• 0 Posts
  • 277 Comments
Joined 2 years ago
Cake day: June 9th, 2023

  • Do you want to prevent brute forcing or do you want to prevent the attacker from getting in?

    If you want to prevent brute forcing then software like fail2ban helps a little, but this is only an IP-based block, so with IPv6 this is not really helpful against a real attack, since rotating IP addresses is trivial. But it can still slow down the attacker. Also, limiting the number of sessions and auth tries does significantly slow down the attacker.

    If you just want to not worry about it, set strong passwords, and when it is a multi-user system where other ppl might access it, configure Public Key Auth so you can be sure the other users have strong passwords (or keys in this case) to authenticate.

    With strong passwords or keys it is basically impossible to brute force your way in with ssh.
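    The IPv6 point above, as an added example that is not part of the original comment: counting failed SSH logins per exact address misses a source that rotates addresses inside one prefix, while counting per /64 catches it. The log lines are constructed, and the names `block_key`, `offenders` and `max_retry` as well as the choice of /64 as the aggregation size are assumptions of this sketch.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Jan 10 03:11:01 host sshd[811]: Failed password for root from 2001:db8:aa:1::10 port 40122 ssh2
Jan 10 03:11:03 host sshd[812]: Failed password for invalid user admin from 2001:db8:aa:1::11 port 40124 ssh2
Jan 10 03:11:05 host sshd[813]: Failed password for root from 2001:db8:aa:1:9c4f::12 port 40126 ssh2
Jan 10 03:11:07 host sshd[814]: Failed password for root from 2001:db8:aa:1:ffff::13 port 40128 ssh2
Jan 10 03:12:10 host sshd[820]: Failed password for root from 198.51.100.7 port 51510 ssh2
Jan 10 03:12:12 host sshd[821]: Failed password for root from 198.51.100.7 port 51512 ssh2
Jan 10 03:12:14 host sshd[822]: Failed password for root from 198.51.100.7 port 51514 ssh2
Jan 10 03:15:40 host sshd[830]: Failed password for bob from 2001:db8:bb:2::5 port 33010 ssh2
Jan 10 03:16:02 host sshd[831]: Accepted publickey for alice from 203.0.113.9 port 60100 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def block_key(addr, v6_prefix=64):
    """Return the unit to count and block: the exact IPv4 address, or the IPv6 prefix."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{addr}/{v6_prefix}", strict=False))
    return str(ip)


def offenders(log_text, max_retry=3, aggregate_v6=True):
    """Map each source (address or /64) to its failure count once it reaches max_retry."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            key = block_key(m.group(1)) if aggregate_v6 else str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # not an IP literal (e.g. a resolved hostname); skipped in this sketch
        counts[key] += 1
    return {k: n for k, n in counts.items() if n >= max_retry}


if __name__ == "__main__":
    print("per address:", offenders(SAMPLE_LOG, aggregate_v6=False))
    print("per /64:    ", offenders(SAMPLE_LOG, aggregate_v6=True))
```

    Blocking a whole /64 also blocks every other host in that prefix, so this trades precision for coverage.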


  • ShortN0te@lemmy.ml to Selfhosted@lemmy.world: Do I really need a firewall for my server?
    15 days ago

    You do not even need a port based firewall when the server is open on the internet.

    When you configure the software to not have unnecessary open ports over the internet connected interface then a port based firewall is providing zero additional security.

    A port based firewall has the benefit that you can lock everything down to the few ports you actually need, and do not have to worry about misconfigured software.

    For example, something like docker circumvents ufw anyway. And I know ppl that had open ports even tho they had ufw running.





  • A project ending as abandonware is always a possibility. One reason projects get abandoned is losing funding, which can be secured by using dual licensing and selling some features to businesses.

    That is not my point.

    Having a CE or OS version and an Enterprise Version can lead to a conflict of interest. Do you add a feature to the OS Version or do you spend time on the Enterprise feature? There are a lot of examples, Emby is one, others are escaping me right now.

    There are other models that work well like paid support etc. Nonetheless I will stay away.









  • Just subscribe to the release channel. That varies from OS to OS or Software, but is worth it.

    Use tools that are universal. For example, I have not used TrueNAS Scale because they did not support native docker at the time. OS specific solutions are more likely to break than universal ones (truecharts vs docker).

    To get up and running again after a complete failure I can just download the latest config and data from my backup and set up any distro that supports docker and my system is running again.

    I do OS upgrades when they are available, usually within 1 or 2 days and containers are updated with watchtower daily.


  • The main difference I would say is the development and licensing model. PhotoPrism is forcing ppl who want to commit to sign a CLA to give away their rights. Also the community is not really active, it is mainly one dev that can change the code license at any given time.

    Immich does not have such an agreement and has a huge active contributor community around it. Also Immich is backed by FUTO, which has its pros and cons.

    Imho the biggest pain in self hosting is when a foss product turns evil towards its community and starts to practice anti consumer/free selfhosters business practices.

    Immich is far less likely to turn evil.

    Edit: I think it is the biggest pain cause you have to migrate every device and person to the new service.




  • Immich requires to be run on a server to function, but a lot of (or even all) of its functions are things that could reasonably be done entirely on-device. Aves combined with some automatic backup solution such as Nextcloud gets (from what I can tell) most of the functionality Immich offers.

    How would you backup Immich on device?

    And if you backup to Nextcloud then you already have a server?

    So you are arguing that having a file server is enough? And processing is done on client side?

    That would be in this case very inefficient.

    1. You would need to have all the data on the Client or transfer all the data to the client once you load it.
    2. Your device has to do all the processing which would lead to lower battery life.
    3. How do you handle multiple Users? Giving partial access to the Filesystem?

    I could come up with other points but this should give you an idea. Yes, for some use cases a server-client approach does not make sense but for a dedicated photo backup and indexer it absolutely does.