I switched from SWAG to Caddy. Its config file is much simpler, with many best practice settings being default resulting in each sites being like 3 lines of code. Implementing something like mTLS requires one line per site, just super nice to configure, and you’re not left without a template config for more obscure services.

That being said, SWAG does more than enough and Nginx is a powerful software so you really aren’t missing out on anything but more streamlined config.

Traefik is kind of just like, a nightmare that tries to sell you on it being “self configuring” but it takes some work to get to that point and the “self configuring” requires the same amount of time in a text editor as manually configuring Caddy does. I can see Traefik being powerful if you’re using it with actually clustered k8s and distributed workloads. If that’s not your use case it’s kinda just more work than it’s worth.

StaRSS

For you trekkies out there

I’m sorry to burst your bubble but:

https://dictionary.cambridge.org/us/dictionary/english/whodunit

https://www.dictionary.com/browse/whodunit

https://www.collinsdictionary.com/us/dictionary/english/whodunit#:~:text=(hudʌnɪt ) also whodunnit,[informal]

The mystery in question specifically refers to a crime, usually a murder specifically and who committed it. Hence the “who” in “whodunit”. Thats why they don’t call it a “Whoisit” or “howdoeshe”

It’s not a whodunit because the movie begins with you “knowing” whodunit, and then ends with the twist being actually “no one” dunit. Never at any point in the movie does the viewer wonder “whodunit”, which is literally the only requisite for a movie to be classified as a whodunit.

Two bonus points can be awarded for how bad it is as well. The first being that the answer to who the real villain is, is the only character in the movie who obviously presents from the start as the villain. The whole twist is “You thought the cartoonishly villainous person was an obvious red herring and that we have a much more clever villain in store, but nope. They just actually are the villain”. The second being that the ending monologue posits that Martha is not a killer because “She’s too good of a nurse”, when in reality she’s a horrible nurse with zero attention to detail and her horrible incompetence is the only reason she isn’t the killer.

I can’t think of any other whodunits where the twist is “Like a whodunit, but you aren’t even aware there is a mystery until after it’s solved, and the secret villain of the movie turned out to just be the person we introduced to you as the villain in the first act.”

I liked the second one, the first one I couldn’t stand. It was marketed as a whodunit but it just wasn’t.

As somebody who runs Ubiquity UniFi gear, it’s all flash and very little substance. Its dashboard will dazzle you with charts that either aren’t accurate, aren’t meaningful, or are generally unhelpful. It has a “new” (half a decade old now) and classic interface you can choose between, but neither interface gives you access to every setting you’ll need. I still to this day find myself swapping between them.

If you just need basic devices to make packets go, they do the job. But an average day in the life of a UniFi-enjoyer consists of things like trying to troubleshoot some kind of network issue only to find that the data collected by the devices doesn’t mathematically make sense, so you go to the UniFi forums just to find out it’s a bug that’s existed for years and has never been resolved. And on days like that, I find myself wishing I had something less flashy that would just allow me to see what’s going on with my network, accurately.

If you have an iPhone, it’s a pain over Tailscale because Tailscale frequently likes to disconnect for various reasons and this isn’t something Tailscale can fix, it’s something with the way Apple manages background processes.

If you’d like an alternative, you can host your services directly to the internet via a reverse proxy like Caddy or Nginx, and then use mTLS to secure that access with a certificate you load only onto your devices.

Perhaps some kind of teaser that hints at what your strategy is before going into full detail?

Well yeah “Dishwasher safe” is an endorsement. The lack of an endorsement is not an endorsement to the contrary. Something is only “dishwasher unsafe” if it says “Hand wash only”

There’s nothing wrong with just using a VPS for this. Despite what some mouth-frothing hobbyists will tell you, it’s still well within the realm of self hosting. There’s just no reason or difference for hosting a blog on your UnRAID server vs a VPS.

If you really want to be some kind of purist and only use your own hardware, then you could configure a web server that can reverse proxy on your UnRAID server and forward port 443 in your router to your UnRAID box, but you’d have to change your UnRAID access port to something else. You’d want to keep this web server docker container up to date, and preferably see if you can implement some kind of WAF with it or in front of it. You’d then forward the requests from this web server to your ghost container.

A better idea would be to use a different piece of hardware for this web server reverse proxy, like a raspberry pi or something, and put it on a different subnet in your house. Forward 443 to that, then proxy the connection back to UnRAID, in whatever port you bind the ghost container to. Then you can tighten access that raspberry pi has. Or hell, host the blog on that hardware as well and don’t allow any traffic to your main LAN.

There are half a dozen better ways to do this, but they all require you to rely on a third party service to some extent.

Years of ongoing issues with their metadata server bricking its ability to search for content. It wasn’t an issue with your setup, it’s an issue with Readarr itself. They always fix it, but it’s kind of a joke how many times they’ve had the same problem over the years.

Well, it would be if Readarr worked consistently.

The three main characters in this poster are all from Marvel movies.

Yes this. So many people don’t know that in all 50 states it actually becomes illegal to have fun after your 25th birthday.

Getting all the functionality of Pihole into Unbound would be a good deal more than “a little work” lol. And for no real practical reason when all you’re trying to do is set up secure DNS with some ad blocking on your network. And this is coming from a professional who wouldn’t have to “learn” anything to do it. If it was really that little work, Pihole + Unbound wouldn’t be the go-to solutions for so many people.

I mean if you want to build something around Unbound to do ad blocking and set up a monitoring stack for metrics and all that jazz that’s great, more power to you. But you already have two things built for purpose, there’s no reason to go out of your way to do that. And I don’t think OP here is prepared to do all that.

For the same reason you’re running AdGuard and not just pointing all your devices at the recursive upstream.

You’re using AdGuard / Pihole as an ad sinkhole, not just to cache and forward DNS requests. Like if you really wanted to you could hack together something in Unbound to do that, but why would you do that when Pihole already exists? You have two things built for purpose.

If you want to run your own recursive DNS server, why would you run two separate DNS servers?

I’m not sure I understand your question. A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both. You yourself are using AdguardHome and that is just connecting to recursive DNS server upstream. In my scenario you’re just running both yourself instead of you running one and then letting a 3rd party run the other for you.

Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them.

You can encrypt the recursive queries through your ISP if you want to. Though the effectiveness of any profiling your ISP would do to you are minimized by Qname minimization that Unbound does by default.

If you’re just using DoH then you’re just shifting who’s making that advertising profile on you from your ISP to whoever is hosting your upstream recursive DNS server. It doesn’t matter how much encryption you do because on the other end of that encrypted connection is the entity who you’re giving all your queries to.

I would say Pihole is a better choice than AdGuard home because PiHole just runs on top of dnsmasq. Throw Unbound on there too as your upstream recursive resolver and you’re set. You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.

I think you are right but I wasn’t sure. Like technically you’ll still see the details if you open the certificate but… who’s doing that?