agnos.is Forums


Selfhosting Sunday - What's up?

149 Posts 78 Posters 834 Views
  • S [email protected]

    In my experience mini computers don't handle power failures nearly as well as purpose-built hardware.

    After several power failures the SSD on my Raspberry Pi became so corrupted it wouldn't boot, and I was 250 miles away at the time and lost access to my home network for weeks. Overlay file systems work but are a PITA to maintain. By contrast my routers have never had a problem even with repeated power failures, so instead of relying on the Pi I've moved my DNS and Wireguard servers to my router.

    Besides adding a UPS, how do you deal with power failures? Are you somewhere where they're not much of a problem?

    R This user is from outside of this forum
    [email protected]
    wrote on last edited by
    #103

    All of my remote routers are running RouterOS without anything on top of it. RouterOS is powerful enough for anything I throw on it. But I am using much beefier routers, I have 2 x 5009 and a HAP AX3 which have plenty of flash and ram to run the additional packages I need.

    As for normal computers, I have it on a UPS and I back up core files to off-site areas. Additionally, I buy SSDs that have a little bit of power loss protection.

    I've never had issues with mini PCs but I've had issues with PIs. I've since switched to high endurance SD cards for my Pis and they've been rock solid. One's actually semi exposed to the elements for about a year now without a hiccup.

    With RouterOS you can still use DoH with either a self hosted list or a selected ad list. If you want to selfhost a DNS server I'd just host an Adguard Home instance on a VPS for all of your devices.

    I also have 2 VPN systems for my remote management on 2 separate systems. I learned that the hard way when one of my clients is 8 timezones away.

    S 1 Reply Last reply
    0
    • S [email protected]

      That really depends on your use case. I use very little transfer because most of my usage is within my LAN. I set up a DNS server (built in to my router) to resolve my domains to my local servers, and all the TLS happens on my local server, so it never goes out to the VPS. So I only need enough transfer for when I'm outside my house.

      Here's my setup:

      • VPS - WireGuard and HAProxy - sni-based routing
      • router - static DNS for local services
      • local servers - TLS trunking and services

      My devices use my network's DNS, but if that fails, they fall back to some external DNS and route traffic through the VPS.

      VPSs without data caps tend to have worse speeds because they attract people who will use more transfer. I think it's better to find one with a transfer cap that's sufficient for your needs, so things stay fast. I use Hetzner, which has generous caps in the EU (20TB across the board) and good enough for me caps in the US (1TB base scales with instance size and can buy extra). Most of my use outside my house is showing something off every now and then, or accessing some small files or uploading something (transfer limits are only for outgoing data).

      C This user is from outside of this forum
      [email protected]
      wrote on last edited by
      #104

      Ok, didn't think about "unlimited" actually being slower - thanks for the insight.

      I'm running a pfSense f/w at the edge, so split horizon DNS and haproxy are already sorted... I'll check out wireguard - should be straightforward

      Thanks

      1 Reply Last reply
      0
      • dan@upvote.auD [email protected]

        I'm not the person you're replying to, but Authentik:

        • Has a UI for configuring it, including adding users.
        • Supports LDAP if you need it. Authelia needs a separate LDAP server.
        • Supports practically every two factor auth protocol you'd need: OIDC (OpenID Connect), OAuth2, SCIM, SAML, RADIUS, LDAP, and proxying for apps that don't support any of them (which is getting rarer).
        • Supports permissions and permission groups, i.e. only allow certain users to access particular apps.
        • Can be used as the source of truth for Google Workspace and Microsoft Entra. Maybe not as relevant for home use.

        I haven't tried Keycloak but I hear it's pretty good, albeit a heavier app to deploy.

        I have tried Authelia, and it's much less powerful than Authentik. Authelia requires you to manually modify config files rather than using a web UI. It also only supports OIDC (which is in beta) and proxying.

        T This user is from outside of this forum
        [email protected]
        wrote on last edited by
        #105

        Keycloak is very much lighter actually. Can run under half a gig ram whereas authentik uses about 1GB.

        Authelia is king though in running with just about 30MB of ram.

        dan@upvote.auD 1 Reply Last reply
        0
        • T [email protected]

          What's up, what's down and what are you not sure about?

          Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.

          I This user is from outside of this forum
          [email protected]
          wrote on last edited by
          #106

          Shoutout to @Estebiu for helping me appreciate the joy of docker compose. I got to set up Navidrome and it's been great!

          With that said, I have a security-related question: at what point in self-hosting am I exposed to the outside internet that warrants things like reverse proxies and other security measures? I'm currently typing router IPs (e.g. 192.168.x.x) to access the services, so is my machine exposed if the only people intending to connect are local on our wireless network?

          T Y 2 Replies Last reply
          0
          • R [email protected]

            All of my remote routers are running RouterOS without anything on top of it. RouterOS is powerful enough for anything I throw on it. But I am using much beefier routers, I have 2 x 5009 and a HAP AX3 which have plenty of flash and ram to run the additional packages I need.

            As for normal computers, I have it on a UPS and I back up core files to off-site areas. Additionally, I buy SSDs that have a little bit of power loss protection.

            I've never had issues with mini PCs but I've had issues with PIs. I've since switched to high endurance SD cards for my Pis and they've been rock solid. One's actually semi exposed to the elements for about a year now without a hiccup.

            With RouterOS you can still use DoH with either a self hosted list or a selected ad list. If you want to selfhost a DNS server I'd just host an Adguard Home instance on a VPS for all of your devices.

            I also have 2 VPN systems for my remote management on 2 separate systems. I learned that the hard way when one of my clients is 8 timezones away.

            S This user is from outside of this forum
            [email protected]
            wrote on last edited by
            #107

            Power loss protection on SSDs is an interesting addition I hadn't come across before.

            We live in a very windy area and power blinks are common. A high endurance MicroSD was in use the first time the Pi wouldn't boot, but I was in town and it was just annoying. It was a big issue when the Pi wouldn't boot from the SSD while I was out of the country.

            We don't have high bandwidth demands so any decent OpenWRT router works fine and supports both Adguard Home and Wireguard. What I really like about putting WG in particular on the router is that if the router is up, WG is working, and the routers come back up without fail after every power outage. A 2nd Wireguard instance still runs on my Pi but since switching to WG on the router a year ago there hasn't been a reason to even connect to it.

            My problems with the Pi had me looking for other solutions and I ended up with a mini Dell laptop running Debian. (Can't easily run WG on it due to some software conflicts.) It alleviates the need for a UPS and runs for 6+ hours if the power goes out, rather than the minutes provided by my small UPS.

            One of these days I'll find a bogus reason to talk myself into upgrading the router with more powerful hardware. Mikrotik looks like a great option and I'll take a look at RouterOS. Thanks for the info.

            R 1 Reply Last reply
            0
            • mcmonster@programming.devM [email protected]

              It's a complete experiment with cheap network gear from China. I have a HP T730 mini PC that serves as my router. I'm installing a cheap 2.5 Gbps NIC for LAN side. Then there's a switch with 4x2.5 Gbps Ethernet and 2xSFP+ ports. My two main machines (PC and home server) are getting 10 Gbps SFP+ cards that I'll attach with DAC cables.

              OS is OpenWRT, because I've been connecting over WiFi to the Internet in both old and new locations. OPNsense just will not work with any wireless adapter I've tried. I will try again once I route Ethernet to my room.

              I'm curious if all of this works with cheap network gear. Today I'm configuring a fresh OpenWRT installation on the router.

              mcmonster@programming.devM This user is from outside of this forum
              [email protected]
              wrote on last edited by
              #108

              Now it gets funnier. The new 2.5 Gbps NIC just randomly appears on boot or not. I've spent half of the day to troubleshoot this and can't figure out why.

              1 Reply Last reply
              0
              • T [email protected]

                What's up, what's down and what are you not sure about?

                Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.

                E This user is from outside of this forum
                [email protected]
                wrote on last edited by
                #109

                https://romm.app/

                A catalog for organizing various ROMs you have. It can pull metadata from a number of sources and properly add all the details, cover art, and platform information to each game. It’s smart enough to auto-generate collections based on game series, and embed YouTube videos for gameplay of each one without even any configuration.

                The best part? It has Ruffle and EmulatorJS built in so you can play any games supported by EmulatorJS in your browser. I tested games up to N64 and they all ran smooth as butter right in the browser with gamepad configurations built in. They even support local multiplayer.

                1 Reply Last reply
                0
                • S [email protected]

                  I hadn't heard of it, and looking into quarkus just reminded me of how complicated the whole Java ecosystem is. Gross.

                  Hosting Go, Rust, etc stuff is dead simple, but with Java, there's all this complexity...

                  dan@upvote.auD This user is from outside of this forum
                  [email protected]
                  wrote on last edited by
                  #110

                  Nothing's as bad as trying to host and maintain a Ruby on Rails app 🙂

                  Docker has made a lot of it a non-issue though, since the apps are already preconfigured within the Docker image.

                  S 1 Reply Last reply
                  0
                  • T [email protected]

                    Keycloak is very much lighter actually. Can run under half a gig ram whereas authentik uses about 1GB.

                    Authelia is king though in running with just about 30MB of ram.

                    dan@upvote.auD This user is from outside of this forum
                    [email protected]
                    wrote on last edited by
                    #111

                    That's interesting... It used to be a lot heavier.

                    Authelia is definitely the lightest in terms of RAM, but it's also the lightest in terms of features. As far as I can remember, they only added OIDC support fairly recently - previously it only supported proxying.

                    1 Reply Last reply
                    0
                    • I [email protected]

                      Shoutout to @Estebiu for helping me appreciate the joy of docker compose. I got to set up Navidrome and it's been great!

                      With that said, I have a security-related question: at what point in self-hosting am I exposed to the outside internet that warrants things like reverse proxies and other security measures? I'm currently typing router IPs (e.g. 192.168.x.x) to access the services, so is my machine exposed if the only people intending to connect are local on our wireless network?

                      T This user is from outside of this forum
                      [email protected]
                      wrote on last edited by
                      #112

                      To expose your stuff to the outside internet, you need to actively set port forward in your internet router, you won't do that by accident.

                      I 1 Reply Last reply
                      0
                      • blueether@no.lastname.nzB [email protected]

                        Email...
                        My wife really wants to further de-google, this means moving custom domains off G Suite.

                        Do I move to proton/tuta or go back to self hosting email again like I did for years until about 2010?

                        If I self host, do I do it at home or on the server that runs my lemmy instance?

                        P This user is from outside of this forum
                        [email protected]
                        wrote on last edited by
                        #113

                        Don't go to Proton or Tuta - both are impossible to get out of basically, do not support free standards and Proton is scummy in terms of their marketing.

                        Mailbox.org
                        Infomaniak
                        Fastmail
                        Posted

                        Just to name a few.

                        1 Reply Last reply
                        0
                        • T [email protected]

                          What's up, what's down and what are you not sure about?

                          Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.

                          P This user is from outside of this forum
                          [email protected]
                          wrote on last edited by
                          #114

                          Debating with myself and to a lesser degree what to do in terms of our homeserver situation.
                          While the proxmox node has more than enough CPU and RAM capacity left, the NAS, an older Synology, is full to the brim, EOL and needs replacement. And sadly being a mini PC the proxmox node is unable to get the HDs connected.

                          So something new is needed and I would rather have my setup streamlined and combine the two.

                          But that is... More difficult than anticipated.
                          I really would like something power saving with ECC ram that can take at least two PCI-e (SFP+ and a potential graphic card for AI later on). That can take 4, better 6 HDs. And at least one, better two NVMe.
                          ...that basically means self building which I am happy with, but all current builds I calculate come out somewhere south of 2000€ (including two new HDs, as two old ones need to go).
                          And that's sadly out of the financial possibility at the moment.

                          If only the fucking Ugreen (DXP6800) would support ECC. While not ideal in terms of PCI-e it would be enough to do the trick.

                          P 1 Reply Last reply
                          0
                          • T [email protected]

                            What's up, what's down and what are you not sure about?

                            Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.

                            possiblylinux127@lemmy.zipP This user is from outside of this forum
                            [email protected]
                            wrote on last edited by
                            #115

                            I'm moving to Podman quadlets

                            1 Reply Last reply
                            0
                            • T [email protected]

                              What's up, what's down and what are you not sure about?

                              Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.

                              jagged_circle@feddit.nlJ This user is from outside of this forum
                              [email protected]
                              wrote on last edited by
                              #116

                              Finally installed jellyfin when I realized I could use rclone to mount 10G of free disk space from box (with client side encryption using rclone) on my server.

                              Very easy to install on Debian, but the plugins are a security nightmare. Jellyfin devs are kinda dumb.

                              C 1 Reply Last reply
                              0
                              • V [email protected]

                                I've just set up Wireguard, so I can access my home network from everywhere, but the old laptop that I wanted to use as a server has just quit. So now I have to find a different machine

                                jagged_circle@feddit.nlJ This user is from outside of this forum
                                [email protected]
                                wrote on last edited by
                                #117

                                Any way to do this on Android when also connected to another commercial VPN? I want both, but where only 10.X traffic goes to my personal network and the rest goes out through commercial VPN/Tor.

                                1 Reply Last reply
                                0
                                • atheartengineer@lemmy.worldA [email protected]

                                  The only feature I want that jellyfin doesn't have (or I haven't found it) is shuffle. Throwing on how it's made or mythbusters on shuffle is great background stuff.

                                  jagged_circle@feddit.nlJ This user is from outside of this forum
                                  [email protected]
                                  wrote on last edited by
                                  #118

                                  Aren't there clients that support that?

                                  atheartengineer@lemmy.worldA 1 Reply Last reply
                                  0
                                  • jagged_circle@feddit.nlJ [email protected]

                                    Aren't there clients that support that?

                                    atheartengineer@lemmy.worldA This user is from outside of this forum
                                    [email protected]
                                    wrote on last edited by
                                    #119

                                    Maybe, I haven't seen it yet though

                                    jagged_circle@feddit.nlJ 1 Reply Last reply
                                    0
                                    • jagged_circle@feddit.nlJ [email protected]

                                      Finally installed jellyfin when I realized I could use rclone to mount 10G of free disk space from box (with client side encryption using rclone) on my server.

                                      Very easy to install on Debian, but the plugins are a security nightmare. Jellyfin devs are kinda dumb.

                                      C This user is from outside of this forum
                                      [email protected]
                                      wrote on last edited by
                                      #120

                                      A LOT of plugins in many projects are a huge concern. I say this as someone who ran security for an OS for a while. It's just people making bad decisions for everyone and then hand-waving the risks when questioned.

                                      jagged_circle@feddit.nlJ 1 Reply Last reply
                                      0
                                      • dan@upvote.auD [email protected]

                                        Nothing's as bad as trying to host and maintain a Ruby on Rails app 🙂

                                        Docker has made a lot of it a non-issue though, since the apps are already preconfigured within the Docker image.

                                        S This user is from outside of this forum
                                        [email protected]
                                        wrote on last edited by
                                        #121

                                        Agreed, with the clear exception being PHP, which often requires configuring a web server.

                                        1 Reply Last reply
                                        0
                                        • T [email protected]

                                          To expose your stuff to the outside internet, you need to actively set port forward in your internet router, you won't do that by accident.

                                          I This user is from outside of this forum
                                          [email protected]
                                          wrote on last edited by
                                          #122

                                          What a relief, thanks for the clarity! I have vague memories of doing that as a teenager to play various games with friends, which sounds like something risky a teenager would do 😅

                                          1 Reply Last reply
                                          0