Sell Meta to Elon Musk. Either Twitter or Threads will be shut down, and I have a feeling it will be Threads. This has the bonus of not owning meta, to prevent assassins from targeting me. muskrat has bodyguards, I do not.
I had been self-hosting stuff on my QNAP NAS for years before it died due to the infamous Intel clock drift issue and now I am in the process of making a DIY NAS (last few parts are coming in this weekend). I don’t have answers to all your questions but I’ll try my best with the experience that I have.
It is absolutely possible to mix your usecases on one machine, with the caveat that if you’re running on less-powerful hardware (like a off-the-shelf NAS), some of your services might be competing with each other for resources. CPU usage and disk access times (especially with a RAID 5 HDD array) can all impact performance. My QNAP NAS did start to bog down a few times with both Jellyfin and Nextcloud running at full tilt, but it was generally pretty usable.
Most NAS products support docker images so I wouldn’t worry too much about NAS vs PC in this case. Also, docker-compose is your friend. Write your yaml file once and it will make for easy setup and upgrading.
Dude, I am with you on dead-end products. The death of my QNAP NAS has caused me lots of headache and I basically swore off products that I can’t upgrade and fix myself. The problem is price. The cheapest x86 PC that I personally think will handle multiple usecases (media server, Nextcloud, SAMBA, maybe a Valheim server or a VM when I need it) costs roughly around $650-$750 depending on your build. You can probably find a Synology or QNAP NAS for about $500-$550. Granted, they most likely aren’t going to be anywhere near as powerful as a DIY x86 PC, so I think its worth going the DIY route. Those prices do NOT include the drives either, so be sure to factor that into your calculation. If you’re curious, here’s one of the cheaper builds I was considering building: pcpartpicker.com/list/rtqDbK. Ultimately I decided to go for a crazier build because I did not want slow HDDs anymore: pcpartpicker.com/list/Lm92Kp
You mean running a media server on your laptop, but pointing the media libraries to a Samba share on a NAS? I did that for years with my QNAP NAS and a little Intel NUC running Plex. The only issue is that you won’t get incremental media library updates whenever you add new files into the Samba folder. Usually, Plex (and Jellyfin) can detect file changes if the media library is local and automatically process only those files instead of rescanning the entire media library. Over Samba, there’s no such automatic detection so whenever you add a file, you have to manually trigger a full rescan in order for it to pop up in your media library.
I believe Unraid does this. I have not tried it myself and I plan on going with ZFS for my DIY NAS.
I don’t have any resource recommendations, but personally I’ve taken the docker-compose approach which helps quite a bit for isolation. For media servers, you only need to give read-only access to the volumes hosting your media storage. It is also recommended to put media servers like Jellyfin behind a reverse Nginx proxy because Nginx has been battle-tested in terms of security and Jellyfin’s web server has not. You can use docker-compose to easily spin up a Nginx proxy alongside your media server and have them contained in their own isolated network.
Do not open any more ports than is necessary to host your services. This means even remote administration should not be available via your public IP. Learn how to setup Wireguard so that if you’re away from home, you can quickly VPN into your network and do remote administration. If you’re using SSH, make sure you disable password authentication and only rely on SSH keys. I am sure other people can add more, this is just the basics.
The folks agreeing with you in that thread were much more toxic than the folks who offered legitimate rebuttals to your comment. Honest question, but what about any of those responses set you off?
Some browsers have an option for DNS over https, and might be skipping your system DNS settings. Other advice is right too: run this locally and don’t expose it to public internet queries.
When people say "fuck cars", they usually mean "fuck car-centric infrastructure" (though some do really hate cars).
Having a diverse set of options focusing on walkability and public transportation doesn't mean the elimination of cars. It just means that everyone isn't forced to use a car to do just about anything. As a car-lover myself, I hate sitting on traffic. Makes the car I carefully chose to be just a glorified AC box. I hate sharing the road with 90 year old geriatrics, kids taking their parent's car for a joyride, and bar-hopping drunk drivers. In a non-car centric neighborhood, they could all just walk/take public transpo to buy eggs, go to the arcade, or go home safely when they're drunk.
The little things that run off tiny button batteries? Almost certainly not. The bigger/more powerful ones might.
That said, don’t. It’s stupid to try, especially if you think it could. I mean think about it. You think it might blind a pilot? That’s a lot of lives your potentially putting at risk.
What possible motivation could cause you to want to risk it?
It was one of those tiny toy ones. Yeah, definitely still a dumb idea. Not condoning it or recommending it ever. It was just a dumb internet argument, but I second guessed myself, because people were insistent that it would still reach the plane
It is hard to adapt Windows habits to Linux for some cases. E.g. you sometimes use Adobe Photocrap for editing photos. Reasonable that ppl want to use what they know, so they will try to use it with WINE and obviously will fail. „Linux sucks, it cant run the properitary shit subscription software, going back to Windows!“ if someone really depends on such software then yes stay the fuck with Windows. For most other tasks there is a solution available. And for the fear of terminal: I bet most users never ever have to see or use it once since there are GUI tools available for such crucial tasks like updating. Mint does a great job in terms of windows like experience for beginners but also is a full fledged GNU/Linux distro. But yeah if you want to change to Linux it is not just the desktop that changes, it is a whole philosophy that opens up a new world if you are curious.
Is there a reason you can’t just VPN in and expose only the VPN gateway? My preferred security is not exposing a bunch of random applications to the internet and hoping each doesn’t ever have any vulnerabilities.
Yeah i could definitely do that, however would that cause much trouble regarding using the nextcloud android app, or my ereader which uses OPDS to get books from calibre? I get thatd id have to sign into the VPN, but i already use mullvad on everything.
As long as you’re connected to the VPN it probably shouldn’t. I use the automate app on my phone to automatically connect to my home wireguard server whenever I’m off my wi-fi, and it works great.
You’re going to run into an issue of only being able to have one VPN connected on Android at a time though if you’re already running mullvad on it, but as long as you have a decent connection at home and no data cap, you could just route all of your traffic through your home network, and then split tunnel your private IPs to connect directly, and anything else through mullvad.
Head scale would be a self-hosted way of doing this as well.
You’d install headscale publicly accessible on your VPS or port-forwarded server.
You’d configure your phone and any laptop you travel with using the tailscale apps with the special hidden setting to use your custom control-server.
Now any apps you want to access yourself but not for the public unauthenticated internet to see, you bind to tailscale/headscale interfaces rather than public interfaces.
Anything you DO want publicly accessible (for example immich for image sharing to friends who aren’t on your tailscale network) you host the normal way by binding to a public interface.
You could also do this with regular tailscale and cut the self-hosted headscale out of the picture.
But by doing this or another private VPN setup, you take the listeners for some of your apps off the internet and reduce your attack-surface. It obviously doesn’t help for WordPress or other stuff you actually want to share publicly, but it can give some peace of mind for personal services like bitwarden or Jellyfin.
I can’t answer all of it, but much of what you’re asking for can be accomplished with a simple samba share. If you can handle nextcloud, you can set up samba.
It’s perfectly reasonable to use the same device to run your web services and as your NAS. There’s no reason you can’t divide them up later if you want.
You’ll need to pick a file system, I suggest either BTRFS or ZFS though there are several options. BTRFS is neat because it’s flexible - you can make huge changes without ever dismounting. You’ll want to plan for a multiple-drive solution, and you’ll need to decide how you’d like to balance performance, space efficiency, and failure tolerance. Whatever you do, pick one single drive size and stick with it – different disk sizes xan work, but there are restrictions and they complicate things.
A good backup is automatic, versioned, and encrypted. You preferably want one offsite and one onsite for anything irreplaceable. Restic is a good tool, as is Borg backup, as are many other options. Personally I run a restic job nightly, with backblaze b2 as a destination. I also have a local backup on normally-unplugged drives that I run manually every couple weeks.
For plumbing, tailscale is really nice. Easy to set up, and you get remote access to everything with minimal config and no holes in your firewall.
Regarding hardware, you have many options. Old laptops actually make great homelabs:
energy efficient
built-in UPS
no need to drag a keyboard/monitor/mouse over when you can’t access via SSH for whatever reason
usually plenty performant for the task
Their biggest drawback is a lack expandability/upgradability, though you can get pretty good USB drive bays to partially address that. Another option is the intel NUC family and its competitors, basically tiny desktops built out of laptop parts. A third option is to build a normal desktop PC, either into a normal case or a rack-mount one if you have the space. The off-the-shelf options work, but are limiting in my experience. That said, they’re the way to go if you don’t want to do a lot of tinkering.
Whichever solution you go with, personally I wouldn’t start with any less than 4 drive bays. More is better, you can’t have too many. You should be able to shuck your old drives and put them into any 3.5" drive bay.
For reference, my setup is an intel NUC with a thunderbolt 10 drive bay plugged in. I have a mishmash of disks, ~48tb total in BTRFS raid 1giving me 24tb usable. Running a good handful of docker containers and a samba share, all accessible over tailscale.
Sorry for the info dump, happy to answer questions.
Security is a tough thing to give advice about. Different people have different levels of risk tolerance. It’s embarrassing to give advice about one’s personal views - tedious to write - and then get replies about how that’s too much security, too little security, etc.
Attackers can use tricks to enumerate dns subdomains. They can compromise one container and pivot to the container host.
You can frustrate automated compromises by putting up roadblocks or speed bumps they have to get through before seeing the stock landing or login pages for well known apps. That can buy you a little time if a serious exploit is discovered and you know you won’t be on top of container updates. But stay on your container updates.
I’m a bad one to get how-to advice from if you’re starting out. Not a fan of docker and I don’t know what watchtower is. I’m one of those electricity-wasting home labbers who loves ESXi, vlans, and /30 nets for each individual VM.
I’m also one of those who takes months to accomplish what someone competent can do in days. It’s taking me forever to get openldap, postfix, dovecot, and roundcube to all play nice. (Because I’m trying to “be like daddy” and mimic the security I see at work, I can’t follow normal walkthroughs, or just install an off the shelf container and make it someone else’s problem. But this way makes me read manuals and gain a deep, durable understanding of the technology. And it takes forever.)
I wish It could be so simple for everyone… Docker is great when you have an old spare laptop and want to self host a few nice things: vaultwarden, traefik, searxng… Sure it’s relatively new compared to VMs and is going to have some security flaws and reworks during the maturing process… But VMs had also their ups and downs long time ago before It got in a stable maturing state !
VM are nice but we (in my opinion) as human species need to find other solutions to get away from energy, rare metal hungry devices… something in between docker and VMs. But that’s just my opinion.
Plus, docker and derivatives are also really interesting technologies where you have to read manuals and gain deep and durable knowledge to understand the future of virtualization.
Totally agree. I think you’ve picked up on an attitude problem I need to fix, as that is keeping me from embracing a really useful technology. You caught me admitting to a bias that I know isn’t always true.
kbin.life
Newest