Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

26
 
 

Hi everyone, I decided there simply were not enough docker apps for downloading Youtube videos, and so I made the situation worse :p

In all seriousness, I couldn't find one that fulfilled all my desires in a YT downloader, so I wrote my own in Python using pytubefix and streamlit. It's still fairly rough, but it works, and I'd love to get your feedback. Installation is just a simple docker compose.

services:
    pytube-gui:
        container_name: pytube-gui
        image: artisanbytecrafter/pytube-gui:develop
        ports:
            - 8501:8501
        volumes:
            - /path/to/downloads:/app/downloads # set to where you want downloads to go

Please let me know if you run into any issues, or have any feedback. I do still have a long list :)

Source code: https://codeberg.org/ArtisanByteCrafter/pytube-gui

27
 
 

Hi, how do you run forgejo under a reverse proxy while using an ssh channel to pull/push commits?

From what I understand caddy is only able to proxy http traffic.

28
 
 

So I've been hosting a modded Minecraft server for my friends and me on weekends. While it's been a blast, I've noticed that our current setup using LAN has its limitations. My friends have been eagerly waiting for their next "fix" (i.e., when they can get back online), and I've been replying with a consistent answer: this Friday.

However, exploring cloud providers to spin up a replica of my beloved "Dog Town" Server was a costly endeavor, at least for a setup that's close to my current configuration. As a result, I've turned my attention to self-hosting a Minecraft server on my local network and configuring port forwarding.

To harden my server, I've implemented the following measures:

  1. Added ufw (Uncomplicated Firewall) for enhanced security.
  2. Blocked all SSH connections except for the IP addresses of my main PC and LAN rig.
  3. Enabled SSH public key authentication only.
  4. Rebuilt all packages using a hardened GCC compiler.
  5. Disabled root access via /etc/passwd.
  6. Created two users: one with sudo privileges, allowing full access; the other with limited permissions to run a specific script (./run.sh) for starting the server.

Additionally, I've set up a fcron job (a job scheduler) as disabled root, which synchronizes my Minecraft server with four folders at the following intervals: 1 hour, 30 minutes, 10 minutes, and 1 day. This ensures that any mods we use are properly synced in case of issues.

Any suggestions for making the computer any more secure, as well as backup solutions? Thanks!

--added note, what hostnames do you guys call your servers? I used my favorite band albums and singles for hostnames.

29
 
 

What do you recommend for an at-a-glance access log dashboard? Kibana and Grafana seem cool but overkill.

All I want is a dashboard that can ingest and parse syslogs from various services and neatly display a list of currently connected IPs and usernames, if applicable, as well as an IP connection history.

30
 
 

I’m running opnsense on proxmox with some lxc containers and docker hosts.

I’ve never done internal DNS routing, just a simple DMZ with Cloudflare proxies and static entries for some external services. I want to simplify things and stop using my IPs from memory internally.

For example, I have the ports on my docker hosts memorized for the services I use, only a couple mapped hosts in opnsense, but nothing centralized.

What is the best way to handle internal DNS name resolution for both docker and the lxc containers? Internal CA certs? External unroutable (security)?

Any tips and setups appreciated.

31
26
submitted 5 days ago* (last edited 5 days ago) by [email protected] to c/[email protected]
 
 

(I'm not affiliated with them, I just saw a post about the update)

What it is:

The Open Source Alternative To Notion

and for those not familiar with notion:

Notion is a collaboration platform with Markdown and including kanban boards, tasks, wikis and databases. It is a workspace for notetaking, knowledge and data management, as well as project and task management


About the update:

New Features

  • Added a new property type, 'Files & media'
  • Supported Apple Sign-in
  • Displayed the page icon next to the row name when the row page contains nested notes
  • Enabled Delete Account in Settings
  • Included a collapsible navigation menu in your published site

Bug Fixes

  • Fixed the space name color issue in the community themes
  • Fixed database filters and sorting issues
  • Fixed the issue of not being able to fully display the title on Kanban cards
  • Fixed the inability to see the entire text of a checklist item when it's more than one line long
  • Fixed hide/unhide buttons in the No Status group
  • Fixed the inability to edit group names on Kanban boards
  • Made error codes more user-friendly
  • Added leading zeros to day and month in date format
32
 
 

I just set up a Minecraft server on an old laptop, but to make it accessible I needed to open up a port. Currently, these are the ufw rules I have. When my friends want to connect, I will have them find their public IP and I'll whitelist only them. Is this secure enough? Thanks

```
Status: active

To                         Action      From
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       my.pcs.local.ip
```

Also, Minecraft is installed under a separate user, without root privileges.

33
21
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]
 
 

Hi guys!

Back in the day I used to have a VM holding nginx and all the crap exposed...and I did set it up with fail2ban. I moved away from it, as the OS upgrade was turning messy, and rebuilt onto an LXC container. How should I use fail2ban/iptables in order to protect/harden my LXC container/server? Do the same conditions apply, or will I have any limitations/issues due to the container itself?

Thanks!

34
 
 

Hi. I am currently using google drive mounted with rsync (encrypted) to stream files over my VPS since my VPS provider charges a lot for extra storage compared to google. I have offline backups of the said data at home

I currently have a 100GB Google Drive plan and it's working surprisingly great. Also, it's cheap in my country due to regional pricing.

Now, as I learned, Google keeps your files for 2 years after you cancel your extra storage subscription. It also doesn't allow you to upload anything which locks up Gmail but that doesn't matter if it's an alt account. So, can I just create an alt account, buy a 1 month subscription, upload everything, cancel it, then read it using rclone? Does Google restrict api access (for rclone) on drives with expired subscriptions?

Yeah I know I'm stretching this a bit too far but I just wanna know

35
 
 

So, I have a rpi4b that's currently running a VPN for family abroad. I'm just finishing setting up Ubuntu Server 24.04 LTS (I have a limited number of USB sticks, and the largest is only 8 GB, so this choice was one of size; I can go into the ones I had considered before) on an old laptop. For my small business I've also bought a domain for a work email, and eventually a website; both are/will be hosted externally as I don't want to faff about with securing those aspects on my home network. The VPN though, that is currently pointing to the no-ip DNS service, and I want to migrate that to both the laptop and my own registered domain. What are the best practices here? I do need the VPN to exit through to my network, so that my MiL can watch UK streaming from abroad (TV licence shenanigans).

36
 
 

I'm syncoiding from my normal RAIDz2 to a backup mirror made of 2 disks. I looked at zpool iostat and I noticed that one of the disks consistently shows less than half the write IOPS of the other:

                                        capacity     operations     bandwidth 
pool                                  alloc   free   read  write   read  write
------------------------------------  -----  -----  -----  -----  -----  -----
storage-volume-backup                 5.03T  11.3T      0    867      0   330M
  mirror-0                            5.03T  11.3T      0    867      0   330M
    wwn-0x5000c500e8736faf                -      -      0    212      0   164M
    wwn-0x5000c500e8737337                -      -      0    654      0   165M

This is also evident in iostat:

     f/s f_await  aqu-sz  %util Device
    0.00    0.00    3.48  46.2% sda
    0.00    0.00    8.10  99.7% sdb

The difference is also evident in the temperatures of the disks. The busier disk is 4 degrees warmer than the other. The disks are identical on paper and bought at the same time.

Is this behaviour expected?

37
13
submitted 6 days ago* (last edited 6 days ago) by [email protected] to c/[email protected]
 
 

I am trying to not use any Google services for notifications and so I'd like to make a script to send notifications via ntfy based on discord messages.

How would I get access programmatically to my own Discord account? Do they even support it? They have bots, but is there an API for DMs?


Edit: the solution may just be a bot in servers, then not responding to DMs unless they use signal

38
 
 

I developed an app in Laravel that uses Google authentication, it works perfectly on my localhost. When I deployed it in my nginx server (ubuntu 24.04) I get the Google login correctly and it proceeds to my main page as expected. But after that, no route is accessible. All of them throw me a 404. I've been googling it for ages but I can't for the life of me find the solution for this.

EDIT: The 404 comes from Laravel, not nginx. The weird part is that if I try php artisan route:list on the server, the routes are indeed missing, but on localhost they all show. The code is pretty much the same.

Here is my app conf file:

server {
    server_name partituras-cmcgb.duckdns.org;
    root /var/www/html/partviewer/public;

    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }

    error_log /var/log/nginx/partviewer-error.log;
    access_log /var/log/nginx/partviewer-access.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/partituras-cmcgb.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/partituras-cmcgb.duckdns.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = partituras-cmcgb.duckdns.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name partituras-cmcgb.duckdns.org;
    return 404; # managed by Certbot


}
39
 
 

Is there any service that will speak LDAP but just respond with the local UNIX users?

Right now I have good management for local UNIX users but every service wants to do its own auth. This means that it is a pain of remembering different passwords, configuring passwords on setting up a new service and whatnot.

I noticed that a lot of services support LDAP auth, but I don't want to make my UNIX user accounts depend on LDAP for simplicity. So I was wondering if there was some sort of shim that will talk the LDAP protocol but just do authentication against the regular user database (PAM).

The closest I have seen is the services.openldap.declarativeContents NixOS option which I can probably use by transforming my regular UNIX settings into an LDAP config at build time, but I was wondering if there was anything simpler.

(Related note: I really wish that services would let you specify the user via HTTP header, then I could just manage auth at the reverse-proxy without worrying about bugs in the service)

40
 
 

These seem to be purpose built for home servers. Is there a benefit to using one of them?

41
42
 
 

This is a decent writeup on applying "Zero Trust" principles to a home lab using mostly open source tools. I'm not the author, but thought it was worth sharing.

43
 
 

I'm looking at getting a gateway device to replace the ISP router that sits between the internet connection and the mesh WiFi.

I am running pi-hole on a (very old) raspberry pi, but I know some gateways get quite fancy so I'm wondering if it's possible to have pi-hole on the gateway itself, to run as DNS and DHCP servers?

Other things I'm looking for in a gateway are VPN as a client (preferably Wireguard) and PoE ports for cameras.

If it's possible to host something like pi-hole directly on the gateway then hardware recommendations are appreciated!

44
 
 

Hi there self-hosted community.

I hope it's not out of line to cross-post this type of question, but I thought that people here might also have some unique advice on this topic. I'm not sure if cross-posting immediately after the first post is against Lemmy etiquette or not.

cross-posted from: https://lemmy.zip/post/22291879

I was curious if anyone has any advice on the following:

I have a home server that is always accessed by my main computer for various reasons. I would love to make it so that my locally hosted Gitea could run actions to build local forks of certain applications, and then, on success, trigger Flatpak to build my local fork(s) of certain programs once a month and host those applications (for local use only) on my home server for other computers on my home network to install. I'm thinking mostly like development branches of certain applications, experimental applications, and miscellaneous GUI applications that I've made but infrequently update and want a runnable instance available in case I redo it.

Anybody have any advice or ideas on how to achieve this? Is there a way to make a flatpak repository via a docker image that tries to build certain flatpak repositories on request via a local network? Additionally, if that isn't a known thing, does anyone have any experience hosting flatpak repositories on a local-network server? Or is there a good reason to not do this?

45
46
 
 

This seems like a solid choice for those of us looking for an Obsidian-like replacement. Personally, I've tried all the editors out there, but nothing is able to defeat my love for Obsidian. However, I look forward to trying out Haptic when it comes to Linux. Currently it only supports Web and Mac, but they state Linux and Windows support is on the way.

Kudos to selfh.st that provides consistent updates within this community and who shared this among other cool projects this week -> https://selfh.st/newsletter/2024-09-06/?ref=this-week-in-self-hosted-newsletter

47
 
 

Hi!

I have set up ScanServJS, which is an awesome web page that accesses your scanner and lets you scan and download the scanned pages from your self-hosted web server. I have the scanner configured via sane locally on the server, and now I can scan via web from whatever device (phone, laptop, tablet, whatever) with the same consistent web interface for everyone. No need to configure drivers anywhere else.

I want to do the same with printing. On my server, the printer is already configured using CUPS, and I can print from Linux laptops via a shared CUPS printer. But that requires a setup anyway, and while I could make it work for phones and tablets, I want to avoid that.

I would like to set up a nice web page, like for the scanner, where the users, no matter the device they use, can upload files and print them, without installing or configuring anything on their devices.

Is there anything that I can self-host to this end?

48
 
 

So we're starting a general contractor company and I'm wondering if anyone else did that and had general advice? It's with someone else who is not really technology-savvy.

Currently we're using:

  • WordPress for website
  • OpenProject for project related task
  • InvoiceNinja for invoice purposes

Any advice and comments would be appreciated!

49
 
 

So, I'm selfhosting immich, the issue is we tend to take a lot of pictures of the same scene/thing to later pick the best, and well, we can have 5~10 photos which are basically duplicates but not quite.
Some duplicate finding programs put those images at 95% or more similarity.

I'm wondering if there's any way, probably at file system level, for the same images to be compressed together.
Maybe deduplication?
Have any of you guys handled a similar situation?

50
 
 

I'd like to get to a docker swarm sort of situation where I have 3 identical docker VMs, running 3 identical Caddy configurations, with 3 identical Apache VMs, and requests load balanced across them. And then I want a shared filesystem so the users can upload the files for their web sites to one location, and it's made available to all the web front ends.

I'm currently in a mixed environment:

  • #xcpng on bare metal
    
  • FreeBSD VMs running important services (bastions, email, DNS)
    
  • #AlpineLinux VMs running docker for all my container-based stuff
    

So I'm trying to do the shared, highly available FS part of this design and I'd stay with FreeBSD if I could. #selfhosted
