• 2 Posts
  • 59 Comments
Joined 1 year ago
Cake day: July 3rd, 2023

  • Admittedly I’m paranoid, but I’d be looking to:

    1. Isolate your personal data from any web facing servers as much as possible. I break my own rule here with Immich, but I also…
    2. Use a Cloudflare tunnel instead of opening ports on your router directly. This gets your IP address out of public record.
    3. Use Cloudflare’s WAF features to limit ingress to trusted countries at a minimum.
    4. If you can get your head around it, lock things down more with features like Cloudflare device authentication.
    5. Especially if you don’t do step 4: Integrate Crowdsec into your Nginx setup to block probes, known bot IPs, and common attack vectors.

    All of the above is free, but past step 2 it can be difficult to set up. The peace of mind once it is, however, is worth it to me.
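As an added example (not code from the commenter above), this is how steps 1 and 2 look in practice: a `cloudflared` tunnel that exposes exactly one self-hosted service by hostname, with the mandatory catch-all rule returning 404 for anything else, so no port is forwarded on the router and the home IP never appears in DNS. The tunnel name `home`, the hostname `photos.example.com`, an Immich origin on `127.0.0.1:2283` and the `/etc/cloudflared` config path are assumed values; set `TUNNEL_ID` to the UUID that `cloudflared tunnel create` prints, and pass `apply` to actually run the Cloudflare commands.

```shell
#!/bin/sh
# Added example, not from the original thread. Stands up a Cloudflare tunnel in
# front of a single self-hosted service instead of opening router ports.
# Assumed (hypothetical) values: tunnel "home", public host photos.example.com,
# Immich on 127.0.0.1:2283, config under /etc/cloudflared.
set -eu

TUNNEL_NAME="${TUNNEL_NAME:-home}"
PUBLIC_HOST="${PUBLIC_HOST:-photos.example.com}"
ORIGIN_URL="${ORIGIN_URL:-http://127.0.0.1:2283}"
CONFIG_DIR="${CONFIG_DIR:-/etc/cloudflared}"

# Render the cloudflared config. The final catch-all ingress rule is required
# by cloudflared, and it is also the security control: any hostname not listed
# above it gets an HTTP 404 from the edge rather than being proxied onto the LAN.
render_config() {
  # $1 = tunnel UUID, $2 = path to the tunnel credentials JSON
  cat <<EOF
tunnel: $1
credentials-file: $2
ingress:
  - hostname: ${PUBLIC_HOST}
    service: ${ORIGIN_URL}
  - service: http_status:404
EOF
}

# Count the ingress rules in a rendered config so the exposed surface can be
# eyeballed (one named hostname plus the catch-all) before the service is installed.
count_ingress_rules() {
  grep -c '^  - ' "$1"
}

if [ "${1:-}" = "apply" ]; then
  : "${TUNNEL_ID:?set TUNNEL_ID to the UUID printed by 'cloudflared tunnel create'}"
  CFG="$CONFIG_DIR/config.yml"
  mkdir -p "$CONFIG_DIR"
  render_config "$TUNNEL_ID" "$HOME/.cloudflared/${TUNNEL_ID}.json" > "$CFG"
  echo "ingress rules in $CFG: $(count_ingress_rules "$CFG")"
  # cloudflared checks the ingress block (including the catch-all) before anything goes live.
  cloudflared tunnel --config "$CFG" ingress validate
  # Publish a CNAME for the public hostname that points at the tunnel, not at the home IP.
  cloudflared tunnel route dns "$TUNNEL_NAME" "$PUBLIC_HOST"
  # Run the connector as a system service so it survives reboots.
  cloudflared service install
fi
```

Before running `apply`, do `cloudflared tunnel login` and `cloudflared tunnel create home` once; the create step writes the credentials file the config refers to. Country restrictions (step 3) and device authentication (step 4) are configured on the Cloudflare side against the same hostname, not in this file.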




  • I’ll have to have a look when I’m next in the vicinity but I’m pretty sure I have an APC Easy UPS on mine and it works out of the box.

    Let me get back to you…

    Update: It’s an APC Back-UPS 850. No doubt the instructions banged on about requiring Powerchute but I just plugged it into the Syno and it worked fine. You do need to enable UPS support on the NAS itself of course, from Control Panel/Hardware & Power/UPS, and set it to USB UPS.



  • I have my dock plugged into a smart plug and the laptop set in the BIOS to turn on when it receives power. I have an NFC tag on my coffee machine that I bloop while I’m making my morning brew, and that turns the dock on so that everything’s ready when I move into the office.

    For turning things off I have HASS.Agent installed and sending state updates (locked, unlocked, etc., which is useful for other automations) and when that sensor goes unavailable for 15 minutes it turns the plug off. I find that’s long enough to allow it to reboot for updates and whatnot.

    The sensor does report shutdown, reboot, and sleep states but I found that it often happens too quickly to get the change sent, so the unavailable state is more reliable.


  • Unless you’re hosting VHDs and need maximum throughput (in which case use NFS), SMB is going to be the easiest to setup and maintain across those 4 platforms.

    The Linux SMB implementation is decent and supports the latest version of the protocol (or close to, at least) whereas NFS in Windows ain’t so great and is a bit of a pig to get working in my experience.








  • If it was just me, or if Tailscale wasn’t such an insatiable battery leech then I’d absolutely do that but the wife (and kids) acceptance factor plays a big role, and they’re never going to accept having to toggle a separate service on and off to get to their photos.

    Maybe I’m being overly paranoid but I work in IT and see the daily, near constant barrage of port scans and login attempts to our VPN service and it has an effect!


  • Very useful insights, thanks.

    I do currently have external stuff running via a Cloudflare tunnel (which is why I need DNS-based LE certs for the internal proxy) but I don’t know if it’s set up correctly (beyond doing basic reverse proxying) and the admin backend for it feels like massive overkill for a home setup. Plus with Immich I run into the issue of a) dire warnings about it being in active dev and potentially insecure and b) file size limits making away-from-home backups difficult.

    I could well be over thinking the whole thing.


  • Yeah I’m running a Cloudflare tunnel for external access (which is why I need DNS-based LE certs), but that’s another thing that I don’t really know what it’s doing beyond basic reverse proxying.

    I have a country-based whitelist for where my Immich instance can be accessed from but I find the Zero Trust admin backend to be massive overkill for my needs, and it doesn’t help that they’ve recently moved everything around so none of the guides out there point to the right places anymore!