I’m trying to better understand hosting a Lemmy Instance. Lurking discussions it seems like some people are hosting from the Cloud or VPS. My understanding is that it’s better to futureproof by running your own home server so that you have the data and the top most control of hardware, software etc. My understanding is that by hosting an instance via Cloud or VPS you are offloading the data / information to a 3rd party.

Are people actually running their own actual self-hosted servers from home? Do you have any recommended guides on running a Lemmy Instance?

  • J_C___@lemmy.place
    link
    fedilink
    English
    arrow-up
    63
    arrow-down
    1
    ·
    1 year ago

    Selfhosting is the act of hosting applications on “hardware you control”. That could be rented or owned, its the same to us. You could go out and buy a server to host your applications but there a few issues that you might run into that could prevent you from simply standing up a server rack in your spare room. From shitty ISPs to lack of hardware knowledge there are plenty of reasons to just rent a VPS. Either way youre one of us :)

    • Auli@lemmy.ca
      link
      fedilink
      English
      arrow-up
      5
      arrow-down
      3
      ·
      1 year ago

      But you don’t control the hardware if you run it on a VPS?

      • J_C___@lemmy.place
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        You control the hardware you are provisioned and the software you run on it, which is enough for me. Unless you’re looking for a job in the server adminstration/maintenance field the physical hardware access component of it matters less IMO

        • SatyrSack@lemmy.one
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          You definitely don’t control the hardware. Someone else at some remote server farm or something does.

          • jaybone@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Some of them offer what they call bare metal provisioning and I wonder if some even offer ILOM type access. That’s pretty much control of the hardware for me. Just that you can’t plug in a disk or a memory stick.

      • PorkSoda@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        If your server has IPMI, there’s little difference between being there in person and not.

  • space@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    40
    arrow-down
    1
    ·
    1 year ago

    Self hosting basically means you are running the server application yourself. It doesn’t matter if it’s at home, on a cloud service or anywhere else.

    I wouldn’t recommend hosting a social network like lemmy, because you would be legally responsible for all the content served from your servers. That means a lot of moderation work. Also, these types of applications are very demanding in terms of data storage, you end up with an ever growing dataset of posts, pictures etc.

    But self hosting is very interesting and empowering. There are a lot of applications you can self host, from media servers (Plex, Jellyfin), personal cloud (like Google Drive) with NextCloud, blocking ads with pihole, sync servers for various apps like Obsidian, password manager BitWarden etc. You can even make your own website by coding it, or using a CMS platform like WordPress.

    Check the Awesome Self-hosted list on GitHub, has a ton of great stuff.

    And in terms of hardware, any old computer or laptop can be used, just install your favorite server OS (Linux, FreeBSD/OpenBSD, even Windows Server). You can play with virtualization too if you have enough horsepower and memory with ESXI or Proxmox, so you can run multiple severs at once on the same computer.

  • capy_bara@lemmy.world
    link
    fedilink
    English
    arrow-up
    37
    ·
    1 year ago

    I’d say there are levels to selfhosting. Hosting your stuff on the cloud is selfhosting, but hosting it on your own hardware is a more “pure” way of doing it imo. Not that it’s better, both have their advantages, but it’s certainly a more committed to the idelal

    • Auli@lemmy.ca
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      8
      ·
      1 year ago

      I don’t know what hosting on the VPS should be called but it is definitely not self hosting. Since you are hosting your services on someone else’s servers. Didn’t it used to be called colo or something like that.

      • Buckshot@programming.dev
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        2
        ·
        1 year ago

        I thought colo was your hardware in someone else’s data center.

        For me though a VPS is still self hosting because you own your applications data and have control over it.

        You’re less beholden to the whims of a company to change the software or cut you off. With appropriate backups you should be able to move to a new cloud provider fairly easily.

      • PlexSheep@feddit.de
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        I disagree. Selfhosting is not specific to hardware location for me. My own git server is definitely selfhosted, VPN, and so on.

        I agree that having your own hardware at home is a more pure way of doing it, but I’d just call that a Homelab. I personally just combine both.

      • deur@feddit.nl
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I’d like to pose the fact that VPSes and Hosted solutions are different as a rebuttle to what you’re saying. It’s pretty unreasonable to gate keep self hosting behind having the hardware running on a device you control.

      • lemcat@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        2
        ·
        1 year ago

        Of course it’s self hosting. The term “self hosting” just means being in control of the service or host yourself, as opposed to that being controlled by a third party.

        It doesn’t mean the hardware has to be in your house. It just so happens that that is the majority preference, because people value privacy, and are often hosting private data.

  • h3ndrik@feddit.de
    link
    fedilink
    English
    arrow-up
    37
    ·
    1 year ago

    Me, yes. But it’s still selfhosting if you do it on a VPS. And probably easier, too. I mainly do it at home, because I can have multiple large harddisks this way. And storage is kind of expensive in the cloud.

    • Retiring@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Depending on where you are, a hard drive that runs 24/7 can cost you quite a bit of money (6$/month or even more for just the hard drive). If you consider the upfront cost of a hard drive, the benefit of hosting at home gets even smaller. Nvme is where you really save money hosting at home. Personally I do both, because cloud is cheap and you can have crazy bandwiths.

      • h3ndrik@feddit.de
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        1 year ago

        I know. You pretty much need to know what you’re doing. And do the maths. Know the reliability (MTBF/MTTF) and price. Don’t forget to multiply it by two (as I forgot) because you want backups. And factor in cost of operation. And corresponding hardware you need to run to operate those hdds. My hdd spins down after 5 minutes. I live in Europe and really get to pay for electricity as a consumer. A data center pays way less. My main data, mail, calendar and contacts, OS, databases and everything that needs to be there 24/7 fits on a 1TB solid state disk that doesn’t need much energy while idle. So the hdd is mostly spun down.

        Nonetheless, I have a 10TB hdd in the basement. I think it was a bit less than 300€ back when I bought it a few years ago. But I can be mistaken. I pay about 0.34€/kWh for (green) electricity. But the server only uses less than 20W on average. That makes it about 4€ per month in electricity for me. And I think my homeserver cost me about 1000€ and I’ve had it since 2017. So that would be another ~15€ per month if I say I buy hardware for ~1100€ every 6 years. Let’s say I pay about 20€/month for the whole thing. I’m not going to factor in the internet connection, because I need that anyways. (And I probably forgot to factor in I upgraded the SSD 2 times and bought additional RAM when it got super cheap. And I don’t know the reliability of my hdds…)

        I also have a cheap VPS and they’d want 76,27€/month … 915.24€ per year if I was to buy 10TB of storage from them. (But I think there are cheaper providers out there.) That would have me protected against hard disk failures. It’ll probably get cheaper with time, I can scale that effortlessly and the harddisks are spun up 24/7. The harddisks are faster ones and their internet connection is also way faster. And I can’t make mistakes like with my own hardware. Maybe having a hdd fail early or buy hardware that needs excessive power. And that’d ruin my calculation… In my case… I’m going with my ~20€/month. And I hope I did the maths correctly. Best bang for the buck is probably: Dont have the data 24/7 available and just buy an external 10TB hard drive if your concern is just pirating movies. Plug it in via USB into whatever device you’re using. And make sure to have backups ;) And if you don’t need vast amounts of space, and want to host a proper service for other people: just pay for a VPS somewhere.

        • Retiring@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          You forgot something in your calculations, you don’t need a complete VPS for the *arrs. App hosting/seedboxes are enough for that and you can have them for very, very cheap.

  • NeoNachtwaechter@lemmy.world
    link
    fedilink
    English
    arrow-up
    34
    arrow-down
    1
    ·
    1 year ago

    actually have a server at home

    I haven’t got any piece of hardware that was sold with the firstname “Server”.

    But there’s this self-built PC in my room that’s running 24/7 without having to reboot in several years…

    • yeehaw@lemmy.ca
      link
      fedilink
      English
      arrow-up
      28
      ·
      1 year ago

      Well technically a “server” is a machine dedicated to “serving” something, like a service or website or whatever. A regular desktop can be a server, it’s just not built as well as a “real” server.

        • tristan@aussie.zone
          link
          fedilink
          English
          arrow-up
          11
          arrow-down
          1
          ·
          1 year ago

          Yeah I’d stay away from Mac too… but seriously most modern laptops can disable any sleep/hibernation on lid close

          My go to lately is Lenovo tiny, can pick them up super cheap with 6-12 month warranties, throw in some extra ram, a new drive, haven’t had any fail on me yet

          • Valmond@lemmy.mindoki.com
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            You should think before releasing dangerous information on the internet!

            You can get a 2core 8GB / 240GB for 75€!!

            Uh oh, I think I’ll have to buy one now…

            • tristan@aussie.zone
              link
              fedilink
              English
              arrow-up
              3
              ·
              edit-2
              1 year ago

              This is my little setup at the moment. Each is 8500t CPU, 32gb ram, 2tb nvme and 1tb SATA SSD all running in a proxmox cluster

              Edit: also check out Dell micro or the hp… Uh I want to say it’s g6 micro? You might need to search for what is actually called

                • tristan@aussie.zone
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  Thanks :D the frame and all parts are self designed and 3d printed… was a fun project

                  The whole thing runs from just 2 power cables with room for another without adding any extra power cables

              • Valmond@lemmy.mindoki.com
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                1 year ago

                Not at all overkill? :-D

                Future proofing or is it really used ? I don’t know proxmox, is it some docker launcher thingy?

                Very cool anyways!

                • tristan@aussie.zone
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  Proxmox is like esxi, it lets you setup virtual machines. So you can fire up a virtual Linux machine and allocate it like 2gb ram and limit it to 2 cores of the CPU or give it the whole lot depending on what you need to do

                  Having them in a cluster let’s them move virtual machines between the physical hardware and have complete copies so if one goes down the next can just start up

                  It is a little overkill, I’m probably only using about 20% of its resources but it’s all for a good cause. I’m currently unable to work due to kidney failure but I’m working towards a transplant. If I do get a transplant and can return to work, being able to say “well this is my home setup and the various things I know how to do” looks a lot better than “I sat on my ass for the last 4 years so I’m very rusty”

                  This whole setup cost me about $1000aud and uses 65-70w on average

            • Synestine@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Only if you’ve got it cranking all day. I’ve got a couple of Tiny (they’re Micro, which is the same thing) systems that are silent when idle and nearly silent when running less than a load avg of 5. It’s only if I try to spin up a heavy, CPU-bound process that their singular fan spins fast enough to be noticable.

              So don’t use one as a Mining rig, but if you want something that runs x64 workloads at 9-20 watts continuously, they’re pretty good.

              • tristan@aussie.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Even running at full speed mine are pretty quiet but I also have 80mm silent low rpm fans blowing air across them too which seems to help

                I also recently went through with fresh thermal paste

    • Nix@merv.news
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      How do you install security updates etc without restarting?

      Linux servers prompt you do restart after certain updates do you just not restart?

      • VonReposti@feddit.dk
        link
        fedilink
        English
        arrow-up
        16
        ·
        1 year ago

        Enterprise distributuions can hot-swap kernels, making it unnecessary to reboot in order to make system updates.

        • Pringles@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Microsoft needs to get its shit together because reboots were a huge point of contention when I was setting up automated patching at my company.

      • poVoq@slrpnk.net
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        You can just restart… with modern SSDs it takes less than a minute. No one is ging to have a problem with 1 minute downtime per month or so.

      • Avid Amoeba@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        The right way ™ is to have the application deployed with high availability. That is every component should have more than one server serving it. Then you can take them offline for a reboot sequentially so that there’s always a live one serving users.

        This is taken to an extreme in cloud best practices where we don’t even update any servers. We update the versions of the packages we want in some source code file. From that we build a new OS image contains the updated things along with the application that the server will run and it’s ready to boot. Then in some sequence we kill server VMs running the old image and create news ones running the new. Finally the old VMs are deleted.

      • NeoNachtwaechter@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        install security updates etc without restarting?

        Actually I am lazy with updates on the “bare metal” debian/proxmox. It does nothing else than host several vm’s. Even the hard disks belong to a vm that provides all the file shares.

      • morras@links.hackliberty.org
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        First, you need a use-case. It’s worthless to have a server just for the sake of it.

        For example, you may want to replace google photos by a local save of your photos.

        Or you may want to share your movies accross the home network. Or be able to access important documents from any device at home, without hosting them on any kind of cloud storage

        Or run a bunch of automation at home.

        TL;DR choose a service you use and would like to replace by something more private.

        • tinysalamander@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          Proxmox absolutely changed the game for me learning Linux. Spinning up LXC containers in seconds to test out applications or simply to learn different Linux OSs without worrying about the install process each time has probably saved me days of my life at this point. Plus being able to use and learn ZFS natively is really cool.

          • bender@insaneutopia.com
            link
            fedilink
            English
            arrow-up
            7
            ·
            1 year ago

            Ive been using esxi (free copy) for years. Same situation. Being able to spin up virtual machines or take a snapshot before a major change has been priceless. I started off with smaller nuc computers and have upgraded to full fledged desktops.

      • PlutoniumAcid@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        The simple way is to Google ‘yunohost’ and install that on your spare machine, then just play around with what that offers.

        If you want, you could also dive deeper by installing Linux (e.g.Ubuntu), then installing Docker, then spin up Portainer as your first container.

    • HamsterRage@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Well, there are specific hardware configurations that are designed to be servers. They probably don’t have graphics cards but do have multiple CPUs, and are often configured to run many active processes at the same time.

      But for the most part, “server” is more related to the OS configuration. No GUI, strip out all the software you don’t need, like browsers, and leave just the software you need to do the job that the server is going to do.

      As to updates, this also becomes much simpler since you don’t have a lot of the crap that has vulnerabilities. I helped manage comuter department with about 30 servers, many of which were running Windows (gag!). One of the jobs was to go through the huge list of Microsoft patches every few months. The vast majority of which, “require a user to browse to a certain website” in order to activate. Since we simply didn’t have anyone using browsers on them, we could ignore those patches until we did a big “catch up” patch once a year or so.

      Our Unix servers, HP-UX or AIX, simply didn’t have the same kind of patches coming out. Some of them ran for years without a reboot.

  • Voroxpete@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    1
    ·
    1 year ago

    “Self-hosted” means you are in control of the platform. That doesn’t mean you have to own the platform outright, just that you hold the keys.

    Using a VPS to build a Nextcloud server vs using Google Drive is like the difference between leasing a car and taking a taxi. Yes, you don’t technically own the car like you would if you bought it outright, but that difference is mostly academic. The fact is you’re still in the driver’s seat, controlling how everything works. You get to drive where you want to, in your own time, you pick the music, you set the AC, you adjust the seats, and you can store as much stuff in the trunk as you want, for as long as you want.

    As long as you’re the person behind the metaphorical wheel, it’s still self-hosting.

  • ɐɥO@lemmy.ohaa.xyz
    link
    fedilink
    English
    arrow-up
    29
    ·
    1 year ago

    Are people actually running their own actual self-hosted servers from home?

    My lemmy instance is hosted in my basement

  • hitagi@ani.social
    link
    fedilink
    English
    arrow-up
    21
    ·
    1 year ago

    I’m sure the original spirit of selfhosting is actually owning the hardware (whether enterprise- or consumer-grade) but depending on your situation, renting a server could be more stable or cost effective. Whether you own the hardware or not, we all (more or less) have shared experiences anyway.

    Where I live, there are some seasons wherein the weather could be pretty bad and internet or electricity outages can happen. I wouldn’t mind hours or even days of downtime for a service whose users are only myself or a few other people (i.e. non-critical services) like a private Jellyfin server, a Discord bot, or a game server.

    For a public Lemmy server, I’d rather host it on the cloud where the hardware is located in a datacenter and I pay for other people to manage whatever disasters that could happen. As long as I make regular backups, I’m free to move elsewhere if I’m not satisfied with their service.

    As far as costs go, it might be cheaper to rent VMs if you don’t need a whole lot of performance. If you need something like a dedicated GPU, then renting becomes much more expensive. Also consider your own electricity costs and internet bills and whether you’re under NAT or not. You might need to use Cloudflare tunnels or rent a VPS as a proxy to expose your homeserver to the rest of the world.

    If the concern is just data privacy and security, then honestly, I have no idea. I know it’s common practice to encrypt your backups but I don’t know if the Lemmy database is encrypted itself or something. I’m a total idiot when it comes to these so hopefully someone can chime in and explain to us :D

    For Lemmy hosting guides, I wrote one which you can find here but it’s pretty outdated by now. I’ve moved to rootless Docker for example. The Lemmy docs were awful at the time so I made some modifications based on past experiences with selfhosting. If you’re struggling with their recommended way of installing it, you can use my guide as reference or just ask around in this community. There’s a lot of friendly people who can help!

  • MolochAlter@lemmy.world
    link
    fedilink
    English
    arrow-up
    17
    ·
    1 year ago

    Yep, big ol’ case under my desk with some 20TB of storage space.

    Most of what I host is piracy related 👀

        • bingbong@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Whoops that was backwards, my bad

          ~19.5 tb of hardcore whale porn

          ~500 gigs of midget sounds to help me sleep

        • Nik282000@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Whale sounds! Oh man, I’m gonna add that to ELF space radio and rain recordings!

      • MolochAlter@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        There’s about 3.5 TB to go out of an actual 18 in the server.

        I have another 2TB to install but it’s not in yet.

        I’m also transcoding a lot of my media library to x265 to save space.

        I don’t download for the sake of downloading, usually, and i delete stuff if I don’t see value in keeping it.

        • bender@insaneutopia.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          What is a good transcoder? I haven’t ran my media through one. Is the space saving significant? Did you lose video quality?

          • MolochAlter@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            In order:

            FFMPEG, yes, no.

            I refer you to this comment for more info.

            I have seen a saving of 60-80% per file on lower resolutions like 720 or 1080, which makes the server time well worth it.

            A folder of 26 files totaling 61GB went down to 10.5, for example.

  • thisisawayoflife@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    Some stuff is just better hosted in a proper data center. Like mail, DNS or a search engine. Some stuff, like sensitive data, is better hosted on your own hardware in your home.

  • Alvaro @social.graves.cl
    link
    fedilink
    arrow-up
    14
    ·
    1 year ago

    There are definitely benefits on running a server at home but you could say the same of a VPS. As long as you control it, it is self hosted in my book.

      • PeachMan@lemmy.one
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        Not really, you’re ideally paying for a server that you have complete control of. The differences are mostly just fundamental limitations.

        Example: if you’re hosting off site, you will always be connecting remotely, so your access depends on a network connection. If you’re hosting at home then your stuff is still accessible when your internet goes down

      • seshat@lemmy.963.pm
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        It is, if you can host at home and use a cheap vps as proxy is better in my opinion. Like it or not when you host something you will put sensitive info in your vps and ofc you should trust them. Exactly like the vpn providers, they will fight for your rights paying 5 dolars/months? For sure no.

          • seshat@lemmy.963.pm
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            My services are not accessible from my wan, i forward all my services to a cheap vps,using a proxy and trafic is encrypted. So i am not worried about my isp also my real ip is hiden. I use something like cloudflare zero trust… but is open source.

        • ProtecyaTec@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I’m less worried aobut sensitive info and more worried about owning the data. I’m looking to avoid a sitaution where I offload all the data to a 3rd party and lose access or pricing get expensive (like a Reddit situation). I’m more worried by offloading the data to a 3rd party I can’t verify that they’re not reselling it. etc.

      • Alvaro @social.graves.cl
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        @[email protected] not sure what that means but I guess you can do certain thing in your home server not allowed on a VPS. OTOH, an email server at home for example is much more difficult to achieve because your ISP most likely won’t allow you to open port 25

        • ProtecyaTec@lemmy.worldOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I was just reading through Lemmy-Ansible Github docs and wasn’t sure if a 3rd party server or a home server was going to be better to run. The documentation doesn’t feel super user-friendly or maybe I’m just not as tech-savvy as I thought.

            • ProtecyaTec@lemmy.worldOP
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              This may be way of scope for this thread but I’m not sure a better place yet to ask and learn more about how all this works. Say I run my Docker Container from a home PC, how do I make my Lemmy Instance accessible to the public? I’m familiar with web hosting but only from hosting on a simple 3rd party, where you buy a domain.

              • cbAnon0@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                ·
                edit-2
                1 year ago

                Agree with the VPS in this case. For sure you can create public-facing services in a home server or home lab, but to do so you need:

                1. Domain name hosting.
                2. an Internet Service Provider who will allow you expose port 80/443 web services and on a Static IP (most do not, or paid extra on business plans). OR use a Cloud proxy like CloudFlare which your home IP can be updated through a DynDNS service and served on private ports.
                3. Setup NAT/Port Forwarding on your modem to route incoming requests to internal services. First to a firewall or threat gateway like PFSense, a web proxy like Traefik/NGinX, and security harden and maintain your modem, router, network and served applications.

                If you’re new to these things, Id start with something more mature for personal or family home use first. Like NextCloud, HomeAssistant or Jellyfin media server. Lots of YouTubers have covered how these can be set up as a reference.

                Lemmy is still alpha, full of bugs and security vulnerabilities and needs regular hotfixes and babysitting. Permitting Joe Public into your home services is ripe for disaster unless you have the time and expertise.

                • PuppyOSAndCoffee@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  Operating internet-facing services in the home, in my opinion, requires a layer-3 managed switch so that internet traffic is 100% separated from home traffic, w/attendant DMZ to bridge home<-> internet-facing services safely.

                  L3 managed is the simplest method to contain a penetration to just the internet-facing devices (which is still pretty bad). Cloud hosting is more manageable, but you must watch the spend.

                  The biggest issue is a DDoS attack on the home network, which could impact internet-facing services and home clients (streaming TV, gaming, email, etc.).

  • PuppyOSAndCoffee@lemmy.ml
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    2
    ·
    1 year ago

    Certain cloud providers are as secure, if not more secure, than a home lab. Amazon, Google, Microsoft, et al. are responding to 0-day vulnerabilities on the reg. In a home lab, that is on you.

    To me, self-hosted means you deploy, operate, and maintain your services.

    Why? Varied…the most crucial reason is 1) it is fun because 2) they work.

    • aard@kyu.de
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Listing Microsoft cloud after their recent certificate mess is an interesting choice.

      Also, the “cloud responds to vulnerability” only works if you’re paying them to host the services for you - which definitely no longer is self hosting. If you bring up your own services the patching is on you, no matter where they are.

      If you care about stuff like “have some stuff encrypted with the keys in a hardware module” own hardware is your only option. If you don’t care about that you still need to be aware that “cloud” or “VPS” still means that you’re sharing hardware with third parties - which comes with potential security issues.

      • PuppyOSAndCoffee@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Well with bare metal yes, but when your architecture is virtual, configuration rises in importance as the first line of defense. So it’s not just “yum —update” and reboot to remediate a vulnerability, there is more to it; the odds of a home lab admin keeping up with that seem remote to me.

        Encryption is interesting, there really is no practical difference between cloud vs self hosted encryption offerings other than an emotional response.

        Regarding security issues, it will depend on the provider but one wonders if those are real or imagined issues?

        • aard@kyu.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Well with bare metal yes, but when your architecture is virtual, configuration rises in importance as the first line of defense

          You’ll have all the virtualization management functions in a separate, properly secured management VLAN with limited access. So the exposed attack surface (unless you’re selling VM containers) is pretty much the same as on bare metal: Somebody would need to exploit application or OS issues, and then in a second stage break out of the virtualization. This has the potential to cause more damage than small applications on bare metal - and if you don’t have fail over the impact of rebooting the underlying system after applying patches is more severe.

          On the other hand, already for many years - and way before container stuff was mature - hardware was too powerful for just running a single application, so it was common to have lots of unrelated stuff there, which is a maintenance nightmare. Just having that split up into lots of containers probably brings more security enhancements than the risk of having to patch your container runtime.

          Encryption is interesting, there really is no practical difference between cloud vs self hosted encryption offerings other than an emotional response.

          Most of the encryption features advertised for cloud are marketing bullshit.

          “Homomorphic encryption” as a concept just screams “side channel attacks” - and indeed as soon as a team properly looked at it they published a side channel paper.

          For pretty much all the technologies advertised from both AMD and intel to solve the various problems of trying to make people trust untrustworthy infrastructure with their private keys sidechannel attacks or other vulnerabilities exist.

          As soon as you upload a private key into a cloud system you lost control over it, no matter what their marketing department will tell you. Self hosted you can properly secure your keys in audited hardware storage, preventing key extraction.

          Regarding security issues, it will depend on the provider but one wonders if those are real or imagined issues?

          Just look at the Microsoft certificate issue I’ve mentioned - data was compromised because of that, they tried to deny the claim, and it was only possible to show that the problem exists because some US agencies paid extra for receiving error logs. Microsofts solution to keep you calm? “Just pay extra as well so you can also audit our logs to see if we lose another key”

          • PuppyOSAndCoffee@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            The azure breach is interesting in that it is vs MSFT SaaS. We’re talking produce, ready to eat meals are in the deli section!

            The encryption tech in many cloud providers is typically superior to what you run at home to the point I don’t believe it is a common attack vector.

            Overall, hardened containers are more secure vs bare metal as the attack vectors are radically diff.

            A container should refuse to execute processes that have nothing to do with container function. For ex, there is no reason to have a super user in a container, and the underlying container host should never be accessible from the devices connecting to the containers that it hosts.

            Bare metal is an emotional illusion of control esp with consumer devices between ISP gateway and bare metal.

            It’s not that self hosted can’t run the same level of detect & reject cfg, it’s just that I would be surprised if it was. Securing self hosted internet facing home labs could almost be its own community and is definitely worth a discussion.

            My point is that it is simpler imo to button up a virtual env and that includes a virtual network env (by defn, cloud hosting).

            • aard@kyu.de
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              The encryption tech in many cloud providers is typically superior to what you run at home to the point I don’t believe it is a common attack vector.

              They rely on hardware functionality in Epyc or Xeon CPUs for their stuff - I have the same hardware at home, and don’t use that functionality as it has massive problems. What I do have at home is smartcard based key storage for all my private keys - keys can’t be extracted from there, and the only outside copy is a passphrase encrypted based64 printout on paper in a sealed envelope in a safe place. Cloud operators will tell you they can also do the equivalent - but they’re lying about that.

              And the homomorphic encryption thing they’re trying to sell is just stupid.

              Overall, hardened containers are more secure vs bare metal as the attack vectors are radically diff.

              Assuming you put the same single application on bare metal the attack vectors are pretty much the same - but anybody sensible stopped doing that over a decade ago as hardware became just too powerful to justify that. So I assume nowadays anything hosted at home involves some form of container runtime or virtualization (or if not whoever is running it should reconsider their life choices).

              My point is that it is simpler imo to button up a virtual env and that includes a virtual network env

              Just like the container thing above, pretty much any deployment nowadays (even just simple low powered systems coming close to the old bare metal days) will contain at least some level of virtual networking. Traditionally we were binding everything to either localhost or world, and then going from there - but nowadays even for a simple setup it’s way more sensible to have only something like a nginx container with a public IP, and all services isolated in separate containers with various host only network bridges.

              • PuppyOSAndCoffee@lemmy.ml
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                I like how you have a home smartcard. I can’t believe many do.

                Why do you think cloud operators are lying?

                • aard@kyu.de
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  I like how you have a home smartcard. I can’t believe many do.

                  Pretty much anyone should do. There’s no excuse to at least keep your personal PGP keys in some USB dongle. I personally wouldn’t recommend yubikey for various reasons, but there are a lot more options nowadays. Most of those vendors also now have HSM options which are reasonably priced and scale well enough for small hosting purposes.

                  I started a long time ago with empty smartcards and a custom card applet - back then it was quite complicated to find empty smartcards as a private customer. By now I’ve also switched to readily available modules.

                  Why do you think cloud operators are lying?

                  One of the key concepts of the cloud is that your VMs are not tied to physical hardware. Which in turn means the key storage also isn’t - which means extraction of keys is possible. Now they’ll tell you some nonsense how they utilize cryptography to make it secure - but you can’t beat “key extraction is not possible at all”.

                  For the other bits I’ve mentioned a few times side channel attacks. Then there’s AMDs encrypted memory (SEV) claiming to fully isolate VMs from each other, with multiple published attacks. And we have AMDs PSP and intels ME, both with multiple published attacks. I think there also was a published attack against the key storage I described above, but I don’t remember the name.

                  I agree that our stuff is unlikely to be victim of an targeted attack in the cloud - but could be impacted by a targeted attack on something sharing bare metal with you. Or somebody just managed to perfect one of the currently possible attacks to run them larger scale for data collection - in all cases you’re unlikely to be properly informed about the data loss.

    • spooksboots@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      I mean, as long as you patch regularly and keep backups, you should be good enough. That’s most of what responding to a zero day is, anyway, patching.

  • sparr@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    arrow-down
    2
    ·
    1 year ago

    Most people who “self host” things are still doing it on a server somewhere outside their home. Could be a VPS, a cloud instance, colocated bare metal, …

  • niisyth@lemmy.ca
    link
    fedilink
    English
    arrow-up
    11
    ·
    1 year ago

    I have a salvaged HP 3500 Pro with an HTPC case and 8.5 TB storage. Started mainly for Jellyfin and now have half a dozen docker containers on it. Great test bed for getting used to linux before I slowly creep towards having it as my main OS on my PC.

      • funkmunki@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        That’s how it started with me. Now I have the arr stack and a bunch of other stuff running. It’s definitely been a fun learning experience. It’s a lot nicer just giving the wife a jellyseerr icon on her phone instead of her giving me a long list of stuff she wants and I have to find them.

      • tuff_wizard@aussie.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Me: I got a small plex server going to save money compared to steaming…

        Narrator: He did not.