1
189

Due to the large number of reports we've received about recent posts, we've added Rule 7 stating "No low-effort posts. This is subjective and will largely be determined by the community member reports."

In general, we allow a post's fate to be determined by the amount of downvotes it receives. Sometimes, a post is so offensive to the community that removal seems appropriate. This new rule now allows such action to be taken.

We expect to fine-tune this approach as time goes on. Your patience is appreciated.

2
365
submitted 2 years ago* (last edited 2 years ago) by devve@lemmy.world to c/selfhosted@lemmy.world

Hello everyone! Mods here 😊

Tell us, what services do you selfhost? Extra points for selfhosted hardware infrastructure.

Feel free to take it as a chance to present yourself to the community!

🦎

3
10
submitted 1 hour ago* (last edited 1 hour ago) by valar@lemmy.ca to c/selfhosted@lemmy.world

What do people use and recommend for this? I've read a bit about portainer, but I'm still learning - and don't know what the best solutions are.

Today I have a handful of selfhosted services running on my home machine - mostly installed directly, but a couple running as docker containers. As the scale of my selfhosting has grown, I've realized that things would be a lot easier to manage if each service was run as its own container, so that installed services are isolated.

The solution I'm looking for would make it easy (possibly a web UI) for me to monitor, modify, update, and remove containerized services, including networking and storage.

4
20

I have always been intrigued by ExcaliDraw but it's a client-side thing that doesn't store your drawings on the server and doesn't support authentication or multi-user out of the box.

I came across ExcaliDash which embeds the tool in a fully self-hostable solution.

Loving it so far...

.... Not involved with the project, just a user

5
2

Hello everyone!

I did it. I reached a point where I got everything exactly how I wanted and now... Now I am dissatisfied as I look over my home lab's chaotic mess of a setup. This was my first time selfhosting things, and I learned a ton of stuff. I'll probably want to tear it down and start anew in the near future, being much tidier and mindful of what goes where.

Does anyone have any tips they want to impart to someone who's not an entire newbie but still learning stuff? Kind of a "If I could tell myself this before I set everything up, I would say..."

6
18

Hello all!

I’m one of the maintainers of Portabase. I shared it on Lemmy one month ago (https://lemmy.world/post/45042565) and I have some updates!

Repository: https://github.com/Portabase/portabase

Database homogeneous migration is now built-in!

Previously, migrating meant:

  • Download backup from the source DB
  • Upload & restore it into the target DB

Now: no download, no upload, everything happens directly through the GUI.

It works with all supported databases, and migrations can be done within the same organization.

We also added support for Microsoft SQL Server! It still needs broader community testing to help identify bugs or edge cases we may have missed.

Quick recap: Portabase is an open-source platform for database backup and restore.

We now support 9 databases:

  • PostgreSQL
  • MariaDB and MySQL
  • SQLite
  • MongoDB
  • Redis and Valkey
  • Firebird SQL
  • Microsoft SQL Server

What’s new since version 1.10:

  • Healthchecks for both the database and the agent (with optional notifications)
  • Homogeneous database migration
  • Support for Microsoft SQL Server

If you’re using Microsoft SQL Server (or any other supported database), we’d really appreciate your feedback. Feel free to open issues if you find any bugs.

7
14

ONYX v1.5-beta

It is one of the biggest ONYX updates so far.

This update focuses on interaction, privacy and improving the overall feeling of using the messenger. Some parts of the interface were completely rethought from scratch, while others were redesigned to become more practical and flexible.

Account Graph

One of the biggest additions in open-beta 1.5 is the new Account Graph system.

Instead of navigating chats through a traditional static list, ONYX can now display your conversations as a dynamic orbital system.

Chats, groups and categories become connected nodes orbiting around your account like a living network. Online users are highlighted through presence glow, orbit speed can be customized, animations can be paused entirely, and the graph position can persist between sessions.

Surprisingly, this ended up becoming much more useful than we initially expected during development. It changes the way navigation feels and creates a completely different perspective on your conversations.

The entire system is optional and can be disabled at any time.

Emergency PIN & Decoy Environment

Beta 1.5 introduces Emergency PIN support.

A secondary PIN can now open a completely separate decoy environment instead of your real account.

This environment can contain custom chats, avatars, names and manually configured content in order to appear believable and natural. The Emergency PIN can be changed at any time and always remains separated from the main unlock PIN.

This feature is designed for users who want an additional layer of privacy and control over access to their messenger.

Redesigned Media Cache Manager

The media cache management system has been completely redesigned.

Instead of separate buttons for local and server cache cleanup, ONYX now provides a unified “Manage Media Cache” interface with dedicated Local and Server tabs.

Users can:

  • inspect locally stored files
  • selectively remove specific media
  • view categorized storage usage
  • manage server-side files
  • monitor storage quota usage through a visual progress bar

This makes cache management significantly cleaner and more practical compared to previous versions.

Redesigned Message Input

The message input field was rebuilt with a stronger focus on animations and interaction feel.

The new design introduces:

  • smoother focus transitions
  • animated voice recording buttons
  • updated attachment button animations

While relatively small on paper, this is one of the most frequently used parts of any messenger, and improving it noticeably changes the overall experience of using the application.

Privacy & Security Improvements

This update also adds several new privacy- and security-related features.

Users can now:

  • hide their account from global search
  • manually lock the application through a dedicated Lock button
  • receive explicit session expiration warnings when re-authentication is required

Interface & UX Improvements

Additional improvements in this update include:

  • improved loading performance across multiple interface elements
  • fixed opacity behavior for opponent messages
  • ability to hide username/display name inside the account panel
  • updated “Add Chat” button placement in Favorites and Groups tabs
  • moved group/channel token actions into the overflow menu

Github - https://github.com/wardcore-dev/onyx/releases/tag/v1.5-beta

Always open to feedback!

8
94
submitted 11 hours ago by TheIPW@lemmy.ml to c/selfhosted@lemmy.world

I wanted to move away from Tailscale but found Headscale a bit too convoluted for what I actually needed.

Ended up with a simple WireGuard setup using two VPSes: one as a VPN hub, the other acting as a reverse proxy back into my home lab.

It lets me expose services publicly without any inbound port forwarding on my home connection.

9
215

Lots of layoffs ("re-evaluating our operational footprint") and switching to "agentic" processes. Target user is AI.

Anyone still hosting Gitlab?

10
55

except for not using it at all, of course.

So I want to make my homelab IPv6 ready, because I have too much free time, I guess. There are two decisions that I'm currently unsure about:

  1. ULA or not. Do you have local only addresses or do your clients communicate using the global IPv6 address? Does not using ULAs work without a static IP from the ISP?
  2. DHCPv6 or is SLAAC enough?

For each question both options seem to be possible and I'm interested in your experience

Cheers

11
29
submitted 1 day ago* (last edited 23 hours ago) by cetshwayo to c/selfhosted@lemmy.world

Hi!

Does anyone host SearXNG on a Proxmox container? I can get it to install and run fine. However all search engines return HTTP connection errors. I'm guessing it's an Apache misconfig perhaps. Could be something else.

This is using the manual install method. Followed it from their instructions. I'm a docker newb so chose the manual method with Apache and UWSGI instead.

The LXC config itself seems fine. Gave it 2GB RAM and swap. It can reach/ping google/bing etc. Having done a general search, I've not found something useful. :(

12
684
13
73

Hello all! I have never selfhosted before, but I have a pretty extensive digital library of videogames (ROMs from a couple dozen retro systems among other executables) that my friends have expressed interest in having access to. What's the ideal software for giving them access to the library hosted on my drives? I'm picturing something like a selfhosted Steam where they see all of the games and can search via retro system, game tags, by name, etc. and each could keep track of separate user accounts by playtime, favorites, recently played, etc. I use RetroArch and a few standalone emulators myself connected to RetroAchievements, so I figured they would need to download any emulators on their ends and then just pick and play the games as they see fit without having to have their own copies of the games.

14
32

NutriTrace is a self-hosted nutrition tracker (Docker on the server, PWA in the browser, native Android app). AGPL-3.0, no telemetry, no accounts on external services, your data stays on your hardware.

This release is the biggest one since the Android app shipped: the Wellness layer moves off the legacy Fitbit Web API (which Google is sunsetting in September 2026) onto the new Google Health API, the numeric Stress Score becomes Resilience (Optimal / Balanced / Low), Fitbit's new Sleep Quality sub-metrics show up under Sleep, and the Diary gets a Cronometer-style Split Recipe action.

What's new

Google Health migration - Wellness data now flows through Google Health instead of the deprecated Fitbit Web API. Existing Fitbit data still comes from the same device; only the connection method changes. Fitbit users will see a "Re-link required" notice in Settings → Wellness with the migration steps. Old tokens keep working through a transition window.

Resilience replaces the numeric Stress Score - Fitbit retired the 0-to-100 score and renamed it Resilience with three buckets (Optimal / Balanced / Low). The Wellness page reflects the change with a category badge, a one-line interpretation, and a breakdown of the three pillars Fitbit uses (Physical Calmness, Activity Balance, Sleep Patterns). Historical Stress values stay in the database for reference.

Sleep Quality sub-metrics - Time to Sound Sleep, Sound Sleep, Restlessness, and Interruptions appear under the Sleep tab when data is available. Restlessness under-counts vs Fitbit because Google Health doesn't expose the raw motion data Fitbit's app uses internally; the others track within a few minutes on most nights.

Split Recipe on the Diary - Long-press a saved recipe in your diary and tap Split Recipe to break it into its component ingredients in place. The recipe stays as the parent (so totals are preserved); a chevron expands to reveal each ingredient scaled by however much of the recipe was logged. Each child is editable (adjust portion, remove one) without touching the saved recipe in your library.

Info button on saved meals and recipes in the Foods picker - tap the i on any meal or recipe row to see the full ingredient list with portions and per-item energy before logging it. Mirrors the existing yesterday-meals expand pattern.

Issues, feature requests, and integration test reports are all welcome on GitHub.

15
21
submitted 2 days ago by Aelorius@jlai.lu to c/selfhosted@lemmy.world

This Docker overlay enables you to switch the screen resolution in your headless Steam automatically just by choosing the Moonlight resolution. So now you can play on all your screens in the Steam headless Docker.

16
91
submitted 2 days ago* (last edited 2 days ago) by Mubelotix@jlai.lu to c/selfhosted@lemmy.world

(First blog post ever, would appreciate your input!)

Edit: Title was a lil clickbaity

17
52

I'm currently facing a dilemma. Right now, I have a synology NAS that I use to host my homelab containers (*arr, pi-hole, vaultwarden, Plex, etc).

I am planning to offload as much of that as possible to a dedicated machine, which hopefully will allow me to continue self-hosting even more demanding services (Immich, etc).

I was lucky enough to get a proper server - Supermicro, for free, with 64GB Ram DDR4 and 1TB. However, I plugged it in and that thing is NOISY.

My rack will be in the home office, where I will spend at least 8 hours a day, so I can't afford that level of noise.

What should I do? Should I try to sell the supermicro and buy something else with that money? Should I keep the RAM and SSD (and CPUs?) and build something else with them? Are there any quiet servers I could look into (I am guessing better performance but more expensive), or Should I go the MiniPC route instead (cheaper and smaller, but more limited specs)?

18
13
submitted 2 days ago* (last edited 2 days ago) by Alfredolin@sopuli.xyz to c/selfhosted@lemmy.world

[edit] Solution

In addition to the instructions in the link, make the paths relative in frontend/config.json (in /srv/modoboa/instance)

    {
      "API_BASE_URL": "/api/v2",
      "API_DOC_URL": "/api/schema-v2/swagger/",
      "OAUTH_AUTHORITY_URL": "/api/o",
      "OAUTH_CLIENT_ID": "blablabla",
      "OAUTH_REDIRECT_URI": "/login/logged",
      "OAUTH_POST_REDIRECT_URI": ""
    }

and I also added this in the nginx conf, don't remember if all was useful. In mail.domain2.com.conf

    location ~ ^/(api|accounts|autodiscover) {
        include uwsgi_params;
        uwsgi_param UWSGI_SCRIPT instance.wsgi:application;
        uwsgi_param Host $host;
        uwsgi_param X-Forwarded-Host $host;
        uwsgi_param X-Forwarded-Proto $scheme;
        uwsgi_param X-Real-IP $remote_addr;
        uwsgi_pass modoboa;
    }

...

    location /radicale/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        ...
    }

As many have advised against it, I decided to start (almost self-)hosting my mail service.

I have tried with one domain, it has been running fine so far. I have not tested deeply but it works.

I want to host another domain, so I followed this guide which seems mostly still applicable: https://www.linuxbabe.com/mail-server/modoboa-multiple-domains

One thing though, with the current basic modoboa install, after following the steps in this guide, I can go to mail.domain2.com to access the webmail, however it is some kind of redirect and I end up on mail.domain.com. It must be on wsgi level because there is no redirect in nginx? So technically it's still working since it's what's actually under the hood. But would it be possible to stay on mail.domain2.com?

Or maybe I have missed something somewhere, because unlike mentioned in the guide, it seems I have to use mail.domain1.com to set up client IMAP and not mail.domain2.com.

I know this is not a modoboa support community but I am not going to create one (yet) and I am not going to reddit. And I can't open issues in Github. So live with it.

19
42
VPN Tradeoffs (lemmy.ca)
submitted 3 days ago* (last edited 2 days ago) by eightys3v3n@lemmy.ca to c/selfhosted@lemmy.world

What is everyone else using for VPN solutions and what are the trade offs?

I want a VPN to access all my personal devices and use services like Syncthing. I use it on my phone so it can't use ungodly amounts of idle data.

I looked at Netbird but found the idle data usage almost 1GB per few days using JetBird with Lazy connections. I tried the default app but it makes me SSO login every day or two, it wouldn't stay connected, and it still used a reasonable amount of idle data.

I looked at Tailscale but I'm not going to lock access to all my devices behind a Google account login or some other third party service login for no reason. It seems like hosting my own auth server is too much additional risk as well. I tried self hosting headscale which worked well except that I have no decent front end to easily add devices. I have to log into a terminal, then execute docker commands which was a huge pain in the ass. I didn't even touch on any of the firewalling or routing that can be done because it was so much more complex in headscale than in a web interface. I tried hosting two or three headscale front ends but couldn't get one working that supported most of the available feature set. Usually I was given generic connection errors with no clear way to diagnose or clear troubleshooting steps so after a few hours I moved on.

Edit 2026-05-10:
Thank you for all the feedback.

Will try disabling expiry on SSO login for my phone via Netbird official app.
Will look into Pangolin.
May try Headplane UI for Headscale again though lower priority than Netbird because it's fully open source.

20
77
Paperless (lemmy.ca)

I have looked at paperless in the past and just asked why? I just spent a little time setting it up to see what it was about, then I spent hours configuring it and my email server creating paperless email addresses that other emails forward to! I cannot believe I have lived this long without it.

21
103
submitted 4 days ago* (last edited 3 days ago) by smiletolerantly@awful.systems to c/selfhosted@lemmy.world

cross-posted from: https://awful.systems/post/8238756

Basically, STT quality has kept me from switching to HomeAssistant's voice assistant features. The default matcher (Hassil) is waaaaaaay too strict, and LLMs are slow, costly, and/or a privacy nightmare, plus I don't like them.

I really thought there would be something available that just matches your STT output to the configured intents, but apparently not, so I've built it myself.

Finally convinced my GF to throw Alexa in the bin :)

Here's an excerpt from the README, and feel free to AMA:

🌲 Problem statement and solution

Speech-To-Text (STT) output, especially fast and local STT output, is often simply bad. HomeAssistant's own Hassil is incredibly picky: your STT output must match exactly to one of the configured intents.

There's two paths forward from this: Upgrade your hardware to support better STT, or try to figure out what the speaker probably meant to say from the garbled output.

This project does the latter.

With this custom integration, "Lights on in live in room" will actually turn on the lights in your living room. So will, for that matter, "lighrts on inn livainriomm".

Short demo, first with closest-intent, then with bare Hassil:

demo gif

📜 Highlights

  • Pattern expansion. Expanding <expansion_rules>, (alternatives|to), and [optional|alternatives] all work, including on HASS-defined lists like your home's areas and entities!
  • Slot extraction. Both for wildcard slots (like for adding something to the shopping list, where the {item} is a wildcard), and against slots like {timer_hours:hours} with a fixed set of possibilities.
  • Fuzzy slot resolution. For list-like slots and expansion rules (including your areas and entities!), fuzzy match the slot values to the available options. Allows "livikroom" to be corrected to "living room".
  • Actual intent handling still done by Hassil. closest-intent simply corrects your STT output or typos to the closest matching intent, and then forwards a nice, canonical sentence to Hassil, who then deals with the intent just like if you had spoken/typed perfectly.
  • 100% LLM-free. Just uses relatively simple fuzzy matching of the input against your intents, plus some clever-ish (well... working, at least) tricks to improve the results.
  • Fallback agent support. OK, I said 100% LLM-free, but if you absolutely want to, you can use one as fallback. More on this below.
  • Is fast :) (as in: basically instant for a couple hundred configured custom intents).

Note: closest-intent is completely language-agnostic. All the examples in this README are in English, but you can use it with any language you like; personally, I use it in German.

📋 Examples

Here's some examples of things I said, what my STT (wyoming-faster-whisper-base) understood, what HomeAssistant was able to do/answer after passing the STT output through closest-intent, and what the same STT output would have resulted in with just bare Hassil.

Note: These are actual results I got when speaking the "what was said" sentences in my phone. I'm a native German speaker, and so I do have an accent, but this pretty closely matches my experience when using the German-language version of whisper. The "bare Hassil" responses are what I got after 1:1 pasting the STT output into the voice assist chat window with closest-intent disabled.

| what was said | STT output | with Closest Intent | bare Hassil |
|---|---|---|---|
| start cleaning | Star cleaning. | ✅ Cleaning started. | ❌ Sorry, I couldn't understand that |
| stop cleaning | Stop clenching! | ✅ Cleaning stopped. | ❌ Sorry, I am not aware of any device called clenching |
| vacuum the living room | Vacuum Believing Room | ✅ Cleaning the living room. | ❌ Sorry, I am unaware of any floor called Believing Room |
| clean the office | King the Office | ✅ Cleaning the office. | ❌ Sorry, there are multiple devices called Office (author's note: no there aren't, wtf?) |
| vacuum the kitchen | Back here in the kitchen. | ✅ Cleaning the kitchen. | ❌ Sorry, I couldn't understand that |
| how warm is it in the bedroom | Our all is in the best room. | ✅ In the bedroom, the temperature is currently.... | ❌ Sorry, I am not aware of any area called best room |
| add milk to the shopping list | Add milk to the chauvinist. | ✅ "milk" added. | ❌ Sorry, I am not aware of any device called chauvinist |
| put call dentist on my todo list | put call dentist on my tudu list | ✅ "call dentist" added. | ❌ Sorry, I am not aware of any device called tudu |
| turn on the water pump | turn on the what her pump | ✅ Turned on the water pump. | ❌ Sorry, I am not aware of any device called what her pump |
| play some music | Place on music | ✅ Playing music. | ❌ Sorry, I am not aware of any area called music |
| resume the music | Renew Music | ✅ Resuming. | ❌ Sorry, I couldn't understand that |
| pause the music | Post music | ✅ Paused. | ❌ Sorry, I couldn't understand that |
| next track | next rack | ✅ Next track. | ❌ Sorry, I am not aware of any device called rack |
| enable shuffle | an able shuffling | ✅ Shuffle enabled. | ❌ Sorry, I couldn't understand that |
| disable shuffle | Disable to schaffen. | ✅ Shuffle disabled. | ❌ Sorry, I am not aware of any device called Disable |
| restart the player | Reset the plan. | ✅ Restarting the player. | ❌ Sorry, I am not aware of any area called Reset |
| play a random album | Player random album | ✅ Playing a random album. | ❌ Sorry, I couldn't understand that |
| play a random artist | Player and Immartist. | ✅ Playing a random artist. | ❌ Sorry, I couldn't understand that |
| play the latest tracks | Plan the ladder tracks. | ✅ Playing recently added tracks. | ❌ Sorry, I am not aware of any area called Plan |
| play recently played songs | Player recently played so... | ✅ Playing recently heard tracks. | ❌ Sorry, I couldn't understand that |
| play playlist NieR | Play playlist NEAR! | ✅ Playing the playlist NieR. | ❌ Sorry, I couldn't understand that |
| play my daily briefing | and play my daily breathing | ✅ Here is your daily briefing: ... | ❌ Sorry, I am not aware of any area called and play |
| what time is it | What the hell is it? | ✅ It is 16:36. | ✅ It is 16:36. (author's note: okay, know what? earned. did not expect that.) |
| what day is it today | One day is today. | ✅ Today is Friday. | ✅/❌ May 8th, 2026 (author's note: that's the output for "What date is it?", but, eh, close enough) |
| make the tv brighter | Make that CV brighter. | ✅ Screen is now bright. | ❌ Sorry, I couldn't understand that |
| set the screen darker | The screen doctor. | ✅ Screen is now dark. | ❌ Sorry, I am not aware of any device called screen doctor |
| what's the weather today | What's the matter with you? | ✅ Today, the weather is... | ❌ It is 16:36. (author's note: wait, WHAT?) |
| how's the weather tomorrow morning | How's the better tomorrow? | ✅ Tomorrow morning, it will be... | ❌ Sorry, I am not aware of any area called How's |
| what's the weather this week | What's the matter this weak | ✅ Monday:..., Tuesday:..., | ❌ It is 16:36. (author's note: sigh...) |
| how's the weather at 5 o'clock | cast the red there at 5 o'clock | ✅ At 5 o'clock, it will be... | ❌ Sorry, I am not aware of any area called cast |
| how windy is it right now | how windy is IR low | ✅ The wind is currently blowing with... | ❌ No timers. |
| how windy will it be tonight | How will you be tonight? | ✅ Tonight, the wind speed will be around... | ❌ Sorry, I couldn't understand that |
| how hot will it get today | How hard will it get today? | ✅ Today, temperatures will reach up to... | ❌ Sorry, I couldn't understand that |
| will it rain today | with it right today | ✅ No rain is expected today. | ❌ Sorry, I couldn't understand that |

...you get the idea.

💡 How it works

closest-intent is registered in HomeAssistant as a conversation agent. On startup, it parses (by default) all user-defined intents (or optionally, also the builtin ones). In this process, it also expands all rules, like <expansion_rule>, (alternatives|to), and [optionals], and notes where {slots} are located, and whether they are wildcards or belong to some list (like areas, entities, or the numbers 1-100).

When a user request comes in (via voice command or the chat box), closest-intent fuzzy-matches that request against those expanded rules. If the rule does not contain a slot, it is picked immediately. If it does contain a slot, closest-intent performs a sequence of fancy magic steps to find the best-fitting slot value among a range of possible positions within the top-scoring matched sentences. In practice, this often means "smallest slot-value on a word-boundary", but the extraction is not limited to that.

With the best match found, we then reconstruct the "canonical form", i.e. a sentence that Hassil will actually understand. If in your configured intents, "Play some music." exists, and closest-intent got "Place on music" and matched that to the intent, it will simply forward "Play some music." to Hassil. If the intent contained a slot, the extracted value will be substituted.

This guarantees that the sentence passed to Hassil will actually be understood, and allows us to not have to worry at all about performing actions, running scripts,...

If no matching intent could be found, we pass the exact input we got to the configured fallback agent. By default, that is simply Hassil (which again allows us to be lazy and not worry about proper error responses), or another agent, like an LLM.

22
67
23
33
submitted 4 days ago* (last edited 4 days ago) by Alfredolin@sopuli.xyz to c/selfhosted@lemmy.world

To the people here that host a synapse server, how do you handle registration?

Do you use the new matrix authentication server? How does that work?

If not, registration works via element web, where you can have a captcha to avoid a bot swarm. However the only accepted captcha in the synapse config is recaptcha. Have you read the news? Well, we will have to change the captcha method. I think I read somewhere it was possible to use hcaptcha on elementweb however the setting does not exist in synapse, or I did not find it.

How do we do?

24
80
submitted 5 days ago by tanka@lemmy.ml to c/selfhosted@lemmy.world

So it's my first time setting up a VPS. Is it to be expected to ban 54 IPs over a 12h timespan? The real question for me is whether this is normal or too much.

$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     586
|  `- Journal matches:  _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 51
   |- Total banned:     54
   `- Banned IP list:   [list of IPs]

fail2ban sshd.conf

$ sudo cat /etc/fail2ban/jail.d/sshd.conf 
[sshd]
enabled = true
mode = aggressive
port = ssh
backend = systemd
maxretry = 3
findtime = 600
bantime = 86400

I have disabled SSH login via password. And only allow it over an SSH key.

$ sudo sshd -T | grep -E -i 'ChallengeResponseAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin'
usepam no
permitrootlogin no
passwordauthentication no
25
119

Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago