I’m not sure if this what you’re after, but it sounded to me that you were describing monitoring. Might be worth your checking out librenms or zabbix or checkmk. Those would give you a good overview of the health of your stuff and keep track of what’s where.
I’m not familiar with Zurg, but the WebDAV connection makes me recall: doesn’t LXC require that the FUSE kernel module be loaded in order to use WebDAV?
I’ve also seen it recommended that WebDAV be setup on the host and then the mount points bind mounted into the container. Not sure if any of that helps, but maybe it’ll lead you somewhere.
That’s a great tip. I’d completely forgot you can use telnet for that. Thanks!
Thanks for the response. I really should just dive in, but I’ve got this nagging fear that I’m going to forget about some DNS record that will bork my entire mail service. It good to hear about some working instances that people are happy with.
Tainted in that the kernel and ZFS have different licenses. Not a functional impairment. I have no way to check to check a system not using ZFS. For my use case, Debian plus ZFS are PVE’s principal features.
Have you by any chance documented your PMG set up? I’m also a very happy Mailcow user and spinning up PMG is something I’ve been meaning to tackle for years so I can implement archiving with mailpiler, but I’ve never really wrapped my head around how everything fits together.
Ceph isn’t installed by default (at least it hasn’t been any time I’ve set up PVE) and there’s no need to use ZFS if you don’t want to. It’s available, but you can go right ahead and install the system on LVM instead.
You ever see those Wired videos where they talk about a concept on five different levels ranging from beginner to expert?
The first level answer is likely that, yes, you’re reasonably secure in your current setup. That’s true, but it’s also really simplified and it skips a lot of important considerations. (For example, “secure against what?”) One of the first big realizations that hit me after I’d been running servers for a little while and trying to chase security is the idea of a threat model. What protects me from a script kiddie trying to break into one of my web servers won’t do much for me against a phishing attack.
The more you do this, though, the more I think you’ll realize that security is more of a process than an actual state you can attain.
I think it sounds like you’re doing a good job moving cautiously and picking up things at each step. If the next step is remote access, you’ve got a pretty good situation for a mesh VPN like Tailscale or Netbird or ZeroTier. They’ll help you deal with the CGNAT and each one gives you a decent growth path where you can start out with a free tier and if you need it in the future, either buy into the product or self host it.
There’s definitely nothing magic about ports 443 and 80. The risk is always that the underlying service will provide a vulnerability through which attackers could find a way. Any port presents an opportunity for attack; the security of the service is the is what makes it safe or not.
I’d argue that long tested services like
ssh, absent misconfiguration, are at least as safe as most reverse proxies. That doesn’t mean to say that people won’t try to break in via port 22. They sure will—they try on web ports too.