Yeah what you’re talking about is a DMZ, it still won’t help a ton if you don’t have strict firewall controls inside your network too.
I just use wireguard with firewall rules to restrict to just my server with my docker containers on it and my DNS
I still use a reverse proxy, but to get into my network you need to be on VPN. It’s more secure for me I guess.
I use traefik forward auth, even inside my network on VPN, for an extra layer of security for some apps.
My opinion is that port 443 getting accidentally misconfigured by me is just too likely a scenario. With wireguard on my router I also am able to restrict traffic to ONLY my webserver and DNS servers for my devices.
So I guess that’s another positive of wireguard, you can use your own DNS servers for all your phones all the time and always have ad blocking with pihole or something similar, even on mobile.
By using VPN I don’t have to worry about accidentally exposing a website with a copy paste error or something over my reverse proxy. I can also easily restrict who has access to my VPN and do routing rules from my router per device or subnet (for people who aren’t in my family I have a separate subnet I assign with more strict firewall rules)
If this server is publicly accessible and gets pwned, they can use it as a jump box for your internal devices.
Just close 443 and use VPN with ACME DNS challenges for your certs. That’ll help make it even more secure, nothing is foolproof though and a VPN is a good first step
Ofc, but then you now have a dependency on a specific version of ffmpeg for your root OS
Just had an example of this working for me. Parsec only publishes a .deb file, and the flatpak is out of date / unmaintained. They don’t have Nvidia decoding anywhere but Ubuntu. But with distrobox / boxbuddy I can get a fully-featured parsec install that runs on a distrobox. Works perfectly, and even has an application in my host application menu. It’s bad ass
I meant for bazzite. You can use an arch distrobox and it’ll be like you had arch installed already
Yup, but now I get to use whatever distro I want with distrobox. It’s awesome
I’ve installed .deb files before that fail or miss dependencies, then you get stuck in a half applied state and have to force fix your apt packages.
I’m not saying I’m doing it right, but it’s happened before more than a few times to me, but not on bazzite
Yeah, until that one time when you tell apt to force install a package and it fucks your entire system…
I’ve never used Garuda so I can’t comment on that. It just behaves like the steam deck but uses fedora
Only if you hook up a torrent client. There’s no requirement to do so
I believe bazzite is on btrfs by default. I just like the concept of a read only root filesystem. It helps make everything more stable so far for me personally
The root filesystem is immutable, not the entire filesystem. So when you do upgrades and things it’s super easy to roll back and you never need to rebuild your entire OS if a package is messed up or something.
Tbh I’m not great at explaining it, I’d just look up a YouTube video for it.
https://youtu.be/5w7gG0bMIeI?si=k1XGQDPbHxcborXe
Bazzite uses silverblue with other gaming related features
Just use distrobox with Ubuntu or Debian for your tools and such. It tightly integrates with your OS and doesn’t sacrifice the immutability
It’s awesome. The packages don’t matter because you use distro box if there’s not a flatpak that works already. I have an Ubuntu distro box for tools for things that don’t work on fedora.
It uses ublueos for an immutable which is rock solid. Idk how to explain it well, but it’s the only distro I want anymore.
If u do end up trying it and find a package that doesn’t work, ping me and I’ll get you a command you can run to do it
Use bazzite when you do. It’s awesome
For jellyfin/Plex you can try downloading everything with lidarr
Self hosting email is a terrible idea. Your Internet goes out? All your emails are black holed
Bazzite is awesome so far for me