I tried a few and eventually settled on commafeed. It has categories, can be executed from a single docker image (in other words, can run without the hassle of an external database), and the responsive UI works well both on pc and phone.
I remember this blog post (I cannot find right now) where the person split the decryption password in two: half stored on the server itself and half on a different http server. And there was an init script which downloaded the second half to decrypt the drive. There is a small window of time between when you realize that the server is stolen and when you take off the other half of the password where an attacker could decrypt your data. But if you want to protect from random thieves this should be safe enough as long as the two servers are in different locations and not likely to be stolen toghether.
TPM solves a sigthly different threat model: if you dispose the hd or if someone takes it out from your computer it is fully encrypted and safe. But if someone steals your whole server it can start and decrypt the drive. So you have to trust you have good passwords and protection for each service you run. depending on what you want to protect for this is either great solution or sub optimal
I use backblaze and rclone to encrypt and sync. It was the cheapest and most flexible solution when I checked a few years ago and I didn’t find any reason to change it so far
I use rclone, which is essentially rsync for cloud services. It supports encrypion out of the box.
I use https://mycorrhiza.wiki/ it is not very fancy but it is a single executable file and stores pages in a git repository, so no database is needed and doing the export is as simple as reading some files.
Yes, you are right, I already use DNS validation. But it is just it is easier to request a single wildcard certificate for my domain and have all the subdomains that I use for the local services defined only in my local DNS. I cannot fully automate the certificate renewal because namecheap requires to allowlist the IP that can call its API, and my ip is dynamic. So renewing a single certificate saves me time. Also, the wildcard certificate is installed on a single machine, so it is not the I increase a lot the attack surface by not having different certificates for each virtual host.
The advantage of wildcard certificates is that you don’t have to expose each single subdomain over internet. Which is great if you want to have https on local only subdomains.
https://shadowsocks.org/ should be a good option, easy to install, encrypted, and password protected
For a simple dynamic DNS, I have been using https://www.duckdns.org/ for a few years and been happy so far
I got a terramaster nas and I’m super happy https://www.terra-master.com/global/f4-5067.html
The main reason to choose it is that it is just a PC in the form factor of a NAS. You can just boot it from a pendrive and install your favourite operating system. I had a Qnap before, and while it was great to start, self hosting wasn’t the best experience on their OS.
this is a small form factor, it should be low power consumption (I’ve never measured to confirm it) and supports both nvme and sata drives. Currently I’ve an nvme for the OS and two sata for storage. CPU is powerful enough to run home assistant, vpn, pihole, commafeed, and a bunch of other Docker images. I just plan to increase the ram soonish because the stock feels a little constrained.