

I also want to be really sure that I don’t lose the encryption keys if I lose my phone and computer where I have my password manager.
Keep a copy on your (PIN-secured) phone and a copy on your PC and don't lose both at the same time.




Not 100% sure but I believe this is to prevent side-loading on stock Android. That is, a normal Android can only install from the Play Store. Graphene and Calyx should be unaffected.
Someone correct me if I’m wrong.

Try mumble if you just need voice. Just fire up a docker container and open a tcp and a udp port. The settings are under-documented so things like auth are tough to set up.


Good, that’s probably the best you can do, I’m not an expert. I also meant, do you have a bulletproof upstream or are they going to terminate your service if you send too many hacks?


There are a few monero vpns on kycnot.me… You should consider listing there when you feel ready.
Curious about your upstream… Are they going to send takedown letters for torrent seeding? Are you ready for users to hack with your exit nodes and get blacklisted?
This is the catch-22: non-kyc (anonymous) proxies get abused/blacklisted and become useless for anonymous browsing.

I think I have the same protectli as you and it is awesome. Need it for my 2.5gb uplink. I use openwrt on it… Didn’t really like opnsense. I am more used to linux than bsd.
I host lots of services and get bombarded by scrapers, scanners, and skids both at home and on my VPSs.
I use ipset for the usual blocklists which I download regularly. I also have tarpits on 22/tcp (endlessh). I pipe the IPs from the endlessh logs into fail2ban which feeds the ipsets. I have ipset blocks and fail2ban on my home firewall and all VPSs and coordinate over mqtt. So any fail2ban trigger > mqtt > every ipset block. Touch my 22/tcp anywhere and you get banned instantly everywhere. The program I use for this is called vallumd and it runs on openwrt.
I also put maltrail everywhere but I’m not totally sure how to interpret and respond to the results. Probably will implement a pipe from maltrail to my mqtt > blocklist setup.
I don’t do any network-level adblocking… Might be a future project.
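
An added sketch of the log-to-blocklist step described in the comment above (not the commenter's code and not part of vallumd or fail2ban): it turns endlessh ACCEPT lines into one MQTT message per new address and refuses to ban internal ranges. The log lines are constructed, and the `blocklist/add` topic naming and the `NEVER_BAN` list are assumptions.

```python
import ipaddress
import re

# Constructed endlessh log lines (sample input, not from the original post).
SAMPLE_LOG = """\
2024-05-01T10:00:01.120Z ACCEPT host=::ffff:203.0.113.7 port=50122 fd=4 n=1/4096
2024-05-01T10:00:03.480Z ACCEPT host=198.51.100.23 port=41001 fd=5 n=2/4096
2024-05-01T10:00:09.002Z ACCEPT host=::ffff:192.168.1.10 port=53000 fd=6 n=3/4096
2024-05-01T10:00:21.135Z CLOSE host=::ffff:203.0.113.7 port=50122 fd=4 time=20.015 bytes=24
2024-05-01T10:00:30.700Z ACCEPT host=2001:db8::beef port=40000 fd=4 n=2/4096
2024-05-01T10:00:31.000Z ACCEPT host=not-an-ip port=1 fd=7 n=3/4096
"""

ACCEPT_RE = re.compile(r"\bACCEPT host=(\S+) port=\d+")

# Assumed allowlist: ranges that must never reach the shared blocklist,
# so one misfire cannot lock you out of every host at once.
NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

def normalise(host):
    """Return a validated address, unwrapping ::ffff:a.b.c.d, or None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # never forward unparsed log text to a firewall
    return getattr(addr, "ipv4_mapped", None) or addr

def ban_messages(log_text, topic="blocklist"):
    """Return one (mqtt_topic, payload) pair per new offending address."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        addr = normalise(m.group(1)) if m else None
        if addr is None or addr in seen:
            continue
        if any(addr.version == n.version and addr in n for n in NEVER_BAN):
            continue
        seen.add(addr)
        out.append((f"{topic}/add", str(addr)))  # topic layout is an assumption
    return out

if __name__ == "__main__":
    for mqtt_topic, payload in ban_messages(SAMPLE_LOG):
        print(mqtt_topic, payload)
```

Each pair would be handed to whatever MQTT publisher the hosts share; validating and allowlisting before publishing matters because every subscriber applies the ban.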

You can detach your headers with --header. I’ve started putting the header and key on my boot partition on a USB key. Without the USB, the hard drives appear to be filled only with random data (plausible deniability). After booting, the USB can be removed to prepare for a panic shutdown.