[-] pcouy@lemmy.pierre-couy.fr 1 points 2 weeks ago

Thank you for the link. I saw it posted a few days ago.

The caching proxy for this tutorial should easily work with any tile server, including self-hosted. However, I'm not sure what the benefits would be if you are already self-hosting a tile server.

Lastly, the self-hosting documentation for OpenFreeMap mentions a requirement of 300GB of storage + 4GB of RAM just for serving the tiles, which is still more than I can spare.

[-] pcouy@lemmy.pierre-couy.fr 1 points 1 month ago

I can recommend some stuff I've been using myself:

  • Dolibarr as an ERP + CRM: requires some work to configure initially. As most (if not all) features are disabled by default, it requires enabling them based on what you need. It also has a marketplace with a bunch of modules you can buy
  • Gitea to manage codebases for customer projects. It can also do CI but I've not looked into it yet
  • Prometheus and its ecosystem (mostly promtail and grafana) for monitoring and alerting
  • docker mail server: makes it quite easy to self-host a full mail server. The guides in their doc made it painless for me to configure dmarc/SPF/other stuff that makes e-mail notoriously hard to host
  • Cal.com as a self-hostable alternative to calendly
  • Authentik for single sign-on and centralized permission management
  • plausible for lightweight analytics
  • a mix of wireguard, iptables and nginx to basically achieve the same as cloudflare proxying and tunnels

I design, deploy and maintain such infrastructures for my own customers, so feel free to DM me with more details about your business if you need help with this.

[-] pcouy@lemmy.pierre-couy.fr 0 points 1 month ago

I really like the idea about grouped communities with deduplication.

[-] pcouy@lemmy.pierre-couy.fr 0 points 2 months ago

It's not that I don't believe you, I was genuinely interested in knowing more. I don't understand what's so "precious" about a random stranger's thoughts on the internet if they're not backed up with any source.

Moreover, I did try searching around for this and could not find any result that seemed to answer my question.

[-] pcouy@lemmy.pierre-couy.fr 0 points 2 months ago

On my instance (in the app and the web version) it doesn't seem to be filtered. Are you sure it's not coming from your instance?

[-] pcouy@lemmy.pierre-couy.fr 1 points 2 months ago

What I did is use a wildcard subdomain and certificate. This way, only pierre-couy.fr and *.pierre-couy.fr ever show up in the transparency logs. Since I'm using pi-hole with carefully chosen upstream DNS servers, passive DNS replication services do not seem to pick up my subdomains (but even subdomains I share with some relatives who probably use their ISP's default DNS do not show up).

This obviously only works if all your subdomains go to the same IP. I've achieved something similar to cloudflare tunnels using a combination of nginx and wireguard on a cheap VPS (I want to write a tutorial about this when I find some time). One side benefit of this setup is that I usually don't need to fiddle with my DNS zone to set up a new subdomain: all I need to do is add a new nginx config file with a server section.

Some scanners will still try to brute-force subdomains. I simply block any IP that hits my VPS with a Host header containing a subdomain I did not configure.
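
Added example, not part of the comment above and not pcouy's own setup: one way to find the IPs that comment describes, by scanning an nginx access log for Host values that are subdomains of your domain but match no configured vhost. The log format, the `example.org` domain, the vhost names, the `NEVER_BLOCK` list and the sample lines are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed access-log format (not from the post), set in nginx with:
#   log_format vhost '$remote_addr $host "$request" $status';
LINE_RE = re.compile(r'^(\S+) (\S+) "[^"]*" \d{3}$')

BASE_DOMAIN = "example.org"  # placeholder domain
CONFIGURED = {"example.org", "cloud.example.org", "git.example.org"}  # hypothetical vhosts
NEVER_BLOCK = {ipaddress.ip_address("203.0.113.10")}  # e.g. your own monitoring probe

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 cloud.example.org "GET / HTTP/1.1" 200',
    '192.0.2.44 admin.example.org "GET / HTTP/1.1" 444',
    '192.0.2.44 vpn.example.org "GET /login HTTP/1.1" 444',
    '192.0.2.44 git.example.org "GET / HTTP/1.1" 200',
    '203.0.113.10 staging.example.org "GET / HTTP/1.1" 444',  # allowlisted source
    '192.0.2.99 203.0.113.5 "GET / HTTP/1.1" 444',            # bare-IP Host, not a subdomain
    '198.51.100.23 notexample.org "GET / HTTP/1.1" 444',      # look-alike suffix
    'truncated or malformed line',
]

def unconfigured_subdomain(host):
    """Return the normalized host if it is a subdomain of BASE_DOMAIN with no vhost, else None."""
    host = host.lower().rstrip(".")
    # Require the leading dot so "notexample.org" does not count as a subdomain.
    if host.endswith("." + BASE_DOMAIN) and host not in CONFIGURED:
        return host
    return None

def offenders(lines):
    """Map each client IP to the sorted list of unconfigured subdomains it requested."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is not a valid address
        guessed = unconfigured_subdomain(m.group(2))
        if guessed and ip not in NEVER_BLOCK:
            hits[str(ip)].add(guessed)
    return {ip: sorted(hosts) for ip, hosts in hits.items()}

if __name__ == "__main__":
    for ip, hosts in offenders(SAMPLE_LOG).items():
        print(ip, ",".join(hosts))
```

The returned addresses can then be fed to whatever blocking mechanism the host already uses; keeping an allowlist avoids locking out your own probes after a typo in a vhost name.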

[-] pcouy@lemmy.pierre-couy.fr 1 points 2 months ago

There is even an "Ignore cache" box in the devtools network tab.

[-] pcouy@lemmy.pierre-couy.fr 1 points 2 months ago* (last edited 2 months ago)

These services usually use either or both of passive DNS replication (running public recursive DNS resolvers and logging lookups that return a record) and certificate transparency logs (where certificate authorities publish the domain names for which they issue certificates). A lot of my subdomains are missing from these services.

[-] pcouy@lemmy.pierre-couy.fr 1 points 2 months ago

Is named actually running as the bind user inside the container? Maybe a USER bind line below the RUN lines will help.

[-] pcouy@lemmy.pierre-couy.fr 1 points 2 months ago

It's the clients (web/android app, probably iOS too) that are making these requests.

To the best of my knowledge, the Immich server inside the container is not making requests to the outside. It is merely sending a style.json to the client displaying a map, which then fetches tiles from the Cofractal URL inside this JSON.

[-] pcouy@lemmy.pierre-couy.fr 1 points 2 months ago

What do you mean? Can you give me the exact link that's not working?

[-] pcouy@lemmy.pierre-couy.fr 1 points 1 year ago

Yeah, there is something oddly mesmerizing about projects that solve an "already-solved-in-a-more-efficient-way" problem in a weird way.


pcouy

joined 1 year ago