this post was submitted on 13 Jun 2023
140 points (97.3% liked)

Selfhosted

40394 readers
380 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Is there any benefit to host my own instance?

you are viewing a single comment's thread
view the rest of the comments
[–] JCreazy@midwest.social 3 points 1 year ago (2 children)

I may go that route. I was wanting to host my own server but I feel like it would be easier to just use a cloud server

[–] UselesslyBrisk@infosec.pub 1 points 1 year ago (1 children)

I have a lab at home and do host some stuff for myself from there in a small DMZ (ie: Miniflux RSS readers, Plex through Reverse proxy etc).

But I used a linode for my lemmy/kbin stuff. Reason being is that the code is fairly new and there may be exploits bugs and

  1. I dont want to deal with my ISP made an instance is exploited and becomes some type of C2 box or spews out spam. Kbin specifically already has PRs to fix XSS and Sql injection stuff, the former of which is usually avoidable if you just follow some pretty basic principles. So its a concern.

  2. Linode has better bandwidth than my non-symmetrical ISP uplink and is on its own quota.

[–] JCreazy@midwest.social 2 points 1 year ago (1 children)

It sounds like linode is the way to go then and their prices seem reasonable. The funny thing is I've heard of linode before because Computer Clan uses it as a sponsor, but ever since I started using sponsor block I haven't really heard about it. I didn't actually know what they did.

[–] UselesslyBrisk@infosec.pub 1 points 1 year ago (1 children)

I’ve run linodes for years. My blog runs on them. I still host a variety of other services on them. They are good for everything from gaming servers to a blog etc.

They did get bought out by akamai a while back. And have raised their prices but they are still solid.

Nanodes are awesome deals frankly.

[–] JCreazy@midwest.social 1 points 1 year ago (1 children)

Is the 2GB the one you use for your Lemmy server? I'm getting ready to purchase one to see if I can figure it out.

[–] UselesslyBrisk@infosec.pub 2 points 1 year ago* (last edited 1 year ago) (2 children)

Im currently on the 4GB dedicated. However heres an htop of it.

https://imgur.com/a/NpEsw4t

I am currently the only user. Im considering opening it up to limited users but not really having communities once i get a lot of the instances cached and indexable.

Others like @leopardboy@netmonkey.tech are running on a 2GB shared just fine. I will likely move to that if i choose to keep it solo for sure, or under 100 users and no communities.

I dont have the time to really moderate others or content on the instance. So i dont think I plan to host any communities at all. I do wish you could federate/sync specific communities to your instance to make searching/subscribing easier.

[–] leopardboy@netmonkey.tech 1 points 1 year ago (1 children)

I do wish you could federate/sync specific communities to your instance to make searching/subscribing easier.

You mean something that populates your server with a history of posts and comments to communities before your subscribe to them?

[–] UselesslyBrisk@infosec.pub 1 points 1 year ago* (last edited 1 year ago)

Correct. Connect to for example connect to lemmy.ml and pull their communities so it shows in your communities page locally. Dont have to sync the posts etc. Just the base stats (subs, post, comments. Basically exactly what this is doing. https://lemmyverse.net/communities

note: I hadnt seen that page until after my comment... But im getting a lot of 404's on specific communities, so i have to put in their ! name in search...spam that, click to open the community and subscribe.

[–] JCreazy@midwest.social 1 points 1 year ago (1 children)

That's exactly what I'm wanting to do. Just have myself and maybe a few others with limited communities. Would you recommend using ansible to setup a Lemmy on Linode?

[–] UselesslyBrisk@infosec.pub 1 points 1 year ago* (last edited 1 year ago) (1 children)

Yes the ansible config worked fine for me. I worked for days to get an kbin instance up. Ansible worked first go.

I have yet to get email working but otherwise its solid. Linode will block email btw if you account is new (and frankly may be blocking mine now). You just have to put in a case and justify and it should be fine. My account should be old enough to be exempt but I will likely do it anyhow. Their support is pretty good.

Getting federation crawled and communities added is a bit slow. Mostly because the other instances are a bit slow.

A few pointers if you havent done admin yet.

  1. Put nothing in the federation allow list unless you want to go whitelist only. Over time as other instances hit yours and you search others, the linked list of instances will grow. Just use the blocklist if you want to block certain instances. I havent found a good way to block the growing number of instances in case they have some illegal content like CSAM. So...i may just go whitelist anyhow

  2. Searching for instances seems to be CPU heavy on mine. Its not a problem though. You just cant simply plug in a URL of a community in another instance if you havent linked. You will get a 404 if you do. So you have to go to search, looking for that community by hitting search a few times until it shows up, then you can join and it will start crawling

  3. I have no idea what "Private instance" does other than i believe it will keep your instance form starting in the future if you have it checked AND federation turned on. I saw some logs in dockers startup when i did it but nothing in the UI.,

[–] JCreazy@midwest.social 1 points 1 year ago (1 children)

Thank you for the information. I've signed up for a 2GB shared linode and it's running Debian 11. I assume I need to ssh into it, then run the ansible stuff. I have very basic knowledge of Linux and command line. I am not entirely sure how to fill out the config but I will cross that bridge when I come to it.

[–] UselesslyBrisk@infosec.pub 1 points 1 year ago* (last edited 1 year ago) (1 children)

Yeah how familiar are you with linux?

You dont run the ansible stuff on the instance itself. You do it from your personal machine or something with ansible installed.

Though I guess in theory you could run it on itself if you dont have another linux box, or something with ansible installed. https://www.middlewareinventory.com/blog/run-ansible-playbook-locally/

But I am happy to walk you though the basics of setting up a securing the box.

[–] JCreazy@midwest.social 1 points 1 year ago (1 children)

I'm not super familiar with Linux, I've installed it on machines in the past, I know some very basic command line stuff. I've done raspberry pi stuff. I have a mini PC running Ubuntu right now that I am not using for anything so I can use that to run ansible. I probably won't be able to work on it until after this weekend but once I get an moment to set down and do it I will shoot you a message if I have any questions. I really appreciate your help and I am excited to be a part of the fediverse.

[–] UselesslyBrisk@infosec.pub 1 points 1 year ago* (last edited 1 year ago)

that would be perfect.

WIth Debian I would install UFW for a firewall. Set SSH to whatever your home IP is. You can always use the Linode SSH console for external access.

UFW is easy to configure and just translates iptables.

sudo ufw allow from any to any port 80 proto tcp
sudo ufw allow from any to any port 443 proto tcp
sudo ufw allow from HOMEIP to any port 22 tcp

If you want leave SSH open. Then i would probably only do Key based auth in /etc/ssh/sshd_config

you also want to edit that file (sshd_config) to disable root access once setup. I often turn on the following

LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 10
AllowGroups somegroupname

then create a user and a group and add the user to the group. This ensures only that user has SSH access.

sudo adduser someusername
sudo addgroup somegroupname 
sudo usermod -aG somegroupname someusername

You can also use visudo to edit sudoers. The first like will require a password. If you use the second line, you can sudo without a password. I would only do the latter if you only use key-based auth though.


someuser   ALL=(ALL:ALL) ALL
someuser ALL=(ALL) NOPASSWD: ALL

I also edit /etc/hostname to my server name. Update and reboot. From there run through ansible instructions and make edits as necessary.

[–] leopardboy@netmonkey.tech 1 points 1 year ago (1 children)

It's personal preference, but I find it easier, for sure.

[–] JCreazy@midwest.social 1 points 1 year ago (1 children)

I would assume it would be more secure as well

[–] leopardboy@netmonkey.tech 1 points 1 year ago (1 children)

Yeah, you generally wouldn't want to run a public Internet server on the same network as your personal systems.

[–] ChaosAD@lemmy.world 3 points 1 year ago (2 children)

With cloudflare tunnel it is ok

[–] UselesslyBrisk@infosec.pub 5 points 1 year ago (1 children)

mmm. thats debateable.

If theres vulnerabilities in the software, like RCE's or SQL Injections that can lead to access...Cloudflare wont do much for you. For example Kbin has already have PRs for SQL injections and even XSS vulns.

These will get flushed out with time and more people maintaining them of course. But I dont know if I would want that on my personal network even if on a DMZ. If for no other reason than if your instance starts spamming outbound traffic and you get flagged by your ISP.

Heck I had one of my domains flagged by my works Cisco Umbrella instance and the dang thing wasnt even in prod yet.

[–] ChaosAD@lemmy.world 2 points 1 year ago

Wow, I had no idea.

Thanks for your input.

[–] leopardboy@netmonkey.tech 1 points 1 year ago

Sure, it would keep the origin from being publicly accessible on the Internet, but you would want to put that server on its own network, anyway.