Terramaster is just a PC in a NAS form factor. You can install your favourite OS without any issue

I managed to remove all the kernels instead of all the old kernels. It was a good learning experience fixing it later, and now I pay much more attention when apt warns about “potentially dangerous operations”.

there is a feature request with a lot of good comments on their forum. The summary of the last time I checked it was on the lines: “it is a reasonable request but it is terribly hard to implement it correctly and since we currently have no capacity to do it we prefer leaving it not implemented instead of offering any alternative which could give a false sense of security”

If you want to encrypt only the data partition you can use an approach like https://michael.stapelberg.ch/posts/2023-10-25-my-all-flash-zfs-network-storage-build/#encrypted-zfs to ulock it at boot.

TL;DR: store half of the decryption key on the computer and another half online and write a script that at boot fetches the second half and decrypt the drive. There is a timewindow where a thief could decrypt your data before you remove the key if they connect your computer to the network, but depending on your thread model can be acceptable. you can also decrypt the root portion with a similar approach but you need to store the script in the initramfs and it is not trivial.

Another option I’ve seen suggested is storing the decryption key on a USB pendrive and connect it with a long extension cord to the server. The assumption is that a thief would unplug all the cables before stealing your server.

A more detailed guide for dropbear: https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux/

If I remember correctly, the only outdated bit of information is that the IP configuration doesn’t happen anymore in the initramfs configuration but you must pass a parameter at the kernel by editing /etc/default/grub and passing

GRUB_CMDLINE_LINUX_DEFAULT="ip=192.168.x.x:::::"

where 192.168.x.x is the IP address that you want at boot

I’ve been using CommaFeed for a while and I’m very happy with it. https://github.com/Athou/commafeed/ plus it is actively developed. I’ve reported a couple of small feature requests and the author implemented them very quickly.

As far as I know there are many third party android apps that you can use, but its responsive webUI is good enough, once you install it it is essentially as good as an app.

As other mentioned, an advantage is that it blocks ads on phone apps too. My other use case is to add extra DNS entries to name devices on my local network. Finally, after using pihole for a while I switched to blocky. It has similar features but it lacks the UI and the dchp server, but in exchange it uses much less resources. Since I didn’t use either of these it sounded a good trade to me

Devices are named after characters from books I recently read, trying to match the name with the character of the book. But for virtual hosts for services I use their purpose (wiki, files, feed…) because I wasted too much time updating all the bookmarks last time I migrated to a new server.

I started using headscale (the opensource reimplementation of tailscale server) on a private vps. It is incredibly better compared to plain wireguard. I regret waiting so much before switching.

Something that really made my life easier: wireguard is poor at roaming: switching to and from my wifi created issues because the server wasn’t reachable anymore from its public ip and wireguard didn’t bother to query the DNS again to check the new IP. Also, configuration is dead simple because it takes care of iptables for you (especially good when you enables forwarding to a node).

Since the server just sends small messages for the control plane and all the traffic is p2p between the devices, the smallest vps with the smaller connectivity is more than enough to handle it.

I tired the same, but my router wants to be smart by filtering DNS responses that points to local IP. I guess whoever designed it considered it a security feature. It is a stock router from the ISP, its configuration interface is minimal, borderline to non existent.

If security is one of your concerns, search for “HTTP client side certificates”. TL;DR: you can create certificates to authenticate the client and configure the server to allow connections only from trusted devices. It adds extra security because attackers cannot leverage known vulnerabilities on the services you host since they are blocked at http level.

It is a little difficult to find good and updated documentation but I managed to make it work with nginx. The downside is that Firefox mobile doesn’t support them, but Firefox PC and Chrome have no issues.

Of course you want also a server side certificate, the easiest way is to get it from Let’s Encrypt

I did some experiments in the past. The nicer option I could find was enabling webdav API on the hosting side (it was an option on cPanel if I recall correctly, but there are likely other ways to do it). These allow using the webserver as a remote read/write filesystem. After you can use rclone to transfer files, the nice part is that rclone supports client side encryption so you don’t have to worry too much about other people accessing files.

Back to the days I was fixing a lot of computers of friends and relatives, my Swiss army knife of Linux was https://www.system-rescue.org/

Very lightweight but with a full set of recovery tools. I’ve tried it recently and I still find it up to the expectations.

I’ve also used a fair amount of https://clonezilla.org/ to (re)store images of freshly installed OSes (mostly windows XP and 7 to give you an idea of the timeframe) for people who I know would have messed up faster.

A lot of technical aspects here, but IMHO the biggest drawback is liability. Do you offer free storage connected to internet to a group of “random tech nerds”. Do you trust all of them to use it properly? Are you really sure that none of them will store and distribute illegal stuff with it? Do you know them in person so you can forward the police to them in case they came knocking at your door?

Yes, you can do it on your server with a simple iptable rule.

I’m a little rusted, but something like this should work.

iptables -t nat -A PREROUTING -d [your IP] -p tcp --dport 11500 -j DNAT --to-destination [your IP:443]

You can find more information searching for “iptables dnat”. What you are saying here is: in the prerouting table (ie: before we decide what to do with this packet) tcp connections to my IP at the port 11500 must be forwarded to my IP at port 443.