+1 to cockpit. My entire network is domain managed and cockpit makes managing everything so much easier

Tell me then why it took years for them to add a horizontal rule (literally just a horizontal line). I’m not kidding, it was only added in the last few weeks. How do I know? I commented on the github issue about like 3 or 4 years ago (the issue was already multiple years old) and have been getting notifications every time someone asks for it. And finally like a week or two ago I finally got the notification that it was added.

It’s not that difficult to get SELinux working with podman quadlets, especially if you run things rootless. I have a kerberized service account for each application I host and my quadlets are configured to run under those. I very rarely encounter applications that simoky can’t be run rootless but I usually can find an adequate alternative. I think right now the only thing that runs as root is one of the talk or collabora containers in my nextcloud stack. No selinux issues either.

Thank you, it’s a lot of work and I could get by with a lot less but I’d like to essentially have enterprise level everything for me to just fuck around with and provide to friends as i see fit. It’s a bit if a hodgepodge of well implemented stuff stuck together with duct tape and bubblegum but im refining it slowly all the time.

I fr hate using AI to troubleshoot because I can feel how it makes me lazy, but sometimes using AI is better than banging my head against a wall for 10 hours. And usually i stop once I find a productive line of research or investigation to follow.

For local DNS i run FreeIPA since everything in my network is domain controlled. I’m gonna look into adding filtering through that, but we’ll have to see how it goes.

Theres so much I end up handling manually with my UDM that at this point i might rather just install open source routing software on it atp. I don’t even use the web UI for wireguard because I can’t even specify the allowed IPs for a connection.

I just turned off ad blocking. I can set up network wide filtering without relying on proprietary incompetence.

I’m not entirely sure how I want to run my ad blocking yet. I left adblocking on for the wifi subnet because I don’t mind it there, and I have ublock origin on my PC. I might use PiHole but my DNS on my network is actually managed by FreeIPA so making sure everything works properly there is paramount. I’m pretty sure I can do that easily but I need to test it to make sure my forward zones work as expected and nothing breaks.

Yeah I found some documentation from Ubiquiti afterwards that said all DNS requests would get proxied, although it didn’t mention it wouldn’t forward dynamic updates.

I did use dig, but I didn’t do a trace which probably would’ve been helpful. I just didnt anticipate that id be getting MITM by my own infra.

Bitwarden as Vaultwarden enables TOTP.

I actually have a hybrid setup. My public DNS and my mail server are in the cloud as those are too important to risk going down. I also have a FreeIPA replica in the cloud to help manage them. Then I set basically everything else up in my homelab because I don’t care if roundcube goes down so long as IMAP and SMTP still work.

Thanks for the really helpful perspective!