Selfhosting Sunday - What's up?
-
A LOT of plugins in many projects are a huge concern. I say this as someone who ran security for an OS for a while. It's just people making bad decisions for everyone and then hand-waving the risks when questioned.
I dont mean the plugins themselves but the fact that there's no way to safely download a plugin.
Even if the plugin really is benign, jellyfin will happily download something inauthentic and malicious befuarse there's no cryptographic signature checks
-
Maybe, i haven't seen it yet though
I do it for music
-
What's up, what's down and what are you not sure about?
Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.
I've been fending off AI bots the last week or so; wrote about it here:
https://gerowen.substack.com/p/the-ai-data-scraping-is-getting-out
-
I think so.
It is LXD + KVM, so way more and finer tune control on lxc instances. It can run OCI images as well, so for docker instances with only a few configs and no persistent storage, it is actually quite handy. For docker instances that need pretty complicated compose files, I just run docker inside an lxc for now, until I figure that out.
Does Incus allow you to use a VM with a GUI? One thing that's nice about Proxmox is I have one VM with a very basic lxqt setup for when I need that, and I can either use remote-viewer + the spice protocol to access it or access it through the Proxmox web ui. That's been very handy.
-
If at all possible see if you can do wireguard yourself. Tailscale is basically inserting a third party company for no reason as its just wireguard with their servers involved. For example if you can run opnsense its easy to get running via the GUI. Very rewarding!
Any resources you'd recommend?
-
Power loss protection on SSDs is an interesting addition I hadn't come across before.
We live in a very windy area and power blinks are common. A high endurance MicroSD was in use the first time the Pi wouldn't boot, but I was in town and it was just annoying. It was a big issue when the Pi wouldn't boot from the SSD while I was out of the country.
We don't have high bandwidth demands so any decent OpenWRT router works fine and supports both Adguard Home and Wireguard. What I really like about putting WG in particular on the router is that if the router is up, WG is working, and the routers come back up without fail after every power outage. A 2nd Wireguard instance still runs on my Pi but since switching to WG on the router a year ago there hasn't been a reason to even connect to it.
My problems with the Pi had me looking for other solutions and I ended up with a mini Dell laptop running Debian. (Can't easily run WG on it due to some software conflicts.) It alleviates the need for a UPS and runs for 6+ hours if the power goes out, rather the minutes provided by my small UPS.
One of these days I'll find a bogus reason to talk myself into upgrading the router with more powerful hardware. Mikrotik looks like a great option and I'll take a look at RouterOS. Thanks for the info.
RouterOS has WG built in as well as ZeroTier. RouterOS has become quite powerful lately, but make sure you have at least an ARM/ARM64 CPU for it.
-
What's up, what's down and what are you not sure about?
Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.
I've setup Nextcloud on Hetzner, and have ordered a mini PC to run Immich and experiment with.
Still trying to decide on a good cheap email host that I can also move my family on to eventually.
-
Does Incus allow you to use a VM with a GUI? One thing that's nice about Proxmox is I have one VM with a very basic lxqt setup for when I need that, and I can either use remote-viewer + the spice protocol to access it or access it through the Proxmox web ui. That's been very handy.
It can manage KVM, so I don't see why not .
-
I've setup Nextcloud on Hetzner, and have ordered a mini PC to run Immich and experiment with.
Still trying to decide on a good cheap email host that I can also move my family on to eventually.
I recently moved from Gmail to mailbox.org with my own domain. Works as it should so far. And for 2.5€ per month I can't complain about the price either.
And switching email addresses has actually been less painful than I expected. Most services let you change the associated Mail easily.
-
Shoutout to @Estebiu for helping me appreciate the joy of docker compose. I got to set up Navidrome and it's been great!
With that said, I have a security-related question: at what point in self-hosting am I exposed to the outside internet that warrants things like reverse proxies and other security measures? I'm currently typing router IPs (e.g. 192.168.x.x) to access the services, so is my machine exposed if the only people intending to connect are local on our wireless network?
There's nothing wrong with making a reverse proxy only for use inside your homelab. It's one way to resolve internal DNS queries and give addresses to your services. It's perhaps the best, because it's the only way I know that doesn't necessitate remembering port numbers.
E.g. You are hosting something at 192.168.1.20 on port 3310. Even if you set a local DNS record for pihole.itjust.donn to resolve to 192.168.1.20, you'll still have to type pihole.itjust.donn:3310 to access it. The same isn't true with a reverse proxy.
-
I do it for music
Damn ok that sucks it doesn't seem available on the client for apple tv.
-
I see it in the default WebUI, perhaps whatever app you're using doesn't support it?
Ya I don't think it's supported on the apple tv app. Damn.
-
Damn ok that sucks it doesn't seem available on the client for apple tv.
Yeah I dont know why any Dev wouldn't choose a cross platform framework
-
What's up, what's down and what are you not sure about?
Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.
Finished my migration from Plex to Jellyfin
-
Yeah I dont know why any Dev wouldn't choose a cross platform framework
I've never done dev for apple stuff, but I think it's probably just not that friendly with more open/cross platform frameworks
-
What's up, what's down and what are you not sure about?
Let us know what you set up lately, what kind of problems you currently think about or are running into, what new device you added to your homelab or what interesting service or article you found.
Was using realvnc to vnc from remote, it was easy and cloud driven.
Fully swapped to tailscale and normal VNC sever now.
Performance is good and works great for the troubleshooting and small GUI stuff I need to do.
-
Debatting with myself and to a lesser degree what to do in terms of our homeserver situation.
While the proxmox node has more than enough CPU and RAM capacity left, the NAS, an older Synology, is full to the brim, EOL and needs replacement.And sadly being a mini PC the proxmox node is unable to get the HDs connected.So something new is needed and I would rather have my setup streamlined and combine the two.
But that is... More difficult than anticipated.
I really would like something power saving with ECC ram that can take at least two PCI-e (SFP+ and a potential graphic card for AI later on). That can take 4,better 6 HDs. And at least one,better two NVMe.
...that basically means self building which I am happy with, but all current builds I calculate come out somewhere south of 2000€ (including two new HDs, as two old ones need to go).
And that's sadly out of the financial possibility at the moment.If only the fucking Ugreen (DXP6800)would support ECC. While not ideal in terms of PCI-e it would be enough to do the trick.
I use a little mini PC with a DAS connected via USB. So you don't need to go full server to expand the storage.
-
I use a little mini PC with a DAS connected via USB. So you don't need to go full server to expand the storage.
That's a bit below the level of reliability I need,sadly - before doing that I could also go for a non ECC solution.
-
I've been fending off AI bots the last week or so; wrote about it here:
https://gerowen.substack.com/p/the-ai-data-scraping-is-getting-out
Interesting writeup, thanks! I thought maybe dropping connections with those user agents would be the best but idk. My sites have not been targeted yet fortunately.
-
There's nothing wrong with making a reverse proxy only for use inside your homelab. It's one way to resolve internal DNS queries and give addresses to your services. It's perhaps the best, because it's the only way I know that doesn't necessitate remembering port numbers.
E.g. You are hosting something at 192.168.1.20 on port 3310. Even if you set a local DNS record for pihole.itjust.donn to resolve to 192.168.1.20, you'll still have to type pihole.itjust.donn:3310 to access it. The same isn't true with a reverse proxy.
This is good to know because I'm learning about nginx currently, so I'm glad it has practical use without opening up my network
