Thank you for your hard work. I had come across your previous post a while back; good to see it’s going well. Will try it, also looking forward to ARM support
Do you not need to update the firmware for newer versions of Zigbee?
Say, are you planning to update the stock firmware of the device with Tasmota? Will you keep on top of updates? Is there a need to?
Great setup
Reading is fine and all, but in my experience of learning about networking and security, I have always learnt the best when I have a need for it.
Let’s take the example you posted on your post. Now, we know that HTTPS is important so that nobody has access to the traffic you’re forwarding to the Internet. Encryption usually just requires two things: the data (your traffic) and a key to encrypt it.
When you’re visiting a website with a valid certificate, it sends its public key and the valid certificate to your browser. Your browser validates that the website you’re trying to visit seems OK (not sure about the internals of the process), and encrypts your traffic with the public key of the website.
The website can now decrypt your traffic with its private key. Nobody gets to snoop on your data (but they do get to snoop on your metadata, which I’ll come to in a bit). That’s how the process works, and I have essentially provided an overview of the TLS handshake in my explanation.
Why did I say that your data isn’t exactly secure even though you encrypt it? Well that’s because your metadata isn’t encrypted yet. It is only recently that the masses are picking up on ECH and ESNI (SNI - server name indicator; this is the DNS record of your request, which means your ISP knows which website you went to, but it doesn’t know what you did on said website). With that said, I was talking about the broader Internet, which seems to be out of scope for this discussion.
Let’s talk about another use-case of TLS in your homelab, since we’re on the subject.
Problem: you want to find the padlock symbol on your browser every time you visit an internal website, but since you’re using plain HTTP on your network, your browser considers it fit to annoy you with a warning that your destination might be a malicious website (it’s not, unless you don’t know what you’re hosting).
Immediate solution: use a reverse-proxy! Most reverse-proxies have integrations with certificate automation software (certbot FTW) which handles TLS on the client side and deals with the warnings (if you have understood the paragraphs that I have written till now, you will understand why this is the case).
Background: Have you heard of reverse-proxies? If not, a bit of reading on Wikipedia should do the trick, but basically, reverse proxies map a subdomain (slight understanding of DNS is required for this since certificates and DNS are tied closely) to a specific IP and port. This is important if you’re hosting containers on a single machine since the only way to reach a specific container is through the combination of IP:Port, but who wants to remember random numbers? Too lazy to do that.
Question: why not just use my DNS server to map subdomains and IPs? This might not be obvious to everyone if you don’t know about DNS and its limitations (in this scenario).
Let me know if you’re facing issues with anything that I typed here. It’s a long, long journey (I’ve been learning for years now and I still don’t get things right), but you’ll get there. Just take your time, make sure to not get overwhelmed, and you’ll make it.
Cheers
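The metadata point made in the comment above (the server name travels in the clear inside the ClientHello, before any key exchange has happened) can be checked directly. The following is an added example and not the commenter's code: it drives a real TLS handshake from Python's standard ssl module over in-memory BIOs, captures the first record the client emits, and parses the server_name extension out of it by hand. The hostname nas.home.example is a made-up internal name.

```python
"""Show that SNI is plaintext: capture a real ClientHello and parse it.

Added example, not from the original thread. Python's ssl module (OpenSSL
underneath) is asked to start a handshake for a hostname; nothing answers,
so the only thing produced is the unencrypted ClientHello, from which the
server_name extension (RFC 6066 / RFC 8446 s4.1.2) is extracted.
"""
import ssl
from typing import Optional

# Constructed hostname; any internal name you would put behind a reverse proxy.
EXAMPLE_HOST = "nas.home.example"


def capture_client_hello(server_name: str) -> bytes:
    """Return the raw bytes the TLS client writes first (the ClientHello).

    Memory BIOs replace the network, so this runs fully offline: do_handshake()
    writes the ClientHello into `outgoing`, then raises SSLWantReadError because
    no ServerHello will ever arrive. Certificate checking never runs.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a reply that never comes
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS handshake record holding a ClientHello and return the
    host_name from its server_name extension, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                        # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4                                            # msg type + 3-byte length
    pos += 2 + 32                                      # legacy_version + random
    pos += 1 + hs[pos]                                 # legacy_session_id
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + hs[pos]                                 # legacy_compression_methods
    if pos + 2 > len(hs):
        return None                                    # no extensions block at all
    ext_end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type = int.from_bytes(hs[pos:pos + 2], "big")
        ext_len = int.from_bytes(hs[pos + 2:pos + 4], "big")
        data = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                              # 0 = server_name
            continue
        # ServerNameList: 2-byte list length, then entries of
        # name_type (1 byte, 0 = host_name), 2-byte name length, the name.
        lpos = 2
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = int.from_bytes(data[lpos + 1:lpos + 3], "big")
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = capture_client_hello(EXAMPLE_HOST)
    print(f"{len(hello)} bytes of plaintext ClientHello, SNI = {extract_sni(hello)!r}")
```

Anyone on the path (your ISP, or a coffee-shop access point) can run the same parse on the first packet of the connection, which is the whole reason ESNI and its successor ECH exist. The same cleartext field is also what a TLS-aware reverse proxy reads to decide which container or backend a connection belongs to. Pass an IP literal instead of a hostname and OpenSSL omits the extension entirely, so extract_sni returns None.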
Is using WiFi on the ESP32 buggy?
Why is Zigbee rated to be better than WiFi?
Thanks. If I install tailscale on OPNsense I should be able to connect my IoT devices to the VPS.
I suppose you are right, but if I install a tailscale on my router like so, wouldn’t that work?
I see. Could you give me a few more examples on what could break if I go forward with this? Will I still need to consider multicast DNS if my DNS server is on-prem (Pi-Hole + Unbound)?
I remember that it was not possible to route multicast traffic through IPsec earlier, which is why people used to opt for GRE-over-IPsec. But just as IPsec supports multicast traffic now, doesn’t WireGuard too? Or am I missing something important as to why this is not supported?
What do you mean? Isn’t this supposed to work similar to a direct VPN connection to the VPS box, i.e. akin to the machine being in the same network? Am I missing something? What do you mean by “firewall” (on my side, or on the side of the VPS)?
I’ll likely be using Node-red and MQTT with some automation apps, probably. Not decided yet.
I plan to run a tailnet, which means the VPS box will be connected to my LAN using a VPN
This is software that aggregates results from other software engines whilst trying to keep you anonymous (if you have noticed, you are definitely not anonymous if you search using Google) and prevent fingerprinting. You need to be the one to run this software though. Search “client-server model”, and then imagine running both the server and the client at home
SearX is not maintained, it’s either SearXNG, this, or PreSearch
If the price is $100 lower if I shuck them, then I will take the slightly inferior warranty.
I don’t really like 7200 RPM drives, but I don’t have a choice if I’m looking at bigger drives.
Anecdotal evidence of people not really liking them in terms of reliability; also I can’t shuck them
Always purchase WD Red Pro Drives. WD drives aren’t bad, but their marketing is.
Oh, and Seagate isn’t the best company either with all of their failures. From now on, just stick to WD Red Pro and Ironwolf
I see. I do not want to spend $1000+ on a GPU, I suppose this will have to wait a few years
Unfortunately, I’m not a programmer. If I had more free time I could possibly help with your hosting infrastructure, but that’s a no-go too at the moment. I’ll keep your requirements in mind though, if I do find someone