I use a combination of netbox for the physical/logical network and server connectivity, and outline for text documentation of the different components.

This may be overkill for most use cases but you can use jcr.

The best reason to use it in my book is the garbage collection as the official registry doesn’t have that feature and can and will bloat over time.

You should look into GrapheneOS if you’re set on using pixel.

Looks good and I was able to get it on pretty quickly. I was about to post this from the app but saw it’s missing the web’s markdown shortcuts and image upload option.

Also looking at this post the screenshots are cropped and I didn’t see a straight forward way of looking at the whole image.

You may want to give this a quick read before using signal

https://dessalines.github.io/essays/why_not_signal.html

I personally haven’t verified the claims on there but I’ve been using a personal instance of Matrix for a while now and it’s been working great.

If you have a domain you own that’s the way to go, I went by your .home naming assuming that’s what you’re using. Since .home can’t be registered similar to .local, LetsEncrypt wouldn’t be an option.

I have a split DNS setup on my end so a service like jellyfin would resolve only internally since I want to limit it, but others would be both public and internal.

Shouldn’t be any risk if it’s all local.

For an internal domain you’ll need to set up your own internal CA to sign certs for your fqdns. The risk comes from any mishandling of that new CA since you’ll need to install it as a trusted root on all of your devices and if someone gets a hold of it nothing would stop them from creating a MITM attack for let’s say yourbank.com

If you have the CA’s key under lock then you should be good.

Funny enough I already made a few changes to the traefik configs, I saw someone else’s post and if it’s safe to assume that any request with Accept header starting with application/ should be routed to the Lemmy server, the following would work as well:

- traefik.http.routers.leddit-api.rule=Host(`leddit.social`) && (PathPrefix(`/api`, `/pictrs`, `/feeds`, `/nodeinfo`, `/.well-known`) || Method(`POST`) || HeadersRegexp(`Accept`, `^[Aa]pplication/.+`))

I’ve also added caching policies to make sure none of the API responses are cached and having the UI be cached explicitly since it’s not done today.

services:
  lemmy-server:
    deploy:
      labels:
        - traefik.http.routers.leddit-api.middlewares=no-cache
        - traefik.http.middlewares.no-cache.headers.customresponseheaders.Cache-Control=no-store
...
  lemmy-ui:
    deploy:
      labels:
        - traefik.http.routers.leddit-web.middlewares=cache-control
        - traefik.http.middlewares.cache-control.headers.customresponseheaders.Cache-Control=public, max-age=86400