Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.


1

Hello everyone! Mods here 😊

Tell us, what services do you selfhost? Extra points for selfhosted hardware infrastructure.

Feel free to take it as a chance to present yourself to the community!

🦎

2

I have had IPv6 off for a long time now, but it feels like now is time to actually try. I'm planning on setting the WAN side to DHCPv6 and the LAN side to Static IPv6 to match the IPv4 settings. https://docs.opnsense.org/manual/ipv6.html (I see people say "talk to your ISP about dynamic or static and what block size" but I would rather collapse into a singularity than contact my ISP unforced, so I shan't do that)

I've tried to read about IPv6 but I just don't have enough knowledge-ground to stand on to make sense of it in an actionable way.

From what I have read and (mildly) understood, I think I know that IPv6 addresses are directly identifying; no longer does everything on the internet see the IPv4 of your router only - now things see your specific device's IPv6 that's a... subset? of the router's IPv6 range (not single IP) assigned. https://superuser.com/a/1735921 People describe it as a different way to network, which I guess means no matter what I read I'm still not sure what to do.

I want IPv6 to work exactly like IPv4: router has WAN IPv4 address and masquerades for every device in the network. I don't want Google knowing exactly which computer contacted them from inside my LAN; I want them to put in the work to fingerprint my device with various ways that are likely illegal in the EU.

How do I prevent that IPv6 privacy issue, or did I misunderstand how IPv6 works?
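The "directly identifying" part of the question above can be made concrete. The following is an added example, not code from the post or from OPNsense; the prefix and MAC address are constructed sample values. It derives the classic SLAAC address (prefix plus a modified EUI-64 interface identifier built from the MAC) and a privacy-extension style address with a random identifier, and shows why the first is a stable per-device identifier visible to every server the device talks to while the second is not.

```python
import ipaddress
import secrets

# Constructed sample values for the demonstration (not from the original post).
SAMPLE_PREFIX = "2001:db8:1234:5678::/64"   # the /64 a router would advertise on the LAN
SAMPLE_MAC = "00:11:22:33:44:55"            # a device's Ethernet/Wi-Fi MAC address


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC in half, insert 0xFFFE, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Classic SLAAC address: advertised /64 prefix + EUI-64 interface identifier.
    The low 64 bits are a function of the MAC, so every site the device talks to
    sees the same identifier, whichever network the device is on."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Privacy-extension style address (RFC 4941 / RFC 8981): the interface
    identifier is random and the OS rotates it periodically, so the address
    reveals nothing about the hardware and changes over time."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))


def looks_eui64(addr: str) -> bool:
    """True when the interface identifier carries the ff:fe marker in the middle,
    the tell-tale sign that it was derived from a MAC address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: str) -> str:
    """Recover the MAC from an EUI-64 address; the mapping is fully reversible."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = iid.to_bytes(8, "big")
    mac = bytearray(eui[:3] + eui[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    slaac = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    temp = temporary_address(SAMPLE_PREFIX)
    print(f"SLAAC/EUI-64 address : {slaac}  "
          f"(EUI-64: {looks_eui64(str(slaac))}, MAC recovered: {mac_from_eui64(str(slaac))})")
    print(f"temporary address    : {temp}  (EUI-64: {looks_eui64(str(temp))})")
```

The practical takeaway: the privacy concern in the question is about the interface identifier, not about NAT. Modern desktop and mobile operating systems already default to random, rotating identifiers for outbound connections, and `looks_eui64` is a quick way to check whether a given address on your LAN still exposes a MAC-derived one.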

3

I'm extremely interested in the prospect of self-hosted cloud gaming. Has anyone had any success with any specific platforms, such as Sunshine + Moonlight? Any ins/outs to the necessary software or hardware?

4

Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.

The company has yet to assign a CVE-ID to track the flaw and didn't provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.

5
6

Do you guys expose the docker socket to any of your containers or is that a strict no-no? What are your thoughts behind it if you don't? How do you justify this decision from a security standpoint if you do?

I am still fairly new to docker but I like the idea of something like Watchtower. Even though I am not a fan of auto-updates and I probably wouldn't use that feature, I still find it interesting to get a notification if some container needs an update. However, it needs to have access to the docker socket to do its work, and I have read a lot about that and that it is a bad idea which can result in root access on your host filesystem from within a container.

There are probably other containers as well especially in this whole monitoring and maintenance category, that need that privilege, so I wanted to ask how other people handle this situation.

Cheers!
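One way to answer "which of my containers actually have that privilege" is to audit the daemon's own view of them. The script below is an added example, not part of the post or of Watchtower; it reads the shape of `docker inspect` output and flags containers that bind-mount the Docker socket or run privileged, either of which amounts to control of the host. The three containers in `SAMPLE_INSPECT` are constructed for the demonstration.

```python
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample shaped like trimmed `docker inspect` output (not real containers).
SAMPLE_INSPECT = [
    {
        "Name": "/watchtower",
        "HostConfig": {"Privileged": False},
        "Mounts": [{"Type": "bind", "Source": DOCKER_SOCKET, "Destination": DOCKER_SOCKET, "RW": True}],
    },
    {
        "Name": "/nextcloud",
        "HostConfig": {"Privileged": False},
        "Mounts": [{"Type": "volume", "Source": "nc_data", "Destination": "/var/www/html", "RW": True}],
    },
    {
        "Name": "/monitor",
        "HostConfig": {"Privileged": True},
        "Mounts": [{"Type": "bind", "Source": DOCKER_SOCKET, "Destination": DOCKER_SOCKET, "RW": False}],
    },
]


def audit_containers(inspect_output):
    """Return one finding per container that exposes the Docker socket or runs privileged.
    Either one lets the process inside drive the daemon, and through it the host."""
    findings = []
    for container in inspect_output:
        name = container.get("Name", "").lstrip("/")
        issues = []
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") == DOCKER_SOCKET:
                # A :ro bind only blocks filesystem writes to the socket file; connecting to
                # the socket and issuing API calls still works, so read-only is not a mitigation.
                mode = "rw" if mount.get("RW", True) else "ro"
                issues.append(f"docker socket bind-mounted ({mode}) at {mount.get('Destination')}")
        if container.get("HostConfig", {}).get("Privileged"):
            issues.append("privileged container")
        if issues:
            findings.append({"container": name, "issues": issues})
    return findings


def main():
    # Pass "-" to read real `docker inspect` JSON from stdin; otherwise use the sample.
    data = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_INSPECT
    for finding in audit_containers(data):
        print(f"{finding['container']}: " + "; ".join(finding["issues"]))


if __name__ == "__main__":
    main()
```

Run it against a live host with `docker inspect $(docker ps -q) | python3 audit.py -`. The read-only comment is the caveat most people miss: `docker.sock:ro` changes nothing about what the contained process can ask the daemon to do, so the usual mitigations are a filtering socket proxy that only permits the API endpoints the tool needs, or running such tools outside the container boundary entirely.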

7
8

For a couple weeks I've been struggling to get TLS over Caddy with DNS challenges. My ISP blocks incoming data on ports 80/443 and I was looking to use an uncommon port (5050) for my personal needs.

I've followed the instructions here and I've made sure to use the proper DeSEC.io module in my docker build.

When I start my docker container and check the logs, I get an error that says the challenge failed because of an incorrect TXT record. However when I check DeSEC.io's website, the TXT record that was created matches the Caddy log error message and even shows that the TXT record has been last touched "less than a minute ago."

I've tried minimizing my Caddyfile to the bare minimum and I still can't seem to get TLS working.

Dockerfile

FROM caddy:2.10.0-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/desec
FROM caddy:2.10.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

docker-compose.yml

services:
  caddy:
    container_name: caddy
    build: .
    restart: always
    ports:
      - 80:80
      - 5050:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /home/sxc-pi/shared/:/srv:Z
    networks:
      - reverse_proxy

volumes:
  caddy_data:
  caddy_config:

networks:
  reverse_proxy:
    external: true

Caddyfile

{
        acme_dns desec {
                token "<DeSEC.io Token Number>"
        }
}

files.samplesite.com {
        root * /srv
        file_server {
                hide misc
                browse
        }
}

At this point I do not know what else I can try to get TLS working with Caddy. If I can't get this to work, I can use Nginx Proxy Manager as a tried and tested backup plan, although I prefer to use something that is terminal based because I don't want to use the Web UI that NPM uses.

Any insight or help would be greatly appreciated. I'm also not looking to use any tunnel services at the moment. I'd like to figure this way out so I have a fall back plan if I decide to use a tunnel in the future.

9
10

Morning troops, I'm looking for something that basically gatekeeps app updates for Android devices. Specifically:

  • Watch sources (e.g. GitHub repos, F-Droid app pages etc.) for new releases of Android app APKs
  • Download the appropriate APK version
  • Scan it for malware/generally check it's legit
  • Make it available for the client (e.g. Obtainium) on an Android phone

Does this exist? Or is there a stack that will do the job?

11

Edit: thanks for all your help and replies, this is such a great community!

I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.

There's no way I'm going to get everyone onto a VPN, it's a non-starter though I would prefer it.

I am thinking to use a VPS with anubis and either crowdsec or fail2ban (or both?!) in front of Peertube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/Apparmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.

Despite all this I expect it will get scanned and attacked as it will have to expose ports 80/443 to the world so for family it will just work.

Is there anything else I should consider for security? Is Peertube the weakest link in the chain? (a little concerned that their minimum password length seems to be 6 and there is no 2FA). So long as I keep the whole thing up-to-date, is it as secure as anybody can manage these days (without resorting to VPN)?

Is it all too much hassle and I should look for a company that offers hosted Peertube so they can worry about it?

Thanks for any and all advice.

12

Afternoon y’all -

I just spent the last few days fiddling with Prometheus under the impression I could visualize Traefik’s access logs with Perses. However, after finally getting these three to communicate with one another, it seems that Prometheus lacks the capability to query access logs.

I don’t host my own HTML/PHP; I typically find Docker images like Invidious or Redlib, spin them up in a compose/yaml file and reverse proxy them. My knowledge of HTML/PHP is very minimal, so when I read about adding files to the root path of my domain, it may seem straightforward to some people but makes no sense to me. Apologies if that comes off as ignorant.

I digress. I stumbled upon GoAccess and gave it a shot, but from what I’m reading it seems that it needs access to the HTML that these applications use to display reporting in a web browser, which I genuinely have no idea how to do. Traefik currently spits access logs into a .log file, which I assume would be enough to visualize from?


I want to thank everyone for their responses, I’ve been so busy that I couldn’t respond right away but I got GoAccess running and reverse proxied!

I was trying to stay away from Grafana and their associated applications as I’m under the impression they’re moving more towards closed-source software and seem to be partnering with Google, which led to concerns in regard to data collection.

13

When I sshed into my server today, it said I had mail. I checked /var/mail/{myuser} and got a mail from caddy. The title was "SECURITY information for {hostname}". The message was this.

caddy : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2025_ECC_Root_31435960950297150297199787413716908247066220.crt

I'm still learning this self-hosting thing, I know enough to set stuff up but I still know barely anything about security, and the message looks kinda scary, so I would like to know what it means, thanks in advance. Note that I was messing around with Caddy and stuff yesterday, so maybe that has something to do with it, but I'm not sure.
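The mail quoted above is sudo's standard "SECURITY information" notice: the `caddy` user invoked `sudo`, it was refused because that account is not in sudoers, and the command it tried was `tee` into `/usr/local/share/ca-certificates/`, which is exactly how Caddy tries to add its local CA root to the system trust store when it serves internal TLS. The parser below is an added example, not from the post or from Caddy, that turns such lines into structured records and tags them so a self-hoster can tell "a daemon tried to install a root certificate and was blocked" apart from ordinary interactive sudo use. The first sample line is the one from the post; the other two are constructed.

```python
# Sample sudo notices: the post's line, plus constructed companions showing the
# interactive (TTY present) and daemon (TTY=unknown) shapes the message can take.
SAMPLE_LINES = [
    "caddy : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee "
    "/usr/local/share/ca-certificates/Caddy_Local_Authority_-_2025_ECC_Root_"
    "31435960950297150297199787413716908247066220.crt",
    "alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",            # constructed
    "www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; "
    "COMMAND=/usr/bin/systemctl restart nginx",                                                 # constructed
]

FIELD_NAMES = {"TTY": "tty", "PWD": "pwd", "USER": "target_user"}
# Directories where adding a .crt makes a CA trusted system-wide (Debian/Ubuntu, RHEL family).
TRUST_STORE_DIRS = ("/usr/local/share/ca-certificates/", "/etc/pki/ca-trust/source/anchors/")


def parse_sudo_line(line: str) -> dict:
    """Split 'user : field ; field ; ... ; COMMAND=...' into a record.
    COMMAND is peeled off first so a command containing ' ; ' stays intact."""
    user, sep, rest = line.partition(" : ")
    if not sep:
        raise ValueError(f"not a sudo log line: {line!r}")
    rest, _, command = rest.partition("COMMAND=")
    rec = {"user": user.strip(), "denied": False, "tty": None, "pwd": None,
           "target_user": None, "command": command.strip() or None}
    for field in (f.strip() for f in rest.split(" ; ") if f.strip()):
        if field == "user NOT in sudoers":
            rec["denied"] = True
        elif "=" in field:
            key, value = field.split("=", 1)
            rec[FIELD_NAMES.get(key, key.lower())] = value
        else:
            rec.setdefault("notes", []).append(field)
    return rec


def assess(rec: dict) -> list:
    """Tags a defender cares about: was it refused, did it try to alter the trust
    store, and did it come from a process with no terminal (a service, not a person)."""
    tags = []
    if rec["denied"]:
        tags.append("denied")
    cmd = rec["command"] or ""
    if cmd.startswith("/usr/bin/tee ") and cmd.endswith(".crt") and any(d in cmd for d in TRUST_STORE_DIRS):
        tags.append("trust-store-install")
    if rec["tty"] in (None, "unknown"):
        tags.append("no-tty")
    return tags


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_sudo_line(line)
        print(f"{rec['user']:>9} -> {rec['target_user']}  {assess(rec)}  {rec['command']}")
```

For the post's line the tags come out as denied, trust-store-install and no-tty: nothing was installed, and the event is consistent with the previous day's Caddy experiments rather than with an intruder. The thing worth checking afterwards is whether a site in the Caddyfile is using internal/local TLS without meaning to, since that is what triggers the install attempt.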

14

Hi y’all, thanks for the help with my question yesterday. I did a bit of homework, and I think I’ve got things figured out. Here’s my revised plan:

  1. configure a cron job to update DuckDNS with my IP address every 5 minutes

  2. use ufw to block all incoming traffic, except to ports 80 and 443, to allow incoming traffic to reach Caddy

  3. configure the Caddyfile to direct traffic from my DuckDNS subdomain to Jellyfin’s port

Does this seem right this time? Am I missing anything, or unnecessarily adding steps? Thanks in advance, I’ll get the hang of all this someday!

15

I've been asked to set up a server for a research team at my university. I've already had the practice of setting up a server at home, so I have a rough idea of how things should be done. Still, I wish to follow best practices when setting up a server for this use case. Plus I would prefer to avoid too much tinkering for the setup since I'm planning to keep the installation as simple as possible.

Following are some rough constraints and considerations for the setup:

  • Server computer is a Mac Mini (latest model I think?). I've been told they would replace macOS with Linux, still I believe I should be ready if they don't (I don't have experience with macOS at all)
  • Server will be situated at the university and provided a static IP address
  • Team needs remote access to the server, presumably comfortable with using CLI
  • I am unlikely to be permitted access to server myself after setup, so it should be ready to be managed by the team
  • Extra hardware and/or paid software could be arranged but to a limited extent and within reason

I don't think they really have any requirement other than having remote access to the server. I think SSH should suffice, however I was wondering if I could also arrange for backups, a GUI server panel etc.

16

I am looking to run a few root servers and my ideal was going to be Netcup's RS units cause they have a good rep and EU & US choices aren't bad. However, Netcup isn't currently offering them in Manassas VA (US), which was a requirement for me to kick-start it.

My project is already into the final line, and this was a bit of a bombshell, so I have to figure out who else offers near equivalents for the same thing.

One thing that is key is backup and their Snapshots (Copy-On-Write) were a big deal for me as I am dealing with 3rd party data.

Who else can offer the same in both EU/US with the same storage options and so on?

Appreciated

Edit*

I checked with OVH and at the moment, they only have Canada for options. US is sold out. Feels weirdly wrong. Netcup don't have a timeline for US updates.

17

Okay Kubernetes people. I am about to build my first cluster with 4 Raspberry Pi 4B 4GB models powered over PoE.

I was going to host just some basic stuff on it (forgejo, a couple Ghost Blogs) and try hosting a Mastodon instance.

The documentation mentioned that I should not use the SD cards for database stuff. So I was going to get some super short thumb drives.

What does everyone else's setup look like with Raspberry Pis? And how important is matching hardware?

I'm sure I'll learn more from reading the documents but this is my concern right now.

(I was also required to upload a photo so have my Latitude D630)

18

This one is a little self-hosting specific, and more casual Linux best practices, but I've got a new blog post down for general security! Harden your systemd units (especially custom ones) for better peace of mind on the internet!

19

I've been using Backblaze B2 as "External Storage" connected to my Nextcloud on a vps, but it seems unreasonably slow. I've tried Linode/Akamai, and it seems faster, but it's more expensive. I've heard that Wasabi is fast, but they have weird terms and conditions where you actually have to pay for 3 months of data retention, which makes them sus.

I mention s3 compatible, but that's only because that's all I've known, so if there are other options that are relatively cheap, and are faster than Backblaze, I'm open to it.

I have Backblaze connected via the External Storage app in Nextcloud, cuz I'm running Nextcloud AIO in Docker. I know s3 storage can be set up as the main storage, but that requires setting things up manually. AIO is much easier, and I'm not a pro at this stuff. And I'm not sure how much of a performance increase it would even be.

Just for reference, I've set up a Nextcloud instance for work on a Linode vps at 2 cores and 4GB RAM, using their s3 compatible storage as external storage, and it's decently fast. My personal Nextcloud is a Racknerd vps at 4 cores and 4GB RAM, with backblaze as external storage, and it's slower than my work's instance. (both are AIO)

In terms of pricing Backblaze is $6/month for 1TB, while Linode is $10/month for 250GB, and about $20/month for 1TB.

Who knows, at the end of the day, I may just have to bite the bullet and pay more for Linode for the faster storage.

20

I've been configuring my own selfhosted Kubernetes cluster with various raspberry pis, and for applications that require persistence, I rely on NFS as a provider for Persistent Volumes.

Now I want to deal with backups of my data, mainly the multimedia library I'm building with Jellyfin.

I'm thinking about just doing something outside kubernetes that just copies the data from the directory that NFS provides to another storage.

If you've done something similar, what's your approach? Are there solutions that can be done inside Kubernetes?

21

SOLVED - THANKS EVERYONE

I have been hoping to figure this out by myself and a lot of reading, but so far I've either missed the obvious or something is blocking access. While searching, I've found a lot of threads and GitHub posts with similar issues, but none seem to apply for me, that I could find.

I have installed proxmox and docker etc. Following a couple of videos, initially I had Debian 12, then Nix and now Ubuntu, I get the same error every time.

I cannot access immich from web browser or my phone app. I can access and setup via localhost:2283

I am completely stumped as to where I should now be looking, would love if anyone could help me.

EDIT:

WOW!!! I wasn't expecting fast answers nor as many on Lemmy.

🤯

Thanks everyone for replying. Unfortunately I get the same error with or without /API at the end. I know it's something I'm doing/not doing, but I don't know what. I was hoping to learn by teaching myself as I went along, but this has me stumped.

NEW EDIT:

Thank you everyone. I am able to access the Immich app now. I was using the incorrect IP address. I was using my 'public IP address'. As a few mentioned, I used the command ip a in terminal and it gave me my public IP address, but further down another IP address that I hadn't seen before, and that one worked. beginning with 192.168

Again a huge thanks to everyone, Lemmy here was a great help and I found replies and information a great help. :D I am chuffed to bits, but very tired, and a bit worried about what lies ahead for me with what else I may get stuck on, as that seemed like something I probably should have figured out... But if I didn't know, I couldn't..

Immich is now 'building the timeline' after successfully logging in, and I am looking forward to learning more tomorrow and hosting other apps. Also checking out the scripts for proxmox.

Goodnight all :)

22

Hi there,

I went through the documentation of GoToSocial and there are some pieces of information which confuse me. For example, on the Deployment considerations page they state that once you have hosted a particular Fediverse service on your domain, you cannot switch to another technology. Further down in this article, in the "Domain name" section, it even gives me the impression that if you switch technologies on the same domain, this will in fact cause issues in the whole Fediverse.

Two questions came up when reading through this:

  • Is the ActivityPub protocol and the technologies that depend on it that fragile? Switching technologies on the same domain would be something I would have just done without a further thought until I find the technology I want to use for years (and which I might still switch out for another one many years in the future).
  • It is not clear from the documentation whether you can get around this by hosting the service I want to try under service1.example.com instead of example.com. The documentation states that you can host your users under user@service1.example.com, but the API services still under example.com. This will not solve the root issue, right?

Getting a new domain for each ActivityPub service I might try to implement and test / use does not really sound great to me. Maybe I just did not understand all of that properly and there is no issue?

23

Here’s my proposed configuration:

  • OrangePi Zero 3 running DietPi
  • Jellyfin with media libraries on an external hard drive
  • Dynamic DNS from DuckDNS to access server remotely via Finamp

Is there anything I’m missing? Do I need Lets Encrypt or fail2ban?

24

I'm currently trying to install Docker on my old Raspberry Pi (3 Model B+) to host some personal projects. When I run docker run hello-world, I get:

Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Get "https://registry-1.docker.io/v2/library/hello-world/manifests/sha256:ec153840d1e635ac434fab5e377081f17e0e15afab27beb3f726c3265039cfff": dial tcp [2600:1f18:2148:bc00:eff:d3ae:b836:fa07]:443: connect: network is unreachable

My Internet connection does not support IPv6 at all, which would explain why this error occurs. But how do I force docker pull to only use IPv4?

25

Flutter application for Android that uploads a single document to Paperless‑NGX directly from the system Share menu.

Features include:

  • One-tap upload
  • Tag Management (default, selection per upload)
  • OIDC/OpenID