NihilCredo
Jun 6, 2011

Restrain anger by every possible means:
that one fault will discredit you more than many virtues will commend you.

inkmoth posted:

Any suggestions on which route I should take, other than "keep an eye on eBay and see what pops up?"

Make sure you aren't spending $200 more to save $100 in electricity.

Check your power bill and calculate how much a 1W device running 24/7 costs you every year. Maybe increase by 50% or so in the expectation that the energy prices will keep rising (depending on where you live).

Now when comparing eg. a used PC vs a NUC, you can figure out how many years the NUC would need to run to break even.


NihilCredo
Jun 6, 2011


Pantsmaster Bill posted:

Are there any self-hosted options for a daily journal/log? I’m currently using Day One but would ideally like to move to something I control myself. Bonus points for an API I can use for integrating other social media stuff (or baked in support).

Quite a few, but for note-taking apps you really need to try them out and see which one fits you best. Some people write a lot, some people collect a lot of media, others need very quick tagging, etc. Some people use a phone, others a tablet, others a desktop.

Some options: Obsidian, DailyNotes, StandardNotes, Trilium

You could also run a Pleroma (Mastodon) instance and keep it private (either the whole instance or just all 'posts' by default), this gives you the option to publish things later when you want.

NihilCredo
Jun 6, 2011


mdxi posted:

I love this stuff, so I could talk at great length about all the details, but I'll just stop here. Happy to answer questions here or in the project.log thread.

Yes! Did you evaluate MinIO vs. Ceph, and if so, what made you choose Ceph? You mention Ansible so I'm guessing you used that to set up Ceph and weren't interested in installing a container system, was there anything else?

Also, are you aware of Garage? I would be hesitant to use it in a professional setting, but for (crazy nerd) home storage it looked attractive.

NihilCredo
Jun 6, 2011


Does anyone know of a ready-made Linux image (or BSD, I guess) for minimal bastion servers? Basically just wireguard + firewall + redirect all incoming requests to $real_server (except for SSH administration port). Nothing else, minimal attack surface.

My current ISP offers free static IPs, so I've just been rawdogging my home connection for a while (with a DMZ, of course), but I'm moving abroad in a couple of months and I probably won't have that anymore. Hopefully I can find an ISP that provides IPv6, but if not, getting a $4/mo Hetzner VPS as a bastion server looks like the next best option. Managed bastion services also exist, but they appear to be oriented to enterprises at least in terms of prices (e.g. Azure Bastion is $136/mo plus egress bandwidth).

(To be clear, I don't want to use Tailscale or other VPN services to connect - I want to keep my server publicly accessible. I'm sufficiently confident of the security of my Vaultwarden and Nextcloud installs, and some other services are intended to be shared with other people.)

NihilCredo
Jun 6, 2011


Mr Crucial posted:

Does it have to be a VPS bastion host? I use Cloudflare tunnels to expose some of my services including Vaultwarden to the internet. In addition to the CDN stuff you don’t need to have a fixed IP (everything is established from an agent in your environment via outbound HTTPS connections) plus you get the benefit of Cloudflare’s WAF and intrusion prevention technologies as extra protection. No need to open any ports at all on your end of the connection, and no need for port forwarding. It’s also free.

AFAIK Cloudflare tunnels always perform TLS termination, which I don't want. It might be irrational paranoia, but I don't want someone else's machine decrypting my traffic. I might as well run a cloud server in that case.

NihilCredo
Jun 6, 2011


Mr Crucial posted:

If you don’t like Cloudflare you could use OpenSSH tunnelling to do basically the same thing to your private VPS. That has the same advantage of being an outbound-initiated connection so no need for a fixed IP or any ports opening. Because it’s just SSH you don’t need any special software on the VPS, pretty much anything Linux would work. You’d need some sort of reverse proxy web server on the VPS to direct traffic down the tunnel once it’s established but it sounds like you’re already anticipating that.

Detecting if the tunnel goes down and bringing it up again automatically might require some finesse though.

I believe that this is one reason why Wireguard tunneling is pretty much recommended over SSH tunneling nowadays? Besides the (arguably) easier configuration, you can set a keepalive which helps when your home connection goes up and down.

Anyway, to (begin to) answer my own question, it seems I should not have been searching for "hardened" or "minimal" linux distros (because then I get general-purpose stuff like Alpine that needs configuration), but I should have been looking at router- and firewall-oriented distros.

https://en.wikipedia.org/wiki/List_of_router_and_firewall_distributions

I need to dig further, but OPNSense and VyOS seem the most promising options. IPFire looked interesting, but they seem to have a strange beef against Wireguard and, in the security/cryptography space, I definitely don't want to go against the herd.

e: yeah, replaced pfSense with OPNSense. I didn't know they were related, but from a quick googling OPNSense seems to be the consensus.
vvvvvv

NihilCredo fucked around with this message at 16:40 on Aug 31, 2022
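As an added illustration of the bastion described in the question a few posts up and of the keepalive mentioned in this reply (example config, not from anyone in the thread): the VPS terminates the WireGuard tunnel, DNATs public 80/443 to the home peer and leaves 22 for administration only, while the home side dials out and keeps the NAT mapping alive. The interface name eth0, the 10.66.0.0/24 tunnel range, vps.example.com and the key placeholders are assumptions.

```ini
# VPS side: /etc/wireguard/wg0.conf (added example; eth0, the tunnel range and
# the key placeholders are assumptions)
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>
# The VPS must route packets between eth0 and wg0
PostUp = sysctl -q -w net.ipv4.ip_forward=1
# Own nft table so everything below is removed cleanly on PostDown
PostUp = nft add table ip bastion
# Traffic to the VPS itself: only the admin SSH port, the WireGuard port and replies
PostUp = nft add chain ip bastion input '{ type filter hook input priority filter; policy drop; }'
PostUp = nft add rule ip bastion input iifname lo accept
PostUp = nft add rule ip bastion input ct state established,related accept
PostUp = nft add rule ip bastion input udp dport 51820 accept
PostUp = nft add rule ip bastion input tcp dport 22 accept
# Public 80/443 are rewritten to the home peer's tunnel address; 22 is deliberately not
PostUp = nft add chain ip bastion prerouting '{ type nat hook prerouting priority dstnat; }'
PostUp = nft add rule ip bastion prerouting iifname eth0 tcp dport { 80, 443 } dnat to 10.66.0.2
# Forwarding defaults to drop: only the DNATed web flows and their replies cross the box
PostUp = nft add chain ip bastion forward '{ type filter hook forward priority filter; policy drop; }'
PostUp = nft add rule ip bastion forward ct state established,related accept
PostUp = nft add rule ip bastion forward iifname eth0 oifname wg0 ip daddr 10.66.0.2 tcp dport { 80, 443 } ct state new accept
# Masquerade so replies come back through the tunnel. Side effect: the home reverse
# proxy sees 10.66.0.1 as every client's address, so client IPs are lost in its logs.
PostUp = nft add chain ip bastion postrouting '{ type nat hook postrouting priority srcnat; }'
PostUp = nft add rule ip bastion postrouting oifname wg0 masquerade
PostDown = nft delete table ip bastion

[Peer]
# Home server; it may only ever use its own tunnel address
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.66.0.2/32

# Home side: /etc/wireguard/wg0.conf. No ListenPort and nothing opened on the home
# router: the home box dials out, and the keepalive keeps the NAT mapping alive.
[Interface]
Address = 10.66.0.2/24
PrivateKey = <HOME_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <VPS_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vps.example.com:51820
AllowedIPs = 10.66.0.1/32
# Send an empty packet every 25 s so the path survives the home connection's NAT timeouts
PersistentKeepalive = 25
```

The reverse proxy (Caddy or similar) then runs at home on 80/443 and never needs to listen on the VPS; IPv6 and DNS are left out of this fragment.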

NihilCredo
Jun 6, 2011


BlankSystemDaemon posted:

Sure, it's just there used to be a kind of kayfabe around ProtonMail and ProtonVPN about them not logging IPs among all manner of other things.
Then it turned out that ProtonMail did log IPs, and also complied with French police so that the latter could deanonymize a French climate activist.

It's interesting that some people will absolutely buy into the notion that a company doesn't log IPs, when this implicitly means that the company will be on the hook for any criminal actions that someone using their service could do.

I went with Tutanota instead of Protonmail in part for this reason - they actively fought in court when asked to MITM one of their users (a drug dealer iirc), and they were very open about the outcome of the trial (they can be compelled by German courts to log unencrypted emails, but not to backdoor their E2E clients as the prosecutor asked).

NihilCredo
Jun 6, 2011


Nitrousoxide posted:

IIRC, Tutanota has had issues with getting blocked by major providers as a valid signup email. So keep that in mind as a potential limitation of its viability as a primary email.

https://techcrunch.com/2022/08/04/tutanota-cries-antitrust-foul-over-microsoft-teams-blocking-sign-ups-for-its-email-users/

I have a MS account with a Tutanota-hosted email, but I also use my own domain, so that's probably only an issue with the free @tuta.io addresses.

By the way, that was another reason for going with TN, they have one of the lowest prices for using your own domain (like 12€/y I think). If you don't self-host, I think using a personal domain is super important and a good compromise, as it will let you switch providers in a minute.

To complete the picture, IMO the biggest downsides of TN which you should know about are:

1) Mass exporting your emails is still on the roadmap after four years. There is a hacky third-party tool, and you can export individual mails just fine, but that's still a pretty important thing to leave on the backburner

2) Search is on local emails only (inevitable unless they figure out homomorphic encryption) and fairly slow

3) No SMTP bridge at all, so no way to use Outlook or Thunderbird. I didn't care about this at all, but I know some people have cherished email client setups. Note that all TN clients are FOSS (and they hope to eventually open source their server software as well).

NihilCredo
Jun 6, 2011


Well Played Mauer posted:

I have a Hetzner instance that I have thrown some public facing stuff for a group of friends I play tabletop RPGs with (a wiki, FoundryVTT install, group scheduling software). I do it because I don’t like exposing my home network and I wanted to learn remote hosting. I think it ends up being $20/month and if someone gets past the firewall and reverse proxy all they’re gonna get is an info dump on a fake World of Darkness city and a relatively underpowered bot net machine.

TIL you can self-host Foundry. Gonna have to look into it.

NihilCredo
Jun 6, 2011


I would like to understand something about ActivityPub / Fediverse, in the context of self-hosting. I've self-hosted Pleroma for a while a few years back, but the fediverse has grown a fair bit since.

There's a bunch of different AP-speaking apps with radically different purposes:

Mastodon/Pleroma/Misskey ~= Twitter
PixelFed ≃ Insta
PeerTube ≃ Youtube
Bookwyrm ≃ Goodreads
Lemmy/Kbin ≃ Reddit
WriteFreely ≃ Wordpress

But the idea is that since they all speak ActivityPub, they can all follow and publish to each other. Alice has a Bookwyrm blog where she reviews books, Bob makes vlogs for his PeerTube channel, Carol shares dumb links on her Lemmy. If they all follow each other, each other's media will appear on their "feed" in a limited form - Alice logs in to her Bookwyrm instance and she will see that Bob published a new vlog, without needing a PeerTube account. (Though, on Bookwyrm she'll probably just see a short description and a link to the Peertube page, rather than a full embed.)

Correct so far?

Assuming so, let's say I have my own domain & server, and I want to run my own social presence. But I may want to put multiple different types of media out there. Sometimes I'll tweet dumb poo poo, sometimes I'll review a book, sometimes I'll upload a video.

So I install Mastodon, Bookwyrm, and Peertube on my server. They're all single-user instances. Can I arrange them so that, to the outside world, I appear as a single person who just happens to publish on different media platforms?

That is, some dude using e.g. Pixelfed sees one of my comments, decides to follow me, and he should be able to see all of my content regardless of where it was originally created, without having to hunt down and individually click on the three different pages. Is this possible?

NihilCredo
Jun 6, 2011


I'm currently using Nomad to run my home lab (it's basically a step up from Docker Swarm, but still wayyyy simpler than Kubernetes), and used to do it at my day job, and I hard agree too - in fact, I don't bother with HA at all despite using a tool that can provide it.

There's a massive difference in required effort between "I want to be able to bring the app back online in a few minutes" vs. "I want the apps to go back online automatically", at least when the apps are stateful - and almost anything you'd care to self-host is going to be stateful.

A better reason to learn an orchestration system is to have a few text files that describe the full state of the system, so you can easily put them in a git repo or just copy around, and then you can bring everything back online with "docker compose up" or "nomad run" or "nix something" I guess, even if it's two years later and you've forgotten a bunch of details.

NihilCredo
Jun 6, 2011


Warbird posted:

Oh that reminds me. I was dinking around with Gitea the other day and had everything working except ssh authenticated repo stuff. How does that even work with a reverse proxy? I tried umpteen different ways of it and never had any success.

What reverse proxy are you using? Most are HTTP/S reverse proxies, and may or may not support other protocols; I think nginx has a module for generic non-HTTP TCP connections. In SSH contexts, a "reverse proxy" is usually called a "jump box" and is just a regular SSH server that you happen to tunnel connections through

The issue with SSH (and many non-HTTP protocols) is that it doesn't have a "Host: someservice.somedomain.com" header - you just connect to a certain IP and port. So a reverse proxy can't just look at the incoming request and figure out it is meant for a certain service - you need to open a dedicated port and forward all SSH connections from that port to Gitea.

IMO, git over HTTPS is gonna be much simpler unless some of your tooling doesn't support it.

NihilCredo
Jun 6, 2011


You get an error message because HTTPS doesn't work unless both sides agree to establish an encrypted connection, and with a normal client that means "the server must have a valid certificate for the domain my user asked for".

If you don't write a domain but only tell the client "please connect to 1.2.3.4 with HTTPS", it's going to want the server to have a valid certificate for that IP, which I don't think is possible and in any case Let's Encrypt doesn't issue those.

You would need to tell Caddy to generate a self-signed certificate, and then configure the client to accept it, which on modern browsers is made intentionally difficult for obvious security reasons.

If you just want a catch-all, I think you can tell Caddy to force unencrypted HTTP in that :443 no-domain block? It's still weird and unexpected though, the connection error is the "normal" behaviour.

NihilCredo fucked around with this message at 17:59 on Sep 23, 2023

NihilCredo
Jun 6, 2011


Warbird posted:

Speaking of, the pattern “https to the reverse proxy and the http to the service” is largely fine, correct?

Assuming the connection between the reverse proxy and the service is secure, yes.

Even if it isn't, a reverse proxy is gonna be more reliable at managing HTTPS than whatever service you're running, so you'd want to keep the HTTPS termination there and just protect the backend connection with a VPN.

The only time I would not want the reverse proxy to terminate HTTPS is if it's running on someone else's infra, eg Cloudflare.

NihilCredo
Jun 6, 2011


Quixzlizx posted:

So I don't need to change anything to increase my security then, because I want all connections not through the domain to fail. I just didn't know if there were any edge cases where a theoretical attacker could get around the lack of a certificate, which is why I was contemplating a catch-all rule to block everything else.

To clear a potential misconception: the standard purpose of HTTPS and certificates is a security measure against potential men-in-the-middle interfering in the communication between your server and a (legitimate) client.

They are irrelevant against an attacker who acts as a client, because their purpose is to prove to the client that the server is really yours.

If you want to use HTTPS to block unauthorized clients, you need to look into "client certificates", where you install specific certs on authorised client devices and the server validates that, and nobody else can use your services. Caddy supports them if you want. But a VPN like Tailscale is generally an easier way to get the same result.

NihilCredo
Jun 6, 2011


For those wanting a more barebones gallery, I've been shocked by how smooth PiGallery2 is.

Unlike most of the other more featureful services, it doesn't need to take control of your photo uploads. Just give it read-only access to your pictures folder and it works, so you can replace it at any time. Upload your photos via whatever app you are already using to sync everything else (I use round-sync/rclone).

NihilCredo
Jun 6, 2011


spincube posted:

Any suggestions for an Android RSS reader that'll sync up with a selfhosted FreshRSS instance?

I can sort of get by with the mobile web interface, but a dedicated app would be ideal.

Feeder should do.

NihilCredo
Jun 6, 2011


SEKCobra posted:

Is there a hands off nextcloud server yet? The Hansson IT guys seem to be purposefully breaking stuff on major releases so you have to use their IT services.

Hetzner?

NihilCredo
Jun 6, 2011


Oysters Autobio posted:

Sorry I probably should be more specific. I guess what I mean is what is the difference between a prebuilt NAS like synology and just any other small form factor PC?

Is it just ease (no assembly, plug N play) and form factor on the big HD bay style NAS?

Yes. Modern Synology-type NAS products are literally just small PCs running Intel/AMD processors and a Linux-based OS called Diskstation Manager.

Compared to a regular cheap PC, their main advantage is the design and volume efficiency. Despite having a lightweight CPU and RAM, they have plenty of storage and often extra Ethernet ports, and a custom case with small size and easily accessible disk bays. Very few SFF PC cases have 4+ 3.5" bays, and retail ITX motherboards are oddly expensive.

If you have room in your house and you're just stuffing the NAS in a closet or something, a normal-sized PC will do the same job for cheaper. Consider the cost of electricity where you live and do some napkin maths to figure out how much it is worth to you to save ~1W in power draw.

NihilCredo
Jun 6, 2011


cruft posted:

Flatcar is the rightful heir of CoreOS. I think SuSE bought it? Maybe Microsoft?

Flatcar was bought by Microsoft. I used it at my old job and I was very happy with it. Stable, minimal, excellent documentation, and it felt very well thought out for people running serious money on it.

For example, here are the docs on reboot strategies:

https://www.flatcar.org/docs/latest/setup/releases/update-strategies/

It's definitely aimed at production enterprise cloud usage, but I can't think of any reason it wouldn't make a good OS image for a hobbyist VM / container host. We ran it on a tiny scale, like a couple dozen VMs at peak load, and it never got in our way.

NihilCredo
Jun 6, 2011


cruft posted:

I feel like that was the main thing. Databases want to do weird tricks with files, and adding filesystem abstraction is problematic.

Yep, for example postgres on even NFS is a big no-no, and forget of course about S3-esque providers.

The other things that containers are good at are horizontal scaling (databases need to use their own replication systems) and ephemeralness (databases have long starts and lots of long-running operations, and upgrades are typically one-way operations).

That said there's nothing wrong in running your database process in a container as long as you lock it to one instance, on one machine, with direct disk mounting and never restarting. You don't get to use any container management tricks, but you still avoid having to deal with system dependencies directly, and more importantly you can integrate the database configuration in whatever tool you are using to manage the rest of your stack. Makes it easier to deploy multiple environments too.

NihilCredo
Jun 6, 2011


Mr Crucial posted:

Going back to single container deployments and tolerating a few minutes of downtime whenever I need to restart something looks more appealing with every issue that I hit.

I don't know what services you're hosting exactly, but I think most peeps in this thread are totally fine with like 66% uptime lol (auto-turn off the services at night).

NihilCredo
Jun 6, 2011


Variable 5 posted:

Are people using torrents and not paying for VPNs?

Most of the world doesn't give a poo poo about piracy. ISP letters are only a thing in the US, Germany, and a handful of other countries.

NihilCredo
Jun 6, 2011


cruft posted:

I don't suppose anyone on here has experience with a CalDAV server that isn't NextCloud/OwnCloud?

I do. Baikal works fine. I put it in a container and disabled the web interface after setting it up. I've got Davx5 syncing contacts and calendars, and jtxNotes syncing notes and to-dos.

NihilCredo
Jun 6, 2011



I went through a similar journey and tried many of the same things. I'm also running on low-power hardware, a Pi4 with 4GB and a USB HDD (though my desktop can also run services if needed via Nomad), and Nextcloud was getting too clunky.

I eventually ended up with rclone running "serve sftp" in a `restrict,command` SSH key, so it's not even running when a client isn't connected and my clients don't have unrestricted shell access.

On the desktop, I browse files with KDE Dolphin and sync with rclone. On Android, I do both with RoundSync (which is literally rclone in app form).

I use PiGallery2 for photo and video albums, it's indeed as blisteringly fast as it claims. Since it's just a webapp/PWA, I added a basic auth with Caddy so I don't need to trust the authors' security. It lacks any ML-based autotagging capabilities like Immich etc., but my desktop has a LLM-capable GPU and it's a task I would like to eventually automate separately that way.

edit: I didn't stick with it for reasons I now can't remember, but you may want to take a look at KaraDAV. It's fast and puts a real effort into being compatible with Nextcloud client apps. Main downside is it's a small project by a small company, so you may want to be careful with security.

NihilCredo fucked around with this message at 10:26 on Feb 26, 2024
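What the `restrict,command` key in this post looks like in practice, as an added example rather than the poster's actual files: the `sync` account, the /srv/files path, the host name and the key string are assumptions or placeholders.

```ini
# /home/sync/.ssh/authorized_keys on the Pi (added example; account, path and key are placeholders)
# restrict : no port/agent/X11 forwarding, no pty, no ~/.ssh/rc for this key
# command= : sshd runs this instead of whatever the client asked for, so the key can
#            only ever speak SFTP to rclone over stdin/stdout and never reaches a shell.
#            rclone itself is only alive while a client session is open.
restrict,command="rclone serve sftp --stdio /srv/files" ssh-ed25519 AAAA<PUBLIC_KEY_PLACEHOLDER> desktop-rclone

# ~/.config/rclone/rclone.conf on the desktop client: an ordinary SFTP remote using that key
[pi]
type = sftp
host = pi.lan
user = sync
key_file = ~/.ssh/id_ed25519_pi
# then e.g.:  rclone sync ~/Photos pi:Photos
```

Because the forced command is fixed server-side, a stolen client key is limited to the SFTP view of /srv/files; if that key should be read-only, that is a flag to add to the forced command rather than something the client can choose.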

NihilCredo
Jun 6, 2011


You might have better luck with a Mastodon-Twitter crossposter, then you can use Mastodon's built-in RSS feed.


NihilCredo
Jun 6, 2011


Flyndre posted:

Additionally, I'd like to share services like Jellyfin and Jellyseerr with a family member who might access them remotely, for example, through an Apple TV. However, I'm concerned that Authelia may not work well with such a setup?

I'm not familiar with Apple TVs, but Authelia is a web-based authentication portal - it uses cookies and standard HTTP web page redirects to perform its job.

So if the device they're using is a generic web browser, Authelia will work transparently; if it's a dedicated Jellyfin client like Findroid, it most likely won't.
