tvcvt
I think what you’re describing can be accomplished with docker-compose’s depends_on option. I’m not certain how it works across compose files, but that would be the first place I’d look.
A couple thoughts for you. I have a wonderful local fiber ISP and when I got hooked up, I discovered they were doing CG-NAT on residential connections. I called up and asked if I could have a public IP to host services and they just immediately gave me one. Definitely not the stereotypical ISP interaction, but if you haven’t already tried asking politely, it might be worth a shot.
On the last item, yes, Let's Encrypt lets you get certs for the same domain from multiple hosts, but I’ll often use a self-signed cert on the host and then get the public-facing cert at the reverse proxy level. No need to coordinate copying certs over in most cases.
There’s a pretty interesting series on the topic at Tall Paul Tech’s YouTube channel (here’s the most recent: https://youtu.be/WFso88w2SiM). He goes into quite a bit of detail over the course of a few videos about how he handled everything and highlights some of the trials and tribulations with the ISP. It’s not a guide per se, but definitely stuff worth thinking through.
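The self-signed-on-the-host, public-cert-at-the-proxy setup from the comment above, as an added nginx example that is not part of the thread. The hostname, backend address and file paths are assumptions; the point is that the proxy still verifies the backend's self-signed cert by trusting that exact cert instead of turning verification off.

```nginx
# Added example, not from the thread. Public TLS terminates at the reverse
# proxy with a Let's Encrypt cert; the backend keeps its own self-signed cert.
# app.example.com, 192.168.1.20 and all paths below are assumed values.
server {
    listen 443 ssl;
    server_name app.example.com;

    # Cert obtained on the proxy host (e.g. with certbot); paths assumed.
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        # The backend speaks HTTPS using its self-signed cert.
        proxy_pass https://192.168.1.20:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Trust exactly the backend's self-signed cert (a self-signed cert is
        # its own CA), so a swapped cert on the LAN fails the handshake.
        # Copy the backend's public cert to this path once when you create it.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/backend-selfsigned.crt;
        proxy_ssl_name backend.internal;   # CN/SAN you put in the self-signed cert
        proxy_ssl_server_name on;
    }
}
```

Run `nginx -t` after dropping this in; if the backend's cert CN/SAN does not match `proxy_ssl_name`, the proxy will log a verification error rather than silently passing traffic through.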
Hey, as others have said, you can definitely set up OPNsense in a VM and it works great. I wanted to take a second and answer the first part of your question: it cannot run in Docker. Containers in Docker share their kernel with the Linux host machine. Since OPNsense isn’t a Linux distribution (it’s based on FreeBSD), it can’t make use of the shared Linux kernel.
I run my home firewall on an old thin client (an HP t730, if I remember right). That does the job well and is about comparable to a laptop (minus the screen) for power consumption.
Another more current option that sounds good is the Zimaboard. I haven’t touched one, but people are seemingly going nuts over it. It’s a little x86 single board computer (about Raspberry Pi size) with two gigabit NICs.
Haven’t tried NetBird, but I do like Tailscale and headscale. Last time I looked at all these, I landed on Netmaker, which might be worth a look. It’s WireGuard based and has a nice web UI for management.