Hey guys!

I want to convert my now corebooted Thinkpad T430 into a Nextcloud server and possibly more (Syncthing, maybe Tor, maybe more)

1 500GB SSD, 1 1TB SSD

Currently runs Fedora Kinoite, I could rebase to something like secureblue uCore, Fedora IoT, uBlue uCore, …

Not sure if those would have broken configs though.

Maybe I would prefer something with slower pace, but tbh the pace of CentOS bootc becoming a thing is quite frustrating. This would likely be the perfect ‘install and forget’ distro for many, a KDE Image would be there in no time.

I wouldnt want to use a traditional distro, even though a base Debian or AlmaLinux/ Rockylinux (what the hell was that of a hydra? Cut off one head, spawn 2? what are the differences??) could just be fine. I used Debian in the past, it really just works.

I would like

  • Nextcloud AIO docker image, maybe with podman? It is supposedly more secure but the world runs on Docker, and all is fine. Podman is a pain quite often.
  • some nice management like Cockpit
  • dyn DNS, for example with NoIP, best free
  • secure ssh, that should be no issue
  • btrfs? or zfs? with backups to a secondary drive
  • automatic updates with snapshot creation. Atomic system would be easiest here.
  • easy to use and secure reverse proxy, with DynDNS for reliable address on the internet. NGINX, Traefik, Caddy, what is the best here??

Here I am not sure if I should use 1TB + 1TB, or 500GB used and 1TB backup. BTRFS backups can be incremental.

while I made a list of BTRFS tools I still have no idea what the best tool for this job is.

  • poVoq@slrpnk.netM
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    2 months ago

    No the Nextcloud DB is not excrypted, but neither is your LUKS file system while the computer is running. Anyone getting access to the server while it is running, can access all the data unencrypted. For a server this is the much more likely scenario than for a laptop, which might get stolen while turned off.

    At-rest disk encryption is useful for servers in co-location hosting, where a 3rd party might be able to pull a disk from the system, or if you are a large data-center that regularly discards old drives with customer data, and you want to ensure that no 3rd party can access that data from the discarded drives.

    • boredsquirrel@slrpnk.netOP
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      Yes the threat model is people pulling out the drive, of course.

      How should they get access to the server when it is running? You still need to connect to it and log in, which wouldnt be the case.

      • poVoq@slrpnk.netM
        link
        fedilink
        arrow-up
        1
        ·
        2 months ago

        It is possible that people get access to your server while it is running via known or unkown software vulnerabilities, but that isn’t really the point… all I am saying is that if you host your server at home, it is unlikely that at-rest disk-encryption does you any good and it certainly doesn’t help to protect against illicit remote access.

        What it does “help” is preventing you from remotely accessing your own server if it rebooted for some reason… and many other such footguns that you will experience sooner or later.

        • boredsquirrel@slrpnk.netOP
          link
          fedilink
          arrow-up
          1
          ·
          2 months ago

          Yes this is true. That is why a separate method would be needed, to log into and hand the password to the LUKS decrypt of the server.

          I heard Debian can do this with ssh in the initramfs?

          Sounds like a hella pain of course.

          Alternatively I thought about using a security key to unlock, and in scenarios where I am worried about getting hardware stolen, I can pull it out and need to manually enter the password.