I think you are overcomplicating and undercomplicating things at once.

Proper VPNs will allow split tunneling  —  only the traffic that needs to go through the VPN will go through the VPN.

So, the solution would be:

• Set up a VPN capable of split tunneling — vanilla Wireguard and tailscale should work
• Set up split horizon DNS so that you get are pointed to the internal/VPN-facing IP address of your server while connected to the VPN *???
• Profit

A few things, in no particular order:

• Docker interferes with user-defined firewall rules on the host. You need to expend a lot of effort to make your rules persist above docker. This functionally means that, if you are running a public-facing VPS/dedicated server and bind services to 0.0.0.0, even if you set up a firewall on the same machine, it won't work and your services will be publicly accessible
• If you have access to a second firewall device  —  whether it is your router at home, or your hosting provider's firewall (Hetzner, OVH both like to provide firewall controls external to your server)  — this is not the biggest concern.
• There is no reason to bind your containers to 0.0.0.0. You will usually access most of your containers from a certain IP address, so just bind them to that IP address. My preference is to bind to any address in the 127.0.0.0/8 subnet (yes, that entire subnet is loopback) and then use a reverse proxy. Alternatively, look into the 'macvlan' and 'ipvlan' docker network drivers.

Good luck

Ergo, formerly oragono, supports LDAP and possibly SAML. This is not something I have set up, but I have hosted a public ergo server before.

Good luck.

cc /u/badass6  —  no need to wait a day.

Could I set up WireGuard between the home server and VPS then have that handle sending out the email?

Yes, you can.

What software stack would I need? Would this be something like postfix to postfix or..?

I don't think you need postfix-to-postfix. You just configure your VPS server's VPN-facing IP address in your dovecot or mail client (instead of the conventual localhost address).

In no particular order:

• Price (if looking to host something low value)
• Price/performance (if longer-term)
• Details of Fair Usage Policy
• Bandwidth limits
• Overlimit pricing
• Location - proximity
• Location - creepiness of government / jurisdiction
• Reputation of the company - are they scummy? Do they oversell? Is their datacenter about to get yeeted? (cough Dedipath cough)
• Are they bullshitting me with RAID 100000 PURE SSD STORAGE!!!!!

In fact, I actually prefer HDD storage for most of my servers: for most websites, your bandwidth will be a bigger limitation than your data access speed.

This is a case of RTFM. Specifically, TFM says:

Please note that we do not support nor encourage the use of reverse proxies and container to run Headscale.

Notwithstanding the above, there is community documentation to run headscale behind conventional reverse proxies.

However, per the headscale discord, cloudflare does not work because tailscale/headscale utilize a non-standard websocket negotiation.

If you want an alternative to headscale without publicly exposing your home IP too much, I highly recommend trying something like innernet.

What I like about innernet is that the control interface is only exposed within the VPN network, so there is no big deal that your IP is internet-facing — all non-WG connections to the open WG port are dropped, and WG connections require authentication.

Are there any TOS considerations for using R2 instead of Cloudflare's Stream platform?

You are looking for VOIP.

Asterisk is the main goto, but it is still waiting for patches to some RCE vulns disclosed last DEFCON.

Your country might not support using a mobile number with VOIP providers, mine does though.

Good luck.

Where does one get help? IT consultants. Where does one get affordable help? Dunno, I don't use IT consultants.

Is there a particular reason you need to upgrade rather than back up your files, do a clean install of Alma, and then rsync your files back to the new host?

That's what I'd do. I also run a lot of docker containers, so I am not worried about nuking a system — I can rebuild in minutes on a new VM.

Look into Docker Networks.

You just create a VPN Network, and then attach containers to that network that need to go through that VPN.

With VPN containers things can be more funky, where you don't so much use a Network but rather you use "network mode" to copy the network mode of the VPN container, but you get the picture.

Having read your comment I think I understand what you are looking for: fancy dashes available to the public to serve as inspiration for your team.

In that case, let me suggest:

• Internet Traffic Trends: https://radar.cloudflare.com/
• "Cyberthreat" heat maps: https://cybermap.kaspersky.com/
• Airplanes: https://www.flightradar24.com/
• Ships: https://www.marinetraffic.com/
• Maybe some BGP routes?
  • https://lg.he.net/ or
  • https://as2914.net/#/galaxy/internet?cx=0&cy=0&cz=0&lx=0.0000&ly=0.0000&lz=0.0000&lw=1.0000&ml=150&s=1.75&l=1&v=2020-01-28
  • https://rex.apnic.net/as-interconnections?allocationType=ipv4,ipv6&economy=AU
• For weather:
  • https://openweathermap.org/
  • https://support.apple.com/en-us/102594
  • https://www.wunderground.com/weather/ca/vancouver/IVANCOUV64
  • https://merrysky.net/
  • http://pirateweather.net/en/latest/
• Public status pages:
  • https://www.githubstatus.com/
  • https://discordstatus.com/

Financial stuff is difficult  —  while there are many websites showing fancy websites, they don't exactly like to expose their data programmatically because of the API costs.

If you're a nerdy workplace, you can also look up satellite trackers, too.

If you want to go build a high-capacity all-SSD NAS, you need to decide how many kidneys you can part with.

The folks at /r/datahoarder will be the best to talk to about storage solutions. I prefer 7200 drives for use in my daily driver box, and I don't really care (but have them) in the NAS.

2.5GBe is overkill  —  don't forget you also need the cables that can support the throughput. But, even when you get the cables sorted, drive speed will be a bottleneck anyway.

I would not spend money on 2.5Gbe gear if your WAN is limited to 1gbps.

There just aren't many reasons in a small network context where having that kind of network speed will give you a tangible benefit. In those circumstances where it would make a benefit, you would already know and would not be asking this question.

When it comes to gaming, the speed of data transfer on your internal network will mean diddly-squat. Firstly, I am not aware of any games that will saturate a 2.5g link. That's because most online games are designed to be playable on ADSL+. There just isn't that much data transfer.

And if you are doing LAN party only type stuff, then you will likely want a switch with more ports than with more bandwidth per port.