[scottlamb]

Kudos to the author!

I don't get this part:

> In 2021 I recently launched my newest product: It's called open3ABox and it's a raspberry pi with open3A pre-installed which I deliver to my customers who have not the technical skills for their own server but don't want a cloud version either. It's fully remote managed and monitored by me more steady income, yay

When people object to cloud (SaaS really), I tend to think it's about what you could variously describe as ownership, control, privacy, and security. They want to be the only ones who can access their data. They want updates to happen on their schedule. If you want the developer to manage and monitor your installation, why not use a hosted version?

Another reason is bandwidth, but I wouldn't expect that to be a significant consideration for invoicing software.

[bityard]

There are plenty of cases where I want to own a thing, but make someone else responsible for managing it. And if they fail or go away, I want to know that I can hire someone else to manage it instead.

If the app is hosted entirely in the cloud, _everything_ is gone if the provider pulls the plug suddenly. If the app is hosted on a device that I own and the provider goes away, it will probably still keep working for a while. Worst case, I still at least have the option of hiring someone to crack it open and extract the data to import someone else.

This is such an important concept that it even has its own field of study and practice called "business continuity." Many business have legal agreements with customers and partners _requiring_ this.

[scottlamb]

It's a given that you should have backups of your business data, no matter if you're using a hosted installation or a local one. With backups, if the hosted provider pulls the plug, you don't lose _everything_. You may be scrambling to set up the replacement but you have your data, and in this case you'd also have the source code, so you'll survive.

And keep in mind that "Raspberry Pi fails" is a more common scenario than "provider goes out of business", so from the perspective of minimizing the scramble, that's the one I'd be more concerned about.

A bit more about backups: for something truly important, you should have an offline copy, in case a malicious party compromises credentials that can be used to overwrite both the primary and the backup. I don't think you should depend on the vendor backing up your data. Some things you just have to do yourself, unfortunately.

[bigiain]

Another commenter mentions the setup involves a Pi with an SSD and two USB sticks. It might be configured so you're required to switch usb sticks for consecutive backups, so you'd always have at least your second most recent backup completely offline - or even have the system ensure there's only a backup usb stick instead while the backup is running (and either unmount it of nag you to take it out when the backup is done).

[nemiah]

I'll actually be sending out emails if there are more than 14 consecutive backups on the usb stick to remind the customer to switch them ;)

[bigiain]

> Worst case, I still at least have the option of hiring someone to crack it open and extract the data to import someone else.

Even that worst "single person provider got hit by a bus" case is already somewhat mitigated here - since the software is open source.

I'm guessing she's likely set this up so anyone with physical access and appropriate credentials (which the client has by default) and linux experience, could manage/maintain the RasPi box and/or migrate everything to a self hosted version on a more "regular" linux box.

[nemiah]

Everything important is backed up on the usb stick. The application can be set up on XAMPP or any other webserver with it.

[nemiah]

I offer open3ABox this way for the customers that have fewer technical abilities and don't want a cloud service.

They usually use the Windows version but don't do backups and if something fails it's a nightmare to support.

[outworlder]

> If you want the developer to manage and monitor your installation, why not use a hosted version

It's a pretty common use-case for companies. They want their stuff on premises(for a variety of reasons), but don't want to deal with maintenance.

[scottlamb]

> for a variety of reasons

To rephrase my question: what are those reasons?

[twodave]

My thoughts exactly--Having a fleet of client-side machinery open to the Internet sounds like a larger overall risk footprint than having one hosted solution. I'm guessing a bit part of this is just customer psychology and lack of education.

[imhoguy]

Why do you think it is opened to the Internet? May be just a box behind a NAT calling home and/or be part of closed VPN swarm.

I would love to hear how the management part got implemented.

[nemiah]

The management works like this:

Every open3ABox has an open websocket connection to my server. I do the monitoring over this connection and for updates and support I tell the box over the websocket connection to forward a port via ssh to my server. The port will be automatically closed by the open3ABox after three hours.

This means no constantly open port and an encrypted connection where only my server is allowed to do a remote function execution (get monitoring values, open port, etc.) on the box.

[imhoguy]

That is very clever, I like it. Especially dependency on proven and simple technology. VPN swarm like e.g. ZeroTier which I was thinking about would be too complex and thus harder to maintain.

Thank you for the explanation!

[bigiain]

Nice.

Reverse ssh tunnels are a really good way to manage stuff like that.

[nemiah]

Thanks :)