• 7 Posts
  • 43 Comments
Joined 1 year ago
cake
Cake day: June 12th, 2023

help-circle



  • I can recommend some stuff I’ve been using myself :

    • Dolibarr as an ERP + CRM : requires some work to configure initially. As most (if not all) features are disabled by default, it requires enabling them based on what you need. It also has a marketplace with a bunch of modules you can buy
    • Gitea to manage codebases for customer projects. It can also do CI but I’ve not looked into it yet
    • Prometheus and its ecosystem (mostly promtail and grafana) for monitoring and alerting
    • docker mail server : makes it quite easy to self host a full mail server. The guides in their doc made it painless for me to configure dmarc/SPF/other stuff that make e-mail notoriously hard to host
    • Cal.com as a self hostable alternative to calendly
    • Authentik for single sign-on and centralized permission management
    • plausible for lightweight analytics
    • a mix of wireguard, iptables and nginx to basically achieve the same as cloudflare proxying and tunnels

    I design, deploy and maintain such infrastructures for my own customers, so feel free to DM me with more details about your business if you need help with this













  • What I did is use a wildcard subdomain and certificate. This way, only pierre-couy.fr and *.pierre-couy.fr ever show up in the transparency logs. Since I’m using pi-hole with carefully chosen upstream DNS servers, passive DNS replication services do not seem to pick up my subdomains (but even subdomains I share with some relatives who probably use their ISP’s default DNS do not show up)

    This obviously only works if all your subdomains go to the same IP. I’ve achieved something similar to cloudflare tunnels using a combination of nginx and wireguard on a cheap VPS (I want to write a tutorial about this when I find some time). One side benefit of this setup is that I usually don’t need to fiddle with my DNS zone to set up a new subdomains : all I need to do is add a new nginx config file with a server section.

    Some scanners will still try to brute-force subdomains. I simply block any IP that hits my VPS with a Host header containing a subdomain I did not configure










  • Things have been going well for me, using docker-mailserver.

    I followed the setup guide, did everything in the DKIM, DMARC and SPF documentation page. The initial setup required more involvement from me than your standard docker-compose self-hosting deployment, but I got no issues at all (for now, fingers crossed) after the initial setup : I never missed any inbound e-mails, and my outbound e-mails have not been rejected by any spam filter yet.

    However, I agree with everyone else that you should not self-host an important contact address without proper redundancy/recovery mechanism in case anything goes wrong.

    You should also understand that self-hosting an email address means you should never let your domain expire to prevent someone from receiving emails sent to you by registering your expired domain. This means you should probably not use a self-hosted e-mail to register any account on services that may outlive your self-hosted setup because e-mail is frequently used to send password reset links.