NethServer 8: planning an evolution

@bwdjames

Been there, done that and even bought the T-shirt!

I did 30 years ago what you did 15 years ago, but even then I had the fixed conception that a good IT guy is actually a lazy guy:

  • Too lazy to do the same job twice, that’s why it’s long been scripted.
  • Too lazy to visit a server unneeded, that’s why all have remote access.
  • Too lazy to daily change Storage Tape, or replenish the Cartridge changer for Backups, that’s why several generations of Backups In and Out of House are fully automated.
  • Too lazy to check for problems, get someone (better something) to do it for me.

The last item started with my own scripts/Batch Jobs, later Scotty/Tkined, Big Brother, Nagios and finally Zabbix…

A really good idea would be a “Delegate Authority” Button, or something similar. If the company has someone to do the Job, he can easily get auth for the server without too much trouble.

My 2 cents
Andy

3 Likes

Been there, done that. And yes, the scripting part and automating as much as possible was there too. But in a pre-virtualization era, to have a safe patch process you just can’t run the patch and hope and pray nothing breaks on mission-critical servers. MS Windows Servers…
So we had the OS on a RAID1 volume and broke the RAID prior to patching the server.
First some 10 less important servers as a test run on Friday after Patch Tuesday. Then a week later, if nothing went wrong, some 100+ other servers on the next Friday.
Yes, it meant bringing down all those servers one by one and rebooting with a broken RAID1. And when they had run over the weekend without issues, the RAID was rebuilt by replugging the removed disk.
Today it would be much easier, just by creating a snapshot and updating. In fact, I do that with my (subscription) VPS now: before a major update I take a snapshot. Before I install a new service, I take a snapshot.

AFAIK this is what we already have now:
https://wiki.nethserver.org/doku.php?id=delegation_of_authority

1 Like

Experiences are interesting.
Needs and projects seem more interesting to help Nethesis to create a “path”.

If I can agree that the use of containers is a quite useful addon and the ability to dev-ops some applications and installs (but this seems more Linux-related than NethServer), the strict connection of services to the server is still (IMVHO) a nice value for the distro.
Some things should not be virtual or into containers:

  • Firewall
  • Content Filtering
  • Protocol filtering
  • “simple” file and print services
  • reverse proxy
  • VPN
  • remote control tools (guacamole)
  • certificate management (should be aware of containerized software)
  • ldap (which could or could not be used as user repository for other software/services)

Some other tools may be containerized:

  • mail server
  • webmail/groupware app (this leads to a bigger effort in configuration)
  • ticketing
  • monitoring (I prefer this on bare metal/out of container)
  • PBX and unified communication services
  • video-conferencing / chat (at least as server + webclient)
  • ERP/CRM
  • (surely I am forgetting something)

The idea of @Andy_Wismer might be a “killer app”, which may already be used by other platforms: a “one shot” invitation with a separate channel of communication to allow connection to a system.
This could allow easy and safe access to the server without giving “root” access via SSH.

Also the biggest question to Nethesis should be: still sticking to “multi-user/mono-firm” (this leads to multi domain but without virtual domains)

1 Like

Hi All!

@robb

Good as a starter, but should have a “time bomb” option, like “valid the next 24h…”.

@pike

I would also dare to suggest a “Multi-Tenant” Button during setup or later might also be a good idea. Include a warning that things might be a trifle more complex by activating this “button”. But, to keep things simple, make it more or less just one way…

If at some point later in time Multi-Tenant isn’t needed, a reinstall or manual cleanup would be needed. An option to save the data for migration / reinstallation would be a cool option. Keeps things simpler for Devs, but if needed or wanted, it could be there.

→ Open Pandoras box, if you want and need it, but be warned… :slight_smile:

NethServer, as it stands, is a VERY usable general server, comes with engaged developers and supporters and one of the best forums in Open Source. Let’s keep things that way, while still moving on in life…

And remember: A general server like NethServer can easily run VMs, LXC and Docker, besides doing orchestration. And NethServer does a good job out of the box, secure & good enough even as a mail or web server for SME or home users without much IT know-how. On the other hand, trying to get a bunch of Docker Apps as well integrated as NethServer is entails more work than most imagine! (And a lot of great work has gone into NethServer!).

I would NOT object to a move to a Debian base, actually I would quite welcome it!

My 2 cents
Andy

2 Likes

I think it’s worth pointing out that there are two orthogonal questions being discussed here:

  • What should Neth do?
    • “out of the box”
    • by way of “factory” module
    • by way of community module or other add-on
  • With what architecture should this be implemented?

I don’t think I’m qualified to have a strong opinion on the second question, other than that big changes from what we’re doing now will probably affect my ability to keep my modules going. On the first, for my needs, the bare minimum would be mail and web (LAMP) server. Ability to have webmail, Nextcloud, etc., running with a couple of clicks would be nice, but if I’m given a LAMP stack I can set those up myself if needed.

2 Likes

Putting words where they come from…
I only nominated Debian as an “option” for a possible (not considered) leap if CentOS 8 would not fit the needs of NethServer. Leaving behind such a stable and well supported distro is not a thing that the devs would consider without deep thinking and evaluation. The distro arrival is surely good and well maintained, but it’s not the shortest step in the world.

Also, the most “not nice” thing of CentOS 7 is Kernel 3.10. I know, it is maintained maybe by the largest community of “server interest” developers, but consumer Linux is on 5.4 and several advantages are achieved from Kernel 4.1x or 3.10. I’m asking myself if the 3.1x kernel could properly/fully use the capabilities of chiplet-based CPUs, unlocking the “full power” that could be delivered, and I also don’t know (it’s me lacking info) if such interesting things like NVMe and PCIe4 are on board or not for stable performance improvement.

Getting on topic… ARM is a really nice toy, but Small Medium Enterprise servers will be x64-based for at least 5 more years. Maybe some ARM boards will be interesting for small use services or non-x64 appliances (bit more efficient) but with such a loss of computational power. (I am eager to see the first embedded AMD Zen-Based APU/CPUs)

1 Like

@pike

Fully agree!

Moving away from such a stable and well maintained distro isn’t the thing to do on an impulse, not even after a night’s sleep.

But if pushed far enough, I tend to plan ahead and verify my options. If the day X comes, where a drop of water makes the barrel overflow, I’ll be ready long ahead!

Hardware / CPU:

At the moment, there’s no real alternative to Intel / AMD, both of which use x86 compatibility. ARM is nice, I use Raspberries even professionally, but comparing the CPUs of x86 and ARM isn’t really a fair comparison. And a SOC, like the Raspberry uses, does have its IO issues, as all peripherals including LAN are connected via a USB3 (RPi4) hub internally. And even though that sounds not too bad, you need to take into account that a Raspberry can’t reach full USB3 speed.

My 2 cents
Andy

I’m not sure regarding technology and everything.

For my personal case I’m happy with NS like it is, especially now that the docker module works correctly. I really love the concept of containers.

I wish there would be something more complete to monitor the subsystems and alert the user when something is going wrong.

2 Likes

Very interesting reading, especially for me who is fairly new in this forum and setting up our infrastructure based on Proxmox virtualized nethservers, which will serve infra services for mostly Windows clients. I am also very happy with the options nethserver provides, and would like to add one thing to the wishlist. If in the future there will be a possibility to have a backup domain controller for AD I would really appreciate it.

Besides nethserver itself, which I think will do a nice job for our company, I am very happy being part of this very kind and helpful community.

6 Likes

Quite frankly I’m a bit disappointed in el8 (too…). It seems to be geared up in a specific direction and sure if this fits (whatever) requirements NS8 would have…

OT because of the disappointment I looked around for rpm-dnf/yum based distros and gave Mageia a try. Please try to install a system to build on as “bare” as this with el8:


Given: no services like a firewall and such, needed to be added;
But isn’t this a beauty ? (yeh, love minimalistic)

IMHO you should rethink the firewall for the future. It’s not just what is coming in. With IOT you need to watch what is going out of unsuspected devices and isolate those. (believe me: designing the hardware of those devices)

Well I’m here because I’m cloud-phobic and to some extent probably more nethservians are. Can not (=EDIT) judge if this can be a feasible business case.

Yes, the Prime mainframe it was beauty too.

However, personally I do not see the BIG difference from a user perspective between a user session and a (cloud) container providing a service. Probably from an admin point of view it’s different though…

For me the big :question: is how would a hybrid-cloud approach look like :thinking:

3 Likes

Also :

1 Like

True, why can’t we have a scenario whereby there is
nextcloud1.domain.com
nextcloud2.domain.com
nextcloud3.domain.com

Then, the Email Aliasing is a Pain in the * for example, just in our company alone, we run multiple brands.
we can’t get just an email for that domain; it has to be an alias of an already existing domain.
We have scenarios whereby a person managing brand B is not associated with brand A. Why do they need to have an email for both brand A and brand B?

So, how do we handle this? We have nethserver with all the bells and whistles as the main LDAP provider and “internal” email, but then we have another email system where all the other brands’ email is hosted.

Finally, DNS management. It would be cool to have a full DNS manager, one that is able to handle A, AAAA, MX, NS, CNAME and all manner of DNS records.
So that we stop having another separate system for managing our DNS records.
Given that Nethserver already has user delegation, we can then have users assigned to manage DNS of only specific domains.

3 Likes

Nextcloud being available on multiple URLs can be done, but it takes tweaking to the templates. But I’d expect, then, that everyone would still log in with their own email address, and the rest of it ought to Just Work™.

Meaning, also different login methods can be defined for each of those instances.
For smaller situations a built-in login can be used, but for larger ones ldap/SSO/other public providers.

Yeah, I’m pretty sure that would require multiple Nextcloud instances. Nothing stopping you from putting Nextcloud in a vhost, of course, but it would be a manual install.

1 Like

It just dawned on me while thinking through this; although this question is valid to a certain extent, I would almost say that it’s the wrong question to be asking. And if one really wants to ask this question, it should only be asked after you have the answer to the question:

Is it time to redefine our understanding and definition of what an All-In-One server is?

If I may also diverge on a slight tangent: if NS 8 installs the various features using containerisation and the All-In-One server solution is no longer the focus, this does not necessarily mean that an admin cannot achieve an All-In-One solution. All they have to do is install the various containerised features on a single installation of NS 8 as opposed to multiple installations.

So although it’s good to ask the question if the All-In-One server is still a valid solution, I think it’s being asked or approached in the wrong way. Okay, not sure if the word wrong is the correct word, just not sure how to better phrase this.

I think one needs to approach it all completely differently and ask: If we had to start everything again completely from scratch, what do we want to achieve and how do we want to achieve it? I think if one had to approach it from that angle, it may help to not only better phrase the question; one may be surprised to have either a partial or complete answer to the question.

4 Likes

Hi Elleni, could you add a few details? Which kind of infra services do you serve? How many nethserver instances are you running?

Oh that’s a good question :smiley: thanks for arguing this new point of view

Hi All NS-Planners!

One little feature I’ve seen and used elsewhere is the possibility / option to restore parts / segments of the config.

This would be stuff like:

  • Users & Groups
  • DHCP
  • DNS
  • Firewall (Maybe more split up)
  • VPN
  • iBays
  • etc…

OPNsense comes with this feature, and it’s very nice and practical to use this function to build a “Master” config which can be used for almost all clients.

There are some “Gotchas”, I know, among them dependencies and so on, but should not be impossible or even very difficult to implement.

It would also be a boon for growing companies / institutions using NethServer, to e.g. split off the mail part to a second NethServer.

If Docker comes in in full force, this feature will make things even more useable!

My 2 cents
Andy

5 Likes

Fully agree !!

1 Like

Hi Alessio,

We are not productive yet, but should go prod asap. What I have set up until now is three local and one remote nethserver, namely one for just DC, the others joined to the domain as member servers, one for file and print services and a third one as firewall with DPI, gateway with Threatshield, Proxy. On a hosted server there is a fourth nethserver acting as mailserver and also hosting Nextcloud (mainly serving filesharing, small group video conferencing, calendar and contacts via cal-/carddav to domain users) and including firewall services including IPsec VPN. Once productive and everything up and running, I will also set up an Asterisk server with FreePBX :slight_smile:

1 Like