

This is fine unless you have a slightly higher threat model.
Me personally, I dislike the idea that if someone (VPS provider or LE) were to snoop inside my VPS, they would have all of my unencrypted data where TLS ends and WireGuard picks it up.
I don’t do anything illegal, but I do have photos, personal files, and deeply personal journals/notes for which I enjoy the comfort of mind when kept private and secure.
My recommendation is always to have your TLS-equipped reverse proxy on your own hardware. Then use a VPS as an SSL passthrough proxy that forwards requests to the locally hosted reverse proxy. You can connect the two via WireGuard.
This has a few benefits. It keeps encryption end to end. It also allows you to connect to your server via your domain name even in your LAN. You can hijack your domain at the router-level DNS menu to reroute to your local reverse proxy. And it keeps the TLS connection.
There’s no certificate at the VPS level. It forwards everything to and from the self-hosted reverse proxy.
Now that you mention it though, there may be a slight complication with pinning the reverse proxy to the domain API for cert renewals. I’ll have to check how I have mine configured but I may have given my reverse proxy an IPv6 and configured that for cert renewals.
That would mean some downtime as you update the IP if your ISP rotates it.
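
The passthrough setup described above, as an added example that is not part of the original post: a VPS-side nginx `stream` configuration that forwards raw TLS over the tunnel without holding any certificate. The domain `example.com`, the WireGuard address `10.8.0.2`, and the upstream names are assumptions.

```nginx
# nginx.conf on the VPS (constructed example; names and addresses are placeholders).
# The stream block sits at the top level, beside http {}, not inside it.
# Needs the stream and stream_ssl_preread modules.

stream {
    # Pick a backend from the SNI in the ClientHello. Nothing is decrypted:
    # there is no ssl_certificate / ssl_certificate_key anywhere on this host.
    map $ssl_preread_server_name $backend {
        example.com         home_proxy;
        ~\.example\.com$    home_proxy;
        default             reject;      # unknown or missing SNI
    }

    upstream home_proxy {
        # WireGuard address of the self-hosted reverse proxy (assumed).
        server 10.8.0.2:443;
    }

    upstream reject {
        # Nothing listens here, so unmatched connections simply fail.
        server 127.0.0.1:9;
    }

    server {
        listen 443;
        listen [::]:443;

        ssl_preread on;               # read SNI only, keep the TLS stream intact
        proxy_pass $backend;
        proxy_connect_timeout 5s;

        # The home proxy sees the VPS tunnel address as the client.
        # To pass the real client IP, enable this here AND configure the
        # home proxy to accept the PROXY protocol on that listener:
        # proxy_protocol on;
    }
}
```

The TLS handshake completes on the home reverse proxy, so the VPS only ever handles ciphertext plus the SNI hostname, which is sent in the clear in the ClientHello.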