If the main site gets compromised the credentials there must be considered lost and known to che attackers.
with a pull backup that’s not an issue because the main site has no access to the remote system; it is a process on the remote site that has credentials to access the main site and not the other way around.
the remote system may receive retrieve a compromised copy of the data, but the attacker cannot tamper with previous backups so recovery is still possible.
Fifa Agent Platform -> FAP pun intended?
last thing missing in your post is a complaint for slow migration on a 1gbit link…
you can complain as much as you want because proxmox is not vmware or you can embrace proxmox and make the effort to move/update/refresh your knowlwdge on to the new environment.
This is the way. 🤭
The second install should be easier since is done just after a test one.
Add a second node using the new drive, move all vm to the new node, decommission old node, rebuild the old node with the new drive.
You can get away with a disk clone but in my opinion a vm move is the proper way to go.
Adding a new node you start with a clean install, any quirk you have on the old hw will be finally washed away (or will bite you back and be properly documented), you have a quick way back should anything go sideways (the clone too provides a quick way back, but i like this way much more ^^), you get some hands on multi node experience that will be useful for ha setup.
Normal background noise. ssh is a well known protocol/port and scanning is automated.
my home router is the stock one from my isp and have no vpn capabilities.
I put a port forward on the router and then configured everything on the internal node; in my case it is an opnsense vm running on proxmox.
I wouch for the VPN route… VPN servers are built to be exposed, are hardened/engineered to resist the harshness of the net and are somewhat safe even with default settings.
Should you publish on the wild a few web apps, you would have to harden, monitor and manage a bunch of environments and/or frameworks with a load of quirks each.
A VPN is easier to maintain and safer for your data with a lower effort.
The article is on a ‘pay or ok’ site.
Maybe there is some relation with orange man erratic behaviour, canadian pm speech in davos, europe considering to abandon usa cloud and other countries that may follow suit?
Just sayin’…
In proxmox you create a vlan on the physical interface and not on a bridge.
Once the physical port has tagged traffic for all vlan but LAN, leave vmbr0 alone, create the new DMZ vlan in proxmox networking and a new vmbr on that vlan, that’s it.
If your vps is a firewall, you could use it as an exit point for different private networks: ip1 to mask the traffic for a guest subnet that you don’t trust and if the ip gets blacklisted there are no issues for lan traffic behind ip2 while ip3 is reserved for server traffic with specific rulesets on supplier’s systems for updates/backup/whatnot. Should you have more than one mail server because of reasons, if one is blacklisted the other could remain clean (in this situation you usually put them on different subnets but whatever).
Mailu is a mail server so it is suitable for the task.
You need a mail server somewhere, a mail client cannot listen for incoming messages. A possible workaround: you could activate your own mail server accessible only inside tailscale and use it to send and receive your local alerts.
I’m doing something similar with an android tv, a raspberry 3a and my home wifi network. Antenna hooked to the raspberry using an usb dongle, tvheadend on the raspberry and kody on the android tv placed wherever you need it. Also added clipious on the tv to have no ad playback. I don’t need surfing so my setup is simpler and everything is controlled using the tv remote. Once you have the pi up and running, the bonus is that you can find a client to connect to tvheadend for any platform, so you can watch tv on a smartphone (android or apple), a tablet, a computer, another tv in the basement…
IMHO you should look/ask for such a feature in a google group because big g may have a business case for such a feature: it would pull back in those users who try to escape.
and that should not be an immich feature but a google one.
as a self-hoster I prefer to have control on my data; a solution to feed my data to google through a third party (that may do whatever it wants while performing the transfer) is the exact opposite of what i’m trying to achieve and would have little to no value for me.