this post was submitted on 21 Sep 2025
102 points (100.0% liked)


With the recent discussions around replacing Spotify with selfhosted services and the possibilities to obtain the music itself, I've been finally setting up Navidrome. I had to do quite a bit of reorganization to do with my existing collection (beets helping a ton) but now it's in a neatly organized structure and I'm enjoying it everywhere. I get most of my stuff from Bandcamp but I have a big catalog from when I still had a large physical collection.

I'm also still working on my docker quasi gitops stack. I've cleaned up my compose files and put the secrets in env files where I hadn't already, checked them into my new forgejo instance and (mostly) configured renovate. Komodo is about to get productive but I couldn't find the time yet. Also I need to figure out how to check in secrets in a secure way. I know some but I haven't tried those with Komodo yet. This close to my fully automated update-on-merge compose stacks!

I've also been doing these for quite a while and decided to sometimes post them in !selfhosting@slrpnk.net to possibly help moving a bit from the biggest Lemmy instance, even though this community as it is is perfectly fine as well as it seems.

What's going on on your servers? Anything you are trying to pursue at the moment?

[–] fruitycoder@sh.itjust.works 2 points 5 days ago* (last edited 5 days ago)

H A R V E S T E R

Lol

But honestly got all of my nodes (some new hardware, some minipcs, some old laptops, some ewaste servers, some Raspberry Pis, a VM off my Macbook), all in my Harvester cluster. I got Rancher running as a vcluster as well so messed some with Rancher provisioned rke2 clusters too.

Played some with nutanix as a vm in that cluster (what a fing nightmare, and not virtual hardware just Nutanix ...). Playing with ESXI now (it's not happy about my amd chips so far...). And also my virtual harvester cluster. Easy so far but I want to get more ambitious in creating a mock deployment, network and all, so I can test crazier configs without losing a day to rebuilding a cluster via thumb drive again...

Also managed some risk and got my ISP to let me do dual modems on the same bus and configed OpenWRT to load balance between them and via usb my wifi hotspot. Still working with them to try and get more IPs so can use the 4 total ports on my modem stacks to attach to both of my routers.

I like tinkering with junk, so the other half of my hobby is just risk mitigation (which I also enjoy).

[–] greybeard@feddit.online 17 points 1 week ago (4 children)

I spent some time last week learning both Ansible and Podman Quadlets. They are a powerful duo, especially for self hosting.

Ansible is a desired state system for Linux. Letting you define a list of servers and what their configuration should be, like "have podman installed" and "have this file at this location with this content".

Podman quadlets is a system for defining podman containers as a service. You define the container, volumes, and networks all in essentially Systemd unit files.

Mixing the two together, I can have my entire podman setup in a format that can be pushed to any server in seconds.

And of course everything is text files that git well.

[–] theorangeninja@sopuli.xyz 3 points 1 week ago (3 children)

I was thinking about this for some time now, can you link me to some good tutorials about quadlets in particular? Ansible will have to wait for now.

[–] oddlyqueer@lemmy.ml 11 points 1 week ago (4 children)

I finally set up Jellyfin and Sonarr! I've been using Plex and manually managing torrents for a while now, recently found the *arr services and they are very impressive. Got the Jackett - Sonarr - Jellyfin - Nginx stack set up, now working on getting SSL + DynDNS so I can make it available remotely. Also accidentally blasted my ratio downloading a bunch of TV shows all at once so gotta seed up for a bit before I fill it out more. But so far the setup has been pleasantly breezy for how complex a setup it is ❤️

[–] BingBong@sh.itjust.works 7 points 1 week ago (3 children)

I'm trying to find a reasonably priced used rack mount computer to move all my containers to. I have a rack in my house but measuring the depth between posts only gets me around 17.5". Recently deployed paperless-ngx and decided it would be too much to add onto my poor little NAS which hosts everything else so it's deployed on my main computer and I want to avoid that strategy.

Challenge is that being new to rack servers and all of this (the NAS was a great intro box) I've got a large learning curve ahead of me.

[–] tofu@lemmy.nocturnal.garden 7 points 1 week ago (2 children)

Are you using the rack already? Many people are opting for 10" racks for their homelabs these days. There's 3D printable enclosures for many thin clients and mini PCs. Minilab is the go-to term. This is mine if you're interested

[–] h0rnman@lemmy.dbzer0.com 3 points 1 week ago (1 children)

For what it's worth, Ikea's LACK tables make great mini racks

[–] gray@pawb.social 3 points 1 week ago (3 children)

I have a Dell R220 and a R240 which I’m looking to offload, free. They’re both specifically for short racks if you happen to be near central NC.

[–] Jason2357@lemmy.ca 7 points 1 week ago

For privacy reasons, I have finally fully disabled dynamic dns updates and closed the last holes in the home firewall, moving to 100% proxying via a VPS for publicly available stuff, and a tailnet (headscale) for everything private. The only real cross-over is Nextcloud - mountains of private data, but I want it publicly available for file shares. Fortunately, Nextcloud has a setting to whitelist IP addresses that allow log-in, so I can restrict that to just the non-VPS tailnet addresses. From the public internet, only public shares are accessible.

I set up a L4 proxy so that the encryption for Nextcloud happens at home and the VPS just passes encrypted packets. Then it occurred to me that a compromised VPS could easily grab a SSL cert for my Nextcloud subdomain via a regular-old http-challenge and MITM access to all my files, defeating the point.

Then I found a neat hack that effectively disables http-challenge certs for subdomains by requiring a wildcard certificate - which can only be created with a dns-challenge. I was able to also disable all other certificate authorities. Obviously, I have /some/ trust in the VPS I administer - it's on my tailnet network - but no longer have the concern that it could easily MITM Nextcloud. https://www.naut.ca/blog/2019/10/19/mitigating-http-mitm-possibilities-with-lets-encrypt/
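
An added example, not part of the comment above or of the linked post: assuming the mechanism described is a DNS CAA record set (RFC 8659), this Python check evaluates a record set and shows why `issue ";"` plus `issuewild` leaves only wildcard issuance open. The zone data, `example.com` and `ca.example` are constructed placeholders.

```python
import shlex

# Constructed sample zones; example.com and ca.example are placeholders.
WEAK_ZONE = 'example.com. 3600 IN CAA 0 issue "letsencrypt.org"\n'
HARDENED_ZONE = (
    'example.com. 3600 IN CAA 0 issue ";"\n'
    'example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"\n'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(zone_text):
    """Return (flags, tag, value) tuples from zone-file style CAA lines."""
    records = []
    for line in zone_text.splitlines():
        fields = shlex.split(line)          # handles the quoted value
        if "CAA" not in fields:
            continue
        flags, tag, value = fields[fields.index("CAA") + 1:][:3]
        records.append((int(flags), tag.lower(), value))
    return records

def may_issue(records, ca_domain, wildcard):
    """RFC 8659 check: may this CA issue for the name (wildcard or not)?"""
    # An unknown tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard requests issuewild replaces issue when present;
    # for ordinary names issuewild is ignored entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                          # nothing restricts this request
    # Value is "<issuer-domain>[; params]"; an empty issuer (";") matches no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed

def non_wildcard_issuers(records, candidate_cas):
    """CAs that could still issue an ordinary certificate for the name."""
    return sorted(ca for ca in candidate_cas if may_issue(records, ca, False))

if __name__ == "__main__":
    cas = ["letsencrypt.org", "ca.example"]
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        recs = parse_caa(zone)
        print(name, "non-wildcard issuers:", non_wildcard_issuers(recs, cas),
              "| LE wildcard allowed:", may_issue(recs, "letsencrypt.org", True))
```

This evaluates a single record set only; a CA checking a subdomain with no CAA records of its own climbs to the parent domain's records.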

[–] imetators@lemmy.dbzer0.com 6 points 1 week ago (2 children)

I'm a newbie to the whole selfhosting thing. Been doing NAS+minipc for past 6 months with a few services running. 2 days ago I embarrassed myself.

So, I been running 5 services on nginx proxy manager. But I heard that NPMplus is slightly better and can renew certs automatically. I had transferred settings from NPM to NPMplus by hand off the photo and for some reason NPMplus couldn't work with services ran on NAS. I went back to NPM and haven't touched the issue til last Sunday.

During troubleshooting I found out that my dumb ass didn't pay attention and put ":" instead of ".". So 192.168.xxx.xx became 192:168:xxx:xx and that was the reason I spent whole day troubleshooting the issue.

Next goal: go back to my homeland and set Pi3 at my parent's place to be my VPN so I can setup an arr stack and automate media downloads in a way that govt. of my current residence couldn't put a deep hole in my wallet.

[–] Fedegenerate@lemmynsfw.com 6 points 1 week ago* (last edited 1 week ago) (5 children)

I've been on full maintenance mode for spring/summer, those are the times to be going places and doing things. Autumn I'm going to write my winter goals for the server.

I have another n100 box that I'm going to dedicate to immich, I have 7 users now, so when they all upload on a night my current n100 has a little bit of a cry.

Security is always a big one. I'm currently relying on tailscale (limited to necessary lxcs), reverse proxies, Https, and app 'sign ins'. Not bad (it's bad) but not good either.

For new projects, I want to integrate Audiobookshelf with Hardcover. I've got a project installed but it didn't work on my first attempt so I gave it up for winter.

I'd like to set up a virtual DosBox, accessible by a browser, for my 1000s of dos games. Again I've found a few projects, none worked out of the box so have been given up for winter.

Other than that all my front end services are working well. *arrs are becoming a pain for all the malware named as good files confusing rad/sonarr. Qbit knows not to download .exes, and the like, but sonarr doesn't know to delete them and look again. Lazylibrarian accepts no shit though, if things aren't going as expected LL very quickly deletes and goes again. I might try vibecode a script for that.

I'd like to break out my storage into a dedicated box. Probably get some e-waste to fill with drives. Currently I have a n100 running network, storage and virtualization, it's a little cramped.

It's probably smarter to break out networking first, build a little router/firewall box (the above n100 mini would be perfect). But, I don't get along with networking, I find it challenging in an unsatisfying way. When I'm done banging my head against the wall and things work I'm just relieved I don't have to do it again, instead of feeling accomplished. New projects are fun, Storage I get the feeling of accomplishment from doing the thing. Networking is a dark art full of black boxes I don't understand that sometimes play nice together and mostly fuck my shit up.

I want to move over to IPv6, not for any other reason than it's probably a good idea to progress to the 2000s. If I can move everything over to Hostnames however, that'd be the dream.

Moving from Docker to Podman is probably smart.

Lots to do over winter... I'm probably gonna build a fish tank instead

[–] gaiety@lemmy.blahaj.zone 6 points 1 week ago (2 children)

Considering switching my Forgejo to a Tangled.sh knot. Their easy self hosted CI option is appealing

but mostly it'd be easier to collaborate than opening sign ups on my instance of forgejo

[–] tofu@lemmy.nocturnal.garden 12 points 1 week ago (1 children)

Forgejo is developing ActivityPub support, so eventually we'll be able to collaborate across forgejo instances :) I'll have a look at tangled as well

[–] gaiety@lemmy.blahaj.zone 3 points 1 week ago

oh that's cool thanks for sharing!

[–] HelloRoot@lemy.lol 4 points 1 week ago

That looks super interesting. Just yesterday I was reading on https://radicle.xyz/ for similar reasons.

[–] d13@programming.dev 5 points 1 week ago

I finally got around to setting up my internal services with TLS. It was surprisingly easy with a Caddy docker image supporting Cloudflare DNS challenge.

I did this because various services I use are starting to require https.

Now everything is on a custom domain, https, and I can access it through Tailscale as usual.

[–] Kaldo@fedia.io 5 points 1 week ago (1 children)

Just got a domain and started exposing my local jellyfin through cloudflare, mostly wanting to listen to my music on my phone when I'm outside too.

I followed some guides that should make it fine with cloudflare's policy, video doesn't work when I tried it but otherwise it's been fun despite me feeling like I'm walking on eggshells all the time. I guess time will tell if it holds up

[–] Batman@lemmy.world 4 points 1 week ago (6 children)

Some things which have caused issues for me:

File permissions

Video/audio format (264/aac stereo is best for compatibility)

[–] async_amuro@lemmy.zip 5 points 1 week ago (1 children)

Just ordered a used HP EliteDesk 800 G3 SFF (3.6GHz Intel Core i7-7700, 8GB DDR4 RAM, 256GB SSD) off EBay to replace my Apple Mac mini "Core i7" 2.3 (Late 2012/Server). Hoping to put 32GB of RAM in it, 1TB NVMe boot drive and maybe a 3.5” HDD for media instead of using an external drive. Might move to NixOS (I’d like to learn how to administer Nix even though it’s very complicated sometimes) and Podman, instead of using Proxmox and Docker Debian VMs and LXC containers.

Any advice and guidance appreciated!

[–] interdimensionalmeme@lemmy.ml 6 points 1 week ago (1 children)

I got two of those for 100$ USD for the purpose of hosting openwrt in proxmox LXC containers. One thing I noticed is they have no cooling. I put a 10 GBe mellanox card in it plus a very low end radeon gpu and it gets quite hot in there. My recommendation, instead of trying to embiggen it as much as possible, by putting 2 more sticks of ram and the biggest cpu, I would recommend just buying another. The performance boost per dollar isn't as much as the performance capacity of a second, third or 4th machine.

[–] async_amuro@lemmy.zip 4 points 1 week ago

Thanks for the recommendation, I got this one for just over $100 after tax. Space is an issue for me, so more machines isn’t the best and I can always keep the Mac Mini chugging if needed. I’ll probably only do the HDD/SSD and RAM upgrade, but it’s definitely worth keeping in mind if I throw a new NIC or GPU in it. I am thinking of putting a Noctua fan on the CPU cooler to keep it quieter and cooler!

[–] sem@lemmy.blahaj.zone 4 points 1 week ago (1 children)
[–] tofu@lemmy.nocturnal.garden 4 points 1 week ago (3 children)

It's a tool that checks and corrects metadata for your music collection. You can also import music with it to your collection (it will put everything in the right folders etc).

It does require some manual intervention now and then, though (do you really want to apply this despite some discrepancies? Choose, which of these albums it really is. Etc).

[–] csm10495@sh.itjust.works 4 points 1 week ago* (last edited 1 week ago) (3 children)

I have a couple pis that run docker containers including pihole. The containers have their storage on a centralized share drive.

I had a power outage and realized they can't start if they happen to come up before the share drive PC is back up.

How do people normally do their docker binds? Optimally I guess they would be local but sync/backup to the share drive regularly.

Sort of related question: in docker compose I have restart always and yet if a container exits successfully or seemingly early in its process (like pihole) it doesn't restart. Is there an easy way to still have that restart?

[–] AtariDump@lemmy.world 4 points 1 week ago (20 children)

Trying to figure out how to drop my energy requirements and still keep ~100TB running.

Right now it’s 12x 10TB drives in a RAID 6 with ~8TB still available; it might be time to bite the bullet and upgrade to 20TB drives. Problem is, if my calculations are correct, I’d still need 7 drives - 5 X 20TB=100TB and then two more drives for “parity”.

The server I have lined up already has a PERC in it.

[–] This2ShallPass@lemmy.world 4 points 1 week ago

Just discovered TinyAuth and it is fantastic. I am replacing Authentik with it because it has what I want but is much faster, smaller, and simpler. Also, the license is FOSS.

[–] confusedpuppy@lemmy.dbzer0.com 3 points 1 week ago (4 children)

I feel like my little Pi server is set up nicely now. At least I'm at the point where I'm not concerned about technically maintaining it. It's as secure as I want it to be and I've tweaked my maintenance scripts slightly to avoid any unexpected issues.

I tried installing snikket but I couldn't figure out how to get it to work with my Caddyfile using my current wildcard domain cert configuration. I'll try again another time when I'm motivated again. It's a low priority to me.

The last changes I made were adding logs and making them accessible to myself. So far they are all boring and predictable. Which is good news. It's also nice to see that I'm the only person accessing it. The bots haven't found my little corner of the internet yet.

Right now I'm taking a break from self-hosted stuff to work on my gardens and two artsy projects. A wooden carving for a friend's birthday and an overly complicated shell script that has no real purpose. Although I've learned lots from it already so it's not a complete waste of time.

[–] possiblylinux127@lemmy.zip 3 points 1 week ago

What's the best ACME server?
