No, since at the moment it wants to manage certificates, but I don’t intend to run pangolin as my main reverse proxy.

Pangolin is the most user friendly self hosted alternative to Cloudflare tunnels. There are dozens alternatives, but none with that feature set and such a UI.

I would rather bet that most people have no clue what an operating system is and that the one they (unknowingly) use is made by Microsoft. On the other hand if they play games (on that PC), they will know Steam, because they actively had to install it and click its icon frequently.

Yes. You can simply not expose SMTP at all and just use the IMAP/JMAP part. Unless you need also JMAP, I am not sure it brings you a lot to the table you wouldn’t also get from a good old dovecot. IMO the big advantage of Stalwart is the all-in-one package it delivers plus the good defaults. It also shines when you want a multi node deployment. For a single node IMAP only it might not be the best choice, in my opinion. But it would work, if you want to.

We can ask, but the indicators are there:

• it has roadmap with bigger features that slowly shrinks as they get implemented
• new versions still bring big reworks (I think this is the third time now that the data structure is being migrated)
• optimizations happen between the versions
• benchmarks are still on the horizon

It aims at both, otherwise it wouldn’t ship with sqlite and rocksdb. Stalwarts default is clearly for single node setups and expanding it to clustering takes further steps. So while it supports large scale deployments, it should not be limited to it.

It’s a 0.x release. It makes sense building the intended features first before optimizing heavily. There’s no point having an optimized data structure that then falls flat once you need to add new features that brings new requirements to the data structure.

Once they label it 1.x (i.e. feature complete and production ready) I would expect it to be optimized. If it isn’t, criticism is warranted.

Well exactly as you say: it’s a single service instead of having to combine multiple. In my case dovecot was a lot faster for my mailboxes, but postfix was a piece of shit and I was happy to get rid of it and the many components (rspamd, dkimproxy, etc.) it required. It has far too many footguns, and I shot myself multiple times with them over the years. So the most important part (SMTP) is significantly simpler and IMO better with stalwart. And the mailbox part hopefully evolves as well (it already has JMAP, so that is already an advantage over dovecot as well).

Use Stalwart as mailserver. Besides coming with sane defaults, it allows to put hooks into almost every mail stage. Those hooks can be sieve scripts, local binaries or http calls.

It kind of is, unfortunately. Games are often developed with a lot of pressure and the constant dangling of the budget being cut off. I don’t think the devs are incompetent and think what they produced (code quality wise) would be the best, but what could they do if they need a result to present to the publisher end of week and then don’t get money (aka time) to clean it up but instead they get the next deadline.

On the other hand I am also not sure I can blame publishers. Things can easily spiral out of control if managed badly in the other direction… see Cloud Imperium Games (i.e. Star Citizen).

I talk fully about software. Add appropriate nftable rules to the container network and that’s it.

For me it’s not even about better or worse, but about different. For them it’s a nice iteration after many years, but for be it is one of the dozens of apps I use irregularly that suddenly behaves and works different and forces me to relearn things I don’t have any gain from. Since each of the different apps get that treatment every once in a while, I end up having to adjust all the damn time for something else.

I would really like we could go back to functional applications being sold as is without forced updates. I do not need constant changes all the time. WinAmp hasn’t changed in 20 years and still does exactly what it is supposed to. I could probably spin up an old MS Word 2000 and it would work just like it did 20 years ago.

Many modern apps however change constantly. No wonder they all lean towards subscriptions if they “have to” work on it all the time. But I, as a user, don’t even want that. I want to buy the thing that does what it’s supposed to and then I want it to stay that way.

Well, a big advantage of containers is, that you can isolate them pretty aggressively. So if you run a container that is supposed to serve content on a single HTTP port, expose only that port, mount no unnecessary volumes and run it on a network that blocks all outgoing traffic. Ideally the only thing left will be incoming traffic on the one port the service is supposed to serve.

Half off-topic, sorry: if you have some spare time on the weekend, you might want to take a look at nftables. AFAIK iptables is also just using nftables under the hood, so you are basically using a deprecated technology.

nftables is so much nicer to work with. In the end I have my custom rules (which are much saner to define than in iptables) in /etc/nftables.conf, then I have a very simple systemd unit:

[Unit]
Description=Restore nftables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush table inet filter
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

and finally if I push updates via ansible I simply replace the file and run nft -f /etc/nftables.conf (via ansible; on-change event).

Edit: oh and as an example how the actual rules file looks like:

#!/usr/bin/nft -f

add table inet filter
flush table inet filter

table inet filter {
  chain input {
    type filter hook input priority 0;

    # allow established/related connections
    ct state {established, related} accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # core services
    tcp dport {80, 443} accept comment "allow http(s)"
    udp dport 443 accept comment "allow http3"

    # everything else
    reject with icmpx type port-unreachable
  }

}

and with that I have my ipv4+6 firewall that allows pings and http

The shopping list alone is beautifully done. Glad that I could help 🙂

There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors.

– Leon Bambrick

Regarding your requirement, you might want to take a look at KitchenOwl.

If you prefer freestyle notes/lists, Joplin can share and sync note collections as well.