PaulEngineer-89

joined 11 months ago
[–] [email protected] 1 points 10 months ago

I think you need a much better understanding of surge protection and lightning protection.

The first thing to look at is the passive protection. If you have a grounded metal structure anything within a 35 degree angle from the highest point is protected. It is slightly better, Google “rolling sphere” model. You need at least 2 ground rods and stranded grounding cables running to the ground rods. Do NOT share with the electrical ground and stay at least 10 feet away. Run fiber, NOT copper between buildings. If you can’t there are special surge arresters using PIN diodes or GDTs but it’s not ideal. Put one at each end.

That takes care of protecting against direct strikes. The rest is dealing with indirect strikes. Put surge arresters on ALL attached lines…power or network. Keep in mind you get about 20 V of rise per inch away from the surge arrester so they really offer very little protection more than a few feet away. Standards test equipment against surges at a peak voltage equal to twice the nominal (marked) voltage plus 1,000 V.

This also protects against switching surges that are far more common compared to lightning strikes.

[–] [email protected] 1 points 10 months ago

Why not use Macvlan and join your Dockers to that rather than a bridge to Tailscale or Cloudflared? Then they are broken out so you can apply monitoring.

[–] [email protected] 2 points 10 months ago

There are some ARM chips that go down to microamps in low power mode and draw only 1 Watt at full power but might drive you nuts trying to run Linux on them.

[–] [email protected] 1 points 10 months ago

The cameras still need power so you are running cable anyway. POE is a great technology since it powers the camera AND gets the data with just one cord. Battery stuff works but it’s always cheaply built and overpriced.

In large commercial systems the router is just a router. Internally you have a large Gigabit switch often running fiber. So a TP-Link TL-SG 24 port all gigabit and POE is $220 USD on Amazon. A smaller 8 port switch with 4 POE ports is $66 USD. Ubiquiti makes much nicer IT-grade switches for a bit more money. These should be the backbone of your system.

Fiber is nice because it is immune to lightning and electrical issues going forward between switches and you can go to 10 Gigabits.

Ubiquiti’s Airfi stuff can use antennas to literally do gigabit WiFi over several miles. In Western states it’s common for wireless ISPs to use these for wireless backhaul networks. But no matter what cables are much more stable no matter how good this gets.

[–] [email protected] 1 points 10 months ago

I have denied all then only white listed US, US outlying areas, and Canada. I don’t do business outside those. This is at the firewall/IP level. Blocking outgoing DNS would probably only affect maybe Alibaba. TikTok for instance runs domestic servers so you have to explicitly block Bytedance.

The number of random attacks per day from China, Russia, and Singapore is hundreds. That’s what firewalls are for.

[–] [email protected] 1 points 10 months ago (1 children)

Pihole will integrate with unbound. Pihole already caches as well. The advantages of unbound are debatable.

OPNSense ban list is WAY too aggressive.

[–] [email protected] 1 points 10 months ago

How much are you paying for Google storage? I have terabytes of photos and video, not a teeny 15 GB. Google ended unlimited photos about 2-3 years ago. Where have you been?

Bitwarden is annoying when they are down and as a personal account that’s one thing but it’s not free if you share a family group vault.

May want to look seriously at Pihole. Lots of other things like nocodb, excalidraw, private VPN (Tailscale). Also I’m an engineer so I have thousands of documents. I convert the raw PDFs with the OCR/PDF utility then Sist2 can search them in like 2 seconds. No way to do it manually. Been collecting since 1989 and a lot of stuff doesn’t exist outside my files. There is NO equivalent.

Plus when I run Google Photos on my phone, Google grabs my photos, location, and number and delivers it to every criminal spam/scam system in India. Within minutes I get spam calls. They can go fuck themselves.

[–] [email protected] 1 points 10 months ago

Let it run. Just power off idle drives and such.

[–] [email protected] 1 points 10 months ago

Disagree with 99% of the other posts. If you self-host your email it is archived on your system. So-called “private” email isn’t after 6 months in the US. And it is more stable and higher performance to run my own Roundcube webmail on my own server. And I can control the spam filtering. All reasons to host your own.

However there is some “maintenance” involved with unscrupulous black list sites and overzealous email filter software. Google likes to declare basically everything not coming from their buddies as spam. Microsoft wants you to kiss the ring. On a work account just this week I tried contacting a German company called Beckhoff and after just 3 “dead” email accounts from previous contacts they decided to ban my entire company (about 100 employees, been in business over 75 years). They also don’t answer their phones. Not sure if they’re still in business or just being German jerks. As a result of their poor performance we may switch to a competitor. I do not put up with that crap.

Also I’m not sure how to phrase this politely but despite promises unless you are using PGP to end-to-end encrypt your email, and even then it’s not 100%, you can’t ever totally make it private. Also it is impossible to totally ensure identity of the sender although we’ve come a long way. Protonmail recently published how they delivered a criminal to the authorities using the small amount of public information they log.

As a result I do agree that you should let someone else deal with the black listers, bans, etc. But I strongly disagree with keeping it on a remote server more than about 10 minutes. That means one of three options (for receiving):

  1. If you have a static ipv4 IP use the email service on Cloudflare to act as a mail relay and forward email to your server. Thus Cloudflare’s reputation not yours is what matters.
  2. If you don’t have a static address, you can rent a VPS. Low end box (lowendbox.com) has some great coupons all the time. You can get easily under $12/year. In this case tunnel from your actual server to the VPS. We really don’t “need” the VPS.
  3. Pay for a forwarding server. I used Dynu in the past. Never had an issue. It was I think $10/year. Again this assumes you have an accessible server on a static or dynamic ip. And you are basically paying for what Cloudflare does for free.
  4. Pay for webmail. Again Dynu is $20. Then just program your local webmail to call imap and download everything say every 5 minutes. But it limits you to ONE user or each user doing their own thing.

On server dovecot and sendmail work well. Roundcube looks exactly like an improved gmail.

For sending I use smtp2go. At my low usage entire family is free.

[–] [email protected] 1 points 10 months ago

Depends on if your ISP loses power.

[–] [email protected] 2 points 10 months ago (1 children)

Don’t backup the container!!

Map volumes with your data to physical storage and then simply back up those folders with the rest of your data. Docker containers are already either backed up in your development directory (if you wrote them) or GitHub so like the operating system itself, no need to back up anything. The whole idea of Docker is the containers are ephemeral. They are reset at every reboot.

[–] [email protected] 1 points 10 months ago

Here is the problem you face speaking very generically. If you cache everything on the clients access is fast but storage is an issue. If you cache on the LANs speed is an issue. You can try to store on an internet VPS but storage costs are high. You can cache just the index, “Google Drive” style and download/cache only as needed. This probably works the best because you control it down to the file level and speed is not an issue because you work off local copies. Otherwise any scenario is going to be up against the bandwidth problem.
