Without Synapse migration it’s sadly still hard for longer established servers to migrate/impossible.


Xwiki is missing.
For me, after a similar search, it is the current winner, even though it has its downsides. We came from Confluence and tested a LOT of systems. My spreadsheet of systems we considered has around 120 rows by now. (Not all pure wikis, as we also moved away from Jira and considered going down a “put the wiki into the service desk” route.)
Pro:
It is well tested in an enterprise environment and mighty.
It has all the features I personally found important for a company wiki, e.g. approval, versioning, templates, collaboration, integration API, etc.
It is fairly easy to extend it yourself.
It is easy to host subwikis within the same installation with a self-defined grade of independence, which is great for customer-facing things, large projects with externals, etc.
The development community is big and enterprise-focused, and release cycles are good. (Not like a certain .js.) There is very little chance it will stall suddenly, as the wiki has been adopted by a lot of large companies which seem to support it.
It’s truly free, no “pay to get custom fields” bullshit.
It’s truly self-hosted.
It can be hosted system-side, if you are not into Docker.
Contra:
It is written in bloody Java.
(Even though this sentence is redundant with the one above) It is a resource hog.
The look and feel is a bit outdated unless you customise it yourself. Then it is reasonably good. But there are basically no paid templates, etc.
Paid support is only available through third parties, it seems.
It can be, well, slow to update… like physically slow. It is not hard to update, not at all… press a few buttons… but sometimes it takes ages.


Personal recommendation: Start with self-hosting support software like Casa, Yuno or (my recommendation) Cloudron. Start hosting the app there with frequent backups and occasionally export into regular Bitwarden as a failsafe.
And when you are comfortable, switch over to properly self-hosted Vaultwarden.


Just adding: Passkeys do mitigate a lot of these issues as well.


At the point someone pulls off a valid MIM attack - which is basically a requirement here unless the whole BW/Vaultwarden server gets compromised - that is the least of someone’s problems. MIMs are incredibly hard these days.


We kind of self-host almost everything - while we operate a small server ourselves, the main burden is on a dedicated server setup. Basically a FreeIPA + Authentik + OpenCloud stack as a base, with Redmine, Kimai, Zammad, Matrix, Jitsi and a few more apps (Moodle, SeedDMS, NetBox, Zabbix, OPNsense, Vaultwarden, Forgejo, Ansible). Additionally we use a fair share of software remotely via RDP.
Backups are done on-site and to three different off-sites, including cold storage backups.
As we all work fully remote, this setup is also fairly adaptable, and the switch to an (almost fully) Linux shop went far better than expected - my staff are fairly content with their setup (afaik).
The only things I refuse to self-host are email and VoIP.


Still mediocre compared to OPNsense/pfSense, IPFire, VyOS, etc.


I must admit I can’t find the exact guide I used anymore. Especially not an English one.
But the official guide should help you: https://www.zabbix.com/de/integrations/proxmox
I think whatever I used was pretty close to it. If you have any issues, send me a DM.
(And tbf, I use both the Agent2 and the API in a perverse mixture, and for some nodes IPMI on top of it. It’s really kinky, but it does the job.)


Absolutely, but unlike Ubiquiti they did not keep them under the rug that long. (Nevertheless: both are shit for firewalling. Put an OPNsense in front of it?)


Zabbix is extremely nice.
Why?
API monitoring for Proxmox and Docker/Podman. Aka “you don’t need to set up monitoring for every container/LXC/VM”. Do it once for the host, then everything gets autodiscovered.
Active and passive agents as well as SNMP, IPMI, etc. can be combined as you like. It also does website/service/application/database monitoring, SSH/Telnet checks and nowadays can even do Prometheus and MQTT/Modbus.
The proxy is really, really worth it. It collects data from nodes you do not want exposed and relays them to the server. This includes all kinds of inputs and is really easy to set up.
Due to it being around for two decades there are a shitton of templates for devices - and it’s fairly easy to do your own.
Unlike other systems (cough checkmk cough Grafana) there are no features that are only available to paying customers.
The major downsides are that it’s moderately to fairly resource intensive to run in a small setup (but it does consume less than others in large setups) and its far less flashy dashboards (which are still powerful, though).


Not a fan. Absolutely not.
They had multiple security incidents which they kept under the rug for a long time, they have the tendency to EOL devices without warning (which then means you need to replace your sometimes 9-month-old device or your whole environment can’t be updated), and their lock-in into their ecosystem is much more complete, as devices can’t be used properly without their environment (e.g. Omada devices can work without the Omada stuff, with Unifi you will always need a controller for some functions).
So if you really need SDN features like Unifi, look at Omada, otherwise Mikrotik is a solid alternative. (And OPNsense for firewall.)
My company is a part of critical infrastructure and we provide consulting in disasters (e.g. how to get a hospital back up and running). So we fall under European legislation to have certain precautions. And as I colocate in my company’s rack… it’s easier. As the rack is in a room I rent to my company. (We are small and I am the founder, that makes it easier.)
But yeah, we put a bit of thought into it. Waiting for Iris2 to finally materialise so I can finally get rid of LTE.
I have an LTE backhaul, but admittedly if the firewall itself craps out I would also be offline - but I can at least reboot it via a plain old GSM power plug. That thing does not directly reboot the firewall, though, but brings up an old Raspberry (USB boot, I don’t trust SD cards) which then checks if outside connectivity is still available (so if the GSM power plug gets compromised it’s not an issue) and if not tries a shutdown or, if that is unsuccessful, a power cut of the firewall. If that also doesn’t work it triggers a dry contact in the GSM plug which leads to the plug sending out an SMS so I know I am fucked and need to get someone with a key to the rack.
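The escalation logic the comment above describes (verify the outage first, then shutdown, then power cut, then raise the SMS alarm), written out as an added example; this is not the commenter’s own script. It assumes the connectivity check and the three recovery actions are injected as callables, so the decision logic runs offline against a constructed stand-in for the firewall; on a real Pi the callables would wrap `ping`, an SSH shutdown and two GPIO-driven contacts.

```python
import subprocess
from typing import Callable, List, Sequence, Tuple

def hosts_reachable(hosts: Sequence[str], timeout_s: int = 2) -> bool:
    """Real-world check for the Pi: True if any host answers one ICMP echo."""
    for host in hosts:
        result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if result.returncode == 0:
            return True
    return False

Step = Tuple[str, Callable[[], None]]

def recover(is_online: Callable[[], bool], steps: Sequence[Step]) -> List[str]:
    """Run the escalation steps in order until connectivity is back.

    Returns the names of the steps that were executed. Nothing runs while the
    link is up, so a trigger from the GSM plug alone (e.g. a compromised plug)
    cannot bounce the firewall: the Pi confirms the outage itself first.
    """
    done: List[str] = []
    if is_online():
        return done
    for name, action in steps:
        action()
        done.append(name)
        if is_online():
            break
    return done

class FakeLink:
    """Constructed stand-in for the firewall: recovers after N recovery actions."""
    def __init__(self, actions_needed: int):
        self.actions_needed = actions_needed
        self.actions_seen = 0
    def online(self) -> bool:
        return self.actions_seen >= self.actions_needed
    def act(self) -> None:
        self.actions_seen += 1

def simulate(actions_needed: int) -> List[str]:
    """Drive the escalation against a FakeLink (used by the demo and the test)."""
    link = FakeLink(actions_needed)
    steps: List[Step] = [("shutdown", link.act),      # graceful shutdown over SSH
                         ("powercut", link.act),      # relay cuts the firewall power
                         ("alarm_sms", lambda: None)] # dry contact -> plug sends SMS
    return recover(link.online, steps)

if __name__ == "__main__":
    print(simulate(0), simulate(2), simulate(99))
```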


Datacenter heat is actually a very good source for local heating networks, and a lot of European countries either already mandate considering it when feasible, have introduced legislation that will make it mandatory over the next years, or are at least supporting it financially.
It’s actually been fairly common to do so for a long time here - from waste incineration, steel mills, nuclear plants, etc.
Personally I heat my office from my server rack, and my old job did heat one of their office buildings from the heat generated by the data center in the basement. (And funnily enough also did partially cool it from that source.)


Have a look at OpenCloud.


Have a look at Agent DVR. Works locally and the “pro” features that one would need to pay for are basically just plugins. Everything else works nicely without it. Additionally it accepts basically everything you throw at it camera-wise and is far easier to configure than Frigate, also has a (good) HA integration and is extremely mighty if your system grows over the years.
The mobile app is nice, but it also works fairly well in a browser on mobile.


Did you just seriously recommend port forwarding to an NVR login? Even worse, with a consumer-grade router? With HTTPS, a non-standard port and a strong password as the only security tips?
Please, people, for the love of god: Don’t do that. Really. Don’t. This is really bad advice, sorry.
Unless you are very, very sure that your NVR solution is impeccable in terms of security (none are), you are 100% sure you stay up-to-date all the time (including reviewing updates for issues) and have additional measures like fail2ban, IDM/IDS, etc. in place, this is a very bad idea. HTTPS only helps in terms of password transmission/spoofing, which is an unlikely vector here, a non-standard port doesn’t help one bit here (have a bit of fun with Shodan and see for yourself), and while a strong password helps, it only helps if the auth of the system and the OS below it is watertight - a hard task.
It is always a bad idea to port forward unless you really, really cannot avoid it.
Use a VPN - as you said, WireGuard.


Simply choose a private DNS server like Mullvad, Quad, etc. and it should work…


Absolutely the best.
Tbh, at the moment the maintainer seems to have gotten the message - or at least tries to make it seem so. I would give him the benefit of the doubt at this stage, at least for a while.