kbin.life

jon , 1 year ago to selfhosted in Help with Routing and Securing Homelab?

I run all my lab servers/services/etc in their own /16 on my home net. Nothing is publicly routed in over my WAN IP- if I want to expose a service, it goes through Nginx Proxy Manager to my local service via a ZeroTier tunnel.

I would strongly encourage you to not expose any of the *arr services (particularly your download node) to your WAN IP. PIA’s desktop app does a pretty good job of forcing a full tunnel with a VPN kill switch, so you never have to worry about your ISP catching onto what you’re doing.

Viclan OP , 1 year ago

So you’re saying your services run on a separate subnet? 255.255.0.0? How would you connect from your home pc connected to your home WiFi? I assume have the vpn running on the machine on a different subnet and also have it running in front of the service, the vpn would give your home computer an IP on the /16 subnet range? Am I correct in that assumption?

I suppose I need to get OPNsense actually working and providing a different subnet in the first place before worrying about all this, I appreciate your input! I understand about exposing the WAN IP, I’m assuming VPN tunnel for those specific services would protect my WAN IP as it would just send all my traffic to the VPN provider and then out to the actual destination, again correct me if I’m wrong. I don’t think I understand how the actual routing would work, how to hook the services into nginx proxy manager and how to know which ports to close and what not, but I suppose I’m not at that step quite yet

jon , 1 year ago

Yes, I’ve got separate subnets & vlans for a few things. My PCs/phone/tablets/etc, homelab, IoT devices (i.e. loads of Govee bulbs/ropes, gaming consoles, oven, etc), Guest (all isolated from everything else internal) and one for my roommate. I’m on a Unifi Dream Machine Pro so setting up traffic rules to allow certain traffic from PC vlan to homelab (and the other way) was pretty straightforward.

As for the VPN, yes a full tunnel would force all traffic over the VPN, but for all but my *arr stuff that’s overkill. I just join all my VMs to Zerotier and force traffic from the public LB in via their VPN IP, but the VMs can still pull yum updates and anything else they want over my WAN link.

devrand , 1 year ago to selfhosted in What are YOU self-hosting?

I haven't had much time to setup my new server, which is a Dell Poweredge r720, but I will host plenty of stuff once I do get around to it! What I plan to host is pretty similar to what other people host.

outbound , 1 year ago to reddit in Is /u/spez really just incompetent

I think that /u/spez has his back against the wall. Reddit loses money - a lot of money - and there’s noone left to foot the bill. He’s tried everything: he’s tried advertising, sponsored content, and he’s tried premium memberships (and don’t forget coins!), but all this is simply a drop in the bucket. At this point, if nothing is done, Reddit will likely have to shut down - it probably has 8-14 months left.

Honestly, I think that /u/spez has given up; he sees that Reddit as it was originally envisioned is dead. So, he’s decided to make some superficial changes to polish it up and make it appealing to investors, make an IPO, and then cash out what he can out of it and leave.

aucubin , 1 year ago to selfhosted in [SOLVED] How to configure Lemmy instance nginx proxy for websockets?

The nginx config provided in the Docker installation part contains everything needed for nginx. If you are installing lemmy directly on the machine you may need to use different upstreams.

The websocket part is basically the

<pre style="background-color:#ffffff;">
<span style="color:#323232;">            # proxy common stuff
</span><span style="color:#323232;">            proxy_http_version 1.1;
</span><span style="color:#323232;">            proxy_set_header Upgrade $http_upgrade;
</span><span style="color:#323232;">            proxy_set_header Connection "upgrade";
</span>

part in the nginx config on that page.

penguin_ex_machina OP , 1 year ago

I seem to be having a lot of lag at the moment, and my post was created twice so I’m just going to delete the other one and start from here…

So I have this set up per the instructions. My instance is on a Digital Ocean instance, and I’m using nginx on the host to point to localhost:1235, but that’s about all that conf file is doing. Is there something else I need to do?

aucubin , 1 year ago

Ok, just to understand what you did. You got an Digital Ocean droplet with Docker and used the instructions in the link I posted or different ones?

If you are using the instructions from my link nginx will also run in a docker container, which means that your upstream will not be on localhost, but rather the lemmy and lemmy-ui containers.

If you did install it locally then localhost:1235 could be correct.

penguin_ex_machina OP , 1 year ago

I think this is where my lack of experience with Docker is showing.

I spun up a DO droplet and installed nginx, Docker CE, and Docker Compose. Then I went through the instructions on the page you linked to and it set it up just fine but when I went to my droplets IP address it wouldn’t connect. I had to add a config file that pointed traffic coming into the droplet on port 80 to redirect to the Docker container instead. Am I overcomplicating it?

aucubin , 1 year ago

No, you are right. If you are using the nginx container from the docker installation guide then you will also need to add port 80 atleast in order to see anything, as nginx will otherwise not listen on the port 80 of the droplet.

How does your nginx.conf look now?

penguin_ex_machina OP , 1 year ago

The one meant for the Docker container or the one on the host?

aucubin , 1 year ago

Ah, so you added another nginx on the host by installing it from the package store of the distro and have that proxy port 80 to the docker nginx?

If you do that then you also need to add the websocket settings I had in the first comment to the host nginx.

What I meant what that the nginx in the docker-compose from lemmy also listens to port 80 and you just need to add

<pre style="background-color:#ffffff;">
<span style="color:#323232;">server {
</span><span style="color:#323232;">    listen 80;
</span><span style="color:#323232;">    server_name my_domain.tld;
</span><span style="color:#323232;">
</span><span style="color:#323232;">    location / {
</span><span style="color:#323232;">        proxy_pass http://localhost:LEMMY_PORT;
</span><span style="color:#323232;">        proxy_set_header Host $host;
</span><span style="color:#323232;">        include proxy_params;
</span><span style="color:#323232;">    }
</span><span style="color:#323232;">}
</span>

to the nginx.conf of the container.

Then you should have it accessable from port 80 without the host nginx (of course you need to stop the host nginx then).

penguin_ex_machina OP , 1 year ago

So looking at this again now, am I taking that whole block and adding it to the container’s nginx.conf? If so, does that mean I have to change what port it’s currently listening to (because there’s already a rule in the file for port 80)?

There’s a comment in that server rule that says “this is the port inside docker” and a comment immediately after that says “this is facing the public web”, which confuses me.

Akasazh , 1 year ago to pics in The Reddit I Miss:

That is awesome. Shame that the corporate greed destroyed that spirit…

bobaduk , 1 year ago to android in What phone are you using?

Asus ZenFone 8.

I love it, it’s a nice bit of kit, and the few gimmicks it has are useful: scheduled charging for better battery life, digital well being stuff to stop me being glued to my phone.

Battery would be a problem for a super power user, but lasts me all day with commuting, reading the web etc. Camera is not on a par with flagships but I rarely take pictures.

Prior to this I had a Huawei until the battery died on me. I upgrade when I have to, I hate consumer upgrade cycles.

I have zero android ecosystem products.

I’m Android/Linux all the way unless work force me to use a Mac, which happens periodically, as part of the great cycle of life.

knr1651727105 , 1 year ago

I miss my Z8. It was 1 week short of 2year mark when it died last week. I would advise to you to turn on your auto backup just in case.

And if you use the tachiyomi app, back that up as well.

shertson , 1 year ago to sysadmin in Please don't zero out your account from *over there* if you've contributed answers or resources.

I initially agreed with you. I’d hate to see all of that communal knowledge lost.

Reading the other replies, I am not so sure. Do they deserve to continue capitalizing on other peoples knowledge? Yes and No. They did supply a service without which that collection would have had to be assembled somewhere else. But I don’t think they should be able to capitalize on it forever.

With the archive team and their efforts, I am less worried about “Wisdom of the Ancients” situation.

PixxlMan , 1 year ago

I just hope the archives will be easily accessible and searchable, preferably without having to specifically leave the search engine to search them, otherwise the knowledge will still, in practice for most people, be inaccessible.

slashzero , 1 year ago to startrek in I think Voyager is underrated

Tuvix.

manitcor , 1 year ago to mildlyinfuriating in [Meta] - Cross Community Moderation & Community Announcement

Love it, I am looking for rulesets to adopt for my instance. I would love to incorporate your work!

ChoAlZu , 1 year ago to selfhosted in What are YOU self-hosting?

Here’s mine:

Unraid OS: Docker:

• cadvisor
• deluge
• FileZilla
• Firefox
• Fivefilters-full-text-rss
• FreshRSS
• Home-Assistant-Container
• Libreddit
• Microsoft-Edge
• pihole
• Plex-Media-Server
• Radarr
• Resilio-Sync
• Scrutiny
• Sonarr

Unraid OS: Virtual Machines:

• Debian VM
• Windows 11 VM

Unraid OS: Plugins:

• GPU Statistics
• Tailscale
• CA Mover Tuning
• Community Applications
• Dynamix System Temperature
• Intel GPU TOP
• NVTOP
• Unassigned Devices

My unraid server is my “jack of all trades” machine running the primary services apart from my Pihole instance (as below).

Ubuntu Server LTS:

• pihole
• pivpn
• emby

This is running on an old thin client machine and is my primary Pihole/VPN machine with a backup music/media server running Emby.

MorganCS , 1 year ago to selfhosted in What are YOU self-hosting?

In my homelab I have two main servers

**Esxi:**Opnsense VM –Running Wireguard VPN Docker VM –Vaultwarden –Portainer –FreshRSS –Heimdall Dashboard –SponsorBlockCast –Portainer Agent Home Assistant VM –Node Red –Frigate –DoubleTake –zigbee2mqtt –Mosquitto –ESPHome SecureVM –NGINX Proxy Manager –Portainer Agent

Ubuntu Media Server 40tb zfs Running Docker:–Scrutiny –Plex –YTDL Material –Lidarr –Radarr –Bazarr –Sonarr –Sabnzbd –Compfreface –Portainer Agent Cockpit

Sergio , 1 year ago to futurama in Which Futurama line(s) do you find yourself quoting for no raisin?

“The Original Party Worm”

Darkwraith , 1 year ago

Wiggity wam wam wozzle!

I’m gonna go lay down…

chaosppe , 1 year ago to ukcasual in What icon should we have?

Just for fun I asked gpt-4 what the most British thing is, I then asked it to make a prompt for midjourney. Here is the result. (Don’t question the alien hand)

https://lemmy.world/pictrs/image/8144a951-13fb-468b-a0f5-23e778ed94a9.png

GuinnessChocolates , 1 year ago

Ugh the hands. Always the hands.

sanguinepar , 1 year ago to youshouldknow in YSK how to correctly link to other Lemmy communities

Hi - just FYI, the Good link makes the app Jerboa crash (for me at least). Probably something needing changed in the app, but wanted to share anyway.

scrubbles , 1 year ago to technology in Megathread for Reddit Blackouts and News - Week 1

Reddit has been going through some issues for many on Monday, with the outage happening the same day as thousands of subreddits going dark to protest the site’s new API pricing terms.

According to Reddit, the blackout is responsible for the problems. “A significant number of subreddits shifting to private caused some expected stability issues, and we’ve been working on resolving the anticipated issue,” spokesperson Tim Rathschmidt tells The Verge.

https://poptalk.scrubbles.tech/pictrs/image/13d6a20c-b7e4-4ccc-ad4d-3f56f0782097.jpeg