

I actually did not know this. Thank you! That was one of my more major gripes.
Nextcloud is more featureful (more apps like notes and hardware 2fa support). That is currently holding me to NC.
OpenCloud (fork of OCIS not original OC) is very similar when it comes to core functionality, but is missing those few apps I do not want to let go of.
Also note that nextcloud stores files in a very natural manner, where your file names and directories are stored the exact same on disk as on the interface. Opencloud does not do that. This is particularly handy if one day the app just explodes and refuses to run. With NC, you can just copy the files off the disk. Not so easy with OC.
As a heads up, almost all OpenWRT routers function as managed switches with vlan capabilities. Not truly all, but a very good number.
I agree that it is quite possibly related to the version of Podman more so than an inherent issue. I am currently satisfied, however, and have no desire to fiddle with it any more… Or at least until Debian 13 gets released.
My use of PinP is almost entirely for cleanliness. It allows me to more easily wipe the build environment (clear out space, troubleshooting). It also mildly improves security as the ‘untrusted’ actions containers run on a separate environment from the important Forgejo container.
The workaround I use for the premade Docker actions not functioning is to simply install Podman as one of the build steps and use that instead, lol. (Some configuration required, but that’s the gist.)
Forgejo Actions is definitely not a turnkey identical-to-GitHub solution, but it’s quite similar and for most not-super-complicated setups it’s basically the same (for better or worse, depending on if you like GH’s Actions).
As far as I remember, everything that I need works out of the box, except for Docker. In fact, just about everything Docker is somewhat quirky in Forgejo Actions.
One mildly annoying quirk of Forgejo is that as of current, the token generated for each Actions run is not quite the same as GitHub’s token. For my specific use case, if you want to upload a Docker Image to the package repository, you can not use the standard auto-generated token, which GitHub does allow you to use. Forgejo instead currently requires you generate your own app token and use that instead, as the auto-generated one lacks permissions over packages. (https://codeberg.org/forgejo/forgejo/issues/3571)
Depending on your infrastructure, it might just be impossible to make the various Docker-related actions (such as https://code.forgejo.org/docker/build-push-action) work. As an example, my infrastructure outlined below is one such case where those actions simply do not work.
Bare Metal (Debian 12)/
└─ Rootless Podman/
   ├─ Forgejo
   ├─ Forgejo Runner
   └─ Podman-in-Podman (Inner Podman also Rootless)/
      └─ <Actions Containers Run Here>
* If you use rootful Docker with Docker-in-Docker, those actions will then work as expected. It is just that attempting to make them work with Rootless Podman (at least the version that ships with Debian 12) currently seems to be impossible.
For all intents and purposes, “gateway” just means “router,” especially in consumer/home networking. Routers act as a gateway, routing traffic from one network to another network. On one end of the router is your WAN (ISP / internet at large / etc.), and on the other end is your LAN.
Switches on the other hand are “dumb” and only act to expand a network. They basically act like a power strip does: What was one port is now more. (This example will probably upset someone for reasons, but they’ll also understand that it works well enough.)
Thought exercise: What happens if you plug the WAN cable from your ISP into a dumb switch (like https://www.amazon.com/dp/B00A128S24), and from there you plug in several devices (PC, printer, etc)? I am not answering that question because just about anything can actually happen. It depends on how your ISP is configured and will almost certainly not work 100% correctly.
Now onto the actual response: For the most part, every consumer router is a router/switch/wifi AP combo box, and are capable of being used for all or any combination of those features.
If you’re not planning to use your device as a router, then we’ll ignore the routing functionality. All prior points where I say “this happens at the router, not the switch” still apply. (Your device can still be called a router, as that’s what it’s sold as, but you’d be using it with all the routing functionality disabled, only using the switch and possible WiFi features.)
If you do plan to use your device as a router, then the prior points where I say that now apply.
Anyway, you’re in luck since the switch built into your device is almost certainly VLAN-capable (it’s quite rare, but some devices are not capable of it). If you’re not using the device as a router, that’s where things probably end, since (at the switch level) VLAN support is pretty much the only thing of note.
I spent so long writing this I actually forgot what I was trying to say initially. I’ll likely draw a diagram to explain some things for you.
The important thing is that “switches” (or your device if you’re not using the routing functionality) are “dumb devices” that only do very simple tasks and generally aren’t capable of much in terms of advanced security features. “Routers” are smarter devices where the task they do is a bit more complex, and are where the advanced security features can actually be applied.
Building on the advice others gave:
Going off your response to foggy:
achieve better security through segmentation by isolating cloud-connected devices, guest devices from trusted devices.
You’re describing VLANs. VLANs are something that the OWRT documentation (last I used it) was simply very shit at. I’ll make the assumption you understand or are capable of learning about how VLANs work. (TLDR is that devices on different VLANs can not talk to one another without going through a router or a layer-3 switch, which I don’t think OWRT handles anyway. Once you know what tagged/untagged means, then you’re good to proceed.)
The way you access VLANs in modern OWRT is: Network > Interfaces > Devices (tab). From here, you may see different things depending on your hardware. In my case (I use consumer routers), I have several “network devices” which map to a physical port, and a single bridge device. From there, I can click on “configure” for the bridge device and select the “Bridge VLAN Filtering” tab to configure the vlans on the various ports.
Note that VLANs if incorrectly configured can easily make it impossible for you to access your device, requiring you reset it.
Being able to “pin” a Mac address to an IP, and being able to use internal network name resolution to reach those devices.
To my knowledge, OWRT lacks the ability to pin MACs to specific ports, at least in the web UI. It may be possible to do this manually in the configuration files, but I have never attempted to do so myself.
a blocklist for known ad-domains / malicious domains.
You generally do this on your (core) router, not the switch. (Unless your switch is doing some really funky behavior, in which case you’re not here asking questions.) Most devices OWRT runs on, however, have very little flash and not much RAM. While you can probably get Pi-Hole or Adguard Home to run on them, I do it differently.
I run Adguard Home on a device separate from my router, and on the router, I have set the AGH device as the first DNS server (OWRT: Network > DHCP and DNS > Forwards (tab)), then I enable Strict Order (“Resolv & Hosts Files” tab).
a high level monitoring capability to see what devices are communicating with what domains / IPs
I would do this on the router level, not switch level. That said you can actually just follow this tutorial here https://grafana.com/blog/2021/02/09/how-i-monitor-my-openwrt-router-with-grafana-cloud-and-prometheus/
An IDS capability of some sort to be able to detect anomalies in my LAN.
This is not something I’ve ever attempted or done, so I’m interested in hearing what you come up with when/if you ever get there.
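The bridge VLAN filtering and the DNS forwarding described above, written out as the UCI config files that the LuCI pages edit. This is an added example, not config from the original comment; port names (lan1–lan3), VLAN IDs, addresses and the AdGuard Home host 192.168.1.53 are constructed assumptions for a DSA-style OpenWrt 21.02+ router.

```uci
# /etc/config/network  (constructed example; port names are assumptions)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 1 = trusted LAN. lan1 stays untagged with PVID (the "u*") so the
# admin PC keeps access and a mistake here does not lock you out.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan3:t'

# VLAN 20 = cloud-connected / guest devices: untagged on lan2,
# tagged on lan3 toward a VLAN-aware AP.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	list ports 'lan3:t'

# Each VLAN gets its own interface on the router side (br-lan.<id>).
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (constructed example)
# "Forwards" tab = list server; "Strict Order" = strictorder, so the
# AdGuard Home box is always asked first instead of whichever
# upstream answers fastest.
config dnsmasq
	list server '192.168.1.53'
	option strictorder '1'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
```

When the device is also the router, whether VLAN 20 can reach VLAN 1 is decided by the firewall zone each interface is placed in (Network > Firewall), not by the bridge-vlan entries alone.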
The earliest thing I remember with certainty it’s correct was my friend across the street, who was older than me, asking me to look up “naked girls” for him.
I have one hen who is a cross of buff orpington, barred rock, and various random breeds. She is a pretty bird but that is a gorgeous one.
I currently (until I eventually get around to setting up a jump server) use this exact setup. This is because CF tunnel is free, easy, and bypasses any ISP-level tomfoolery that blocks port forwarding, with the last being the most crucial to me.
I will eventually get around to setting up my own equivalent tunnel, however that’s not free and not as easy as CF tunnel.
This is literally the first post I saw when opening the app. I guess I’ll do something else.
Quick search to verify…
So this is how I learn. Wouldn’t have it any other way.
Docker, using the nextcloud:stable image (not all-in-one) with postgres, behind nginx, and finally ZFS with 2x modern HDDs for storage. I run the stock apps plus a small handful, and have carried the same database through many versions over the last 5 years.
It’s usable, but definitely not snappy.
The web interface for files is fine. Not instantaneous at all but not a huge problem. I have about 1TB of files (images and videos) in one folder, then varying files everywhere else. I suspect that the number of files (but probably not the size) is causing the slowdown.
Switching to, for example, the notes app is incredibly slow, and the NC Android app is just as bad.
Return for refund or replacement. If you’re even slightly concerned about WD giving you trouble, but know eBay/the seller won’t, just go that path since it’s still available.
Since you’re new, I’d recommend just using the old PC to start and get comfortable. Once you’re sure you want to invest some money, you can either build it or buy yourself something more energy efficient if you’re super concerned about that.
As for the best OS, just any server OS will do. I run Rocky Linux which is a RHEL derivative, but you can also try TrueNas or anything else you want. Even Windows Server would work if you wanted to go that path.
There are many paths you can take, and which you go down depends heavily on personal preference and the desired use of your system.
I use KeePassXC, but am assuming KeePass is very similar.
You’ll have a single file on your machine that is your encrypted password database. Syncing is not handled by KeePass and is your responsibility.
If you want to sync only when you get home, as long as your sync app is fine with it, KeePass won’t know or care.
Keep in mind if you make changes on two devices without keeping them in sync, one will probably get overwritten unless you take special care to handle it. (My sync app warns me, then I take both conflicting files and in the KeePass app, I can merge them to solve the conflict without data loss.)
While I do not make heavy use of these two, I like having my contacts and calendar synced and accessible on both my PCs and phone.
I actually use the notes app, and have a yubikey. For notes, I could just use the regular markdown editor, but I like the way the app lays everything out. For the yubikey, NC by default uses yubikeys for passwordless login. I use an app which uses them for 2FA instead. I also use apps which allow me to view hashes and metadata from the files tab.
All that makes me not want to switch yet. We’ll get there eventually since none of the features I want are ultra complex or super uncommon.
OCIS, last I tested it (a while ago), also lacked the ability to right click files, requiring you to select it with the checkbox and then select the operation at the top of the screen. I sure hope that they’ve added that feature by now.