Introduction

Simple website for recommending Harry Potter fanfiction.

Built using mdbook and GitHub Pages.

Recommendations

Community Recs

Community Recs are fics I've asked the community for input on (or whose recommendation lists I've copied wholesale from the community), so they might appeal more broadly.

These tend to follow the pattern of Longer, Shorter, One-shots, Ongoing, and possibly Unsorted. With:

  • Longer indicating fics with word counts greater than 80k
  • Shorter indicating fics with word counts between 4k words and 80k words
  • One-shots indicating fics with word counts less than 4k words
  • Ongoing indicating fics that are not finished and still updating
  • Unsorted indicating fics that haven't been sorted yet

  • chibipot - Gabrielle Delacour/Harry Potter
  • flowerpot - Fleur Delacour/Harry Potter
  • haphne - Daphne Greengrass/Harry Potter
  • harmony - Hermione Granger/Harry Potter

Personal Recs

Personal Recs are fics I've chosen and thus are all over the place in terms of "quality" and might not suit your tastes.

  • milfoy - Narcissa Black Malfoy/Harry Potter

Work in Progress Recs

Either I haven't started, or I need more fics before feeling confident in the recommendations.

  • hellatrix - Bellatrix Black Lestrange/Harry Potter
  • hinny - Ginny Weasley/Harry Potter
  • honks - Nymphadora Tonks/Harry Potter
  • huna - Luna Lovegood/Harry Potter
  • mult - Polyamory/Harem/etc.

Glossary

Acronyms

  • EWE - "Epilogue? What Epilogue?"; Fic is not compliant to the Epilogue
  • PWP - "Porn with Plot"; One of the tenets in writing the Fic is to write smut

Pairings

  • Bonks - Nymphadora Tonks/Bill Weasley
  • Chibipot - Gabrielle Delacour/Harry Potter
  • Flowerpot - Fleur Delacour/Harry Potter
  • Haphne - Daphne Greengrass/Harry Potter
  • Harmony - Hermione Granger/Harry Potter
  • Harrissa - Narcissa Malfoy/Harry Potter
  • Hinny - Ginny Weasley/Harry Potter
  • Hellatrix - Bellatrix Black Lestrange/Harry Potter
  • Honks - Nymphadora Tonks/Harry Potter
  • Huna - Luna Lovegood/Harry Potter
  • Milfoy - Narcissa Black Malfoy/Harry Potter

chibipot

Gabrielle Delacour/Harry Potter

Longer Fics

Shorter Fics

One-shots

Ongoing

flowerpot recommendations

Harry Potter/Fleur Delacour

Longer Fics

Shorter Fics

One-shots

Ongoing

haphne

Harry Potter/Daphne Greengrass

Longer Fics

Shorter Fics

One-shots

Ongoing

Unsorted

harmony

Harry Potter/Hermione Granger

Longer Fics

Shorter Fics (4k->80k)

One-shots

Ongoing

milfoy recommendations

Harry Potter/Narcissa Black Malfoy

NB: For the most part, these aren't shlocky "Draco did/said something bad post-war and now Narcissa will do anything to save him from Azkaban" fics. If they are, I'll mention why they are included.

Oh, other than having ongoing fics at the top of each section, there is no particular ordering.

Less Smut

"Wow! A Milfoy Story that isn't primarily focused on smut!"

Sadly, just entering this category means that the story is probably a cut above the rest of Milfoy fics. Shocking I know, not focusing on smut making the story better. That said, these still might have smut.

  • The gift of time and patience - Mei (Ima1)
    • 21k words, 2 chapters, slow burn, post war
    • nice and slow build up that just makes the relationship work so well
    • leaves off on a high note
  • Starry nights and sunny skies - Mei (Ima1)
    • 50k words, 10 chapters, time travel, post war
    • time travel fic with Harry travelling and dealing with the first war
    • Novikov self-consistency principle is strong with this one as it tries to keep itself consistent even if it ends up kinda weird
  • Laughing All The Way To London - AppoApples
    • 120k words, 30 chapters, time travel, pre first war, teacher Harry
    • time travel, dad!Harry, teacher!Harry? I'm game
    • the issue I have with this fic is that Narcissa is essentially an OC slotted into Narcissa Black's place, it works but it's not Narcissa Malfoy, ya know?
  • Whispers of a Raven - TheBlack'sResurgence
    • 347k words, 35 chapters, time travel, pre first war, TBR
    • TBR can be contentious, but personally I'm a fan of a more nuanced Black family so I generally enjoy his stuff
    • The story can feel a bit chuuni at times, but it doesn't fall into crack or shlock
    • same type of deal as Laughing All the Way to London, OC!Narcissa due to time travel which can be hit or miss. So if you want Narcissa Malfoy™, you might not enjoy it

Some Smut

"It's MILFoy after all"

Decent Milfoy stories that might contain some focus on smut. These aren't any worse than the ones above, just that they might delve into smut longer.

  • The Volunteer - mrs.milfoy
    • 26k words, 6 chapters, post war
    • Volunteering at the St. Mungo's leads to some interesting happenings in Harry's life
    • You can see the scenes play out and the detente between Harry and Narcissa is wonderful
    • IIRC, my first milfoy fic which opened the flood doors to the rest so kudos on that
  • Scorched Earth Survivor - gevaisa
    • 1k word, one-shot, post war, Narcissa PoV
    • Narcissa is thrust onto Harry to deal with in the aftermath of the war
    • short snappy and evocative; it'll make you wish this was longer and more fleshed out
  • Ladies and Gentlemen - mrs.milfoy
    • 4k word, one-shot, post war
    • Harry finds someone breaking the rules and it goes from there
    • not much opinion here other than it's well written and executed
  • The Favour - mrs.milfoy
    • 15k words, 2 chapters, post war, draco malfoy
    • Draco asks Harry to do him a favor so he can boing his fiancé, Draco gets more than he bargained for
    • not much opinion here other than it's well written and executed

Milfoy Adjacent

These are stories that aren't primarily focused on Milfoy but she plays a strong role within it.

  • Harry Slays Voldemort - StevenTLawson
    • 5k words/chap, ongoing, life debt, "harem",
    • Harry kills Voldemort and earns a life debt
    • life debts results with Harry getting a girlfriend
    • puts a spin on the shlocky milfoy trope leaving Harry with a "harem"
    • it's an interesting premise and I'm interested to see how this premise would pan out
    • Milfoy is part of the harem, but, with what is out so far, it shouldn't be called a Milfoy fic
  • Hermione deals with this - Chubster23
    • 4k words, one-shot, post war, haphne, harry/astoria, offscreen smut
    • written as a homage of sorts to tie together a number of MayorHagger's works into a single story
    • "[an] intersection of plots into a cohesive smutty harem romp [is fire]" - me
    • the worst part of this is that it's so short, the story itself seems like something that could occur in a "Harry ended up with a Slytherin" AU
    • the milfoy aspect of this story is essentially Excuses and Distractions and Fast Times at Malfoy Manor but I think that the framing that this story builds makes the narrative more compelling

Prompts, Premises, and Other Ideas (for Milfoy)

Maybe you want to take a crack at writing something. Maybe you just need some inspiration. Here are some ideas.

  • Was it all Real or Just a Dream?
    • 5k words/chap, abandoned?, flowerpot, older!Harry
    • this premise is fire and I'm actually upset no one has taken it and used it
    • it's perfect for any cross-generational pairing because this ages Harry up while the rest of the cast stays the same making tricky age shifting easy
    • it isn't explicitly Milfoy, it can work for any pairing with an age gap
    • read it, it's only 5k words and I don't want to detract from the premise by explaining it
  • The Time Harry Stole Lucius's Wife - redowlf96
    • 6.2k words/chap, abandoned?, whiskey wedding challenge
    • sometimes it's not about the story, but the premise
    • the title makes you think netorare and smut, but it's actually more of a whiskey wedding challenge that someone accepted and tried to make it work with Narcissa
    • the story starts at a pretty high point for suspension of disbelief and only goes up
    • at least the title is fun

All Smut

I am including these because they are stories that have Harry/Narcissa, are longer than 80k words, and Narcissa isn't an also-ran or harem member in terms of her relationship to Harry.

This isn't to say that these aren't good, but smut is a heavy focus. Possibly to the detriment of the narrative.

  • Two Minds, One Wand - RobWilsonWriting
    • 4.5k words/chap, ongoing, smut, amoral OOC Harry, bonding
    • Harry gets the memories of Voldemort after the graveyard and decides to use that knowledge to improve his chances at defeating him
    • lots of fridge logic here so the story might be a heavy miss for some with the "bonding"
    • smut gets in the way at times of an interesting premise and moral dilemma
    • I'd totally read this even if the smut faded to black
    • probably the one with the most plot out of the PWP fics
  • Whore Class - Riotstarter1214
    • 24k words/chap, ongoing, smut
    • there is no story here, there is only smut
    • probably not your cup of tea unless you are looking for smut with a hint of milfoy
    • there is actually a bit of a relationship between Harry and Narcissa in this work and it could be so much more, but...
    • Harry fucks nearly every female in the setting that could be construed as attractive
  • A Vow of Control - MayorHagger
    • 12k words/chap, ongoing, smut, post war, amoral Harry, astoria/harry, harem
    • imagine someone who tries to take advantage of Harry after he's been lenient with them
    • then, instead of turning the other cheek, he decides to take advantage of them
    • then, instead of trying to stay away from Harry they come back for more
    • this is primarily smut, but it has actual character interactions and a semblance of plot
    • sure the characters are all OOC and smut reigns supreme, but the characters have agency and Milfoy is in the story often

Andromeda/Harry

Andromeda Tonks/Harry Potter

Unsorted

hellatrix

Harry Potter/Bellatrix Black Lestrange

Longer Fics

Shorter Fics

One-shots

Ongoing

hinny

Ginny Weasley/Harry Potter

Longer Fics

Shorter Fics

One-shots

Ongoing

Unsorted

honks

Harry Potter/Nymphadora Tonks

Longer Fics

Shorter Fics

One-shots

Ongoing

huna

Harry Potter/Luna Lovegood

Longer Fics

Shorter Fics

One-shots

Ongoing

mult

Multiple Partners, Polyamory, Harem, Coven, etc.

Assume it'll have smut.

Longer Fics

Shorter Fics

One-shots

Ongoing

Unsorted

Entirely Unrelated

This is a dumping ground for public-ish facing things to share that might be too large to just post into the nether that is Discord.

step-ca

I definitely have some knowledge that I haven't written down here, but I haven't set up another CA since the last one to validate the configuration. I originally used this article, Build a Tiny CA with Raspberry PI and YubiKey, which is good. You don't need the YubiKey and can just leave the key and cert on the local disk if your threat model allows it. But yeah, the tutorial definitely can help fill in any weird blanks I've left below. I'd even say read through the tutorial and then use this as a reference if this makes sense. That said, feel free to ping me if you have questions.

install step-ca

# note the fingerprint value (SHA-256 of the root certificate) as it's used by the step-cli client for bootstrapping
# I generally just download the root.crt and generate it (i.e. calculate the sha256),
# but you probably should get the fingerprint via a separate channel and do it right.
step ca init --ssh --acme --password-file "${STEPCA_PASS_FILE}" --provisioner-password-file "${STEPCA_PROV_PASS_FILE}" --remote-management
step-ca "$(step path)/config/ca.json" --password-file "${STEPCA_PASS_FILE}"

configuring step-ca

You can find the configuration file at echo $(step path)/config/ca.json.

Check out step's own documentation for configuring step-ca at StepCA Config docs.

Of note (for me) were:

  • ssh in general to configure ssh ca
  • passing the CA password via --password-file for the systemd service so it's not interactive
  • db if you want better support. (I'm currently just using bbolt, but probably should have spun up postgresql)
  • authority and specifically the provisioners subsection which sets up what things can talk to step ca and how
  • authority level policy which allows enough control to allow you to restrict who and what gets to create and be created.
  • I also tweaked ssh templates since I tend to run all my sshd on a non-standard port.

Read through CA Server Production Setup docs to make sure that you don't hit footguns.

SmallStep provides a systemd service unit for step-ca in this subsection of the Production Setup docs.

configuring remote clients to talk to step ca

Step CLI

CA_URL=""
CA_CERT_FINGERPRINT=""
# download the root.crt
curl -OJL https://example.com/root.crt
# if lazy (trust on first use: this only pins whatever certificate was just downloaded)
# CA_CERT_FINGERPRINT="$(step certificate fingerprint root.crt)"

# for the step-cli tool
step ca bootstrap --ca-url "${CA_URL}" --fingerprint "${CA_CERT_FINGERPRINT}"
# now install root crt to trust store
step certificate install ./root.crt
# or
#sudo trust anchor ./root.crt
# or
#sudo cp root.crt /etc/pki/ca-trust/source/anchors/example-com.crt && sudo update-ca-trust

caddy

I use caddy since it does ACME automatically without configuring extra side services or needing custom builds which bundle the side service (like nginx & co.).

See Step CA ACME client setup docs.

For mTLS shenanigans, here are the relevant caddy config changes I've made.

mtls caddy config

CA_URL="${CA_URL:-https://localhost:8443/acme/acme/directory}"
CA_ROOT_CERT=$(step path)/certs/root_ca.crt
sudo tee /etc/caddy/Caddyfile << EOF
{
  admin off
  email caddy-service-account@example.com
  acme_ca ${CA_URL}
  acme_ca_root ${CA_ROOT_CERT}
  renew_interval 16h
  debug
}
(common) {
  log {
    output file /tmp/caddy/access.log {
      roll_size 512MiB
      roll_keep_for 720h
    }
    format json
  }
}
(secure) {
  import common
  tls {
    client_auth {
      mode require_and_verify
      trust_pool file ${CA_ROOT_CERT}
    }
  }
}
some-service.example.local {
  # some low security service
  reverse_proxy http://someip:9999 {
    header_up Host {host}
  }
  import common
}
secure-service.example.local {
  reverse_proxy http://otherip:3333 {
    header_up Host {host}
  }
  import secure
}
EOF

Other services are described on the page though so feel free to configure and find what works for you.

But what about service discovery?!

Yeah, that's one of the pain points here. Caddy technically can hit up some DNS and submit the DNS A (and/or AAAA) record for your service that just got a TLS cert assigned, but I never got around to hosting PowerDNS, and the other DNS servers which support this type of configuration are a pain. Instead I just have a CoreDNS instance which wildcards a domain for each host, which makes this very simple. So anything that is registered to example.com or *.example.com is routed correctly.

There are pain points, but I found this to work in a "good enough" manner to not matter.

CoreDNS Corefile

PROMETHEUS_SCRAPE_ENDPOINT="someip:9253"
sudo tee /etc/coredns/Corefile << EOF
(common) {
  loop
  header {
    response set ra aa
  }
  log . {
    class denial error
  }
  prometheus ${PROMETHEUS_SCRAPE_ENDPOINT}
  cache 300
}
example.local {
  import common
  file /etc/coredns/db.example.local example.local
}
EOF

example CoreDNS db.example.local

DNS_SERVER_IP=${DNS_SERVER_IP:-$HOSTNAME}
EXAMPLE_LOCAL_IP=${EXAMPLE_LOCAL_IP:-127.0.0.1}
sudo tee /etc/coredns/db.example.local << EOF
\$TTL 1D
\$ORIGIN example.local.
; the SOA admin mailbox is written with "." in place of "@" and as a fully qualified name
@ 3600 IN SOA ${DNS_SERVER_IP}. admin.example.local. (
  202111111
  1D
  1H
  1W
  300
)
@ IN A ${EXAMPLE_LOCAL_IP}
* IN A ${EXAMPLE_LOCAL_IP}
EOF

SSH CA configuration

bootstrap base requirements

VERSION="0.28.2"
curl -OJL "https://dl.smallstep.com/gh-release/cli/gh-release-header/v${VERSION}/step_linux_${VERSION}_amd64.tar.gz"
tar xvf "./step_linux_${VERSION}_amd64.tar.gz"
CA_URL=${CA_URL:-"https://127.0.0.1:8443"}
sudo cp ./bin/step /usr/local/bin/step
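# -f so an HTTP error page is never saved as root.crt
curl -fL "${CA_URL}/root.crt" -o root.crt

# bootstrap step-cli
# the fingerprint here is computed from the file just downloaded, so it only pins whatever
# was served; compare it against a value obtained via a separate channel if you can
step ca bootstrap --ca-url="${CA_URL}" --fingerprint="$(step certificate fingerprint root.crt)"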
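Both bootstrap snippets (Step CLI and this one) can fall back to computing the fingerprint from the root.crt they just downloaded. The following is an added example, not part of the original page, of checking the downloaded file against a fingerprint received through a separate channel first. It assumes GNU coreutils (base64, sha256sum); the function names are hypothetical, and the digest is the lowercase hex SHA-256 over the certificate's DER bytes.

```shell
#!/bin/sh
# Added example: pin the root CA certificate to an out-of-band fingerprint
# before running `step ca bootstrap`. Function names are hypothetical.

# Lowercase hex SHA-256 over the DER bytes of the first certificate in a PEM file.
cert_fingerprint() (
  body=$(awk '/^-----BEGIN CERTIFICATE-----/ {on=1; next}
              /^-----END CERTIFICATE-----/   {exit}
              on' "$1" | tr -d ' \r\n')
  # An empty body would hash to the SHA-256 of nothing, so reject it explicitly.
  [ -n "$body" ] || { echo "no certificate found in $1" >&2; exit 2; }
  # Refuse bodies that are not valid base64 instead of hashing partial output.
  printf '%s' "$body" | base64 -d >/dev/null 2>&1 ||
    { echo "certificate body in $1 is not valid base64" >&2; exit 2; }
  printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
)

# Accept "AA:BB:..." as well as "aabb..." so values copied from other tools compare equal.
normalise_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# verify_root <pem file> <pinned fingerprint>
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_root() (
  actual=$(cert_fingerprint "$1") || exit 2
  pinned=$(normalise_fp "$2")
  case $pinned in
    *[!0-9a-f]*) echo "pinned value is not hex" >&2; exit 2 ;;
  esac
  [ "${#pinned}" -eq 64 ] || { echo "pinned value is not 64 hex digits" >&2; exit 2; }
  if [ "$actual" != "$pinned" ]; then
    echo "root certificate fingerprint mismatch: got $actual" >&2
    exit 1
  fi
)

# Usage (PINNED is a placeholder for the value received out of band):
#   verify_root root.crt "$PINNED" &&
#     step ca bootstrap --ca-url "$CA_URL" --fingerprint "$PINNED"
```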

sshd configuration

Remember that principals files (i.e. /etc/ssh/principals/) are a mapping of filename (which is a user name) to the list of principals (or labels in this case) which are allowed to sign in as that user. So you can use stuff like groups (e.g. dev, admin, audio) or whatever really. So if I create an SSH cert with the zamu principal, I could log in as root if I had zamu as a line in /etc/ssh/principals/root.

NAME="${NAME:-$HOSTNAME}"
PRINCIPAL="${PRINCIPAL:-admin}"
USER="${USER}"
SSH_PORT="${SSH_PORT:-22}"
# get the right keys in the right place
step ssh config --roots | sudo tee /etc/ssh/ssh_user_key.pub
# note: this path is overwritten by the generated host key moved into /etc/ssh/ below
step ssh config --roots --host | sudo tee /etc/ssh/ssh_host_ecdsa_key
# configure your local user's ssh
step ssh config

# generate host keys and put them in the right place
# use a private temp dir (mode 0700) rather than a fixed /tmp path, since the unencrypted host key is written there
WORKDIR="$(mktemp -d)" && cd "${WORKDIR}"
# unfortunately this generates multiple files and based on the key file name so unless you want to configure the
# root user to have step cli bootstrapped as well, it's best to generate them and then copy them into the right place
step ssh certificate "${NAME}" "${WORKDIR}/ssh_host_ecdsa_key" --no-password --insecure --host --not-after=87600h
sudo mv "${WORKDIR}"/ssh_host_ecdsa_key* /etc/ssh/
# the files were created by your user; hand them to root so only root can touch the host key
sudo chown root /etc/ssh/ssh_host_ecdsa_key*

# enable base sshd config
# these are just my personal SSH configuration changes feel free to do what you want.
# this expects the first line in /etc/ssh/sshd_config to be an `Include /etc/ssh/sshd_config.d/*`
# you can instead just manually tweak the sshd_config file, but drop ins are nice
# also sshd_config drop-ins are first instance binding instead of last value in, so you might want to bind earlier.
sudo tee /etc/ssh/sshd_config.d/10-homelab.conf << EOF
Port ${SSH_PORT}
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile	.ssh/authorized_keys
AuthorizedPrincipalsFile /etc/ssh/principals/%u
PasswordAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication no
UsePAM yes
EOF

# enable ssh ca cert configuration
sudo tee /etc/ssh/sshd_config.d/11-stepca.conf << EOF
TrustedUserCAKeys /etc/ssh/ssh_user_key.pub
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
EOF

sudo mkdir -p /etc/ssh/principals/
echo "$PRINCIPAL" | sudo tee "/etc/ssh/principals/${USER}"
# validate the config first so a typo doesn't lock you out on restart
sudo sshd -t && sudo systemctl restart sshd
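With AuthorizedPrincipalsFile set to /etc/ssh/principals/%u as above, the files in that directory decide which certificates reach which accounts. The following is an added example, not part of the original page, that audits such a directory; the function names are hypothetical, and it follows the file format sshd documents (blank lines and # comments ignored, optional key options before the principal name).

```shell
#!/bin/sh
# Added example: audit a principals directory laid out as <dir>/<account>,
# matching "AuthorizedPrincipalsFile /etc/ssh/principals/%u".
# Function names are hypothetical.

# Principals granted by one file. Comment lines and blank lines are skipped;
# a line may carry key options before the name, so the principal is the last field.
principals_in() {
  awk '/^[ \t]*#/ { next } NF { print $NF }' "$1"
}

# accounts_for_cert <dir> <principal>...
# Prints every account a certificate carrying any of the given principals can
# log in as. Matching is exact, as in sshd: "zam" does not match "zamu".
accounts_for_cert() (
  dir=$1; shift
  for file in "$dir"/*; do
    [ -f "$file" ] || continue
    for principal in "$@"; do
      if principals_in "$file" | grep -Fxq -- "$principal"; then
        basename "$file"
        break
      fi
    done
  done
)

# Principals that open the root account: the entries worth reviewing first.
root_principals() {
  if [ -f "$1/root" ]; then
    principals_in "$1/root" | sort -u
  fi
}

# Usage:
#   accounts_for_cert /etc/ssh/principals zamu
#   root_principals /etc/ssh/principals
```

An account with no file in the directory appears in no output, which mirrors sshd: with this setting, a certificate is accepted for a user only if one of its principals is listed in that user's file.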

ssh user keys

PRINCIPAL="${USER}"
REMOTE_USER="${USER}"
SSH_PORT="${SSH_PORT:-22}"
HOST="${HOST:-localhost}"
# get the right local ssh key
step ssh login -n="${PRINCIPAL}" # -n="${PRINCIPAL2}" and so on
# then just ssh in
ssh -p "${SSH_PORT}" -l "${REMOTE_USER}" "${HOST}"

Contribution

Contributions are welcome!

For the tech savvy:

Open an Issue on GitHub or even Submit a Pull Request.

For the lazy:

Message me recommendations on Discord (zamubafoo#4011).

Entirely Unsorted

Staging ground for lists needing to be sorted and possibly added to different pages. Might just be a URL, a proper link with the title and author, or all that plus the rough word count and a category or two.

Also none of these have been proofed for quality, people have just recommended them.