confusedpuppy

@confusedpuppy@lemmy.dbzer0.com

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨**How** should I properly document my homelab?⁩ ⁨⁨2⁩ ⁨days⁩ ago⁩:
I have two systems that sort of work together.

The first system involves a bunch of text files for each task. OS installation, basic post OS installation tasks and a file for each program I add (like UFW, apparmor, ddclient, docker and so on). They basically look like scripts with comments. If I want to I can just copy/paste everything into a terminal and reach a a specific state that I want to be at.

The second system is a sort of “skeleton” file tree that only contains all the files that I have added or modified.

Here's an example of what my server skeleton file tree looks like
___ . ├── etc │ ├── crontabs │ │ └── root │ ├── ddclient │ │ └── ddclient.conf │ ├── doas.d │ │ └── doas.conf │ ├── fail2ban │ │ ├── filter.d │ │ │ └── alpine-sshd-key.conf │ │ └── jail.d │ │ └── alpine-ssh.conf │ ├── modprobe.d │ │ ├── backlist-extra.conf │ │ └── disable-filesystems.conf │ ├── network │ │ └── interfaces │ ├── periodic │ │ └── 1min │ │ └── dynamic-motd │ ├── profile.d │ │ └── profile.sh │ ├── ssh │ │ └── sshd_config │ ├── wpa_supplicant │ │ └── wpa_supplicant.conf │ ├── fstab │ ├── nanorc │ ├── profile │ └── sysctl.conf ├── home │ └── pi-user │ ├── .config │ │ └── ash │ │ ├── ashrc │ │ └── profile │ ├── .ssh │ │ └── authorized_keys │ ├── .sync │ │ ├── file-system-backup │ │ │ ├── .sync-server-fs_01_root │ │ │ └── .sync-server-fs_02_boot │ │ └── .sync-caddy_certs_backup │ ├── .nanorc │ └── .tmux.conf ├── root │ ├── .config │ │ └── mc │ │ └── ini │ ├── .local │ │ └── share │ │ └── mc │ │ └── history -> /dev/null │ ├── .ssh │ │ └── authorized_keys │ ├── scripts │ │ ├── automated-backup │ │ └── maintenance │ ├── .ash_history -> /dev/null │ └── .nanorc ├── srv │ ├── caddy │ │ ├── Caddyfile │ │ ├── Dockerfile │ │ └── docker-compose.yml │ └── kiwix │ └── docker-compose.yml └── usr └── sbin ├── containers-down ├── containers-up ├── emountman ├── fs-backup-quick └── rtransfer

This is useful to me because I can keep track of every change I make. I even have it set up so I can use rsync to quickly chuck all the files into place after a fresh install or after adding/modifying files.

I also created and maintain a “quick install” guide so I can install a fresh OS, rsync all the modified files from my skeleton file tree into place, then run through all the commands in my quick install guide to get myself back to the same state in a minimal amount of time.
⁨Comment⁩ on ⁨Self hosting Sunday! What's up, selfhosters?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
I actually started with RPi’s. The first one, a used Pi 4b, is dedicated only to HomeAssistant. I don’t tinker with it anymore because it does what I want and I don’t want unexpected downtime when I have to use the bathroom or use the lights in my room.

I bought a used Pi5 with the intention of upgrading later. In life I am quite minimal and find a joy in using what little tools and material I have to create something new. That seems to hold true to technology and scripting too. The RPi5 with an old USB3 HDD is actually way more power than I can currently use and can imagine using for a long time. The extra room to work is convenient though.

I’ll have a look into some of the places you suggested, those seem like the places to draw good inspiration from, thank you.
⁨Comment⁩ on ⁨Self hosting Sunday! What's up, selfhosters?⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
I started out rewriting my network backup scripts only to realize I was adding functionality to a previous script I wrote to automatically mount and dismount luks encrypted volumes. I still want to type in my luks passphrase because I don’t want everything automated and prefer to include inconvenience as an additonal security measure in securing some of my data.

I also came to the realization recently that the reason I don’t relate strongly to other self hosters is because I’ve unknowingly been trying to create a minimal self hosted system that is more beneficial to small, low powered devices.

I’ve been using Alpine Linux, I install only the bare, older but well established tools and have been creating scripts soley based off those tools instead of seeking out bigger, more complicated modern tools. For example creating workflows by only using rsync or using github.com/RayCC51/BashWrite to create a blog that only uses bash and GNU sed to create a static blog site.

At least now that I’m aware of this, I can keep an eye out for such projects or communities and would hopefully be able to contribute something in that direction.
⁨Comment⁩ on ⁨Is self-hosting becoming too gatekept by power users?⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I’ve experienced gatekeeping issues long before I got into self-hosting specifically. Years ago I wanted to learn C++ for Arduino and I was constantly talked down for asking questions.

“Why don’t you just do …” in response to a question feels very rude as a newcomer because it feels like I am being talked down to for not knowing what others already know. Even when I made an effort to show I was making an effort to learn on my own, I was still belittled.

I’m all for hearing different ways of approaching my issue but from the replies, it often feels like other people insist there is only one true specific way to handle an issue.

When I first got into self-hosting, people kept pushing Cloudflare on me. When I expressed concern over a large centralized corporation having that much control and how they might have service issues, I was mocked really hard. Half a year later and there was a significant outage and suddenly there’s all this talk about how centralized the internet is and how that is bad.

After that I took it upon myself to find alternative ways to protect myself without Cloudflare’s services but every step of the way has been an isolating experience. Every step of the way has been full of people saying that my efforts are pointless and that the bots will win anyways so I shouldn’t bother.

I decided to try to secure myself through multiple layers of obscurity and every question in that direction has been full of people saying that obscurity is not security, the bots will find you anyways!

I’ve stopped myself from asking too many questions now. I still keep learning in my direction. I feel like I’ve managed to find multiple solutions that both obscure and protect myself. I’ve constantly check my logs for months now and the bot is less than I expected in places I expect them to be and completely zero in other places I thought there would be some activity.

I want to share what I have learned and my experiences but I know I will receive backlash for deviating from the norm.

I’ve spent a lot of my self-hosting efforts trying to find ways to protect myself with minimal use of third party services, documenting as much as I could only feel afraid to share what I have learned.

This comment may not be about learning self-hosting as a beginner specifically but the vibe has been pretty damn consistent throughout me learning C++, self-hosting, linux and shell scripting. All things I enjoy but all so full of people ready to talk down to someone who wants to learn.
⁨Comment⁩ on ⁨Backups of Backups⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I have three backups. One is my laptop where all the backups initially start. Then that gets copied to a plugin USB SSD. Then another copy goes to my server which has another USB SSD. That means I don’t have an off site backup.

I don’t have a place to host an off site backup and I’m not comfortable or interested in using cloud services. Instead I just decided that if it all goes up in flames. So be it.

It’s just data and backups are just nice a convenience. I’ll be upset but there’s more important things in life to worry about.

I’ve always lived a life of minimalism and to me stuff is stuff. None of it mattered before I was born and none of it will matter after I die. That happiest and most free feeling I ever experienced was when I spent years travelling with only a 34 litre backpack and that’s kind of been my baseline for happiness ever since.
⁨Comment⁩ on ⁨Fedfree – Federation of Freedom⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Skimming through the site, this seems like a project that aligns to what I’ve been doing with my self-hosted server over the past year.

I tried to go big by hosting a lemmy/piefed instance but later turned to a very minimal setup where I can just share my thoughts and projects hosted on a Raspberry Pi 5 using Alpine Linux. I’ve also been learning POSIX scripting on my own to create my own tools and workflow instead of relying on bigger projects with excess features.

I’ll join the irc channel in the near future because I think I might be able to share some of the things I’ve learned over the past year of learning self-hosting.
⁨Comment⁩ on ⁨Self hosting Sunday! What's up, selfhosters?s⁩ ⁨⁨3⁩ ⁨weeks⁩ ago⁩:
I bought a second USB SSD which has now become the second backup SSD. I ended up skipping my switch to Podman because I got invested in writing another script.

I’m not interested in having my backup drives automatically decrypt and mount at startup but those were the only guides I could find. I still want to manually type my password and wanted an easier way handle that.

I ended up writing this script which turned the 4 lines of code I was using before into a 400+ line single file script.

Once I pair it with my rsync script, I’ll be able to remotely, automatically and interactively decrypt, mount, update my backup, unmount and re-encrypt my USB SSD. The script also has tests to make sure the mount directory is ready for use and not sending anything with rsync if the encrypted SSD is not mounted. I just finishes writing the script and now I have to integrate it into my systems.

I was originally going to add the second backup to my local-only network Pi server but I think I’ll add it to my web facing Pi server so I am able to access it remotely. I would feel a lot more comfortable knowing that data on there isn’t easily accessible because it’s not auto-mounting.

Other than that, things are boring and boring is good.
⁨Comment⁩ on ⁨How often do you update software on your servers?⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
apk seems to have some tricks in there that aren’t as well known.

I managed to catch in the IRC channel that apk add doc will automatically download any related man pages for packages with any future downloads through apk. That made life a bit more convenient instead of downloading all those packages separately.
⁨Comment⁩ on ⁨How often do you update software on your servers?⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
My web facing server has just enough packages installed to (kinda securely) host a Caddy and Kiwix docker container to work with my domain name and make a comfortable work environment through SSH. My Pi for my HomeAssistant docker container has less because it’s locked down to just my local network.

I also wrote my own install scripts so reinstalling everything and getting it back to a running state would take about 15 minutes for each device.

And I also wrote my own backup/restore scripts that evolved over 3/4 of a year. I use them often so I have confidence in those scripts.

I personally don’t really care too much. I have multiple ways of dealing with issues for something that’s a hobby to me. Which is why I stick to simplicity.

I’m sure this is a thing for people to worry about when dealing with more complex setups. I just wanna vibe out in my tiny corner of the internet.
⁨Comment⁩ on ⁨How often do you update software on your servers?⁩ ⁨⁨4⁩ ⁨weeks⁩ ago⁩:
On Alpine Linux I update my two Pi servers at 2 in the morning daily. It’s simpler compared to Debian which needs unattended-updates. Just add apk update && apk upgrade to a cron job and you’re good to go.

I only have three docker services which is simple enough to update manually.

I like to keep things as simple as possible for my already chaotic brain.
⁨Comment⁩ on ⁨Selfhosting Sunday! What's up?⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
I’ve read about that and I already have that in my notes as well.

It doesn’t really affect my needs because my ISP blocks incoming on those ports anyways. Also I’m choosing not to use a tunnel at the moment so I’ll be using a higher port anyways.

The last time I asked about it, a few people seemed to agree it was something to do with the firewall settings. That seems most likely since I was able to connect when I disabled my firewall. I’m not a fan of working with iptables. The language for that type of networking is gibberish to me.

I had also tried going from docker compose to rootful podman compose and ran into the same issue. Although I’m trying to work away from podman compose in the future, just taking it in steps.
⁨Comment⁩ on ⁨Selfhosting Sunday! What's up?⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
Yeah, I mainly just want to move away to more open projects. When I first started, everyone kept suggesting using Cloudflare. After half a year using their service, I just felt icky the entire time.

In the past couple months I was able to move away and chose to protect myself by learning how to harden my server as well as hiding my server behind multiple layers of obscurity.

With my current setup, the only site traffic I get has only been myself and my custom ssh port only gets hit by bots about 3-10 times a week according to my logs. Only time will tell how effective my layers of obscurity will hold up but so far it seems to satisfy my needs better than I was expecting.

Once I get podman in a state I like, I’ll pretty much be all open sourced and all I’ll have to do for myself is be in maintenance mode unless I care to add a new service. I like to keep things simple so I don’t normally go crazy adding new services anyways.
⁨Comment⁩ on ⁨Selfhosting Sunday! What's up?⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
Thank you for the offer. I still need a bit more more time to experiment and zero in on the issue again. Fortunately my setup is quite simple and the only bottleneck will be Caddy.

I basically run Caddy which redirects to a static generated blog, simple file server page and a Kiwix instance. I’m mostly making a self hosted reference site of materials for Linux and Scripting resources.

One day I may add a Forgeo instance but currently my entire workflow exists around rsync. I’m happy just having my single file scripts hosted as text files and don’t really need the power of git. At least not at the moment.
⁨Comment⁩ on ⁨Selfhosting Sunday! What's up?⁩ ⁨⁨5⁩ ⁨weeks⁩ ago⁩:
I’ve been making another attempt to replace Docker with Podman. The issue is I can’t connect to my server through a web browser. I think it’s a firewall issue.

Networking and networking troubleshooting is a bit confusing for me and that’s the least favourite part about self hosting for me. Turns out I actually enjoy writing scripts more and the challenge of writing POSIX scripts especially.

If I can figure it out, I’ll probably write a guide for setting up Podman and Caddy on Alpine Linux since there isn’t a lot of recent information out there from what I found in my searches so far.
Big and Smellylemmy.dbzer0.com ↗
Submitted ⁨⁨1⁩ ⁨month⁩ ago⁩ to ⁨mycology@mander.xyz⁩ | ⁨1⁩ ⁨comment⁩
⁨Comment⁩ on ⁨⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I use rsync for many of the reasons covered in the video. It’s widely available and has a long history. To me that feels important because it’s had time to become stable and reliable. Using Linux is a hobby for me so my needs are quite low. It’s nice to have a tool that just works.

I use it for all my backups and moving my backups to off network locations as well as file/folder transfers on my own network.

I even made my tool (codeberg.org/taters/rTransfer) to simplify all my rsync commands into readable files because rsync commands can get quite long and overwhelming. It’s especially useful chaining multiple rsync commands together to run under a single command.

I’ve tried other backup and syncing programs and I’ve had bad experiences with all of them. Other backup programs have failed to restore my system. Syncing programs constantly stop working and I got tired of always troubleshooting. Rsync when set up properly has given me a lot less headaches.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I think I am already doing that. My Kiwix docker container port is set to 127.0.0.1:8080:8080 and my reverse proxy is only open to port 12345 but will redirect kiwi.example. com:12345 to port 8080 on the local machine.

I’ve learned that docker likes to manipulate iptables without any notice to other programs like UFW. I have to be specific in making sure docker containers only announce themselves to the local machine only.

I’ve also used this guide to harden Caddy and adjusted that to my needs. I took the advice from another user and use wildcard domain certs instead of issuing certs for each sub domain, that way only the wildcard domain is visible when I search it up at https://crt.sh/. That way I’m not advertising my sub domains that I am using.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I started with a local scan first, something like nmap 192 168.40.xxx for a specific device or nmap 192.168.40.0/24 for everything in your current network.

Nmap is quite complex with lots of options but there’s a lot of guides online to help out with the basics. You can press enter in your terminal while the scan is running and it should give a progress report.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
My ISP blocks incoming data to common ports unless you get a business account. That’s why I used Cloudflare’s tunnel service initially. I changed my plans with the domain name I currently own and I don’t feel comfortable giving more power and data to an American Tech company so this is my alternative path.

I use Caddy as my reverse proxy so I only have one uncommon port open. My plans changed from many people accessing my site to just me and very few select friends of mine which does not need a business account.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I get that.

I was generally speaking about all my devices. If someone stole my computer, the full disk encryption is more of a deterrence than the idea of my data being fully secured. My hope is that the third party is more likely to delete than to access. If I catch the attention of someone that actually wants my data, I have bigger issues to worry about than security of my electronic devices.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I agree with the last point, I only mentioned that because I don’t really know what other setting in my SSHD config is hiding my SSH port from nmap scans. That just happened to be the last change I remember doing before running an nmap scan again and finding my SSH port no longer showed up.

Accessing SSH still works as expected with my keys and for my use case, I don’t believe I need an additional passphrase. Self hosting is just a hobby for me and I am very intentional with what I place on my web facing server.

I want to be secure enough but I’m also very willing to unplug and walk away if I happen to catch unwanted attention.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Thanks for the insight. It’s useful to know what tools are out there and what they can do. I was only aware of nmap before which I use to make sure the only ports open are the ports I want open.

My web facing device only serves static sites and a file server with non identifiable data I feel indifferent about being on the internet. No databases or stress if it gets targeted or goes down.

Even then, I still like to know how things work. Technology today is built on so many layers of abstraction, it all feels like an infinite rabbit hole now. It’s hard to look at any piece of technology as secure these days.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I use a different port for SSH, I also have use authorized keys. My SSHD is setup to only accept keys with no passwords and no keyboard input. Also when I run nmap on my server, the SSH port does not show up. I’ve never been too sure how hidden the SSH port is beyond the nmap scan but just assumed it would be discovered somehow if someone was determined enough.

In the past month I did rename my devices and account names to things less obvious. I also took the suggestion from someone in this community and setup my TLS to use wildcard domain certs. That way my sub domains aren’t being advertised on the public list used by Certificate Authorities. I simply don’t use the base domain name anymore.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Early when I was learning self hosting, I lost my work and progress a lot. Through all that I learned how to make a really solid backup/restore system that works consistently.

Each device I own has it’s own local backup. I copy those backups to a partition on my computer dedicated to backups, and that partition gets copied again to an external SSD which can be disconnected. Restoring from external SSD to my Computer’s backup partition to each device all works to my liking. I feel quite confident with my setup. It took a lot of failure to gain that confidence.

I also spent time hardening my system. I went through this Linux hardening guide and applied what I thought would be appropriate for my web facing server. Since the guide seems more for a personal computer (I think), the majority of it didn’t apply to my use case. I also use Alpine Linux so there was even less I could do for my system but it was still helpful in understanding how much effort it is to secure a computer.
⁨Comment⁩ on ⁨Do bots/scrapers check uncommon ports?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
That’s been my main goal throughout securing my personal devices including my web facing server. To make things inconvenient as possible for potential outside interference. Even if it means simply wasting their time.

With how complex computers and other electronic devices have become, I never expect anything I own to be 100% secure even if I take steps I think will make me secure.

I’ve been on the internet long enough to have built a habit of obscuring my online or digital presence. It won’t save me but it makes me less or a target.
Do bots/scrapers check uncommon ports?
Submitted ⁨⁨1⁩ ⁨month⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨33⁩ ⁨comments⁩
⁨Comment⁩ on ⁨Looking for a simple personal homepage⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
I found BashWrite which is just a very simple static site generator written completely in bash as a single file script.

The only dependency is having an up-to-date sed command which most systems should have. I use Alpine Linux which comes with a minimal sed command so I had to download the full command through my package manager.

It’s simple, basic and had support for the majority of markdown formatting. There’s some limitations due to it being written in Bash only but I am personally okay with that.

I found it on this list of static site generators if you’re curious to see more options.
⁨Comment⁩ on ⁨Selfhosting Sunday! What's up?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
It looks interesting and seems like it would be easy to set up. I’ll play with it and see how I like it. Thanks for the suggestion
⁨Comment⁩ on ⁨Selfhosting Sunday! What's up?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Since my logs barely move, I just made aliases to where the logs are so it’s quick display and scan them within the terminal. I’m basically just viewing the system logs, fail2ban log and Caddy’s log so it’s fairly quick and simple for me.

The only change I’d like to do is change the output of Caddy’s log file so it’s not a long single line of information per output. I’ll have to do a bit more reading on that so I know what information I want to keep and how I want to visually organize it. At least for the moment, I am familiarising myself with what I am looking at and am slowly figuring out what information is relevant to me.

I like to keep my systems as simple and lean as possible which seems to strongly reflect my general approach to life. I find that kind of interesting.
⁨Comment⁩ on ⁨Selfhosting Sunday! What's up?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
I feel like my little Pi server is set up nicely now. At least I’m at the point where I’m not concerned about technically maintaining it. It’s as secure as I want it to be and I’ve tweaked my maintenance scripts slightly to avoid any unexpected issues.

I tried installing snikket but I couldn’t figure out how to get it to work with my Caddyfile using my current wildcard domain cert configuration. I’ll try again another time when I’m motivated again. It’s a low priority to me.

The last changes I made were adding logs and making them accessible to myself. So far they are all boring and predictable. Which is good news. It’s also nice to see that I’m the only person accessing it. The bots haven’t found my little corner of the internet yet.

Right now I’m taking a break from self-hosted stuff to work on my gardens and two artsy projects. A wooden carving for a friend’s birthday and an overly complicated shell script that has no real purpose. Although I’ve learned lots from it already so it’s not a complete waste of time.