Aussie living in the San Francisco Bay Area.
Coding since 1998.
.NET Foundation member. C# fan
https://d.sb/
Mastodon: @dan@d.sb

  • 8 Posts
  • 2.5K Comments
Joined 3 years ago
Cake day: June 14th, 2023

  • Does it use http or MQTT?

    Home Assistant uses HTTP for this. Realistically, you won’t see much difference between HTTP and MQTT for this use case.

    MQTT is harder to secure than HTTP, and has some limitations (e.g. it normally only supports username and password auth - no SSO, no 2FA) so I’d avoid it for anything public-facing unless you have a specific reason to use it. Using it via a VPN is fine, but you’d still need to configure a separate MQTT username and password per user.




  • The end goal is to have no reliance on Tailscale as I am preparing for the eventual enshittification.

    Tailscale is mostly open-source. If they do anything bad then someone could fork the project. The coordination server isn’t open-source, but you could self-host Headscale as a replacement.

    If it still doesn’t suit your use cases, there are some alternatives.

    I personally wouldn’t directly deal with iptables or nftables rules, and instead use some other software to deal with that.





  • businesses not paying their employees enough to make a living.

    The thing I don’t understand is that even in states that have better minimum wages, the same tips are still expected.

    California has the same minimum wage for both tipped and non-tipped jobs, yet one person working a minimum wage job can be paid significantly more than someone also working a minimum wage job, just because they work in a position that’s customarily tipped.




  • dan@upvote.au to Selfhosted@lemmy.world: Kittygram v1.1 has released
    9 days ago

    All the data gathered by Cambridge Analytica was gathered through the public API though, after users had consented to share it (by logging into a quiz app that requested the permissions). That’s why the API is very locked down now, and the approval process to get any sort of data access is very strict.

    The main issue was that they gathered data from people whose profiles were set to be visible only to friends. If someone logged into the quiz and granted permissions, their friends’ data was also accessible via the API.


  • With your idea, you either have to list a local IP in your public DNS record, or hijack your local DNS to point to the local IP. Both feel inelegant.

    The DNS records for your internal servers don’t have to be public - they can be only on an internal DNS server if you want to do that. Only the _acme-challenge subdomain has to be public. Let’s Encrypt does follow CNAMEs.

    And you have to give your NAS write access to your API key of your DNS registrar

    You can use a separate DNS server just for Let’s Encrypt, as it follows CNAMEs. I use acme-dns for this. Let’s Encrypt supports IPv6-only DNS servers so I have my acme-dns instance listening on an IPv6 address in the /64 range on one of my VPSes.
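
An added example (not part of the original comment) of the layout the comment above describes: it audits a constructed public zone to confirm that no internal address is published and that the `_acme-challenge` name is a CNAME into a separate challenge-only zone, then follows that CNAME the way a DNS-01 validator would. The hostnames, the `auth.example.net` zone, the record values and the function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed public zone: (name, type, value). Internal hosts such as
# nas.example.com. live only on the internal resolver and are absent here.
PUBLIC_ZONE = [
    ("example.com.", "A", "203.0.113.10"),
    ("_acme-challenge.nas.example.com.", "CNAME", "d420c923.auth.example.net."),
]
# Constructed record served by the separate challenge-only DNS server.
CHALLENGE_ZONE = [
    ("d420c923.auth.example.net.", "TXT", "constructed-token-value"),
]
# Address ranges that should never appear in the public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def follow_challenge(host, records, max_hops=8):
    """Return (final_name, txt_values) reached for host's DNS-01
    challenge after following any CNAMEs."""
    name = f"_acme-challenge.{host}"
    for _ in range(max_hops):
        targets = [v for n, t, v in records if n == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
    else:
        raise ValueError("CNAME chain too long or looping")
    return name, [v for n, t, v in records if n == name and t == "TXT"]

def audit_public_zone(zone, challenge_suffix):
    """Flag internal addresses in the public zone and challenge names
    that are not delegated to the challenge-only zone."""
    findings = []
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if any(addr.version == net.version and addr in net
                   for net in INTERNAL_NETS):
                findings.append(f"internal address published: {name} {value}")
        if name.startswith("_acme-challenge."):
            if rtype != "CNAME" or not value.endswith(challenge_suffix):
                findings.append(f"challenge not delegated: {name}")
    return findings
```

With this layout the credential stored on the internal host only needs to update the one TXT record in the challenge zone, not the main zone.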





  • dan@upvote.au to Selfhosted@lemmy.world: Kittygram v1.1 has released
    10 days ago

    aggressively guard

    tbh it’s a hard balance for any social media company.

    Guard content too little and you end up with Cambridge Analytica, which was literally because the public APIs allowed too much access (third-party apps could see any data through the API that you could see through your Facebook account, including friends’ profiles). You also end up with headlines talking about big data leaks which really just end up being compilations of public data (which has happened to both Facebook and LinkedIn).

    Guard content too much and you restrict users’ freedom too much.


  • It’s not too bad if you use an outbound SMTP relay for sending. SMTP2Go is pretty good, and they have a free plan with 1000 emails per month. I use Mailcow and you can configure relays in their web UI, but it works just as well with the sender_dependent_relayhost_maps setting in Postfix.

    Sure, it’s not fully self-hosted, but the interesting part to self-host is the storage of your emails, not the sending (which will just relay through other SMTP servers along the way anyways).


  • Yeah, there’s no risk of the mortgage falling through, and not as much dealing with banks. I don’t really know the specifics but it was something I had to be aware of when buying my house. Luckily I was buying while it was a buyer’s market a few years ago, so prices were lower, fewer people were looking, and there weren’t any competing all-cash offers.



  • dan@upvote.au to homeassistant@lemmy.world: Bryant Heat Pump integration
    12 days ago

    I’d make sure there’s an officially supported integration, or one that’s 100% local (no cloud needed).

    It’d be frustrating to spend money and get everything set up only for Bryant/Carrier to decide that they don’t like Home Assistant any more and block an unofficial integration.

    Maybe someone else has better advice for your particular setup.

    For my house, it had central heating so I ended up replacing that with a central heat pump HVAC system that uses a regular thermostat (Gree Flexx with an Ecobee). I didn’t want to deal with anything proprietary. The Ecobee supports local control via HomeKit, which Home Assistant supports natively (no Apple device needed).