stratself
@stratself@lemdro.id
- Comment on Question about accessing my services from corporate Network 1 day ago:
Beat me to it. This is likely the best way as 443 is ubiquitously unblocked on most networks
- Submitted 2 days ago to selfhosting@slrpnk.net | 0 comments
- Comment on Self-hosting with an old laptop 3 days ago:
That doesn’t seem to be too old of a laptop at all. One thing I’d say is to use an SSD as the main partition you run your apps on, as HDDs might be quite slow.
If you wanna keep the VPS, you can use it as a public inbound gateway + outbound VPN for your homeserver, so traffic looks like it comes in and out of your VPS. I wrote some notes on setting up Tailscale in such a manner, but there’s plenty of other options.
If you don’t wanna keep the VPS, you can front your inbound traffic with Cloudflare Tunnels, and use a VPN for outbounds. If you don’t have any apps that make frequent network requests (e.g. a Matrix server), then a VPN may not be necessary
You should leave SSH on, especially if you wanna run it without a monitor, but use key auth and limit it to your LAN only
- Comment on Unintended Proxy or Intermediary ('Confused Deputy') and Improper Input Validation in Conduit-derived homeservers 4 days ago:
Thanks for posting here. I’ll update to continuwuity v0.5.0 immediately when I come back to Matrix
- Comment on Suggestions for Community Organizing 1 week ago:
Non-federated Matrix server with rooms bridged to Discord/Whatsapp/Slack/whatever, so everyone can join.
Use standard webapps for other stuff like polls, surveys, events etc and send the URL to an announcement channel. Not sure of exact solutions but if one app can do it all and send email reminders for them, that'd be great. Same can be done for VoIP with Jitsi links, or even Z**m links.
Backup the databases if you need the chat logs. All of this should be doable with a small VPS, but a mini PCs cluster could be better
- Comment on Router VPN? Express put to rest 1 week ago:
How did you exactly install Express on the router? Did you use an app or something of that kind?
If the VPN provider has WireGuard support, you may wanna use a wireguard client software to connect to it. Flash OpenWRT on the router, install and configure a wireguard interface that connects to Express, then forward packets from behind LAN to that interface so they go through the VPN tunnel. A bit tricky for beginners, but I hope you can make it.
Since OpenVPN protocol seems to become unsupported in the future, Wireguard should be the way to go. Mullvad/IVPN should also support it, and once you know how to set it up it should be usable across many services and devices.
Do you recommend installing VPN apps on separate devices instead of the router?
For flexibility I’d do this. In case I’d wanna switch upstream servers for a single device without affecting others.
- Comment on Recommendations to replace AWS DNS? 1 week ago:
Desec.io is a solid option - it allows for various types of records like TLSA and SRV. It can also generate scoped API tokens e.g. for “only TXT records of the _acme-challenge subdomain of example.com” to use in automated cert renewals, so pretty good for automation. It’s also a nonprofit.
I think selfhosting DNS is beneficial when you wanna control your own DNSSEC keys, but you’d need to account for high availability and safety. With that, you could do what’s called a “hidden primary + public secondary” setup to protect your master DNS data from the public prying. You can even use 3rd-party services like ns-global.zone as your secondaries for redundancy and to reduce load on your primary, too. I recommend Technitium and their guidance if you wanna get started
- Comment on Recommendations to replace AWS DNS? 1 week ago:
Those are not authoritative DNS providers where you can publish records…
- Comment on Decreasing Certificate Lifetimes to 45 Days 3 weeks ago:
Technically something like DANE can allow you to present DNSSEC-backed self-signed certs and even allow multi-domain matching that removes the need for SNI and Encrypted Client Hello… but until the browsers say it is supported, it’s not
- Comment on **How** should I properly document my homelab? 4 weeks ago:
I write homelab docs mostly for user guidance like onboarding, login, and service-specific stuff. This helps me better design for people by putting myself in their shoes, and should act as a reference document for any member to come back to.
Previously I built an Mkdocs-Material website with a nice subdomain for it, but since the project went on maintenance mode, I’m gonna migrate all docs back to a Forgejo wiki since it’s just Markdown anyways. I also run an issue tracker there, to manage the homelab’s roadmaps and features since it’s still evolving.
I find this approach benefiting compared to just documenting code. I’m not an IaC person yet, but I hope when I am, the playbooks should describe themselves for the nitty-gritty stuff anyways. I do write some infra notes for myself and perhaps to onboard maintainers, but most homelab developments happen in the issue tracker itself. The rest I try to keep it simple enough for an individual to understand
- Comment on Self hosted Onedrive alternative 5 weeks ago:
Nextcloud forked from the old PHP-based ownCloud stack, while Opencloud forked from the Infinite Scale Go-based stack. It also by default preserves the filesystem hierarchy on your server without needing a database, using a storage driver called PosixFS.
The Windows clients currently do support selective syncing so it is on-par with OneDrive. Android client looks to be forked from old Owncloud, and has offline availability too.
- Comment on Looking for a selfhostable chat service that people on phone and computers can log onto 1 month ago:
due to it missing ideal features
what features do you want? kindly elaborate
XMPP with Snikket could be an easy solution. If you don’t want to talk to the wider web make sure to disable federation.
- Comment on Local DNS on Pihole 1 month ago:
Pihole runs on dnsmasq right? Maybe you could create a cronjob to copy the underlying dnsmasq.conf to other Piholes
- Comment on Technitium DNS v14 is released with support for clustering 1 month ago:
Ah, I see. Well I’m glad you found PiHole useful and stick to using it anyhow!
- Comment on Technitium DNS v14 is released with support for clustering 1 month ago:
What issues did you have reverse-proxying? For me it was just as simple as pointing to port 5380. Other ports like 53 could be passed on with a layer-4 router
What about the login issues? I’d hope they’ll be integrating with OIDC or some other auth mechanism, but for now managing 2FA creds should make do
- Comment on Technitium DNS v14 is released with support for clustering 1 month ago:
Off the top of my head:
- Allows using DoH/DoT/DoQUIC/recursive upstreams without installing extra packages (unbound, cloudflared, etc)
- Allows acting as a DoH/DoH3/DoT/DoQUIC server alongside normal DNS over UDP and TCP
- Allows configuring SOCKS/HTTP proxies for forwarders
- Act as authoritative zone server with DNSSEC signing
- Allows custom responses via plugins (e.g. conditional responses based on client’s IP addresses)
- Accept PROXY Protocol to forward client IPs from trusted load balancers
- All the clustering and zone transfers magic
- DNS64
It really dives deep into the inner workings of DNS and does pretty much anything Pi-Hole does, with many more security and QoL features. Although the UI may feel a bit dated, I’d recommend it to anyone running their own homelab infrastructure beyond just adblocking
- Submitted 1 month ago to selfhosted@lemmy.world | 25 comments
- Comment on Made an alternative to Tailscale + Gluetun 1 month ago:
Just found out someone else has a similar thing too:
It seems more flexible and can be used site-to-site, for anyone interested
- Submitted 1 month ago to selfhosted@lemmy.world | 5 comments
- Comment on Material for MkDocs is getting rid of MkDocs. Now: Zensical - A modern static site generator 1 month ago:
Thanks for posting this here. I’m not sure what to think about this, just set up mkdocs-material with huge customizations, including the macros plugin and tons of CSS. So it’d be tedious to eventually migrate to the new “component system” as they say.
Welp, should’ve gone with a barebone SSG and configured what I want. Feels like I’m kinda stuck in no man’s land now.
- Comment on Self-Host Weekly (31 October 2025) 1 month ago:
I find it odd that a report for the proprietary Github platform takes the newsletter’s spotlight, it’s not very relevant. I’d much prefer if the writer could expand his thoughts on those new version releases or featured blogposts, especially the ones he is interested in.
- Comment on Is (Matrix) Element Server Suite overkill for a dozen users? 1 month ago:
If it ain’t broke, don’t fix it. I think it’s better hooking up Element Call to your current setup, and remove Element Web if you can BYO client.
For a more lightweight alternative, I personally find continuwuity to be reasonably stable for the specs you mentioned. It does admin tasks in an #admins room, use an embedded database, and has no client UI so less containers needed. So continuwuity + EC should be able to run under the constraints you mentioned
The lightest would still be any XMPP server, though its functionality does differ from Matrix overall
- Comment on How often do you update software on your servers? 1 month ago:
To make it even simpler,
apk -U upgrade
- Comment on Assign privileged port to caddy running with rootless podman 2 months ago:
Hi,
The client IP problem is a longstanding issue in podman’s virtual bridge networks.
As a workaround I’d run HAProxy rootless, using the pasta networking mode as that one allows seeing native client IP. With pasta’s -T flag (see docs) I’d forward traffic to another caddy container binding to 127.0.0.1:8080 or something similar.
This would coincide with your firewalld/HAProxy port-forwarding setup, but it has more rootlessness to it. It’s still not perfect, but I hope it may be useful
- Comment on Setting up VoIP on my matrix server 2 months ago:
You’ll need a TURN server to relay calls and provide signalling capabilities, which is needed most of the time. Here’s Synapse docs on it, and I’ll probably use coturn:
element-hq.github.io/synapse/…/turn-howto.html
There’s also this new technology called Element Call, which uses a different tool called LiveKit. You should check it out too
- Comment on Beyond Pi-Hole 2 months ago:
You should add your DNS forwarder as its own node in Tailscale, and configure the tailnet to resolve DNS through it. That way you’ll be able to resolve both MagicDNS node names and your local domains, as well as being blocklist-enabled. Besides, I think you can also define custom A/AAAA records on your Tailscale console, skipping local records on Pi-hole altogether.
I’d also recommend Technitium for a new DNS solution, mainly because they’re going to add support for clustering soon. This could be highly useful if you want to configure blocklists once and sync them between different Technitium nodes. Should it work out, I’m thinking of installing it alongside every Tailscale exit node, for the benefit of synced blocklists, local domains, and exit-node geolocated IPs for external domains.
- Comment on [deleted] 2 months ago:
Missed the chance to call it Jelloseerr
It’s Jellover now
- Comment on 2 months ago:
Rsync depends on OpenSSH, but it definitely isn’t SFTP. I’ve tried using it against an SFTPGo instance, and lost some files because it runs its own binary, bypassing SFTPGo’s permission checks. Instead, I’ve opted for rclone with the SFTP backend, which does everything rsync does and is very well compliant.
In fact, while the main developer published a fix for this bug, he also expressed intention to drop support for the command entirely. I think I’m just commenting to give a heads up for any passerby.
- Comment on Reducing buffering when accessing Jellyfin via Tailscale 2 months ago:
Hi, I think OP wants their siblings to directly connect to their PC, skipping any relays, even if it’s their VPS.
But if you are comparing setting up your own VPS instead of relaying through Tailscale’s DERP, then the answer is… it depends on the distance and whether you can establish VPS->Local VM direct connections.
I found opening a specified port for Tailscale on the VPS to help with direct connections with CGNAT’d peers. I’m not familiar with Pangolin, but I think the same principle applies as long as at least one address:port combination is agreed between Wireguard peers.
If I’m being honest though, before doing all this, try asking your ISPs for IPv6 to avoid these cumbersome things together.
- Comment on Reducing buffering when accessing Jellyfin via Tailscale 2 months ago:
If both your Jellyfin server and your siblings are behind residential CGNAT, then high chance your connections are relayed through Tailscale’s DERP servers. You can check with tailscale ping-ing your siblings’ nodes.
If this is the case, you may consider selfhosting your own DERP somewhere close to you, but I’d argue the performance gains are minimal compared to the extra costs. Another solution may be to enable IPv6 for both you and your siblings, skipping NAT traversal.
This is all assuming you can direct play (i.e. not transcoding) your media. If you’re transcoding, then it’s good to look into hardware acceleration like the other comment mentioned, too
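The DERP-relay check in the comment above can be scripted instead of running tailscale ping per peer. This is an added example, not from the original comment: it parses the JSON that `tailscale status --json` emits and lists peers that have no direct path. It assumes each entry under "Peer" carries "HostName", "Online", "CurAddr" (the direct endpoint, empty when relayed) and "Relay" (the DERP region code), and the sample status below is constructed, not real output.

```python
"""Flag Tailscale peers whose traffic is relayed through DERP."""
import json
import sys

# Constructed sample resembling `tailscale status --json` output (assumed
# field names: HostName, Online, CurAddr, Relay).
SAMPLE_STATUS = json.dumps({
    "Peer": {
        "nodekey:aaaa": {"HostName": "jellyfin-box", "Online": True,
                         "CurAddr": "203.0.113.10:41641", "Relay": "fra"},
        "nodekey:bbbb": {"HostName": "sibling-laptop", "Online": True,
                         "CurAddr": "", "Relay": "sin"},
        "nodekey:cccc": {"HostName": "old-phone", "Online": False,
                         "CurAddr": "", "Relay": ""},
    }
})


def classify_peers(status_json: str) -> dict:
    """Return {hostname: 'direct' | 'relayed:<region>' | 'offline'}."""
    status = json.loads(status_json)
    result = {}
    for peer in (status.get("Peer") or {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            result[name] = "offline"
        elif peer.get("CurAddr"):
            # A populated CurAddr means a direct endpoint was negotiated.
            result[name] = "direct"
        else:
            # Online but no direct endpoint: packets go via the DERP region.
            result[name] = "relayed:" + (peer.get("Relay") or "unknown")
    return result


def relayed_peers(status_json: str) -> list:
    """Online peers with no direct path, i.e. the ones likely to buffer."""
    return sorted(name for name, state in classify_peers(status_json).items()
                  if state.startswith("relayed"))


if __name__ == "__main__":
    # Usage: tailscale status --json > status.json; python3 this.py status.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for host, state in classify_peers(raw).items():
        print(f"{host:20} {state}")
```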