standing issues and inefficiencies in the config files, merging servers, etc.

      I have never learned Docker. I've started to several times, worked with it a bit on a job once, used it a bit here and there; so I'm not clueless, but it would be a learning curve.

      Also, I'm running one main service (Nextcloud) that officially only supports Apache -- there absolutely are nginx setup guidelines and tutorials and such, but those are all unofficial, experimental setups.

      And I'm running another major service (Synapse), on nginx.

      And I want to merge the servers, and choose one web server to host both of them, and I don't know which way to go there.

      Thanks for any feedback.

      25 votes
    2. A variety of beginner home server questions

      I will soon have a home and figured now's the time to do a proper home server, especially since it's going to come with cat 6 run from the main panel to just about every room. I code for a living, but at the same time network is a massive gap in my knowledge, as are servers, and I was hoping to use this as a learning moment as well as just a way to optimize things. I've been doing research for a few weeks now on and off and feel like I've got more questions than I started with, so I'll just vomit them out and if anyone has some guidance I'd really appreciate it.

      Some information:

      1. I'm willing/able to spend to get quality/simplicity. Time is the much bigger crunch for me right now, and I'd much rather buy something that works even if it costs more than cobbling together some deals.

      2. Related to 1, I'd like this to not become my full-time second job/hobby. I will at some point try to expand to a full home lab, and do want to use this to learn about things I feel I should understand better for general knowledge and my career, but I'd love for core functionality to mostly "just work" after configuring so when I don't have time to do that I'm not stuck telling everyone "oh yeah it'll be broken until I find time to fix it".

      Things I know I want-

      1. Some sort of NAS. From my research Synology comes up a lot as the "it's expensive but it'll just work" option, and I probably want something like a 4 bay of NAS specific several TB HDD's in something like raid 5/6/10. Pricey as hell but I'm most willing to spend on this as the cost might very well be split by the family members who want me to guinea pig all this.

      2. I will have a camera system and would prefer to not have it sending data outside my network. This is the area I've looked at the least, as it's a little farther down the road, but I know others who have things like Arlo and let's just say I'm not super impressed. Obviously this brings up questions like remote access to said cameras and where I'm storing the data (NAS? Somewhere else?)

      3. I'd like to mess with a media server. Plex/Jellyfin constantly come up in my research, so I'll be looking into those, but I've also got a bunch of audiobooks that I'd love to be able to easily share, and I think there's software for that stuff as well.

      4. Pi-hole strikes me as the other "well if you're going to do this, you might as well" option that I'm aware of. Realllly need to better understand networking in general, but I hear these days it can kinda be installed and quickly configured and then left to do its job.

      5. Related to all of this, CasaOS keeps coming up as a very good tool for a beginner like me, since it streamlines the handling of Docker containers and also file sharing. However it's not really an OS, since it must actually run on Debian (I think?) for now (ZimaOS still in testing?).

      Stuff I'd like to mess with but doesn't have to happen right away.

      1. Eventually the aforementioned NAS would be backed up offsite to another NAS at another family members house, once I know what the hell I'm doing.

      2. Proxmox constantly comes up as THE tool to use, but it leaves a lot of questions for me. Obviously if I start trying to do lab environments and screw with VM's it's going to be great, but my understanding is that I probably don't, as a beginner, want to say load up a device with proxmox and then have it host debian which installs CasaOS as it'll get a little more tricky to have everything talk right? Unsure on this part.

      3. Anything else I'm forgetting. One issue I keep having with this is a LOT of the information out there is either too complex for me to really grok or just says "well yeah you could do ANYTHING with this" and it just sorta assumes I know what the options are. If there's anything else worth checking out I'd love to know.

      Hardware I've come across-

      1. Synology - Already mentioned but seems like they're a common go to for a "more money than skill/time" situation like mine.

      2. Zimaboard - My understanding is it's underpowered for its price, but the main draws are that it's VERY low power, small, and quiet. What it could actually do from my list above is where I'm unsure. I see people are supposedly using it for Plex servers and whatnot, and I'm pretty sure it's not going to make any kick-ass lab environments, but being quiet, small, and maybe a bit closer to plug and play seems tempting (I know they make the Blade and a few other products but it all seems Greek to me).

      3. Various mini computers - I've got a Minisforum machine from several years ago that I currently use as a living room computer for light gaming and mostly playing movies and the like. Not sure if I could just wipe it and convert it to be the starting point (more on that later). I know used 1-liter mini PCs from companies like HP are also popular.

      4. The MS-01 - Similar pile as the last one but my understanding is this is the kind of thing that's probably really cool if you actually know what the hell you're doing. I'm 99% positive it is vast overkill for my purposes, but I'd like to eventually get to the point where I could understand why I might want something like this. My understanding is if I knew what I was doing I could probably drop proxmox on this and do everything I could ever want and more, but I feel quite far from that.

      Some general questions I have -

      1. The thing that kicked this all off is my new place likely having fiber, and cat 6 drops throughout the building. Architecture is something I'm still a little shaky on. I assume I'm going to need my own modem/router (just because the Cox routers are meh and not really configurable from last I checked), and then that routes to the server first???...or something (seems like a must if you want the Pi-hole to do anything)? I've seen lots of nifty network diagrams at this point but they're all from people WAAAAAAAAY beyond my skill level doing much more ambitious stuff, so it gets hard to understand. If anyone has a simple home network diagram/guide to look at I'd really appreciate it.

      2. I'm just in general going to need to learn more about networking, especially in a home environment. Should I eventually get those cameras set up, I want to understand how to let them talk to internal storage and whatnot, but not get out to the web...or..something (again remote access seems nice, but also like a massive security concern). I know speed is also a big factor I'm going to need to better understand. Having a fiber connection in only to be bottlenecked by a crappy router or a 1-gigabit port is just a waste of money, so that's something else I'd like to better understand.

      3. I'm a little unclear on how to deliver the media in a media server to the various screens throughout the building. I've got cat 6 to all of them, but I suspect I'm still going to need, at the very least, a cheap computer to hook up to it and then display the image to the monitor/TV? This is why I assume I can't just wipe my current mini PC and reuse it as a server, because I still need it to receive the data from the home server (or at least a web browser?). A part of me feels like if I got a powerful enough server it should be able to serve the media directly to the screen, but then you'd need some sort of HDMI/DP drops as well from the server to all your screens?...or something?

      Sorry for all the rambling but I've got an odd mix of knowledge and ignorance so it's been a little difficult to research when half the video is stuff I already get, and the other half blows past me or just assumes I know about the parts I'm trying desperately to learn about.

      27 votes
    3. Advice on expanding storage in starter homelab/media server

      I've been slowly fiddling around with setting up a little homelab and media server for the last few months. As a web developer, I've always wanted to learn a bit more of the infrastructure side of things, hence the homelab part. The deteriorating quality of major streaming services finally pushed me to set up a media server as well.

      Right now, my setup is very basic. I've been using an old repurposed office laptop. It's a simple Dell Latitude 5540 I got ridiculously cheap due to its barely usable crusty keyboard, but since I mainly SSH into it that's not really an issue. I formatted it, doubled the RAM, and installed the latest stable Debian release. (Headless)

      After that, I chose to install yams which was recommended here. Definitely saved a lot of time there! Finally, I added an old unused Raspberry Pi I had lying around. The idea is that it's the only part of the setup that is on 24/7, since it has an almost negligible footprint. Whenever I want the main server running, I SSH into the Raspberry Pi and use Wake-on-LAN to start the main server. I'm probably gonna make a tiny web interface for that soon.

      Now on to the part I need advice for. The laptop and attached HD are quickly running out of space. I know just slapping on extra hard drives has a limit, and am vaguely aware of things like unraid existing, but am a bit overwhelmed right now with all the information and options in this space.

      Does anyone have some advice on something I can tackle for a reasonable amount of work/budget? Something basic, but with the possibility of expansion in the future?

      Any other tips on where to go next in general are of course also appreciated. (On that note, I'm right now not opening up the server to ingress from outside. I only interact with it on the home network, as I primarily work from home)

      17 votes
    4. In which a foolish developer tries DevOps: critique my VPS provisioning script!

      I'm attempting to provision two mirror staging and production environments for a future SaaS application that we're close to launching as a company, and I'd like to get some feedback on the provisioning script I've created that takes a default VPS from our hosting provider, DigitalOcean, and readies it for being a secure hosting environment for our application instance (which runs inside Docker, and persists data to an unrelated managed database).

      I'm sticking with a simple infrastructure architecture at the moment: A single VPS which runs both nginx and the application instance inside a containerised docker service as mentioned earlier. There's no load balancers or server duplication at this point. @Emerald_Knight very kindly provided me in the Tildes Discord with some overall guidance about what to aim for when configuring a server (limit damage as best as possible, limit access when an attack occurs)—so I've tried to be thoughtful and integrate that paradigm where possible (disabling root login, etc).

      I’m not a DevOps or sysadmin-oriented person by trade—I stick to programming most of the time—but this role falls to me as the technical person in this business; so the last few days has been a lot of reading and readying. I’ll run through the provisioning flow step by step. Oh, and for reference, Ubuntu 20.04 LTS.

      First step is self-explanatory.

      #!/bin/sh
      
      # Name of the user to create and grant privileges to (fill in before running).
      USERNAME_OF_ACCOUNT=
      
      # Refresh package lists, install nginx and (re)start it.
      sudo apt-get -qq update
      sudo apt install -qq --yes nginx
      sudo systemctl restart nginx
      

      Next, create my sudo user, add them to the groups needed, require a password change on first login, then copy across any provided authorised keys from the root user which you can configure to be seeded to the VPS in the DigitalOcean management console.

      useradd --create-home --shell "/bin/bash" --groups sudo,www-data "${USERNAME_OF_ACCOUNT}"
      # Remove the password and force a change at first login.
      passwd --delete "${USERNAME_OF_ACCOUNT}"
      chage --lastday 0 "${USERNAME_OF_ACCOUNT}"
      
      # Look up the home directory from the passwd database instead of eval-ing a tilde expansion.
      HOME_DIR="$(getent passwd "${USERNAME_OF_ACCOUNT}" | cut -d: -f6)"
      mkdir --parents "${HOME_DIR}/.ssh"
      cp /root/.ssh/authorized_keys "${HOME_DIR}/.ssh"
      
      # Tighten the new user's .ssh directory, not root's: a bare "~" expands to
      # the home of the account running the script (root), so it must be spelled out.
      chmod 700 "${HOME_DIR}/.ssh"
      chmod 600 "${HOME_DIR}/.ssh/authorized_keys"
      chown --recursive "${USERNAME_OF_ACCOUNT}":"${USERNAME_OF_ACCOUNT}" "${HOME_DIR}/.ssh"
      
      sudo chmod 775 -R /var/www
      sudo chown -R "${USERNAME_OF_ACCOUNT}" /var/www
      rm -rf /var/www/html
      

      Install Docker, run it as a service, and ensure the created user is added to the docker group.

      sudo apt-get install -qq --yes \
          apt-transport-https \
          ca-certificates \
          curl \
          gnupg-agent \
          software-properties-common
      
      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
      sudo apt-key fingerprint 0EBFCD88
      
      sudo add-apt-repository --yes \
         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
         $(lsb_release -cs) \
         stable"
      
      sudo apt-get -qq update
      sudo apt install -qq --yes docker-ce docker-ce-cli containerd.io
      
      # Only add a group if it does not exist.
      sudo getent group docker || sudo groupadd docker
      # Note: membership of the docker group is equivalent to root on the host,
      # so this user is effectively a second administrator account.
      sudo usermod -aG docker "${USERNAME_OF_ACCOUNT}"
      
      # Enable docker
      sudo systemctl enable docker
      
      sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
      sudo chmod +x /usr/local/bin/docker-compose
      sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
      docker-compose --version
      

      Disable root logins and any form of password-based authentication by altering sshd_config.

      # Each sed only rewrites an uncommented line that currently reads "yes";
      # a commented-out default (e.g. "#PasswordAuthentication yes") is left unchanged.
      sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
      sed -i '/^PasswordAuthentication/s/yes/no/' /etc/ssh/sshd_config
      sed -i '/^ChallengeResponseAuthentication/s/yes/no/' /etc/ssh/sshd_config
      

      Configure the firewall and fail2ban.

      sudo ufw default deny incoming
      sudo ufw default allow outgoing
      sudo ufw allow ssh
      sudo ufw allow http
      sudo ufw allow https
      sudo ufw reload
      sudo ufw --force enable && sudo ufw status verbose
      
      sudo apt-get -qq install --yes fail2ban
      sudo systemctl enable fail2ban
      sudo systemctl start fail2ban
      

      Swapfiles.

      sudo fallocate -l 1G /swapfile && ls -lh /swapfile
      sudo chmod 0600 /swapfile && ls -lh /swapfile
      sudo mkswap /swapfile
      sudo swapon /swapfile && sudo swapon --show
      echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
      

      Unattended updates, and restart the ssh daemon.

      # --yes keeps the install non-interactive like the other apt calls above.
      sudo apt install -qq --yes unattended-upgrades
      # Restart sshd so the sshd_config changes take effect.
      sudo systemctl restart ssh
      

      Some questions

      You can assume these questions are cost-benefit focused, i.e. is it worth my time to investigate this, versus something else that may have better gains given my limited time.

      1. Obviously, any critiques of the above provisioning process are appreciated—both on the micro level of criticising particular lines, or zooming out and saying “well why don’t you do this instead…”. I can’t know what I don’t know.

      2. Is it worth investigating tools such as ss or lynis (https://github.com/CISOfy/lynis) to perform server auditing? I don’t have to meet any compliance requirements at this point.

      3. Do I get any meaningful increase in security by implementing 2FA on login here using google authenticator? As far as I can see, as long as I'm using best practices to actually ssh into our boxes, then the likeliest risk profile for unwanted access probably isn’t via the authentication mechanism I use personally to access my servers.

      4. Am I missing anything here? Beyond the provisioning script itself, I adhere to best practices around storing and generating passwords and ssh keys.

      Some notes and comments

      1. Eventually I'll use the hosting provider's API to spin up and spin down VPSs on the fly via a custom management application, which gives me an opportunity to programmatically execute the provisioning script above and run some other pre- and post-provisioning things, like deployment of the application and so forth.

      2. Usage alerts and monitoring are configured within DigitalOcean's console, and alerts are sent to our business' Slack for me to action as needed. Currently, I'm settling on the following alerts:
        1. Server CPU utilisation greater than 80% for 5 minutes.
        2. Server memory usage greater than 80% for 5 minutes.
        3. I’m also looking at setting up daily fail2ban status alerts if needed.
      9 votes
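      A robustness point on the sshd_config step of the script above, as an added example that is not part of the post or of any project it mentions. The post's `sed -i '/^PermitRootLogin/s/yes/no/'` pattern only edits an uncommented line that currently reads "yes"; on a stock Ubuntu 20.04 file several of these directives exist only as commented-out defaults (for instance `#PasswordAuthentication yes`), which that sed never touches, so sshd silently keeps its built-in default. The function below is a hypothetical helper (names `set_sshd_option` and `sshd_effective` are mine) that sets a directive idempotently whether the existing line is active, commented out, or absent, and a second helper that reads back the value sshd will actually use. It assumes GNU sed, as shipped on Ubuntu, for `-i -E` and the `0,/re/` address form, and runs its demonstration on a constructed sample file rather than a real server's config.

```shell
#!/bin/sh
# Added example, not part of the original post. Sets an sshd_config directive
# idempotently whether the existing line is active, commented out, or absent.
# Assumes GNU sed (Ubuntu) for "sed -i -E" and the "0,/re/" address form.

# Usage: set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
        # One or more active directives: rewrite every one in place.
        sed -i -E "s/^[[:space:]]*${key}[[:space:]].*$/${key} ${value}/" "$file"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}[[:space:]]" "$file"; then
        # Only a commented-out default: replace the first occurrence with an active line.
        sed -i -E "0,/^[[:space:]]*#[[:space:]]*${key}[[:space:]]/ s/^[[:space:]]*#[[:space:]]*${key}[[:space:]].*$/${key} ${value}/" "$file"
    else
        # Directive absent: put it at the top of the file rather than appending.
        # An appended line would land inside any trailing "Match" block and then
        # apply only to that block's users or addresses, not globally.
        printf '%s %s\n' "$key" "$value" | cat - "$file" > "${file}.tmp" \
            && mv "${file}.tmp" "$file"
    fi
}

# Usage: sshd_effective FILE KEY -> prints the value sshd will use
# (sshd takes the first active occurrence of a directive).
sshd_effective() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demonstration on a constructed file resembling an Ubuntu 20.04 default plus a
# cloud-image override (constructed sample, not a real server's config).
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
    set_sshd_option "$tmp" PermitRootLogin no
    set_sshd_option "$tmp" PasswordAuthentication no
    set_sshd_option "$tmp" ChallengeResponseAuthentication no
    set_sshd_option "$tmp" MaxAuthTries 3
    for k in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication MaxAuthTries; do
        printf '%s=%s\n' "$k" "$(sshd_effective "$tmp" "$k")"
    done
    rm -f "$tmp"
}

demo
```

      Running `set_sshd_option` a second time with the same key and value leaves the file byte-for-byte unchanged, which is what lets the provisioning script be re-run safely; after editing the real `/etc/ssh/sshd_config`, `sshd -t` validates the file before the `systemctl restart ssh` at the end of the script.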