Setting up and securing Roundcube and going forward into a self-hosted future.
We load up OpenDKIM, SpamAssassin, ClamAV, and get Sieve filtering operational.
Gmail? Apple? The cloud? Forget ’em all—in this series, we take your e-mail back.
Our self-hosting e-mail series continues as we get our ducks—and doves—in a row.
For owners of the HP Microserver N36L/N40L/N54L/Gen8/Gen10. Reported hardware that works, known fixes and common questions/answers. Please feel free to contribute to this wiki.
OpenCloud
Immich
Vaultwarden
Docmost
HomeBox
What is HomeBox?
Inventory management for regular people
Homebox
Keeping track of everything I own
Home Assistant
My smart home’s true brain
Nextcloud
My digital filing cabinet
Firefly III
Building a stable financial home
KitchenOwl
My personal kitchen companion
Homarr
Bringing all my apps together
Gen7 (N54L, N40L, N36L)
The N40L comes with 1 × 2GB ECC RAM installed. It will accept up to 16GB (2 × 8GB) of 240-pin DDR3 SDRAM 1333 (PC3 10600) RAM.[1]
Non-ECC RAM is compatible, but not recommended for mission-critical servers. Most casual, NAS or home server systems do not require ECC RAM.[2]
Does not support registered (buffered) modules. Using registered modules will result in the server failing to POST/boot ('blue light').
Capable of utilizing dual channel RAM, which results in marginally increased memory speeds when two matched DIMMs are installed.[3]
One of the most anxiety-inducing parts of self-hosting for me is ensuring that everything is as locked-down security-wise as possible. That's become even more critical as I increase my footprint, adding my own domain and subdomains that point to each service. I'm also a little particular, and while I could use a self-signed TLS certificate to ensure HTTPS for the services that need it, the reminder that it hasn't been done "properly" every time I access those services irks me.
And while there's any number of reverse proxies that I could use to access those services, few are as easy to set up and use as Caddy. //
Officially, Caddy is an open-source web server that can be used for many things. But because it's so easy to set up and includes built-in automatic HTTPS with TLS certificate management, it's often used as a reverse proxy for the home lab. That's because every domain, IP address, and even localhost are served over HTTPS, thanks to the fully automated, self-managed certificate authority.
The entire server is controlled by a single configuration file, the "Caddyfile," which is human-readable, and most tasks are handled with a few simple lines of text.
Direct, encrypted file transfers from your computer to anyone, anywhere — no signup, no cloud storage in between.
Think of it like AirDrop for everyone.
GitHub
Free & Open source
Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps
The entire file server and all its features are compressed into one Python file. Drop the file into the root directory of the drive you want to use, and run it to start the server. That's it.
You can run it almost anywhere, including Linux, macOS, Windows, Android, and even Raspberry Pi. You can choose to run it with or without Docker, and the whole setup is incredibly portable. Yes, you can build your own Raspberry Pi cloud server with Nextcloud, but it won't get nearly the performance you would with Copyparty.
The simplicity also extends to what Copyparty actually does. It's a web-based file server where you can upload, download, share, and store files for as long as you need. No extra email clients, calendar apps, or fancy collaborative editing features. Just a simple file server that lets you manage your files with ease.
Call it a badge, sticker, button, or whatever you'd like. Create yours below. Pick some colors, enter some text, and you'll get a button you can download for your site.
There's no consumer more averse to DRM-adjacent restrictions on computer technology than the data hoarders who buy NAS devices. Synology's thinking here was close to incomprehensible. When I read about it I assumed it had been sold off to private equity or hired an AI trained on a remote learning MBA syllabus as CEO.
The basic key points:
10 inch 1U size rack system with 1 insert slot
19 inch 1U size rack system with 2 insert slots
modular insert system for easily push-in and pull-out
some pre-modeled inserts available at launch
2 blank inserts for customization: https://makerworld.com/en/models/1032228
The question seemed easy enough: We’ve dropped a user, now we want to change the DEFINER on all database objects that currently have it set to this dropped user?
This should be possible by checking the INFORMATION_SCHEMA tables of the appropriate object types (routines, triggers, views and events) and performing an ALTER on each of them that just modifies the DEFINER but nothing else, right?
Unfortunately it isn’t that easy, or at least not yet (see http://bugs.mysql.com/73894 and https://mariadb.atlassian.net/browse/MDEV-6731 ).
PsychoArs Ars Scholae Palatinae
jhodge said:
If your management network is accessible from the Internet, you're doing it wrong. It needs to be fixed, but this shouldn't be a full-on freakout for most shops.
Yes and no.
If your management network is accessible from your workload network, you're doing it wrong. All it takes is a compromised laptop/desktop/IoT device that's reaching out and lets a bad actor control it. Defense in depth. //
fuzzyfuzzyfungus Ars Legatus Legionis
PsychoArs said:
Yes and no. If your management network is accessible from your workload network, you're doing it wrong. All it takes is a compromised laptop/desktop/IoT device that's reaching out and lets a bad actor control it. Defense in depth.
You also probably want 'your management network' to be internally divided to the degree possible. Ideally you'd like all your BMCs to work for you; but if one of them turns out not to, you can't necessarily trust the remainder to protect themselves (and for newly added devices that aren't supposed to require hands-on provisioning, more or less blind trust in the first thing that talks to you is a feature; so you really, really, want that to be you).
Not every wire can be cut, or you might as well just get an empty shed for much, much, less money; but there is often not much call for any two random devices on the management network to talk to one another, rather than a relative handful of monitoring and provisioning systems talking to otherwise solitary BMCs who have no excuse for knowing about one another. //
Little-Zen Ars Praefectus
Deny_Deflect_Disavow said:
“The vulnerability, carrying a severity rating of 10 out of a possible 10, resides in the AMI MegaRAC, a widely used firmware package that allows large fleets of servers to be remotely accessed and managed even when power is unavailable or the operating system isn't functioning.” I'm not sure I understand how firmware can be manipulated if electricity is not available or the OS is not functioning. Secondly, these hosts may be physically wired to any network, yet how can a remote execution or procedure call be issued to the server if powered down?
If there's literally no power, like at all, then they aren't accessible, yes. But that's "no power" as in "the whole building's power is out."
If, however, it's just that the server has been powered off but is still plugged in, and the BMC is connected to a network, you can reach it. These are things like Dell iDRAC, HP iLO, Lenovo IMM, etc. They're designed to be always on, and they provide a way to access the server as though you were physically there, including a virtual console that acts like a connected monitor and keyboard, so you can even remotely power on/off a server if necessary. It doesn't use the installed host operating system - think of it like a remotely accessible BIOS with a ton of other functionality that also lets you see what's happening on the system in real time. You can even virtually mount ISOs to remotely install an operating system.
It is extremely convenient and I'm sure anyone here who has worked in IT has stories about how iDRAC saved their life at one point or another. I certainly have a few.
However, I can also say - when I was managing servers, all my BMCs were connected to an isolated VLAN, in-building only accessible from another isolated VLAN and to only a very specific set of users with separate logins used solely for interacting with devices on the management network, and remotely over a VPN that only allowed that very specific set of users to access a jump box, which itself was accessible only with the separate management network logins.
You absolutely want to isolate and protect these interfaces specifically because of vulnerabilities like this one.
Clarity, at a glance
TRMNL is an e-ink companion that helps you stay focused.
Stay focused
Meet the world's first dedicated screen for things that matter.
This tool is useful to check if a given Network Time Protocol server is reachable over the internet using IPv4 and IPv6 connectivity.
It is also useful for knowing the resulting offset using the exact time of x1.ncomputers.org stratum 2 NTP public server.