I’m working on a project to host bits of Lemmy on peer cache devices run by the community – if you’re interested to take a look or help test/code, I should have code for some of the caching bits within a few days.
Cloudflare fronts all of my webserver traffic, and I have firewall rules in Cloudflare.
Then I have an OPNsense firewall that blocks a list of suspicious ips that updates automatically, and only allows port 80/443 connections from Cloudflare’s servers. The only other port I have open is for Wireguard to access all of my internal services. This does not go through Cloudflare obviously, and I use a different domain for my actual IP. I keep Vaultwarden internal for extra safety.
Next I run every internet facing service in k3s in a separate namespace. This namespace has its own traefik reverse proxy separate from my internal services. This is what port 80/443 forwards to. The namespace has network policies that prevent any egress traffic to my local network. Every container in the WAN facing namespace runs as a user with no login permission to the host. I am also picky about what storage I mount in them.
If you can get through that you deserve my data I think.
Unfortunately no guide, just things I’ve pieced together myself over the years.
Cloudflare is probably the easiest and most intuitive part of the setup though, you can setup dns/proxy/firewall rules very intuitively, and I’m sure there are plenty of guides out there.
My general rule is to not self host things that are good enough / free (as in $$ not FOSS). So I don't host email or music. I'm not a huge music person so spotify does the job, and gmail's been great since it started.
Things I do host
media server (jellyfin + sonarr/radarr etc)
stable diffusion image generation server
games (starbound mostly, killed minecraft after microsoft takeover)
I have an HP DL380 Gen8 and then a PC I bought from the local university and use as a server.
My DL380 runs ESXi. My PC runs Ubuntu on bare metal.
All of my apps are either fully VM-based (Home Assistant OS) or run in containers. Containers are far easier to build, upgrade, and migrate, and also make file management a lot easier.
I use Docker Compose. No Swarm or Kubernetes at this point.
Hopefully this is at least a good start! Let me know if you have any questions.
A combo of both. I group all my media apps like Sonarr, Radarr, SABnzbd, etc together in one compose since I consider each of them to be a part of the same “machine”, but most of my apps have their own compose.
Yep I’m still working on a helm chart. Currently, each service is deployed with the bjw-s app-template helm chart, but I’d like to combine it all into a single chart.
The hardest part was getting ingress-nginx to pass ActivityPub requests to the backend, but we settled on a hack that seems to work well. We had to add the following configuration snippet to the frontend’s ingress annotations:
<pre style="background-color:#ffffff;">
<span style="color:#63a35c;">nginx.ingress.kubernetes.io/configuration-snippet</span><span style="color:#323232;">: </span><span style="font-weight:bold;color:#a71d5d;">|
</span><span style="color:#183691;"> if ($http_accept = "application/activity+json") {
</span><span style="color:#183691;"> set $proxy_upstream_name "lemmy-lemmy-8536";
</span><span style="color:#183691;"> }
</span><span style="color:#183691;"> if ($http_accept = "application/ld+json; profile="https://www.w3.org/ns/activitystreams"") {
</span><span style="color:#183691;"> set $proxy_upstream_name "lemmy-lemmy-8536";
</span><span style="color:#183691;"> }
</span><span style="color:#183691;"> if ($request_method = POST) {
</span><span style="color:#183691;"> set $proxy_upstream_name "lemmy-lemmy-8536";
</span><span style="color:#183691;"> }
</span>
The value of the variable is $NAMESPACE-$SERVICE-$PORT.
I tested this pretty thoroughly and haven’t been able to break it so far, but please let me know if anybody has a better solution!
That’s awesome! I love his Helm chart. It’s the most impressive Helm library I’ve ever seen. I maintain a bunch of charts and I exclusively use his library chart :)
I just mentioned in a response to @seang96, but I feel like deploying a separate nginx is probably cleaner, I just didn’t want another SPOF that I could break at some point in the future.
We’ve evolved to spend more energy on our brain and intelligence. Animals can have better immune systems, plus they’ll build up a resistance to the pathogens.
People who constantly drink dirty water will also develop resistance
I just tried to click on a couple links formatted in various ways from a “jerboa for lemmy” app and it redirected to a browser (where I am not logged in).
Is there a format friendly to the app, or is there a app config that needs to be updated?
I have never used the Jerboa app so take this all with a grain of salt, since it may be different than the website. The link with the [link text](/c/[email protected]) should only work if the community is already linked with your instance, the two other formats can be put in the search bar, and after the instance fetches it, it should show up, but not sure how this all works on the app version though
You can kinda make it bend a bit to your whim. While it is technically immutable if you don’t mess with it, it does have everything necessary for using pacman. It just all reverts next time steamos updates. Anything you install directly through the discover portal is permanent, but it does technically have access to anything in the pacman repos as well.
I unlocked mine long enough to download neofetch and take the screenshot for this. It’ll revert back soon, but I only needed it temporarily for imaginary internet points. :)
Part of my Reddit exodus plan was to get serious about my RSS setup.
I’ve settled on:
FreshRSS as my feed manager (supported by Reeder app in iOS and MacOS)
FiveFilters Full Text extractor
rss-proxy site scraper
I may experiment with some replacements for rss-proxy, as I’ve run into a couple sites it doesn’t scrape well, but FreshRSS and FiveFilters have been smashing successes.
Nice, RSS is great indeed. I use it extensively as well, but I didn’t even realize it was a thing people ran as a service on a server. I hadn’t heard of FreshRSS etc. I personally just run newsboat from my desktop/laptop, even my phone if need be.
Hey @ruud , thanks for chiming in here on /c/Sysadmin! I’ve been trying to figure out how to best manage the Sysadmin communities I’ve setup across different Lemmy servers, but it’s looking like lemmy.world might be my new home server since it appears to have the best uptime and stability. 😉
Thank you! If you have multiple Sysadmin communities, maybe it’s an idea to close all of them but 1. Just mark them as ‘only moderator can post’ and pin a post telling people to subscribe to the 1 community.
It’s a while since I’ve wild camped so not sure if the status has changed. When I did it was more ‘accepted’ than ‘permitted’. Also, the good spots are closely guarded secrets, so you’re mostly on your own there! I don’t know you’re experience, but for anyone else thinking about wild camping: You want water relatively accessible and depending on the weather, some shelter. (I’ve always drunk from fast flowing streams, never pools and survived without treating the water. You also want seclusion as you really don’t want to be getting any attention from walkers or land owners.
This time of year you won’t be getting much sleep, so decide if you want the evening or morning sun - I prefer the morning sun as it dries any dew off my kit. Looking at the map you should be able to plan a route and spot some quite nice spots if you think about the above. Only spend one night in a location.
I used to leave work early, drive down, get half a walk in, a night camp, finish the walk and be back to work for 9AM. One memorable morning was waking up on top of one of the Carnedds.
My preference was always to bivvi rather than tent as it was easier to carry and far easier to find a hidden spot. - The pleasure, as with most bivvying is generally retrospecive, but great fun. Pitch up at dusk and leave at first light, leave no trace bar some flattened grass and all is good. - Just make sure you pack enough calories and water.
The first wild camp I ever did was on the side of Tryfan in just my sleeping bag on a clump of heather. It would had been perfect if I hadn’t put my hand in goat muck earlier in the evening. - Took two days to wash the stink out.
We’re planning to make a little camp somewhere hiddin in a woodland hopefully, and do some walks from there, but not too much walking. Good point about the sleep… I had forgotten that.
Me too! I try to take a picture of some of the better ones I run into. Some that come to mind are a fully sealed individual size bag of chips that only had air in it, and an individually wrapped protein cookie that had two cookies jammed in it. Life evens out.
kbin.life
Top