1
211
Selfhosted & AI (anarchist.nexus)

Yup, I'm posting another this week. Sorry.

This week I'm hoping we can wrangle a solution around AI and our selfhosted community. There are plenty of strong opinions (both pro and con), but one thing is for certain - there needs to be better disclosure in promo posts. Two options (that aren't mutually exclusive):

  • Any posts of an AI focused, AI Developed, etc software gets an [AI] tag. No, a [Not-AI] tag is not needed to accomplish this, that's kind of a "non-golfer" sort of tag.
  • Comment requiring an AI disclosure response to every promo post, if it's not detailed in the post itself. Specifics (generating docs for commands, translation, whole-boat vibe-coded this app, etc) would be requested.

I will say that having disclosure and/or tagging would mean that comments that just say "slop" or "fuck ai" or whatever would be off topic at that point, that information is already provided, so it's just noise (and sometimes pretty uncivil - I've been light on that for now due to the need for a rule on this).

The tag [AI] would make it easy to filter out (or search for, if that's your thing), but there is a wildly different degree of AI use out there, and from the posts with a positive score, it's usually due to responsible AI use (translations, a snippet they had to do something obscure with, available to use with AI but doesn't require it, whatever), which is why I think the disclosure has a place as a benefit to everyone.

Please provide any input or alternative options on this, and I can then put it to a vote like the last one. Comments seem to be the best approach without involving something off-site, but if you have a better idea/option, please share.

2
377
submitted 3 years ago* (last edited 3 years ago) by devve@lemmy.world to c/selfhosted@lemmy.world

Hello everyone! Mods here 😊

Tell us, what services do you selfhost? Extra points for selfhosted hardware infrastructure.

Feel free to take it as a chance to present yourself to the community!

🦎

3
-10

I wouldn't.

4
123
submitted 21 hours ago by Smurfi@lemmy.zip to c/selfhosted@lemmy.world

Hey all you beautiful selfhosters,

What are your suggestions for frugally obtaining HDDs in the current economic climate? Specifically the EU (Netherlands).

I'm looking at second hand drives, but even those go for €100+ now, with bad sectors and all.

Can we organise a collective AI datacenter robbery and dole out some stolen drives? 😁

5
4
6
44

Self hosting: real game starts today

@selfhosted

So, it's done: my main domain has finally got its transfer to Hostinger, new provider where I have the VPS I'm experimenting in.

Real game with WordPress multisite/multilingual and self-hosted Fediverse starts TODAY!

#activitypub #selfhost #selfhosting #wordpress #yunohost

7
167

Hey Hosters!

Just wanted to share that I got Jellyfin installed and set up on my Windows 2022 Server, and it’s working great! I didn't even know there was a version for Windows. How do you like that?

I know this is probably “the usual” for everyone here, but I’m genuinely excited that I managed to get it all running smoothly.

After getting the server up, I went through the basics (users/permissions, library paths, and making sure everything was reachable on the network) and it all just worked. The interface is super clean, playback is nice and responsive, and it feels like I’ve been missing out on this until now.

Huge thanks to the Jellyfin team and the community! This project is awesome!! If anyone is stuck, please don’t give up. Keep poking at the configuration and it’ll pay off. Now I just need to spend some time organizing my libraries!

Happy Hosting!

8
20
submitted 1 day ago* (last edited 1 day ago) by glizzyguzzler@piefed.blahaj.zone to c/selfhosted@lemmy.world

I have a single Podman stack & Podman network - ingress via Caddy with crowdsec that forwards stuff to the various things I've got going. All self-contained in the Podman network.

I want to put Caddy in a VM to establish a "DMZ" (separate kernel) as I've seen recommended for directly internet-facing infrastructure. But to do that, I'll break my single Podman network across two "servers".
Because it is across two "servers", I need to publish the ports for the services on the non-VM server so that the VM can address them externally - which allows the services to talk to the internet (even if they don't need it) and allows the services to talk to each other on published ports (before I could have separate networks for each service, so BookOrbit can't talk to Jellyfin for instance).

How can I have the Caddy in the VM that deals with the WWW forward things to the server running everything but retain that closed Podman network topology?

And ancillary Q, what other things should be in that "DMZ" VM? Auth OIDC? Headscale? Just Caddy?
Edit: Caddy forwards everything to the Auth OIDC which forwards it along if the connection attempt is logged in. Will be adding mTLS to bypass that check eventually. That's why I'm thinking Auth OIDC should be in the "DMZ" VM too.

And lastly, Podman networking works just like Docker networking, so any topology is transferable if you've solved this in Docker!

WRT = with respect to

9
27
submitted 1 day ago* (last edited 1 day ago) by jws_shadotak@sh.itjust.works to c/selfhosted@lemmy.world

I have some subdomains that go to my home address (I know I should put it through a VPS first but I'll get to that when I have time).

If I connect to example.domain.tld and DNS records point back to my own IP, where does that data go to reach back to my device?

Edit: thanks for the responses everyone

10
72
submitted 1 day ago* (last edited 1 day ago) by BlackEco@lemmy.blackeco.com to c/selfhosted@lemmy.world

Breaking change in #FreshRSS for those of you with feeds on your local network such as RSS-Bridge or RSSHub: for improving security (SSRF), local addresses must be added to your allowed list. There are a Web UI and an environment variable INTERNAL_HOST_ALLOWLIST, whichever is easiest. Breaking changes in FreshRSS are rare, but this has been made default since not everybody is able to properly isolate their services. This has just landed in the rolling release (edge). Tests welcome.

11
78
submitted 1 day ago* (last edited 1 day ago) by eddyizm@lemmy.world to c/selfhosted@lemmy.world

Tempus is an open-source and lightweight music client for Subsonic, designed and built natively for Android.

This app works with any service that implements the Subsonic API, including:

https://github.com/eddyizm/tempus/releases/tag/v4.20.0

My last release post was for v4.12.0 so I've included what's changed since that post.

What's Changed

Highlighting these 5 features that people have wanted for some time and were well received.

And a ton of bug fixes, performance improvements and other features -> Full Changelog: https://github.com/eddyizm/tempus/compare/v4.12.0...v4.20.0

note app-tempo* <- The github release with all the android auto/chromecast features

app-degoogled* <- The izzyOnDroid release that goes without any of the google stuff.

As usual, any dev contributions appreciated as I am not actually a java/mobile dev, so my progress is significantly slower than those who do this on the daily.

Big thanks to all the folks who have been contributing.

12
48

Does anyone know if it's possible to achieve this? Possibly with an external service that syncs the two?

Basically, the last feature immich can't do that google does is to share albums. Sometimes my family wants to have albums after events, and my ones live in a silo.

13
50
submitted 1 day ago* (last edited 17 hours ago) by irmadlad@lemmy.world to c/selfhosted@lemmy.world

Recently, I saw icanhazip.com pop up in my pfSense firewall logs. It was immediately blocked but the name piqued my interest, so I did a little digging which revealed an interesting backstory.

It's owned by Cloudflare:

...but it hasn't always been theirs: icanhazip: How a simple IP address tool survived a deluge of users. Pretty interesting, at least to me as I have never encountered it before.

I have it still blocked as nothing I'm doing seems hampered by blocking icanhazip.com's ip range. Anyone else ever encounter icanhazip.com?

I think I found the source of the icanhazip.com block. From the Github Issues page:

2025-03-27 17:00:02] production.ERROR: Failed to fetch external IP address. [“cURL error 60: SSL: no alternative certificate subject name matches target hostname ‘icanhazip.com’ (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://icanhazip.com/%E2%80%9D]

ETA: Solved

14
78
submitted 1 day ago* (last edited 1 day ago) by FukOui@lemmy.zip to c/selfhosted@lemmy.world

My old laptop for self hosting just croaked, and I'm thinking of buying a 2nd hand mini pc, but this time I want to do it proper. I want to optimize the electricity consumption and specs needed/ future upgradability, considering how expensive everything is now.

My use case is just for self hosting files (infrequent access and reducing reliance on Google Drive), and occasional dev workload via ssh. I'm thinking of buying a used optiplex with at least i6 gen cpu (SFF or micro form factor), but I want to see if there are better options.

There was a link posted in this subreddit about power consumption comparison of different mini pcs (raspberry pi, n100, etc), and I regret not saving it.

If anyone could suggest me better options it would be greatly appreciated. Thanks!

15
33

This is an alternative to manually typing your password to decrypt your home server disks.

The idea is that you have a Tang server somewhere on your local network. When your server boots up, it needs to communicate with the Tang server to unlock the disk. Tang doesn't store the key and is stateless, but the client requires Tang's cooperation to compute the key.

For me, I'm thinking about someone breaking into my house and stealing my computer. Currently, I have LUKS read a keyfile from a USB drive... but I almost always leave it plugged in... so a thief would probably accidentally steal that too.

With this setup, I'm thinking maybe I could setup a Pi on the opposite side of my house, ideally hidden. And then if my home server gets stolen, LUKS wouldn't be able to reach my Tang server, and therefore not unlock anything.

16
38
Community Rules (anarchist.nexus)

In an effort to make the sidebar a bit cleaner, and allow for more thorough explanation of the rules, this post has been made. Comments are disabled, to start a discussion with the community about this post or the rules in general, please make a meta post. Please stick to one specific item to address as your post to keep discussions on topic.

If you see a rule violation, please report rather than interacting with the post/comment.

Rules:

  1. Be civil.

This is a community of collaboration. We aren't here to put each other down, but lift each other up - helping to improve efficiencies, find the right solution to deploy, or work through bugs.

Disagreement and strong opinions are welcome, being degrading or disrespectful is not.

A good reference would be the Lemmy.world Terms of Service as well as the ACoC.

Sexism, racism, ethno-supremacy, homophobia, slurs for ethnicities, genders, sexualities, etc, will not be tolerated. If you see it, report it. Don't interact, as the comment chain will likely be nuked.

  2. No spam.

Spam is not “I don’t like this”.

Spam would generally be considered:

  • Mass-posting - Posting the exact same post across a bunch of different communities, rapidly. Cross-posting is not spam, but cross-posting to communities where it wouldn't fit, is.
  • Repetitive Content (aka karma farming) - repeatedly submitting old popular content. This is completely irrelevant on Lemmy, but the behavior is still not permitted.
  • Bot Activity / AI Abuse - Using scripts/bots/gen AI to automate posts and comments.
  • Unsolicited DMs - Mass private messages or chats to users, completely unsolicited

Bots are allowed, but see the Rules of Use for Bots on Lemmy.World, where this community is located. Please be sure to review these rules prior to using a bot in this community.

  3. Posts are to be related to self-hosting.

Please ensure it is clear in your post how it relates to self-hosting.

If you see a post where there is a more appropriate place for the discussion to take place, such as a linux or networking community, please feel free to recommend it to the user as well as report.

From a community discussion on this rule:

  • Posts that are better off in a different community (not just intent, but also a community that's appropriately supported by activity) will be locked only after that community is noted. Posts will not be deleted though, only locked.
  • If there is an influx of simple posts about hardware, pictures of setups, etc., then we can go ahead with a weekly sticky for that content.
  • Low effort content is currently well managed with upvotes and downvotes. If there is an influx of low effort content, we can use a different approach.
  • Repeated common questions, once enough of them are being seen, will go to an FAQ post or a wiki.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

If everything you're posting is in the link, there isn't much value to adding that text. If you're going to add text, make it contextual. Summarize it, mention why selfhosters might be interested in the news link, how you're using this software, etc.

  5. Submission headline should match the article title.

Add supporting or related information in the post itself rather than the title.

  6. No trolling.

Trolling is deliberately posting something offensive, nonsensical, or provocative to bait people into arguments or to get an emotional reaction. It's disruptive and manipulative, and is not permitted here.

A few key characteristics:

  • Baiting: Comments / posts to make people angry or confused
  • Derailing conversations: Ruining meaningful discussions by steering them off topic

Downplaying this behavior by claiming it was "just a joke" will not impact moderation decisions. See rule 1.

  7. Promotion posts require your active participation in selfhosting or related communities, and your account must be at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See this link for further details.
  • Active participation is defined by the 10% rule - no more than 10% of your posts or comments may be self-promotional, or your post will be removed. That is not per-project, but your account as a whole. If the entirety of your post and comment history is your blog and projects, then your post history is entirely self-promotional.
  • Account Age has been added as a requirement to mitigate frequent posts that were being seen within the community. This rule applies in all cases, whether you intend to post about a paid or F/LOSS project. There are no exemptions from this requirement.
  • F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, your post is exempt from the 10% requirement. The exception does not exempt you from the account age requirement.

This post will receive updates as rules are updated.

17
22
submitted 2 days ago by _Nemo_@lemmy.ml to c/selfhosted@lemmy.world

Apologies if this is a rookie question, but I keep wondering what the vulnerabilities section on DockerHub is trying to tell me. Take nextcloud images for instance: The most current images seem to list 3 critical and 22 severe vulnerabilities. Does that mean those vulns are part of the image? If so, why would anyone want to run this?

18
66
submitted 3 days ago* (last edited 3 days ago) by CorrectAlias@piefed.blahaj.zone to c/selfhosted@lemmy.world

Hi everyone.

Given some recent.. issues with Bitwarden's leadership, I've been toying with Vaultwarden. It's been great, and supports pretty much everything I need.

I currently locally host the vault, but I'm realizing that this could cause problems for my family if something were to happen to me. While not technologically inept, if my server at home crashed they would have no idea how to access it, and they would lose all of the passwords.

I was thinking that a vps might be a better choice for this, possibly with some reboot automation in case of outages. That would allow them enough time to initiate the emergency access and import everything before anything happens to the passwords.

I've also got encrypted M-disc backups of the most important passwords with timestamps of when they were last set. I've demonstrated and written down instructions on how to decrypt these. Of course I also have other backups, but I doubt they'd be able to retrieve the non-physical copies of the backups.

Anyway, is that what most people here do with Vaultwarden, use a VPS with mTLS or VPN? To add, I would only use a tunnel for this if I go this route, so no open ports.

19
16
submitted 2 days ago* (last edited 2 days ago) by spinning_disk_engineer@lemmy.ca to c/selfhosted@lemmy.world

EDIT: turns out I needed to set mountpoint=legacy, (sudo zfs set mountpoint=legacy <filesystem>) which is the standard way to use ZFS on nixos. Legacy in this context means that the mountpoint is decided by the system rather than ZFS; I guess ZFS was previously refusing to receive the mountpoint because it already had one, but I didn't notice because they happened to be the same.

I'm using ZFS on nixos, with an ext4 boot drive, and a ZFS pool whose key is loaded from the boot disk.

Despite mounting correctly, zfs also causes the system to fail and go into emergency mode. Even if zfs were to fail though, things like sshd and dbus shouldn't depend on it.

In particular, the system waits for about half a second after

         Starting Mount ZFS filesystems...

and the next line is

[FAILED] Failed to mount /ZFSmountpoint.

and then

[DEPEND] Dependency failed for Local File Systems.

A few lines later I get

[  OK  ] Finished Mount ZFS filesystems.

The next line is about emergency mode.

How can ZFS both fail and finish? And why does this affect the remainder of startup?

20
8
I need some help (lemmy.today)

I can't decide between these two used drives: https://www.cdw.com/product/solidigm-d5-p5336-122.88-tb-solid-state-drive-2.5-internal-u.2-pci-ex/8455168?pfm=srh

and

https://www.cdw.com/product/solidigm-d5-p5336-61.44-tb-solid-state-drive-2.5-internal-u.2-pci-exp/7785193?pfm=srh

sure 61TB doesn't sound like much these days, but I'm only going to be making word docs for a few centuries. Plus the drives are used and so they come at a great discount!

21
-25

Green stripe, green, orange stripe, blue, blue stripe orange, brown stripe, brown, upvote.

And the savages who use orange stripe, orange, green stripe, blue, blue stripe, green, brown stripe, brown, downvote.

Post below for the slapfight.

22
23
Updates on LaManager - 2 weeks later (forgejo.lamathematique.ovh)

I initially shared my latest project with you here. A lot has happened in LaManager in the past 2 weeks so I thought I would make an update post.

Reminder of what is LaManager: It's a services manager built to use copy on write to reduce downtime when doing offline backups while ensuring that all the data is in a coherent state. It can also create and manage its own virtual disk images to allow it to work anywhere outside of supported COW filesystems.

First LaManager has now been put in production and has been working without issue since then.

Currently on my homelab it manages : caddy (with anubis), forgejo, jellyfin, jitsi, matrix (including frontend and bridges), nextcloud (including euro-office), pi-hole, qbittorrent, redlib and vaultwarden.

Changes and new features since last time :

  • NEW FILESYSTEM SUPPORT: ZFS !
  • moved development to my forgejo instance
  • shell-completion for bash, elvish, fish, powershell and zsh
  • multithreading of operations applied on multiple services (start, stop, backups, restart, remove)
  • new restart command for services
  • better error handling with anyhow
  • added a lockfile to prevent unmounting during backups or other combinations of incompatible operations
  • Licensed under AGPLv3

The forgejo instance is open registration to allow contributions.

With all those services the total downtime when doing a backup is under 17 seconds and extremely consistent, even when the remote took more than 20 minutes to sync.

For the entire week since introduction of multithreading daily backups downtime never went below 16 seconds or above 18.

As I've seen the discussions around about AI, I can confirm that currently LaManager has been fully created without any use of AI.

23
220

A few months ago I decided to self-host everything for my software house instead of paying for cloud infrastructure. Here's what's running on a Raspberry Pi 4B (4GB) at home:

  • Astro static site + nginx
  • Full mail stack (Postfix + Dovecot + Roundcube) in Docker
  • MariaDB with automated backups
  • GoAccess analytics with custom Python bot/human separation
  • Dynamic IP blocklist generated at every deploy
  • Certbot managed on a separate Orange Pi Zero 3 (HAProxy + SSL termination)

The Orange Pi Zero 3 as a dedicated HAProxy node was the best €25 I spent — SSL overhead completely offloaded from the Pi, all subdomains routed through one config, clean network separation between "what faces the internet" and "what runs the services."

Storage: all boards boot from SSD via USB3. No SD cards in production.

The ISP situation: Eolo wireless, 20Mbps down / 100Mbps upload. Yes, upload is 5x download. For a web server that's actually ideal.

Real stress test — June 22, 2026

A post on r/italy hit 20k views in 24 hours. Numbers that day:

  • 555 human visitors (vs ~180 daily average)
  • 151 unique IPs
  • 72.2% return rate
  • 9.98 MB bandwidth
  • 0 downtime
  • 0 errors in the mail stack

PageSpeed from Google's infrastructure:

  • Desktop: Performance 100 / SEO 100
  • Mobile: Performance 97 / SEO 100

No CDN. No Cloudflare. No edge nodes. Just nginx on a Pi.

The honest limitations:

  • Single point of failure — yes, if the Pi dies the site goes down
  • Mail deliverability on residential ISP is hard (Brevo relay helps)
  • No redundancy — we run backups, not replicas

All traffic data is live and public: stats.lake8.dev/geo.html

Happy to answer questions on any part of the stack.

24
73
25
105

So...this is very tangentially related to Self Hosting, but hear me out...

We travel frequently, either for work or leisure. As a self-hoster, I always bring an Nvidia shield player on my travel bag, to connect to my Jellyfin host from whichever hotel we might be staying at, to watch at night for example.

But increasingly, this is becoming a pain in the butt. As most TVs aren't directly hooked anymore to just the antenna or the hotel's connection. No, they usually will be hooked to an Android box handling all sorts of crap, from the hotel welcoming screens to some info, to their pre-set channels. And the android remote works via HDMI-ARC to control the TV, of which they usually hide the damn OEM remote. So, if you unplug their android box to hook up your own player, you lose the TV controls. In some cases (Sony, mostly) you might be in luck finding the 3 physical buttons they include somewhere on the TV itself to navigate inputs and volume. But in some others, you might as well end up stuck in an Android app menu where you can't get out (I'm looking at you Philips). So I think my next addition would be to get a universal remote to sort all these quirks when traveling. Has anyone else gone through these considerations? Any recommendations?


Selfhosted

60253 readers
1551 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS