Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
1

Hello everyone! Mods here 😊

Tell us, what services do you selfhost? Extra points for selfhosted hardware infrastructure.

Feel free to take it as a chance to present yourself to the community!

🦎

2

cross-posted from: !nostupidquestions@lemmy.world

Wplace is a freemium online game that lets anyone create pixel art on top of a map of the world. I got into it just yesterday (and started a community showcasing the stuff I found). But basically any places with human population are already densely drawn-upon, so I've kinda missed out on a lot of those. If I don't care about the entire world being able to see what I draw, and I just want to be able to collab with a couple of friends and maybe share screenshots, what would be involved in basically making my own private clone of it?

3

As of right now, I currently have a working Docker container for Caddy which can successfully get TLS certs and I am able to access my own test site with an external web browser.

What I want to do is use the same files (Dockerfile, docker-compose.yml and Caddyfile) to do the same with Podman Compose. When I run podman compose up -d I am able to build the Caddy container and it will also successfully get its own TLS cert.

docker-compose.yml

services:
  caddy:
    container_name: caddy
    build: .
    restart: always
    ports:
      - 80:80
      - 5050:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /home/sxc-pi/shared/:/srv:Z
    networks:
      - reverse_proxy

volumes:
  caddy_data:
  caddy_config:

networks:
  reverse_proxy:
    external: true

While on the same device, I can use curl localhost:5050 and get the message "Client sent an HTTP request to an HTTPS server.", which is the same result as if I were using Docker. If I try to access my site through my domain name or local network IP address from an external device, the connection times out.

I didn't make any changes to my firewall or router's port forwarding because I expect rootful Podman Compose to work similarly to Docker.

I checked iptables and below are the differences between using Docker and Podman, but I don't really know networking well enough to understand what it's really saying.

iptables differences

sxc-pi:/srv/caddy$ diff ~/iptables-docker ~/iptables-podman 
--- /home/sxc-pi/iptables-docker
+++ /home/sxc-pi/iptables-podman
@@ -31,8 +31,6 @@
 
 Chain DOCKER (2 references)
 target     prot opt source               destination         
-ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:https
-ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http
 DROP       all  --  anywhere             anywhere            
 DROP       all  --  anywhere             anywhere            
 
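Review bot: the two lines removed from the DOCKER chain were Docker's per-container ACCEPT rules for tcp dpt:http and dpt:https toward 172.18.0.2; with Podman the container is no longer on a Docker bridge, so their disappearance is expected rather than a fault, but nothing in this hunk replaces them, so the rules that let new connections reach the Caddy container's published ports now have to come from the NETAVARK chains or from ufw.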
@@ -70,15 +68,20 @@
 Chain NETAVARK_FORWARD (1 references)
 target     prot opt source               destination         
 DROP       all  --  anywhere             anywhere             ctstate INVALID
+ACCEPT     all  --  anywhere             10.89.0.0/24         ctstate RELATED,ESTABLISHED
+ACCEPT     all  --  10.89.0.0/24         anywhere            
 
 Chain NETAVARK_INPUT (1 references)
 target     prot opt source               destination         
+ACCEPT     udp  --  10.89.0.0/24         anywhere             udp dpt:domain
+ACCEPT     tcp  --  10.89.0.0/24         anywhere             tcp dpt:domain
 
 Chain NETAVARK_ISOLATION_2 (1 references)
 target     prot opt source               destination         
 
 Chain NETAVARK_ISOLATION_3 (0 references)
 target     prot opt source               destination         
+DROP       all  --  anywhere             anywhere            
 NETAVARK_ISOLATION_2  all  --  anywhere             anywhere            
 
 Chain ufw-after-forward (1 references)
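Review bot: NETAVARK_FORWARD as shown only ACCEPTs traffic toward 10.89.0.0/24 in ctstate RELATED,ESTABLISHED and traffic originating from 10.89.0.0/24; a brand-new inbound connection from the LAN or the internet to the Caddy container matches neither rule, and the last visible line shows ufw also sits in the FORWARD path, so whether such packets are forwarded depends on ufw's forward policy and on rules not captured here. This diff also covers only the filter table, so it cannot show whether the DNAT entries that publish host ports 80 and 5050 to the container exist at all; capture the nat table as well (iptables -t nat -L -n -v) under both Docker and Podman and check ufw's DEFAULT_FORWARD_POLICY before changing anything.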

I've also rebooted after starting the Podman containers in case there were any iptables issues, but that still didn't help.

I've searched what I can but haven't gotten anything to work or get me closer to finding an answer.

I'm hoping to use rootless Podman if I can figure this out; if not, I have Docker as a fallback plan.

Any help or insight would be appreciated.

4

With the recent Proxmox 9 release, many of us have the upgrade ahead or already done. What about you, and how do you generally approach updating your services? Which other updates are you looking forward to or is it just an annoying chore?

Also the usual - let us know what you are currently working on, what problems you are encountering and what you are excited about.

As for updates, I update my machines semi-regularly with Ansible. The Proxmox 9 update was unspectacular (good thing!), I just had to change some things in my Proxmox post-install automation (nag bar removal and package sources). I still plan to get a merge-request-based update process for my containers as mentioned here, but I'm just not there yet. That guide was also posted on reddit recently and got some traction.

I also spent some time yesterday to organize my nginx logs, they basically all got their own folder in /var/log/nginx with their own access log file by adding access_log /var/log/nginx/$server_name/access.log vhost_combined; to each config. Error log file paths can't contain variables so I kept them in the default file so far.

Recently enabled WireGuard (easy setting in my FritzBox router) and stopped exposing some of my services to the internet. That process isn't finished yet though, as I'll need to switch to wildcard certificates in order to keep valid SSL for the now local-only services.

5

Hello there,

Just want to preface that this is for selfhosted purposes, I may be routing my network in other way later.

I wanted to be able to set up a WireGuard Docker container with gluetun such that I can connect multiple devices to it at home, in order to minimize my "five device limit" with Mullvad. I have the following docker compose:

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun-wireguard
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=#
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=#
      - WIREGUARD_ADDRESSES=#
      - SERVER_CITIES=#setup#setup
      # Timezone for accurate log times
      - TZ=#
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=24h
    ports:
      - 51820:51820/udp
  wireguard-server:
    image: linuxserver/wireguard
    container_name: wireguard-server
    network_mode: service:gluetun # << important
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - SERVERPORT=51820
      - PEERS=iphone
      - PEERDNS=auto
    volumes:
      - ./config:/config
      - /lib/modules:/lib/modules
    restart: unless-stopped

Whenever I try connecting to it from my iPhone, which is my first attempt for the peer, it doesn't quite work out. The packets are received by the container, and querying Cloudflare like this works:

$ sudo docker exec -it wireguard-server ping -c 3 1.1.1.1

Is there any obvious error I've made?

If this is an XY problem, please let me know. If there is a more apt community, please let me know.

6
submitted 1 day ago* (last edited 1 day ago) by ReedReads@lemmy.zip to c/selfhosted@lemmy.world

I have 2 older iPhones. A 7 Plus and a 9. Idk what to do with them. Is it possible to self host on iPhones?

Edit. Not iPhone 9, iPhone 8.

7

Hi all, I'm looking for a one-stop selfhosted eBook software that can do the following:

  • Easily import (or upload) files and scrape metadata
  • Sync library and progress with web reader, eReader and android app(s)
  • Support for graphic novels

Basically I'm looking for Audiobookshelf but for... books

Calibre Web Automated

  • Can't sync progress with web

Kavita

  • Can't upload files

Stumpapp any good? I heard you can upload files.

8

I'm looking for a buddy to work through using #Proxmox to host a packaged / integrated solution to cover a suite of self-hosted applications together.

I'd like to find someone who is exploring this space and step through implementing a solution - rather than experience / guidance from someone who's already done it before so I'd just be asking them a heap of questions and being a general pain in the backside.

Sort of like fellow students learning a language, I'd like to explore hosting Friendica or a similar social media server, #homeassistant, #nextcloud, a media server (#jellyfin maybe), #email, #personalfinance and other applications within a framework (such as CoopCloud, Yunohost or something else). I have some experience with #openwrt, which I use for VPNs.

Is anyone else out there on a similar learning curve? Are you based in #Madrid or #Barcelona in Spain, or #London or #Huddersfield in the UK, or close by? I'd be up for some in-person meets and chats as well as online. (Now I feel like I'm writing a profile for a dating site.) Is this weird? I like my hobby, but I'd like it to be more social, and to develop, or more likely adopt, some design patterns that can be used by others.

9

I have had IPv6 off for a long time now, but it feels like now is time to actually try. I'm planning on setting the WAN side to DHCPv6 and the LAN side to Static IPv6 to match the IPv4 settings. https://docs.opnsense.org/manual/ipv6.html (I see people say "talk to your ISP about dynamic or static and what block size" but I would rather collapse into a singularity than contact my ISP unforced, so I shan't do that)

I've tried to read about IPv6 but I just don't have enough knowledge-ground to stand on to make sense of it in an actionable way.

From what I have read and (mildly) understood, I think I know that IPv6 addresses are directly identifying; no longer does everything on the internet see the IPv4 of your router only - now things see your specific device's IPv6 that's a... subset? of the router's IPv6 range (not single IP) assigned. https://superuser.com/a/1735921 People describe it as a different way to network, which I guess means no matter what I read I'm still not sure what to do.

I want IPv6 to work exactly like IPv4: router has a WAN IPv4 address and masquerades for every device in the network. I don't want Google knowing exactly which computer contacted them from inside my LAN; I want them to put in the work to fingerprint my device with various methods that are likely illegal in the EU.

How do I prevent that IPv6 privacy issue, or did I misunderstand how IPv6 works?

10

I'm extremely interested in the prospect of self-hosted cloud gaming. Has anyone had any success with any specific platforms, such as Sunshine + Moonlight? Any ins/outs to the necessary software or hardware?

11

Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.

The company has yet to assign a CVE-ID to track the flaw and didn't provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.

12
13

Do you guys expose the Docker socket to any of your containers, or is that a strict no-no? What are your thoughts behind it if you don't? How do you justify this decision from a security standpoint if you do?

I am still fairly new to Docker, but I like the idea of something like Watchtower. Even though I am not a fan of auto-updates and I probably wouldn't use that feature, I still find it interesting to get a notification if some container needs an update. However, it needs to have access to the Docker socket to do its work, and I read a lot about that, and that this is a bad idea which can result in root access on your host filesystem from within a container.

There are probably other containers as well especially in this whole monitoring and maintenance category, that need that privilege, so I wanted to ask how other people handle this situation.

Cheers!

14
15
16

For a couple weeks I've been struggling to get TLS over Caddy with DNS challenges. My ISP blocks incoming data on ports 80/443 and I was looking to use an uncommon port (5050) for my personal needs.

I've followed the instructions here and I've made sure to use the proper DeSEC.io module in my docker build.

When I start my docker container and check the logs, I get an error that says the challenge failed because of an incorrect TXT record. However when I check DeSEC.io's website, the TXT record that was created matches the Caddy log error message and even shows that the TXT record has been last touched "less than a minute ago."

I've tried minimizing my Caddyfile to the bare minimum and I still can't seem to get TLS working.

Dockerfile

FROM caddy:2.10.0-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/desec

FROM caddy:2.10.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

docker-compose.yml

services:
  caddy:
    container_name: caddy
    build: .
    restart: always
    ports:
      - 80:80
      - 5050:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
      - /home/sxc-pi/shared/:/srv:Z
    networks:
      - reverse_proxy

volumes:
  caddy_data:
  caddy_config:

networks:
  reverse_proxy:
    external: true

Caddyfile

{
        acme_dns desec {
                token "<DeSEC.io Token Number>"
        }
}

files.samplesite.com {
        root * /srv
        file_server {
                hide misc
                browse
        }
}

At this point I do not know what else I can try to get TLS working with Caddy. If I can't get this to work, I can use Nginx Proxy Manager as a tried and tested backup plan, although I prefer to use something that is terminal based because I don't want to use the Web UI that NPM uses.

Any insight or help would be greatly appreciated. I'm also not looking to use any tunnel services at the moment. I'd like to figure this way out so I have a fallback plan if I decide to use a tunnel in the future.

17

Edit: thanks for all your help and replies, this is a such a great community!

I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.

There's no way I'm going to get everyone onto a VPN, it's a non-starter though I would prefer it.

I am thinking of using a VPS with Anubis and either CrowdSec or fail2ban (or both?!) in front of PeerTube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/AppArmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.

Despite all this I expect it will get scanned and attacked as it will have to expose ports 80/443 to the world so for family it will just work.

Is there anything else I should consider for security? Is PeerTube the weakest link in the chain? (A little concerned that their minimum password length seems to be 6 and there is no 2FA.) So long as I keep the whole thing up to date, is it as secure as anybody can manage these days (without resorting to a VPN)?

Is it all too much hassle and I should look for a company that offers hosted Peertube so they can worry about it?

Thanks for any and all advice.

18

Morning troops, I'm looking for something that basically gatekeeps app updates for Android devices. Specifically:

  • Watch sources (e.g. GitHub repos, F-Droid app pages etc.) for new releases of Android app APKs
  • Download the appropriate APK version
  • Scan it for malware / generally check it's legit
  • Make it available for the client (e.g. Obtainium) on an Android phone

Does this exist? Or is there a stack that will do the job?

19

Afternoon y’all -

I just spent the last few days fiddling with Prometheus under the impression I could visualize Traefik's access logs with Perses; however, after finally getting these three to communicate with one another, it seems that Prometheus lacks the capability to query access logs.

I don't host my own HTML/PHP; I typically find Docker images like Invidious or Redlib, spin them up in a compose/YAML file and reverse proxy them. My knowledge of HTML/PHP is very minimal, so when I read about adding files to the root path of my domain, it may seem straightforward for some people but makes no sense to me. Apologies if that comes off as ignorant.

I digress. I stumbled upon GoAccess and gave it a shot, but from what I'm reading it seems that it needs access to the HTML that these applications use to display reporting in a web browser, which I genuinely have no idea how to do. Traefik currently spits access logs into a .log file, which I assume would be enough to visualize from?

I want to thank everyone for their responses. I've been so busy that I couldn't respond right away, but I got GoAccess running and reverse proxied!

I was trying to stay away from Grafana and their associated applications, as I'm under the impression they're moving more towards closed-source software and seem to be partnering with Google, which led to concerns in regard to data collection.

20

When I sshed into my server today, it said I had mail. I checked /var/mail/{myuser} and got a mail from caddy. The title was "SECURITY information for {hostname}". The message was this.

caddy : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/usr/bin/tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2025_ECC_Root_31435960950297150297199787413716908247066220.crt

I'm still learning this self-hosting thing, I know enough to set stuff up but I still know barely anything about security, and the message looks kinda scary, so I would like to know what it means, thanks in advance. Note that I was messing around with Caddy and stuff yesterday, so maybe that has something to do with it, but I'm not sure.

21

Hi y’all, thanks for the help with my question yesterday. I did a bit of homework, and I think I’ve got things figured out. Here’s my revised plan:

  1. configure a cron job to update DuckDNS with my IP address every 5 minutes

  2. use ufw to block all incoming traffic, except to ports 80 and 443, to allow incoming traffic to reach Caddy

  3. configure the Caddyfile to direct traffic from my DuckDNS subdomain to Jellyfin’s port

Does this seem right this time? Am I missing anything, or unnecessarily adding steps? Thanks in advance, I’ll get the hang of all this someday!

22

I've been asked to set up a server for a research team at my university. I've already had the practice of setting up a server at home, so I have a rough idea of how things should be done. Still, I wish to follow best practices when setting up a server for this use case. Plus I would prefer to avoid too much tinkering for the setup, since I'm planning to keep the installation as simple as possible.

Following are some rough constraints and considerations for the setup:

  • Server computer is a Mac Mini (latest model I think?). I've been told they would replace macOS with Linux; still, I believe I should be ready if they don't (I don't have experience with macOS at all)
  • Server will be situated in university and provided a static IP address
  • Team needs remote access to the server, presumably comfortable with using CLI
  • I am unlikely to be permitted access to server myself after setup, so it should be ready to be managed by the team
  • Extra hardware and/or paid software could be arranged but to a limited extent and within reason

I don't think they have really any requirement other than having remote access to the server. I think SSH should suffice, however I was wondering if I could also arrange for backups, GUI server panel etc.

23

This one is a little self-hosting specific, and more casual Linux best practices, but I've got a new blog post down for general security! Harden your systemd units (especially custom ones) for better peace of mind on the internet!

24

Okay Kubernetes people. I am about to build my first cluster with 4 Raspberry Pi 4B 4GB models powered over PoE.

I was going to host just some basic stuff on it (forgejo, a couple Ghost Blogs) and try hosting a Mastodon instance.

The documentation mentioned that I should not use the SD cards for database stuff. So I was going to get some super short thumb drives.

What does everyone else's setup look like with Raspberry Pis? And how important is matching hardware?

I'm sure I'll learn more from reading the documents but this is my concern right now.

(I was also required to upload a photo so have my Latitude D630)

25

I am looking to run a few root servers, and my ideal was going to be Netcup's RS units because they have a good rep and the EU & US choices aren't bad. However, Netcup isn't currently offering them in Manassas, VA (US), which was a requirement for me to kick-start it.

My project is already into the final line, and this was a bit of a bombshell, so I have to figure out who else offers near equivalents for the same thing.

One thing that is key is backup and their Snapshots (Copy-On-Write) were a big deal for me as I am dealing with 3rd party data.

Who else can offer the same in both EU/US with the same storage options and so on?

Appreciated

Edit*

I checked with OVH and at the moment, they only have Canada for options. US is sold out. Feels weirdly wrong. Netcup don't have a timeline for US updates.
