I guess your OPNSense rule from Edit3 is not working because the source is not your mailu instance, because connections are initiated from the outside and mailu only answers (TCP ACK). So you have asynchornous routing.

You may get this working if you set the “reply-to” option to the wg gateway on the firewall rule that allows VPS -> wg -> mailu traffic.

However there is a much cleaner solution using the PROXY protocol, which mailu seems to support: https://mailu.io/master/reverse.html

They are using traefik, but nginx also supports the PROXY protocol.

I’m surprised no one mentioned ansible yet. It’s meant for this (and more).

By ssh keys I assume you’re talking about authorized_keys, not private keys. I agree with other posters that private keys should not be synced, just generate new ones and add them to the relevant servers authorized_keys with ansible.

no, its personal preference

I’m using organizr, it embeds your apps in tabs/iframes and allows you to configure them in the UI.

deleted by creator

thank you, just subsribed

It matters only if “the docker hosts external IP” your dns resolves is a public IP. In that case packets travel to the router which needs to map/send them back to the docker hosts LAN IP (NAT-Reflection). With cgnat this would need to be enabled on the carrier side, where you set up the port forwarding. If that’s not possible, split-DNS may be an alternative.

If “the docker hosts external IP” is actually your docker hosts LAN IP, all of that is irrelevant. Split-DNS would accomplish that.

Are you hosting behind NAT / at home? If so, you may need to enable NAT reflection on your router.

If you only want online file storage and sync, you may want to try Seafile. It’s a lot faster and has been rock solid since 10+ years for me. Not viable if you need some of the many nextcloud exentions though