• 1 Post
  • 150 Comments
Joined 1 year ago
cake
Cake day: July 3rd, 2023

help-circle
  • Unfortunately not as self hosting is really just an amalgamation of a number of different technologies, concepts, groups of best practices, and there are nine and a half viable ways to do any given thing you’ll want to do. For my day job I manage several public systems that serve millions of requests a day and even I can’t really give you a “One definitive way of doing things”, but I have my preferences.

    I think if you wanted a rough plan of what would be the most valuable things to learn in which order it would be

    1. Docker, especially persisting your storage and also how its network works. Use containerized services only on your local network at first to get a feel for things, and give yourself the ability to screw things ip without putting yourself in any danger.

    2. VPNs and how they work. You can start with a direct stupid simple VPN like WireGuard, or Tailscale if you want a mesh-VPN. This will allow you to reach your services remotely without having to worry too much about security and the micromanagement that can sometimes come with it.

    3. Reverse proxies for things you’d like to expose to the public. At this point you want to learn as well about things like server hardening, have a system in place to automate software updates etc. there’s a common misconception that using a reverse proxy is innately much safer than port forwarding directly to your services. It can help by obscuring your home IP, and if you pair it with a WAF of some kind that’ll help you with much of the chaff attacks that get tossed your way, but at the end of the day in both cases you’re exposing the web services on your local network to the internet at large, so you have to understand the risk and reward of doing this.



  • Believing that either the Reddit exodus was negligible to that community, or that it was entirely decimated and left to Lenny are both inaccurate opinions. There was a very tangible effect on the selfhosted subreddit specifically when many left for Lemmy, and now both communities both feel like two halves of the same whole. Enough people moved over to lemmy that I truly don’t feel the need to open reddit hardly ever, but I do from time to time. I think lemmy also has a benefit that other fediverse sites like Mastodon don’t, in that Lemmy is not quite as allergic to the concept of discoverability, and the fact that Lemmy is inherently based around communities means that you don’t have to do the Mastodon thing where you spend the first month having to go out and follow a ton of individuals. You can just follow a couple communities and the content flows in.


  • I switched from SWAG to Caddy. Its config file is much simpler, with many best practice settings being default resulting in each sites being like 3 lines of code. Implementing something like mTLS requires one line per site, just super nice to configure, and you’re not left without a template config for more obscure services.

    That being said, SWAG does more than enough and Nginx is a powerful software so you really aren’t missing out on anything but more streamlined config.

    Traefik is kind of just like, a nightmare that tries to sell you on it being “self configuring” but it takes some work to get to that point and the “self configuring” requires the same amount of time in a text editor as manually configuring Caddy does. I can see Traefik being powerful if you’re using it with actually clustered k8s and distributed workloads. If that’s not your use case it’s kinda just more work than it’s worth.



  • As somebody who runs Ubiquity UniFi gear, it’s all flash and very little substance. Its dashboard will dazzle you with charts that either aren’t accurate, aren’t meaningful, or are generally unhelpful. It has a “new” (half a decade old now) and classic interface you can choose between, but neither interface gives you access to every setting you’ll need. I still to this day find myself swapping between them.

    If you just need basic devices to make packets go, they do the job. But an average day in the life of a UniFi-enjoyer consists of things like trying to troubleshoot some kind of network issue only to find that the data collected by the devices doesn’t mathematically make sense, so you go to the UniFi forums just to find out it’s a bug that’s existed for years and has never been resolved. And on days like that, I find myself wishing I had something less flashy that would just allow me to see what’s going on with my network, accurately.



  • There’s nothing wrong with just using a VPS for this. Despite what some mouth-frothing hobbyists will tell you, it’s still well within the realm of self hosting. There’s just no reason or difference for hosting a blog on your UnRAID server vs a VPS.

    If you really want to be some kind of purist and only use your own hardware, then you could configure a web server that can reverse proxy on your UnRAID server and forward port 443 in your router to your UnRAID box, but you’d have to change your UnRAID access port to something else. You’d want to keep this web server docker container up to date, and preferably see if you can implement some kind of WAF with it or in front of it. You’d then forward the requests from this web server to your ghost container.

    A better idea would be to use a different piece of hardware for this web server reverse proxy, like a raspberry pi or something, and put it on a different subnet in your house. Forward 443 to that, then proxy the connection back to UnRAID, in whatever port you bind the ghost container to. Then you can tighten access that raspberry pi has. Or hell, host the blog on that hardware as well and don’t allow any traffic to your main LAN.

    There are half a dozen better ways to do this, but they all require you to rely on a third party service to some extent.


  • Encrypt-Keeper@lemmy.worldtoSelfhosted@lemmy.worldDNS?
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 months ago

    Getting all the functionality of Pihole into Unbound would be a good deal more than “a little work” lol. And for no real practical reason when all you’re trying to do is set up secure DNS with some ad blocking on your network. And this is coming from a professional who wouldn’t have to “learn” anything to do it. If it was really that little work, Pihole + Unbound wouldn’t be the go-to solutions for so many people.


  • Encrypt-Keeper@lemmy.worldtoSelfhosted@lemmy.worldDNS?
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    2 months ago

    I mean if you want to build something around Unbound to do ad blocking and set up a monitoring stack for metrics and all that jazz that’s great, more power to you. But you already have two things built for purpose, there’s no reason to go out of your way to do that. And I don’t think OP here is prepared to do all that.


  • Encrypt-Keeper@lemmy.worldtoSelfhosted@lemmy.worldDNS?
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    For the same reason you’re running AdGuard and not just pointing all your devices at the recursive upstream.

    You’re using AdGuard / Pihole as an ad sinkhole, not just to cache and forward DNS requests. Like if you really wanted to you could hack together something in Unbound to do that, but why would you do that when Pihole already exists? You have two things built for purpose.


  • Encrypt-Keeper@lemmy.worldtoSelfhosted@lemmy.worldDNS?
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    2 months ago

    If you want to run your own recursive DNS server, why would you run two separate DNS servers?

    I’m not sure I understand your question. A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both. You yourself are using AdguardHome and that is just connecting to recursive DNS server upstream. In my scenario you’re just running both yourself instead of you running one and then letting a 3rd party run the other for you.

    Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them.

    You can encrypt the recursive queries through your ISP if you want to. Though the effectiveness of any profiling your ISP would do to you are minimized by Qname minimization that Unbound does by default.

    If you’re just using DoH then you’re just shifting who’s making that advertising profile on you from your ISP to whoever is hosting your upstream recursive DNS server. It doesn’t matter how much encryption you do because on the other end of that encrypted connection is the entity who you’re giving all your queries to.


  • Encrypt-Keeper@lemmy.worldtoSelfhosted@lemmy.worldDNS?
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    2 months ago

    I would say Pihole is a better choice than AdGuard home because PiHole just runs on top of dnsmasq. Throw Unbound on there too as your upstream recursive resolver and you’re set. You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.



  • The point of paid SSL at this stage in the game are the higher tiers of verification. Instead of just verifying that you own the domain, you can verify that you are who you say you are. These are called Extended Validation and Organizational Validation certificates. This has historically been desirable by businesses. It used to be that these higher tier certs would not only give you a lock icon in the address bar of a web browser, but also a little blurb confirming your organization is legit. Not sure if this is still the case though. You will see the extended validation when you check the sites certificate though for sure.

    As far as encryption and security, there’s no difference. Also side note, the Comodo brand still technically exists but it was bought by Sectigo like 7 years ago.





  • Incorrect. It applies only to the forums. It does not apply in any way, shape, or form to your VPS or the content on it. It’s one thing to be mistaken, but let’s not spread misinformation on purpose.

    A Reddit post incorrectly took portions of our Terms of Service out of context, which only pertain to content provided to Vultr on our public mediums (community-related content on public forums, as an example) for purposes of rendering the needed services – e.g., publishing comments, posts, or ratings. This is separate from a user’s own, private content that is deployed on Vultr services.

    Since our inception, Vultr has been committed to upholding and adhering to the strictest data privacy and protection standards across the world (including HIPAA, GDPR, and DPDPA). Our customers own 100% of their content.