Just rebuilt onto Ceph and it’s a game changer. Drive fails? Who cares, replace it with a bigger drive and go about your day. If total drive count is large enough, and depends if using EC or replication, it could mean pulling data from tons of drives instead of a handful.

Yea that’s the whole trusting trust thing. You can theoretically set up hour browser to only trust your private CA and not trust any of the publicly trusted CAs. Depends on your threat model I suppose.

Because a private CA allows you to create a certificate and nobody else has the ability to create certificates unless you give them the keys or a signing CA. With Let’s Encrypt, you are trusting every major certificate authority to not create a cert on your domain; coupled with DNS poisoning means you would end up on a legit-looking but counterfeit website of yours.

You’ll have to explain that one to me.

1. Never host anything that is externally accessible
2. If you have to, put it behind a VPN (OVPN, Wireguard, IPSec, Tailscale, etc.)
3. Certificate based authentication is preferred for VPN tunnels
4. Always TLS encrypt your actual endpoints. Private CAs are most secure but a pain in the ass. Let’s Encrypt is very simple to set up in most cases.

Just my 2 cents.