Self-Hosting like it's 2025

Hmm, my first guess would have been that you have been a target of "brushing" [1]. In a Reddit thread from 2020 [2], multiple people mention that they received surgical masks they did not order.

[1] https://www.bbb.org/article/news-releases/20509-amazon-brush... [2] https://www.reddit.com/r/tulsa/comments/hpe8s1/just_got_a_su...

It's always scary, no matter how innocuous. I'm glad it did not escalate into something else for you!

Without getting too deep into it, there are some things I know how to do with computers that I probably shouldn't, so my thought is this; if I, a random idiot who just happened to learn a few things, can do X, then someone smarter than me who learned how to attack a target in an organized way probably has methods that I cannot even conceive of, can do it easier, and possibly without me even knowing. It's this weird vacillation between paranoia and prudence.

For me, it's really about acknowledging what I know I don't know. I do some free courses, muck about with security puzzles, etc, even try my own experiments on my own machines, but the more I learn, the more I realize I don't know. I suppose that's the draw! The problem is when you learn these things in an unstructured way, it's hard to piece it all together and feel certain that you have covered all your vulnerable spots.

I do something similar with my home server, but with a WireGuard split tunnel. Much easier to set up and keep active all the time (i.e., on my phone).

Nginx handles proxying and TLSing all HTTP traffic. It also enforces access rules: my services can only be reached from my home subnet or VPN subnet. Everywhere else gets a 403.

Maybe try running your services in docker, I don't know how difficult that would be to implement for you, but if you run it in containers you can get it to start up after an outage pretty reliably.

I suppose also no public IP on your home connection?

Because since my new provider only provides cg-nat, I've been using a cheap server, but actually having the server at home would be nice.

You'll have a hard time hosting websites/projects meant for the public to view, if you don't allow public internet traffic :)

I think they want to host public websites.

What's the 5% that's not blocking ports for services you want to expose?

Ensuring your infra is built in a secure way is as important as ensuring your service is built in a secure way.

I shared this sentiment. But since I just host some personal fun projects and I got really lazy when it comes to self-hosting, I found great pleasure in just creating the simplest possible docker containers. It just keeps the system super clean and easy to wipe and setup again. My databases are usually just mounted volumes which do reside on the host system

If it wasn't for Kubernetes we'd need 1/3rd of our operations team. We're keeping unemployment down!

I'd love to use Kubernetes for my self hosting. The only problem is it's too expensive.

> You shouldn't be running multiple instances of Postgresql, or anything for that matter, at home.

It's not uncommon with self-hosting services using docker. It makes it easier to try out a new stack and you can mix and match versions of postgresql according to the needs of the software. It's also easier to remove if you decide you don't like the bit of software that you're trying out.

I'd be interested. Might be a strange question but I'll throw it out there, I seem to have a hard time finding a good way to define my self hosted infrastructure nodes and which containers can run on them, have you run into/have a solution for this? Like I want my database to run on my two beefier machines but some of the other services could run on the mini pcs.

> I deploy to single node swarms, and it's a zero boiler plate solution.

Yup, it's basically like a "Docker Compose Manager" that lets you group containers more easily, since the manifest file format is basically Docker Compose's with just 1-2 tiny differences.

If there's one thing I would like Docker Swarm to have, is to not have to worry about which node creates a volume, I just want the service to always be deployed with the same volume without having to think about it.

That's the one weakness I see for multi-node stacks, the thing that prevents it from being "Docker Compose but distributed". So that's probably the point where I'd recommend maybe taking a look at Kubernetes.

I just want to add that I also have a Docker Swarm running, with four small nodes for my personal stuff plus a couple of friends' companies.

No issues whatsoever and it is so easy to manage. It just works!

I moved us off docker swarm to GKE some years back. The multi node swarm was quite unstable, and none of the big cloud providers offered managed swarm in the same way they offer managed k8s.

It's a shame I agree because it was nicely integrated with dockers own tooling. Plus I wouldn't have had to learn about k8s :)

I am very interested. I tried to migrate to Swarm, got annoyed at incompatibility with tons of small Docker Compose things, and decided against that. I'd love to read about your setup.

Would love a blog post on how you're using Docker Swarm.

bugs in it's infancy is what killed swarm for users.

Yep. I run a small swarm at work and have a 5-node RPi-4 swarm at home. Interested in why you'd run a single-node swarm instead of stand-alone docker.

Since I've migrated our company to Kubernetes, I almost stopped to worry about anything. It just works. Had much more troubles running it with spaghetti of docker containers and host-installed software on multiple servers, that setup definitely breaks like every week or every month. With Kubernetes I just press "update cluster" in some saturday evening once or twice a year and that's about it, pretty smooth sailing.

All my "smart home" stuff needs is mosquitto on a OpenWrt router and bunch of cgi-bin scripts that can run anywhere. I already went through a phase of setting up tons of services which ended up being turned off when something changed in my life (moving, replacing equipment etc.) never to be resurrected as I couldn't be bothered to redo it without the novelty effect, so I learned from that.

I am quite happy even without Docker, but I can see the appeal in some cases.

Indeed. I run a setup as you mentioned, with the various daemons in their own jail. Super simple set up, easy to maintain.

Lord knows why people overcomplicate things with docker/kubernetes/etc.

Same here. I've had the same setup for decades: A "homelab" server on my LAN for internal hobby projects and a $5 VPS for anything that requires public access. On either of these, I just install the software I need through the OS's package manager. If I need a web server, I install it. If I need ssh, I install it. If I need nfs, I install it. I've never seen any reason to jump into containers or orchestration or any of that complex infrastructure. I know there are a lot of people very excited about adding all of that stuff into the mix, but I've never had a use case that prompted me to even consider it!

I only host 3rd party daemons (nothing custom) and only on my local network (plus Tailscale) so Docker’s great for handling package management and init, since I get up-to-date versions of a far broader set of services than Debian or ubuntu’s repos, clean isolation for easy management, and init/restarts are even all free. Plus it naturally documents what I need to back up (any “mounted” directories)

Docker lets my OS be be boring (and lets me basically never touch it) while having up to date user-facing software. No “well, this new version fixes a bug that’s annoying me, but it’s not in Debian stable… do I risk a 3rd party back port repo screwing up my system or other services, or upgrade the whole OS just to get one newer package, which comes with similar risks?”

I just use shell scripts to launch the services, one script per service. Run the script once, forget about it until I want to upgrade it. Modify the version in the script, take the container down and destroy it (easily automated as part of the scripts, but I haven’t bothered), run the script. Done, forget about it again until next time.

Almost all the commands I run on my server are basic file management, docker stuff, or zfs commands. I could switch distros entirely and hardly even notice. Truly a boring OS.

I totally agree! Containers are nice when your installation is ephemeral, deploying and updating several time in a short period. But using the package manager is as easy as you get.

Anyone with experience to compare Coolify vs. Dokku? (and maybe something else?)

I think GP miswrote; Dokku does not host, it manages containers and makes deployment easier. It's like a self-hosted Heroku.

Yes, it's self hosting. You have access to the machine.

> How could anything be enforced on user-controlled servers?

New laws comes to mind. If a government decides to try to outlaw encryption again, cloud/hosting companies located there wouldn't have a choice but to comply, or give up on the business. The laws could also be made in such way that individuals are responsible for avoiding it, even self-hosters, and if people are using it anyways, be legally held responsible for the potential harms of it.

The problem lies with people who are technical enough to self-host, but might not be confident enough to fork/make changes. Maybe you could switch services, but there's still just enough friction/soft-lock in to actually migrate.

You are right though, it gives significantly more control to users. It's just realising 100% of the benefits that might be trickier.

I didn't have any problems creating wechat account. May be I was lucky, I don't know, I just typed my phone number and it went pretty smooth, like whatsapp. Also was able to connect my visa card. I did it in the Kazakhstan and then was able to pay in China, no problems. May be they got exception for Kazakhstan specifically, we recently got visa-free travels there.

Also your home modem/router is often tied to your ID and then there is ofc the firewall. IIRC You can get vos hosting and ICP code through Ali Cloud somewhat automagically. Agree it would be nice to give it a try some time.

Did you try? It's a few years ago when I had to create one, but it was just as simple as WhatsApp (just a few more CAPTCHAs). And no VPNs or whatever, straight from a Swiss IP.

[dead]

Jurisdictional arbitrage.

Just a single host. The main thing that I couldn't figure out is how to turn off "bootstrap" mode, so I've just left it on.

I manage about 500 servers. Critical services like DNS, mail, tftp, monitoring, routing, firewall... are all running openbsd in N+1 configuration, and in 15 years we had zero issue with that.

Now most servers are app servers, and they all run archlinux. We prepare images and we run them with PXE.

Both those are out of scope for self host.

But, we also have about a dozen of staging, dev, playground servers. And those are just regular installs of arch. We run postgres, redis, apps in many languages... For all that we use systems packages and AUR. DB upgrade? Zfs snapshot, and I follow arch wiki postgres upgrade, takes a few minutes, there is downtime, but it is fine. You mess anything? Zfs rollback. You miss a single file? cd .zfs/snapshots and grab it. I get about 30minutes of cumulated downtime per year on those machines. That's way enough for any self host.

We use arch because we try the latest "toys" on those. If you self host take an LTS distribution and you'll be fine.

That’s when you favor stability and use an LTS OS. You can also isolate workload by using VMs. Containers is nice for the installation part, but the immutability can be a pain.

Containers are fine. Run them on a Linux host to save yourself some headaches