Desec.io is a solid option - it allows for various types of records like TLSA and SRV. It can also generate scoped API tokens e.g. for “only TXT records of the _acme-challenge subdomain of example.com” to use in automated cert renewals, so pretty good for granularity. It’s also a nonprofit.

I think selfhosting DNS is beneficial when you wanna control your own DNSSEC keys, but you’d need to account for high availability and safety. With that, you could do what’s called a “hidden primary + public secondary” setup to protect your master DNS data from the public prying. You can even use 3rd-party services like ns-global.zone as your secondaries for redundancy and to reduce load on your infra, too. I recommend Technitium and their guidance if you wanna get started

Those are not authoritative DNS providers where you can publish records…

Technically something like DANE can allow you to present DNSSEC-backed self-signed certs and even allow multi-domain matching that removes the need for SNI and Encrypted Client Hello… but until the browsers say it is supported, it’s not

I write homelab docs mostly for user guidance like onboarding, login, and service-specific stuff. This helps me better design for people by putting myself in their shoes, and should act as a reference document for any member to come back to.

Previously I built an Mkdocs-Material website with a nice subdomain for it, but since the project went on maintenance mode, I’m gonna migrate all docs back to a Forgejo wiki since it’s just Markdown anyways. I also run an issue tracker there, to manage the homelab’s roadmaps and features since it’s still evolving.

I find this approach benefiting compared to just documenting code. I’m not an IaC person yet, but I hope when I am, the playbooks should describe themselves for the nitty-gritty stuff anyways. I do write some infra notes for myself and perhaps to onboard maintainers, but most homelab developments happen in the issue tracker itself. The rest I try to keep it simple enough for an individual to understand

Panasonic Let’s Note, SV7 or SZ7 I think. Japanese domestic notebook for enterprises

Nextcloud forked from the old PHP-based ownCloud stack, while Opencloud forked from the Infinite Scale Go-based stack. It also by default preserves the filesystem hierarchy on your server without needing a database, using a storage driver called PosixFS.

The Windows clients currently do support selective syncing so it is on-par with OneDrive. Android client looks to be forked from old Owncloud, and has offline availability too.

Try Syncthing with IgnoreDelete but note that it’s unrecommended. Maybe use Syncthing as an append-only store

due to it missing ideal features

what features do you want? kindly elaborate

XMPP with Snikket could be an easy solution. If you don’t want to talk to the wider web make sure to disable federation.

Pihole runs on dnsmasq right? Maybe you could create a cronjob to copy the underlying dnsmasq.conf to other Piholes

Ah, I see. Well I’m glad you found PiHole useful and stick to using it anyhow!

What issues did you have reverse-proxying? For me it was just as simple as pointing to port 5380. Other ports like 53 could be passed on with a layer-4 router

What about the login issues? I’d hope they’ll be integrating with OIDC or some other auth mechanism, but for now managing 2FA creds should make do

Off the top of my head:

• Allows using DoH/DoT/DoQUIC/recursive upstreams without installing extra packages (unbound, cloudflared, etc)
• Allows acting as a DoH/DoH3/DoT/DoQUIC server alongside normal DNS over UDP and TCP
• Allows configuring SOCKS/HTTP proxies for forwarders
• Act as authoritative zone server with DNSSEC signing
• Allows custom responses via plugins (e.g. conditional responses based on client’s IP addresses)
• Accept PROXY Protocol to forward client IPs from trusted load balancers
• All the clustering and zone transfers magic
• DNS64

It really dives deep into the inner workings of DNS and does pretty much anything Pi-Hole does, with many more security and QoL features. Although the UI may feel a bit dated, I’d recommend it to anyone running their own homelab infrastructure beyond just adblocking

Just found out someone else has a similar thing too:

https://github.com/juhovh/tailguard

It seems more flexible and can be used site-to-site, for anyone interested

Thanks for posting this here. I’m not sure what to think about this, just set up mkdocs-material with huge customizations, including the macros plugin and tons of CSS. So it’d be tedious to eventually migrate to the new “component system” as they say.

Welp, should’ve gone with a barebone SSG and configured what I want. Feels like I’m kinda stuck in no man’s land now.

Hey, I’m glad you got it working, yeah Continuwuity is still a drop-in replacement right now so all is good. I also did a drop-in a few months back with zero hassle at all. Most env vars and config options weren’t changed, but I redid my continuwuity.toml file just to be sure.

I’d recommend joining the announcement room to keep track of updates, and the community room for support too

I find it odd that a report for the proprietary Github platform takes the newsletter’s spotlight, it’s not very relevant. I’d much prefer if the writer could expand his thoughts on those new version releases or featured blogposts, especially the ones he finds interested in.

To make it even simpler, apk -U upgrade

Hi,

The client IP problem is a longstanding issue in podman’s virtual bridge networks.

As a workaround I’d run HAProxy rootless, using the pasta networking mode as that one allows seeing native client IP. With pasta’s -T flag (see docs) I’d forward traffic to another caddy container binding to 127.0.0.1:8080 or something similar.

This would coincide with your firewalld/HAProxy port-forwarding setup, but it has more rootlessness to it. It’s still not perfect and you’d still need to tweak sysctls, but I hope it may be useful

You’ll need a TURN server to relay calls and provide signalling capabilities, which is needed most of the time. Here’s Synapse docs on it, and I’ll probably use coturn:

https://element-hq.github.io/synapse/latest/turn-howto.html

There’s also this new technology called Element Call, which uses a diffent tool called LiveKit. You should check it out too

https://github.com/element-hq/element-call/blob/livekit/README.md

You should add your DNS forwarder as its own node in Tailscale, and configure the tailnet to resolve DNS through it. That way you’ll be able to resolve both MagicDNS node names and your local domains, as well as being blocklist-enabled. Besides, I think you can also define custom A/AAAA records on your Tailscale console, skipping local records on Pi-hole altogether.

I’d also recommend Technitium for a new DNS solution, mainly because they’re going to add support for clustering soon. This could be highly useful if you want to configure blocklists once and sync them between different Technitium nodes. Should it works out, I’m thinking of installing it alongside every Tailscale exit node, for the benefit of synced blocklists, local domains, and exit-node geolocated IPs for external domains.