this post was submitted on 07 Jul 2023
26 points (93.3% liked)

Selfhosted

40152 readers
511 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hi everyone, first time posting since the Reddit went nuclear on sanity. With the advent of Lemmy, I finally got around to booting my home-server back up and stood up my own instance :)

How do you all self host stuff? I've been happily running Nextcloud, Home Assistant, Plex, etc locally, but none of that has been internet facing. As I'm getting back into this I want to share stuff with my friends and family and getting them all to use a VPN seems like a stretch.

Wondering if the general consensus is that it's better to put shit on a VPS, on your own HW locally (with firewalls, safeguards, etc) or some combo of the two?

all 14 comments
sorted by: hot top controversial new old
[–] Wingy@lemmy.ml 4 points 1 year ago (1 children)

Cloud is best for reliability, but a good option that sacrifices that reliability but keeps some security benefits is to put a reverse proxy on a VPS and connect just your servers by a VPN.

[–] nick@nickbuilds.net 1 points 1 year ago

Gotcha that's fair. Everything I've previously had internet facing has always been behind a reverse proxy with Let's Encrypt, but it's been years since I did that. I'll look into the VPS reverse proxy option, thanks!

[–] dartanjinn@lemm.ee 3 points 1 year ago (1 children)

For public facing, I use Cloudflare tunnels. For VPN access from across the divide, I use tailscale and pivpn depending on use case.

Most of my servers are hosted locally on a separate vlan and firewalled off from my internal network.

[–] nick@nickbuilds.net 1 points 1 year ago (1 children)

How are those tunnels? Saw those in my dashboard last time when I was looking.

I've got Wireguard set up and that's been good and lightweight for me. Also have everything firewalled off onto it's own VLAN with ACLs so my data is locked down. That took forever to implement but loving it so far.

The internet facing stuff is on a completely separate box with read-only access to a pretty limited NFS share for retrieving content off the NAS :)

[–] dartanjinn@lemm.ee 1 points 1 year ago

I use them a lot actually. I really like them. It's really useful for things like vaultwarden access from any machine, anywhere. I also host a humhub instance for my mother's bible study group and a couple informational sites behind them. It pushes all of the traffic through 443 without having to fiddle with SSL. I wouldn't lean on it for major website without local SSL but for small use cases like mine it works great.

[–] outcide@lemmy.world 2 points 1 year ago

I have a small vps and a Nuc at home.

Vps is for things that are important enough that I want to be able to fix them if they break when im away from home (Vaultwarden, linkding, wiki, blog etc).

Server at home is for stuff that needs lots of disk (Jellyfin, gonic, AudioBookShelf etc) and is where I screw around and try new stuff.

Services at home are exposed to internet via cloudflare tunnels (grrr cgnat).

[–] Nibodhika@lemmy.world 2 points 1 year ago (2 children)

Things that I need to be internet facing run on an actual server, most of my stuff is hosted on a laptop in my living room and I use tailscale to access it from outside the house, but I mostly consider that a plus and wouldn't depend on it.

[–] NewDataEngineer@lemmy.world 2 points 1 year ago (1 children)

I second this. I only access anything internet facing via tailscale.

The only question I have now, is how do I let family and friends access certain services without tailscale?

I'm thinking a vps with something like authelia in the front that tunnels into my server via tailscale.

[–] Nibodhika@lemmy.world 2 points 1 year ago

I just give them access through tailscale, but then again I don't have many people who need access to what I host.

[–] nick@nickbuilds.net 1 points 1 year ago (1 children)

Gotcha, yeah this is running on a set of boxes that I've been using as my homelab for a few years. Some of those have graduated to homeprod and that's where I'm getting stuck. I want to share Plex and the like with my family who are 2500 miles away.

Definitely would setup tailscale or a VPN between the houses if I was closer. At this distance, maintenance would be a nightmare even though my dad and brothers are very tech savvy.

[–] Nibodhika@lemmy.world 1 points 1 year ago

I live in Ireland, I have family in Brazil that access my server via tailscale. It's not the best experience, but I think it's the best I can do with a home hosted server. Exposing stuff to the full internet is a security nightmare.

[–] dotslashme@infosec.pub 1 points 1 year ago

I run my self hosted stuff on a k3s cluster at home on bare metal, then use cloudflare to protect the IP and access only by VPN.

[–] silver@lemmy.brendan.ie 1 points 1 year ago

I have both a Hetzner root server (it's nicely beefy) where I host all my public stuff (website, api's, Lemmy instance etc) and my homelab which is more personal media (Plex, 'arrs, Gitlab, wireguard, dydns)

The Hetzner box is configured using NixOS (config).

Homelab is mostly configured with docker compose, though I have plans to switch over to nixos to nail down the config. I am using cloudflare for my dns and created a smol cli tool to update a record there with my public ip address (homemade dydns). This is used by Wireguard to give me access to everything hosted there. Even though everything is hidden away from the Internet I still have https on everything thanks to dns verification.

(hastially typed up over breakfast so it may be a tad disorganised, feel free to ask any question if ye have any)