Self-hosting is something that we should be constantly iterating on making easier; it's really the path forward for privacy centric folks. The main challenges are managing workload scheduling (SystemD is complicated for a layperson). Networking is another challenge; for instance, if you wanted all or part of these services to remain offline or on a Mesh VPN there's a lot of knowledge required.
There's some projects trying to tackle the workload orchestration piece; CasaOS (https://www.casaos.io/) being one of my favorites but there's also Portainer (https://portainer.io). TailScale and and ZeroTier are great for Mesh VPN networking, where you may need to run some workloads in the cloud but want them networked with your home applications (or just to keep them offline). They also allow you to access applications running on a home server that doesn't have a static IP. Cloudflare Access is okay; I haven't tried it because it deviates from the mesh VPN model significantly.
> Is it? It has clean and logical abstractions, and consistency. Services depending in each other isn‘t complex or difficult to understand.
For a technologist or engineer, yes. For a layperson, no. The average consumer who desires privacy is probably neither a technologist or engineer, so the longterm target is something that just works.
Laypeople also aren't going to entertain the kind of pedantry that is systemd vs systemD vs System D vs SystemD so making systems that abstract further away from those communities is beneficial.
Edit: Thank you for your correction, as a systems engineer, but I couldn't help but highlight this is a big hurdle even in the Linux communities that I've been a part of as desktop Linux as gained wider adoption by laypeople.
I'm certainly not a layperson, but systemd frequently confuses me.
I want to edit a service to harden it for example. Oh, wait I shouldn't edit it directly with vi? Because it gets overwritten by package updates. Okay, makes sense, I need to use systemctl edit instead. But that opens a file that has everything commented out. Do I uncomment the [Unit] heading? What do I need to keep and where do I add my additions? I recall there being a comment at the start of this file, but unless I'm misremembering it doesn't answer that.
All I ask of it to do one thing - start something.service after other.service. yet it just refuses to order them this way. Why? I have no idea. I also have no idea where to start debugging a problem like this. There's a billion ways to try and do this after all: do I add Before=something to other.service? Do I add After=other to something.service? Both? Wants=something?
Comments like yours are a great example of why Linux has a hard time being user friendly. You take something that's deeply technical but easy to understand for yourself, and somehow generalize it to everyone. "If it's easy for me, it is easy for everyone", without noticing that perhaps your expertise plays a big role in making it easy.
The better question is why should a layperson ever need to know about systemd in the first place.
I'm a technical person and I don't know about systemd, nor have I ever needed it.
When designing products for end users who are not technical, the overriding design goal should be easiness and reliability.
Easy: does not require special knowledge or expertise to operate.
For someone who just wants to self host, having to learn about systemd, by definition makes the product/system not easy.
Reliability: does the system implode in unexpected way based on the slight variations in the environment? If it implodes as such then it is fragile. If it does not, then it is robust and reliable.
For the end user, what matters is that the system is easy and reliable.
If the system is easy but not reliable, the user is effectively forced to become an expert in order to fix the system when it breaks. Thus, if a system is not reliable, then it doesn't matter that it's "easy".
Simple/Complicated only concerns the developers. It's important to keep systems as simple as possible under the hood, because a system that is simple is easier to make reliable than a system that is complicated. But for the end user it does not matter directly. Simplicity is about how many parts the system is composed of and how these parts interact. If there are many many parts that all have to interact with each other, then the system is complex.
Maybe once someone learns about systemd they can find it conceptually simple. But that's a moot point. The point is: they should not even have to learn about its existence.
A system where editing text files can make or break the system, is not a reliable system. It's easy to make mistakes in text files. Specially for users without expertise.
Imagine yourself a windows user. You edit a text file. Restart the machine, and now it doesn't boot, or boots in a special text-only mode. (This is not unheard of on linux based systems).
Technologists have a very skewed idea of what's complicated vs easy with computers. Things we think are absolutely trivial are often insurmountable hurdles for laypeople.
(This can, of course, happen if you put a technologist outside their element, too)
> Services depending in each other isn‘t complex or difficult to understand.
It is for me with Systemd - I had to spend hours (on two different occasions, if I remember correctly on Debian & Linux Mint) trying to understand how to set a dependency against an NFS filesystem mount so that a DB would not be started before that, and to make that work reliably => Systemd's docs & behaviour (& special distro settings related to systemD?) weren't that great for me.
What lay person does anything with systemd though? I have all my services in a docker-compose.yaml... Sure, I remember the days before systemd, I remember upstart, Gentoo's rc.conf. I still think it's useful I can find my way trough the internals of a Linux box, but for me all that stuff is far in the past. This is how it goes nowadays: Install the system in 20 min, clone the infra as code, put the data back, start the infrastructure... Where does the init system still play a role?
If someone says it’s complicated, then yes it’s complicated. It may not be complicated for you, but by definition someone finding it complicated makes it complicated.
I loved using LingonX on Mac, one of the things I'd really love to do is make that but for systemd stuff.
I think the abstractions are good, but there's a lot of terms that are needed just for the basic "Spin up this process on boot" (one might say that explicit is better than implicit, but I dunno).
> Services depending in each other isn‘t complex or difficult to understand.
I am not an expert here, but to the best of my knowledge systemd has no concept of inter-host dependencies, making it effectively useless for anything distributed. For example classic lb+app+db cannot be directly controlled by systemd.
Totally agreed, for the sake of humanity we should strive to make self-hosting as easy and as seamless as possible.
But why stop at self-hosting? Beyond self-hosting, it could be extended to local-first paradigm meaning that there's a choice to have a scalable on demand auxiliary cloud based for handling bursty access demands if you need it. In addition, you can have extra backup for the peace of mind.
I'm currently working on realiable solutions (physical wireless and application layers) to extend the local-first system to be automatically secured even you have intermittent Internet outage unlike TailScale and ZeroTier [2]. This system will be invaluable where Internet connection is not reliable due to weather, harsh environment, war, unreliable power provider or lousy ISPs [3].
[1] Local-First Software: You Own Your Data, in spite of the Cloud:
> I'm currently working on realiable solutions (physical wireless and application layers) to extend the local-first system to be automatically secured even you have intermittent Internet outage unlike TailScale and ZeroTier
Sorry but i don't understand what this means. Internet outage should not affect your LAN services, no matter what selfhosting distro you use.
Having started my career in hosting, I would suggest that this world is unlikely to come back except for exceptionally small applications with minimal business impact. What does self-hosting provide which end-end encryption does not?
Self-hosting means:
- Needing to know how to configure your linux host across firewalls, upgrades, backups.
- Negotiating contracts with network service providers. While verifying that you have the right kind of optic on the network line drop.
- Thinking through the order of operations on every remote hands request, and idiot proofing them so that no one accidentally unplugs your DB.
- Making sure that you have sufficient cold spares that a server loss doesn't nuke your business for 6-12 weeks depending on how the hardware manufacturers view your business.
- Building your own monitoring, notifications, and deployment tools using both open source and in-house tools.
- Building expertise in all of your custom tools.
- A 6-20 week lead time to provision a build server.
- Paying for all of your hardware for 3-5 years, regardless of whether you will actually need it.
- Over-provisioning memory or CPU to make up for the fact that you can't get hardware fast enough.
- Getting paged in the middle of the night because the hardware is over-provisioned and something gets overwhelmed or a physical machine died.
- Dealing with the fact that an overworked systems engineer or developer is never making any component the best. And everything you touch will just passably work.
- Everyone will have their own opinions on how something should be done, and every decision will have long term consequences. Get ready for physical vs virtual debates till the heat death of the universe.
I think there might be a vast gap between what what the article is talking about, and what you're suggesting. Somebody self-hosting their project management app on a LAMP server on some random web hosting company is one thing. What you're talking about is something else entirely.
And yes, having a web hosting company manage your server isn't "real" self hosting, for all the reasons you described, but it's a far cry from dumping all your data with a big data-guzzling giant. Your data isn't calling home, isn't being used by a company, it's sitting on your server under your control, and only you manage it.
I think the point is that most of this, other than buying extra hard drives, is solved by having a decent FOSS project.
For example, an OS that has a nextcloud-like suite of services, and a very easy to use GUI to enable a VPN / mesh network for all of your devices pretty much removes much of the concerns you mentioned regarding networking/firewalls/etc.
... so, basically, just how we ran an IT services department in the 1990s and early 2000s.
Except that:
Build servers took a day or so depending on the approval chain.
Hardware could be leased, or the capital expendite written off over 3 years, plus it came with a 4-hr onsite service warranty (if you worked with the right partners), and it being a capital, rather than operational, cost had bottom-line benefits.
24/7 service coverage for major incidents was very doable if you planned correctly, plus you owned the kit and so could control how you brought in resources to support incident recovery, rather thank waiting for your service provider to put the green dot back on their service status page.
//CSB The max total outage time for one corporate where I ran the IT dept was 12 minutes in 3 years, while we swapped out an HP battery-backed disk cache controller that took itself offline due to a confidence check failure.
i started self-hosting a bunch of stuff last month: Pleroma (like Mastodon/Twitter), Matrix (chat), Gitea (like Github) and Jellyfin (like Plex, a media server). AFTER i set up the hardware/OS, these each took about 1-2 hours to setup, and it gets faster each time as i get more accustomed to the common parts (nginx, systemd, Lets Encrypt, and whatever containerization you use).
today i accidentally nuked everything by not flushing the disk before rebooting and then naively letting fsck try to ‘fix’ it (which just makes things worse since it unlinks every inode it thinks is wrong instead of helping you recover data). now i’m manually dumping blocks and re-linking them in, supplementing whatever’s not recoverable with a 3-day old backup. that’s probably gonna take an entire day to fix up.
after this i have to figure out a better backup solution, because it costs me $5 of API requests every time i rclone the system to Backblaze, making frequent backups too expensive.
after that, i have to figure out the email part of things. AFAICT it’s pretty much impossible to 100% self-host email because of blacklisting. you have to at least proxy it through a VPS, or something.
and in between that i may spin up a DNS server to overcome the part where it takes 60min for any new service to be accessible because of the negative caching common in DNS.
no, this stuff is just way too involved for anyone who hasn’t already spent a decade in the CLI. i’m only doing this because i’m a nerd with time on his hands between jobs. self-hosting isn’t gonna catch on this decade. but maybe we can federate, so that you just need to have one friend who cares about this stuff manage the infra and provide it to their peers as a social good.
also, i don’t think privacy is the right angle for promoting self-hosting. a good deal of the things that people self-host have a public-facing component (websites; public chatrooms; etc). if privacy is what you seek, then you should strive to live life offline. the larger differentiator for self-housing is control.
After I've built a server for a purpose, the one thing I want most is a script that does it again. Spending another identical hour on a similar server just makes me sad.
> today i accidentally nuked everything by not flushing the disk before rebooting
What do you mean? Did you interrupt the reboot process (eg. repetitive ^C)? Otherwise the OS should flush everything properly.
> after this i have to figure out a better backup solution
If you have other friends doing selfhosting, giving them a HDD to put in their server so you can rsync your data is a good solution. Also, keeping another local backup is a good solution. Doing both is even better.
> AFAICT it’s pretty much impossible to 100% self-host email because of blacklisting
It depends. It's almost impossible with some bad-faith providers (google/microsoft) otherwise everything works well. And even with those bad-faith providers, residential IPs usually have better reputation (if only because your ISP likely blocks outgoing TCP 25 by default and you have to ask them to unfilter it) than VPS IPs which all have a long history of abuse.
> and in between that i may spin up a DNS server to overcome the part where it takes 60min for any new service to be accessible
If you didn't previously query that domain name on your resolver, it will not be cached and will resolve quasi-instantly. The question is how long does your authoritative name server take to apply your changes to the config: if it takes any longer than 10s you should consider switching providers.
> but maybe we can federate, so that you just need to have one friend who cares about this stuff manage the infra and provide it to their peers as a social good.
Very good point! That's the entire premise behind hosting coops like disroot.org or various members of the libreho.st/chatons.org federations.
For laypeople self-hosting is out of the question for now. I'd say the more immediate problem is that even for competent engineers this is a difficult task with all the artificial restrictions put in place in the name of security, anti-fraud, etc.
This. I think -- speaking for myself mostly -- folks move to cloud for the simplicity a web interface provides. If you like, there's usually a CLI that abstracts the compute and other things. Self hosting -- at least whenever I did it -- was always: start with a VM, install Linux, configure ports, configure security, install a webserver, deal with the security of that, manage conf files, deploy website, etc etc
Host a static page on github pages makes all that a ton easier and also free.
That's a trite example sure. But when I was at a previous company who did almost everything on premises I couldn't help but think if we had an internal portal/system a la GCP's console or that of Amazon's that could be a way for devs to spin up resources and have it all managed and even be a bit programmatic (no no K8s doesn't solve all of this it's its own bag of crazy) then we'd not need cloud much since we'd not need the almost infinite scale that cloud offers.
The problem is certificates and WAN access, and lack of MDNS on Android. There's basically no way to do anything that doesn't involve some manual setup, aside from developing a new purpose built app, and maintaining it in addition to the product, probably on two platforms.
If Mozilla still had FlyWeb things could be plug and play.
And some are considering the Tox protocol, but in general, we have not solved the most basic issue of self hosting. How do I connect to my device in a way that just works, LAN or WAN, without manually serting up the client or registering for a service?
The only model I've ever seen this work is the Mac/Windows model. You provide a standard installer for the server (or even distribute it via the app store). The user launches it through the standard graphical app launch model (Finder or Start Menu), the server displays a suitably user-friendly GUI configuration panel, and then minimises itself to the notifications tray.
The linux model of "first learn how to use a package manager, edit configuration files by hand, and configure init scripts" is never going to be something that I can comfortably explain to computer users like my parents...
Most consumer platforms don't have functional automatic backups, so this is a pie in the sky at the moment. Even for a proffesionsl, self hosting is kind of time consuming
You can still self-host and use external resources to manage network and system security. You would keep full control over the machine this way. Having professionals sensibly partitioning different resources in respective subnets is still one of the most valuable defense mechanisms against many threats.
Quite surprised at seeing CasaOS mentioned so often here. It's quite a young project & best as I can tell it was sorta a sideproject of the guys sitting on their hands while trying to ship Zimaboard kickstarter hardware during a ship shortage.
You don't really have control of any of the hardware on AWS, and therefore they can track everything you do. (If they say they don't, you just have to trust them - there's never a real way to verify)
If you're fine with that, then OK - but the public has been shown time and again this doesn't always end happily. So if they leak all of your life's passwords in plaintext, you have to be ok with that.
Which is exactly why OP pointed out this is where we should be headed if we care about privacy.
tailscale is strong for network-centric use cases.
openziti is strong for app-centric use cases - put the (programmable, zero trust) network into your self-hosted app (via SDKs for various languages), rather than putting the app on the network.
That’s pretty cool. So I could use Ziti two write a client-server app where the server is only accessible/visible to clients running Ziti with appropriate keys?
It's pretty easy to write a unit file for a service and install/use it. A layperson could easily follow a guide with just a few of the most common cases.
As a layperson, no I don't. You will be surprised how many of us couldn't easily follow and understands guides for self-hosting. It took me a while to set it up since the documentation expects me to know everything. Which that is fair because self hosting are technical and requires some knowledge to set it up properly. The challenge is that where I can learn this knowledge in condensed manner? There probably are something out there but they are not centralized enough to help laypeople to run it. Let alone trying to learn how to keep it secured.
If you truly believe that a layperson can "easily follow" a technical guide or that a guide with the most common cases is sufficient to maintain a webserver... then the only thing I can say is that your experience with both laypeople and webservers is worlds apart from mine.
First off it's systemd not systemD.
And it's not complicated, in fact it's simpler than writing shell scripts.
Portainer is a bad docker clone but more often than not doesn't work with docker scripts.
But containerization is the wrong way anyway.
If you can't setup a certain service on your machine you should not expose that host to the internet.
That might sound arrogant but only for the inexperienced mind.
Packaging everything in a docker package doesn't remove the burden of responsibility of operating an internet-exposed host.
Idk what you're even trying to say.
It feels like you're just throwing buzzwords out there without knowing what they mean or what they're for.
If you want VPN wireguard is your choice.
If you need a gatekeeper/firewall opnsense or openwrt.
This is why I'm building Timelinize [1]. It's a follow-up to my open source Timeliner project [2], which has the potential to download all your digital life onto your own computer locally, and projects it all onto a single timeline, across all data sources (text messages, social media sites, photos, location history, and more).
It's a little different from "self hosting" but it does have a similar effect of bringing all your data home and putting it in your control. We have to start somewhere, might as well start with bringing in all the data we've put out there. (It's not a replacement for self-hosted media servers, for example.)
The backend and underlying processing engine is all functional and working very well; now I'm just getting the UI put together, so I hope to have something to share later this year.
Probably out of scope for this project. But if this would include Browser history, and essentially include all the webpage you viewed, it would not just be Data you created ( which is currently the case ) but Data you consumed all on your computer.
Anyway I love this idea. Storing your data as Timeline, such as simple thing yet I never thought of it. Please submit shown HN when you are ready.
Edit: I was wondering why the username look for familiar, turns out it was the author of Caddy Server :)
Do you know some tool, to have all your feeds in one place.
I hate having to use Instagram, but a few friends post nice things.
Like timeline but with your own feed with only the things i want to see from the sources i want.
Like a daily "You missed this posts, images and ..."
I vividly remember talking to Eric Freeman at a conference (JavaOne?) about his LifeStream notion. I've wanted it ever since. (Freeman coauthored a book about JavaSpaces and IIRC had a booth demonstrating an implementation. https://books.org/books/javaspaces-principles-patterns-and-p... Another terrific idea ahead of its time.)
For instance, I'll remember where I was while listening to a podcast or song. But I won't remember which episode or the artist. I'd like to cross reference and search my listening history with my location tracking. Should be easy, right?
I've dabbled a bit with journaling, habit tracking, etc. I've created Shortcuts on my iPhone for quickly adding entries. When I circle back, I intend to add my location to each entry. Resulting in something like "20220324T120000 LAT/LONG I just saw a pair of bald eagles at the beach".
Another to do item is always tracking my location. One of the apps I've got installed is OwnTracks, but I haven't config'd the server stuff.
Any way, I'll definitely be trying your timeliner. Thanks for sharing.
Yeah, so that's kinda the idea. It's like an automatic life log from all your digital data. It can import Google Location History, for example, so you can see where you were at what time of day. Location History is kinda creepy with how accurate it is and how much data it contains (including mode of transport and device motion along with confidence levels!). So if we add a way to import your listening history, it will automatically cojoin with your location history and you'll have what you need.
This is nice, I've always wanted to build something like this, but it would integrate life choices and can show you where one's timeline "dead-ends," because you made the other choice.
The idea is inspired by the movie Bandersnatch. There's something so powerful about reflection with clarity.
I do have plans to add context to one's timeline; for example, to optionally overlay the weather on that day, or major world or local events. That might be helpful in understanding your own timeline entries in hindsight.
So the life choices thing is interesting. You're talking about divergence points, or nexus events (there are different terms in different literature/cinema), and charting your world lines, basically. (Some Loki and Steins;Gate would be recommended watching.) I am not sure how to do that, but would like to figure that out...
Not the first project of this kind, I see. But something we need more from.
But a kind of problem all those project have is their lack of modularity and thus their ability to integrate with other projects. For example, why are your sources builtin? Can you call external sources to allow any user usage of custom sources?
IMHO there are three parts for those tools. Fetching data, storing data and Letting People working with them. But most project I've seen so far for this, are doing all this together, instead of having individual parts, which would allow other people to build optimized parts for themself.
This looks very interesting. I see that Facebook is one of the data sources. Would you know if it’s possible to get posts and comments from Facebook groups (even if it’s just the ones by the user)?
Not sure actually... I'd have to look at what the Facebook API makes possible these days. It's been years since I've looked at the Facebook data source (I think it's pretty basic right now, just gets your own posts on your own wall/profile.)
very curious if you've come across prior state of the art here e.g. singly/the locker project... this stuff is annoyingly fiddly and standardizing it all seemed like tilting at windmills
Self hosting is hard. You need to take care of security, backups, software updates, software installation and so on.
Even on something like a QNAP (which can be compared to managed hosting) this can be hard. Flip the wrong switch and you expose something to the world. Missed a security update: your device is now vulnerable.
While I host a lot of things myself I can understand self hosting is not for everyone.
I used to love running my own servers with all the services etc. I’d manually write beautiful bash scripts to keep it all nice and easy to rebuild on the fly. My first job had 10 Ubuntu servers (on site) and I was the only guy who used Linux at home and had experience with sql.
I have never volunteered to maintain servers since, it was horrible and everything was always my fault (it kinda was, I was a hobbyist at best with no real production Linux experience.)
I do still end up as the dev ops/infra guy at every place I’ve worked but at this point I’m probably one of those stubborn senior guys who wouldn’t like the way the juniors went about it.
Yeah I tried self hosting everything. Getting it actually running is the easiest part. Its the maintenance, backups, and security that are 90% of the job. You can get it working pretty easily and forget about it and it will run for a while until something goes wrong or it needs to be upgraded.
Now I'd rather leave hosting to a someone dedicated to it who has internalized the latest state of things for all the relevant bits of software and is constantly keeping this knowledge in their brain. Set and forget self hosting can't work in the current environment we have where things require constant security updates and complex security hardening.
I used to backup to external drives. Now I use bare ones since finding big externals got difficult.
I use (and probably abuse) docker compose. K8s is great but compose is easier.
I use a single makefile. Kinda ugly but it's fine.
Bunch of friends and family use my "services". They usually chip in for hard drives and stuff.
I have a few central points of failure but it keeps things easy. My uptime still beats most big clouds - though I have it easier.
I accidentally took down my server for a few days from a botched hardware install. It's a bit funny because now we realize how critical the home server has become to us.. on the other hand, already got the spouses blessing to build a backup standby server.
Sounds like you might've had an unusually bad experience. Might've also been the distro; I don't like Ubuntu much myself. :P
Maintaining inherited environments is also much more painful than ones you get to design from the ground up. I work with varied environments, and one with ~250 RHEL / CentOS machines has approximately the same level of maintenance burden as another with a dozen or so Ubuntus because the first environment has had configuration management from the beginning and the second is a complete mess that I've slowly tried to reverse-engineer and clean up.
When your change management works, maintaining a dozen servers isn't all that different from maintaining a thousand or more; and the need for change management and automation doesn't really go anywhere even when you don't self-host things.
I'd love to see a blog post that says, this is how to setup X (I dunno.. mediawiki, owncloud, whatever).. and then go fully in-depth into _everything_ surrounding it.. security, backups, logging, alerting, monitoring, backup testing/restoration etc.. a blog post that really covers everything for a well-protected 21st century hosted application that won't leave the owner in tears after a year!
There's honestly so many posts that make it look so easy, but without everything else that would normally make it a job position in a company :)
It should start with how to make your system upgradeable too. I've server that started on Ubuntu 16 and made a helluva mess upgrading to 18. Due to php changes i've had to use ondrej's packages for later php... but that will break on a (very overdue) upgrade to 20...
All these script kiddie tutorials are terrible at showing how to maintain a server for years.
I think the hard part is that would be largely dependent on specific implementation, which itself is very opinionated. I could write a post on how I run, maintain, and secure Docker Container X on Ubuntu Y using vSphere with Synology and get 100 comments on why CentOS is better and I'm wasting time/money with vSphere over Proxmox, etc. Cloud doesn't have quite this problem. Once you've chosen a cloud provider, you have significantly fewer options in each category, minimizing this option-overload.
Easiest solution is to just host stuff on a local network without access to the wider internet. E.g. running on an old laptop/raspberry pi/server in your basement.
Sure, that means you can no longer access your self-hosted stuff when you're out of the house, but the tradeoff is peace of mind about your data leaking or worse.
> Sure, that means you can no longer access your self-hosted stuff when you're out of the house, but the tradeoff is peace of mind about your data leaking or worse.
Lots of things I'd consider self-hosting are functionally useless if I can't access them from my phone while out and about.
I could put my phone on a VPN, but that's just another layer of complexity to add to the self-hosting process.
That helps for external threats breaking into buggy network services, but it doesn't help for compromised apps/images/dependencies exfiltrating your secrets.
"Flip the wrong switch and you expose something to the world."
One strategy for dealing with accidental misconfigurations is to employ a "network slug"[1]:
"A Network Slug, or "Slug", is a transparent layer 2 firewall running on a device with only two interfaces. ... The purpose of a Slug is to reinforce a security policy or to block uninentional leaks of information."
I have never head this idea described in text before. However, I have made firewalls this way for decades.
They were typically for stuff that ran in a datacenter so it would be a 1U server with three NICs.
I would really like to make such devices for home or office use. What would be a good device to use for this? Unfortunately, RaspberryPIs do not come with 2 or 3 NICs.
Any recommended alternatives?
For me the issue is that I now have (let me count) 15 different devices in my household with unique configuration needs that it’s up to me manage. I could handle it when it was 1, 2, 3. Now it’s just too much.
I recognize that this embarrassment of riches is in part my own fault. But this is my answer to your “why”
As someone who used to have a server in my dorm room but switched to outsourcing it I stopped because the list of technologies I had to keep track of kept monotonically growing and I had no interest in making it my day job.
If it becomes simple again I would gladly self-host.
> Even on something like a QNAP (which can be compared to managed hosting) this can be hard. Flip the wrong switch and you expose something to the world. Missed a security update: your device is now vulnerable.
It doesn't even require actively flipping switches, but can be from not knowing a vulnerable feature was enabled by default. My QNAP got hit with ransomware because of a vulnerability in the cloud access software that I wasn't even using. I've since locked down all non-local traffic.
Wanted to reply saying the same thing. I didn't really muck with the settings on my QNAP NAS and then checked into my files one day and everything was encrypted with some txt files telling me to send BTC to some address. I just formatted the disks, lamented not backing some stuff up, and moved on.
I'd say the point being: I'm a software engineer who knows better about these sorts of things and still got caught with my pants down. You have to be very judicious with respect to security. You can't just plug and play and say "I'm too busy to worry about that."
Another thing I'll add is the amount of software tools they have on these NAS machines strikes me as 1) very impressive for a company their size and 2) a huge surface area rife for being hacked. When it happened I wasn't surprised at all.
I've since stopped using it because at the end of the day I'd rather pay Dropbox to have peace of mind.
I tried it but there are so many traps you can fall in, like security settings as mentioned by you.
When i had my server online back then, it was hacked 1 week later :D
I hear a lot of stories like this. I've been self-hosting for a few years out of my home. I have a symmetrical gigabit fiber connection. My IP changes very frequently (DDNS and a low TTL solves that problem for my use cases).
_anyway_
I haven't been hacked.. yet. /me knocks on wood
The precautions I take are basic:
- Use unique and secure credentials on each service I expose.
- I only expose ports 80 and 443 to the public. 80 HTTP redirects to HTTPS/443
- I keep my software updated (docker-compose pull)
- Nightly backups to cloud storage and local disk
- I "airgap" my home network from my hosting network. There is no shared hardware between them including firewalss/routers, switches, etc.
I figure cloud services and SaaS get hacked anyway. I can't enumerate the breaches my data has been a part of. If my self-hosted stuff gets hacked at least I can do the forensics and actually see what happened and what was accessed. With a 3rd party all I can hope for is what their PR department lets out.
It has also gotten much easier. For instance running your own full blown email server with docker-mailcow. There's a great UI tool that helps to setup the required DNS records. I remember doing the lengthy postfix + dovecot + SASL + MySQL + Auth + this + that guides. No need for it anymore.
I agree but I think about it in the reverse way: the hosting is easy, what you get when you use another company's service is the maintenance. Just like every other option where we choose who will maintain something there are trade-offs. You can maintain your own car if you want, but it'll involve things! We all look at our lives and decide which is best for us for each thing.
Personally, I tend to self host the things whose maintenance I at least find satisfying, and hopefully enjoy. Otherwise I pay someone (through ads or my own money) to do it for me.
I'm amused by the implications here that 1) the outsourced alternatives are better than you are at keeping up with the 'hard stuff', and 2) that in an outsourced scenario you can't "flip the wrong switch and you expose something to the world". This thinking is why I can't tell you how many incident post-mortems I've done where I have to once again hear "...but, but, but...we outsourced this to them so this couldn't happen...".
Depends on whether you're referring to a SaaS provider or something more like a MSP.
I'd like to believe the engineers running Google Photos or iCloud are spending a lot more time on keeping my photos secure and available than I would be willing to put into a server running in my basement.
In the case of a business hiring an MSP to manage something complex like firewalls, Active Directory, server patching, then sure it's reasonable to assume that if they made a mistake, the impact would be equivalent to you making the mistake yourself.
It's possible you need to tell whomever you are reporting to for these post-mortems, they should be outsourcing to reputable service providers in order to free up time and man-hours, not necessarily just to save financially. I suspect that is the real problem.
You can use a popular Linux dist and turn on automatic updates, and use Snap apps that update by themselves. But you still would not have control - apps could update with breaking changes.
The only way to win is by choosing simple tools that are either considered "infrastructure", or simple to build and even patch yourself if needed.
To the extent permitted by the hosted service, you should still backup your data. If you manage to accidentally delete all of your hosted photos or if your account is compromised, I wouldn't rely on most services going to their backups to restore your data. Unless it's a site-wide issue, most places will say "that's too bad" and send you directions on how to protect your account.
I have a home server. It runs on a 2013/14 HP Pavillion laptop. I am indeed a linux user. I currently have arch linux installed on it. I run a blog at [0] and use a dynamic dns provider.
I must say, it has not been easy at all. I learned a lot of things. I did not attend any school lectures to learn this. I am still in high school, but thanks to the beauty of the internet and a ton of effort I was able to get a static blog working, learned a lot about free software, how sometimes just using certain web servers is just too complex.
The main web server is at [0]. It runs on my home internet connection. Thankfully they do allow for port forwarding. But it's certainly a good exercise to understand how much
we give for granted to giant and sometimes small corporations.
I've learned to write and express my feelings among lots of other technical knowledge.
I love arch for a lot of things, but I've learned to keep stick to more "traditional" operating systems when it comes to servers. There's simply no auto-update functionality available in Arch so you need to constantly remind yourself to update. I wish you the best of luck with your arch server endeavours, may they treat you better than they have treated me.
Ubuntu is pushing me away with their idiotic focus on snap every new release but I'm not hosting anything on a server that I can't just run sudo dpkg-reconfigure unattended-upgrades on to auto install security patches. I still need to reboot my servers from time to time, but that's rarely ever really necessary for security. It's a shame because I think the "closer to the metal" approach of Arch works quite well for server setups.
My utmost respect. I ran a Linux box at home while I was at university. It acted like a NAT/masquerading server. It was the time when DSL routers weren't a thing. At least not widely available.
But I never had the idea to use it to host internal or external stuff there.
My business just started self-hosting, but we severely underestimated the cost of air conditioning (installation), SFP adapters, enterprise Ethernet and electrical infrastructure and ended up spending as much on peripheral stuff as servers.
So far the whole operation has cost around $30k (small business). We stand to save $1-1.5k per month at the moment, less the cost of symmetrical fiber about $500/mo.
Next year it will pay off but this year we definitely won’t break even on the servers.
How has this has changed our culture? Well, what I have enjoyed about the whole process is now we have a bunch of spare capacity, so we can spin up demo servers for SMB clients for even a few months and it “costs us nothing”. Then we can arrange payment later when they fully appreciate the service. We don’t take any risks anymore with bills that need to be settled to cloud providers. This has changed how “generous” we are in the outset with our clients. It feels really healthy to be able to do this.
I'm glad you did. One of the things that scare me the most about the current state of the Internet, it's how centralized it's everything in the "cloud" with a lot of the Internet infrastructure depending on like 5 providers. Self hosting it's dirty, time consuming, expensive, risky, but it's predictable.
The problem with XaaS it's how little control we have. Not only the rules of pricing can change any day, but if you're already dependable on the service, they could easily shut down that service if it's not profitable enough, and with some luck you will only be able to migrate in a few months.
In the end I think it will boil down to a question of anti fragility or resiliency VS. efficiency.
And there is actually imho no black and white answer. Take a current, very small freelance client of mine. I built them a homepage based on Kirby CMS. Hosted on uberspace.de. On the same shared server there is Matomo being hosted for basic stats.
Another client I was involved in went another way. They had their site built by a team of designers with webflow and are using Google Analytics.
In both cases the decision makes sense given the conditions and constraints of the respective projects.
Personally I would have not recommend to use webflow, but that was not my call to make. For GA I provided a pro/con evaluation and the client decided to go with GA (not my primary recommendation). I still think for his use case at the time a sensible decision.
What I don't get is if the problem was the risk of unexpected bills from a cloud provider, then why not just use simple virtual servers that you can rent for a fixed price from almost any hosting provider?
Gives you all that extra benefit you speak of of the extra compute headroom that you can use for spinning up any demo server application you want, and saves you all the costs, risks, and headache of managing your own hardware.
Why the debate of cloud vs on prem? The logical sweet spot in the middle seems to be vps to me.
You're still managing a server, but now you're paying through the nose to do it.
The costs just simply don't work out nicely to anyone who can afford to buy at even small scales.
A 4 cpu, 8gb ram machine will pretty commonly run you $50 a month, with less than 200gb storage. You're paying 600/year for a machine that I can build (with better specs) for ~400.
Not to mention that the machine you buy yourself will have a lifespan of 3 to 8 years.
So sure - once you factor in bandwidth, storage location, power - you're probably not going to save money in the first year. But by year 2 you are, and by year 4 you've saved a considerable sum.
Dumb question. I’m building little social apps, and I’m hosting stuff in GCP or AWS.
I have a few old computers that are still kinda beefy (quad cores and a 6-core, 16+ Gb ram, some old but still working 3TB hdd). Would it be stupid to run some of my code and data on these? Not everything I have needs to be geographically close to users or something like that, such as a mass notifier service that runs every so often. For example I’ve got a few auxiliary services that I’m sure I could run just fine off these machines, but I chose the cloud because it’s what I’m used to from work.. I have a fiber connection at home and I’m anyway powering my laptops and other electronics 24/7..
Obviously not a bigger business like your use case but I’m just curious. Some services cost quite a bit and I feel like I have better hardware for some things (non database) than what I pay for.
You aren't really paying for computing power and storage - you are paying for power/network/facility/server redundancy and availability.
We host out own servers, and the bulk of the time is ensuring that the power doesn't go out, that there is a backup internet connection, that the HDs are on RAID, that the server has a backup server available (and the router, and the switch, and the NICs), and that the management network is available, and that the location has proper security monitoring, and that the offsite backup happens nightly, and that we have an employee that knows how to do all of the above... All of that is time consuming and expensive.
...BUT, some people/some companies actually enjoy that sort of thing, in which case, it can work out financially - though often you're sacrificing one of the 9's in your 99.99% uptime/reliability.
I would recommend plugging the hardware into power measuring units before the wall sockets to give you an estimated running cost. Depending on where you are in the world electricity can be crazy expensive.
The cost of purchasing a lower power SBC (x86, ARM) might be very quickly offset.
A RaspberryPi can handle a surprising amount, especially the 4/8GB models. The trick is using low resource software.
If you're already paying for business internet in the location you have, and your power costs are reasonable, and you don't mind possible downtime - I'd vote go for it.
Honestly - Most cloud services are exorbitantly over-priced. There's a reason AWS is ~15% of amazon's total revenue, and Azure now pulls in more revenue than any other MS product.
I throw old machines into a micro-k8s cluster. It costs me literally pennies on the dollar for much better computing hardware compared to a vps.
Well, to host anything serious, you’d have to have the right infra.
Like a good edge router, redundant power supplies, RAID arrays, a backup mechanism, and a very good upload connection (ie 500mbit). By the time you setup all that, you may as well be using new hardware to make the investment worth it.
I don’t need a reason why to self host, I need nice, clear, up-to-date tutorials on how to self host various services.
Self hosting should be easy enough for everyday people. Perhaps preconfigured servers that treat services just like apps. Once I have a server setup, I should be able to install (and uninstall) services in a single click. The OS can handle permissions and containers.
There are numerous projects which have attempted to create this.
https://sandstorm.io/ was the biggest one but as far as I can tell its largely unmaintained and most of the apps are outdated
https://yunohost.org/ probably has the best "just works" experience but I didn't like that it wasn't using any kind of containerization which has caused them issues with shared libraries like PHP being difficult to update. As well as security concerns about one insecure app giving access to the whole server.
Ultimately the problem is just extremely difficult / high maintenance. And no one wants to pay for this work.
Sandstorm is in need of more coders to help maintain and update apps, but it's not abandoned. I use it, both personally and professionally.
It results in a better experience for end-users because applications are actually sandboxed. This (mercifully) means that any security issues in the out-of-date applications does not become a cause for panic. The downside is that packaging those applications is not trivial.
I always check for yunohost on these self-hosting threads. Standing up a yunohost on my raspberry pie has been on my to-do list for a long time.
Unfortunately their default for my raspberry pie didn't "just work" on the Saturday evening I tried it. It was my first foray with that raspberry pie, so installed a different server OS and spent the rest of the evening setting up a basic server for an HTML file and learning more about SSH. That was my experience as a non-IT engineer. I'd be interested in other people's experiences using yunohost (or sandstorm for that matter).
Maybe the solution isn't to make an idiot-proof stack of tech. Maybe we need a central repo of tutorials and how-tos so that any idiot could self host? Something better than the scattered YouTubes and blogs I remember seeing when I Googled after this.
It's kinda sad that something like yunohost is still the best "just working"-solution we have at the moment. I tested it some weeks ago for a homelab-server, and holy crap was this a poor experience.
But the general problem with those projects is, they all are packaging their own apps, and most of those have a very low number available. Some of thise apps are outdated, or are not well tested. It's quite strange that we have dozens of linux-distributions, each with thousand of packages, yet we have no good solution that actually works well enough.
You either have solutions which are hiding everything in a tanglement which is hard to understand, or you must do all the work yourself, or you live with the in-betweens which offer only a handful of apps. Maybe in another 20 years we have something workable on all levels...
> the best "just works" experience but I didn't like that it wasn't using any kind of containerization which has caused them issues with shared libraries like PHP being difficult to update. As well as security concerns about one insecure app giving access to the whole server.
imo the reproducability guarantees of docker aren't enough and domething like NixOS is needed.
I am with you. I think the future is something like Umbrel[1].
Because frankly, I would rather have the server running on a little device in my home than having to mess around with things like SSH and a VPS. An app that is running on a little computer in my house is both more understandable and easier for me to maintain.
I'm guessing the "why" eventually can trigger experts to craft mechanism and associated tutorials/docs to show the "how". That is, i think people should understand the compelling reasons why self-hosting could be important...and maybe there will be much more incentive to get experts to create more things - and easier - for lay people to adopt them...For example, if tons more people start demanding that easier self hosting options exist (both mechanism AND how to docs), then we would have many more entities - both commercial and private - incentivized to generate better/easier on-ramsp for self hosting. But of course, you're right that ultimately, eventually, the "how" to get to such a nirvana is essential too. That is my guess anyway.
Unraid can do something extremely similar to this. There's a plugin that provides a repository of Community Applications that are essentially docker configuration templates designed specifically for Unraid. You can search for say, HomeAssistant and install it with just a few clicks.
Unraid is great, but be warned, it can spiral out of control. I started with unraid and a gazillion containers, now I have that, 2 mini PCs, and some networking equipment that I never thought I'd want or need. It's a lot of fun.
Lots of good points about the challenges of self-hosting throughout this thread, especially maintenance, security, and time-investment.
Here's my solution to all of them:
Invest in your common infra. Docker provides stable images configured primarily with env vars. I have a docker-compose host with logging/monitoring/alerting. All service-specific files are mounted from a NAS that has backups. All network access is closed by default, but exposed via a central login proxy (tailscale would be an easier alternative, but my Beyondcorp-esque system lets non-technical family members use my services easily from anywhere by tapping a yubikey).
That's 3 pieces of infra to maintain (docker host, NAS, login proxy) but I can check all the boxes for self-hosting 15+ services. O(n) services with O(1) infra.
I regularly spin up new services in under 10 minutes, while only having to touch 3 files that I am already familiar with (docker-compose.yml, dnsconfig.js, nginx.conf). I've run stable services for years on this stack. The only painful issues have been upgrades to the docker host, docker ipv6, and hardware issues.
This is all on a recycled computer in the basement, with a cheap VPS as a stable public entrypoint.
But then you're adding even more parties to trust as it's often the case that Docker images are not provided by the same people that are maintaining the project.
Fair point, but I haven't hit it in practice. Tons of services are embracing docker as a first-class output. I just checked and I run exactly 2 images that are from a third party.
How'd you go getting docker + IPv6 going? I spent hours trying to get docker containers to get native IPv6 IPs and eventually gave up because it was to painful.
I feel for you. I also wasted a lot of very painful hours trying to get it to work. I even had it working for a while before a docker update broke it -- turns out docker-compose's ipv6 support that many people relied on for years was a "bug" that they "fixed".
Ultimately I also gave up and now have a combination of port forwarding, nat64, and 10+ socat proxies in my docker-compose file. (Specifically, intranet->container and container->intranet are ipv6; but container->container is still ipv4)
More generally, I now try to keep my docker host as stock as possible. Whenever I'm reaching for daemon.json I just catch myself, take a step back, and say "what's the stupid but easy way to get this working".
Why? All you have to do is add a prefix to both the docker daemon and individual networks configured by compose. I do it and it's painless, never hit a bug. Just ensure the prefixes are at least /112.
Docker will not solve the problem. It's just another layer in the pile of garbage. It's just another confusing system that the user must learn and become an expert in to even get started. Totally the wrong solution.
You want something that just works without the user having to know anything.
If you really want mainstream adoption of self hosting then you need to stop calling it self hosting and rebrand to "personal cloud". The ease of use of cloud software includes zero install, zero management and consumption based pricing. Desktop and mobile had hardware packaged with software and a simple install mechanism with ease of use as a staple for mainstream users.
Self hosting has zero standardisation around hardware, software, install mechanisms. It's a Dev led movement that has everything to do with control and ownership over ease of use. You want mainstream adoption of self hosting. Rebrand it, standardise it, make it easy for non devs.
That's because its a product by western digital. No one wants that. Let's put it like this. Cloud 1.0 was infrastructure, Cloud 2.0 was services, Cloud 3.0 is personal/private.
Readit News
There's some projects trying to tackle the workload orchestration piece; CasaOS (https://www.casaos.io/) being one of my favorites but there's also Portainer (https://portainer.io). TailScale and and ZeroTier are great for Mesh VPN networking, where you may need to run some workloads in the cloud but want them networked with your home applications (or just to keep them offline). They also allow you to access applications running on a home server that doesn't have a static IP. Cloudflare Access is okay; I haven't tried it because it deviates from the mesh VPN model significantly.
Is it? It has clean and logical abstractions, and consistency. Services depending in each other isn‘t complex or difficult to understand.
I suspect that a nice GUI would make systemd quite usable for non-expert users.
BTW: It‘s called ”systemd“:
> Yes, it is written systemd, not system D or System D, or even SystemD. And it isn't system d either. [0]
[0]: https://www.freedesktop.org/wiki/Software/systemd/#spelling
For a technologist or engineer, yes. For a layperson, no. The average consumer who desires privacy is probably neither a technologist or engineer, so the longterm target is something that just works.
Laypeople also aren't going to entertain the kind of pedantry that is systemd vs systemD vs System D vs SystemD so making systems that abstract further away from those communities is beneficial.
Edit: Thank you for your correction, as a systems engineer, but I couldn't help but highlight this is a big hurdle even in the Linux communities that I've been a part of as desktop Linux as gained wider adoption by laypeople.
I want to edit a service to harden it for example. Oh, wait I shouldn't edit it directly with vi? Because it gets overwritten by package updates. Okay, makes sense, I need to use systemctl edit instead. But that opens a file that has everything commented out. Do I uncomment the [Unit] heading? What do I need to keep and where do I add my additions? I recall there being a comment at the start of this file, but unless I'm misremembering it doesn't answer that.
All I ask of it to do one thing - start something.service after other.service. yet it just refuses to order them this way. Why? I have no idea. I also have no idea where to start debugging a problem like this. There's a billion ways to try and do this after all: do I add Before=something to other.service? Do I add After=other to something.service? Both? Wants=something?
The better question is why should a layperson ever need to know about systemd in the first place.
I'm a technical person and I don't know about systemd, nor have I ever needed it.
When designing products for end users who are not technical, the overriding design goal should be easiness and reliability.
Easy: does not require special knowledge or expertise to operate.
For someone who just wants to self host, having to learn about systemd, by definition makes the product/system not easy.
Reliability: does the system implode in unexpected way based on the slight variations in the environment? If it implodes as such then it is fragile. If it does not, then it is robust and reliable.
For the end user, what matters is that the system is easy and reliable.
If the system is easy but not reliable, the user is effectively forced to become an expert in order to fix the system when it breaks. Thus, if a system is not reliable, then it doesn't matter that it's "easy".
Simple/Complicated only concerns the developers. It's important to keep systems as simple as possible under the hood, because a system that is simple is easier to make reliable than a system that is complicated. But for the end user it does not matter directly. Simplicity is about how many parts the system is composed of and how these parts interact. If there are many many parts that all have to interact with each other, then the system is complex.
Maybe once someone learns about systemd they can find it conceptually simple. But that's a moot point. The point is: they should not even have to learn about its existence.
A system where editing text files can make or break the system, is not a reliable system. It's easy to make mistakes in text files. Specially for users without expertise.
Imagine yourself a windows user. You edit a text file. Restart the machine, and now it doesn't boot, or boots in a special text-only mode. (This is not unheard of on linux based systems).
(This can, of course, happen if you put a technologist outside their element, too)
It is for me with Systemd - I had to spend hours (on two different occasions, if I remember correctly on Debian & Linux Mint) trying to understand how to set a dependency against an NFS filesystem mount so that a DB would not be started before that, and to make that work reliably => Systemd's docs & behaviour (& special distro settings related to systemD?) weren't that great for me.
Sorry, but an actual layperson would already be lost upon reaching the word "abstraction".
I think the abstractions are good, but there's a lot of terms that are needed just for the basic "Spin up this process on boot" (one might say that explicit is better than implicit, but I dunno).
I am not an expert here, but to the best of my knowledge systemd has no concept of inter-host dependencies, making it effectively useless for anything distributed. For example classic lb+app+db cannot be directly controlled by systemd.
But why stop at self-hosting? Beyond self-hosting, it could be extended to local-first paradigm meaning that there's a choice to have a scalable on demand auxiliary cloud based for handling bursty access demands if you need it. In addition, you can have extra backup for the peace of mind.
I'm currently working on realiable solutions (physical wireless and application layers) to extend the local-first system to be automatically secured even you have intermittent Internet outage unlike TailScale and ZeroTier [2]. This system will be invaluable where Internet connection is not reliable due to weather, harsh environment, war, unreliable power provider or lousy ISPs [3].
[1] Local-First Software: You Own Your Data, in spite of the Cloud:
https://martin.kleppmann.com/papers/local-first.pdf
[2] Internet outage:
https://en.wikipedia.org/wiki/Internet_outage
[3] NIST Helps Next-Generation Cell Technology See Past the Greenery:
https://www.nist.gov/news-events/news/2022/01/nist-helps-nex...
Sorry but i don't understand what this means. Internet outage should not affect your LAN services, no matter what selfhosting distro you use.
Self-hosting means:
- Needing to know how to configure your linux host across firewalls, upgrades, backups.
- Negotiating contracts with network service providers. While verifying that you have the right kind of optic on the network line drop.
- Thinking through the order of operations on every remote hands request, and idiot proofing them so that no one accidentally unplugs your DB.
- Making sure that you have sufficient cold spares that a server loss doesn't nuke your business for 6-12 weeks depending on how the hardware manufacturers view your business.
- Building your own monitoring, notifications, and deployment tools using both open source and in-house tools.
- Building expertise in all of your custom tools.
- A 6-20 week lead time to provision a build server.
- Paying for all of your hardware for 3-5 years, regardless of whether you will actually need it.
- Over-provisioning memory or CPU to make up for the fact that you can't get hardware fast enough.
- Getting paged in the middle of the night because the hardware is over-provisioned and something gets overwhelmed or a physical machine died.
- Dealing with the fact that an overworked systems engineer or developer is never making any component the best. And everything you touch will just passably work.
- Everyone will have their own opinions on how something should be done, and every decision will have long term consequences. Get ready for physical vs virtual debates till the heat death of the universe.
And yes, having a web hosting company manage your server isn't "real" self hosting, for all the reasons you described, but it's a far cry from dumping all your data with a big data-guzzling giant. Your data isn't calling home, isn't being used by a company, it's sitting on your server under your control, and only you manage it.
I think that's their main gripe.
For example, an OS that has a nextcloud-like suite of services, and a very easy to use GUI to enable a VPN / mesh network for all of your devices pretty much removes much of the concerns you mentioned regarding networking/firewalls/etc.
Except that:
Build servers took a day or so depending on the approval chain.
Hardware could be leased, or the capital expendite written off over 3 years, plus it came with a 4-hr onsite service warranty (if you worked with the right partners), and it being a capital, rather than operational, cost had bottom-line benefits.
24/7 service coverage for major incidents was very doable if you planned correctly, plus you owned the kit and so could control how you brought in resources to support incident recovery, rather thank waiting for your service provider to put the green dot back on their service status page.
//CSB The max total outage time for one corporate where I ran the IT dept was 12 minutes in 3 years, while we swapped out an HP battery-backed disk cache controller that took itself offline due to a confidence check failure.
today i accidentally nuked everything by not flushing the disk before rebooting and then naively letting fsck try to ‘fix’ it (which just makes things worse since it unlinks every inode it thinks is wrong instead of helping you recover data). now i’m manually dumping blocks and re-linking them in, supplementing whatever’s not recoverable with a 3-day old backup. that’s probably gonna take an entire day to fix up.
after this i have to figure out a better backup solution, because it costs me $5 of API requests every time i rclone the system to Backblaze, making frequent backups too expensive.
after that, i have to figure out the email part of things. AFAICT it’s pretty much impossible to 100% self-host email because of blacklisting. you have to at least proxy it through a VPS, or something.
and in between that i may spin up a DNS server to overcome the part where it takes 60min for any new service to be accessible because of the negative caching common in DNS.
no, this stuff is just way too involved for anyone who hasn’t already spent a decade in the CLI. i’m only doing this because i’m a nerd with time on his hands between jobs. self-hosting isn’t gonna catch on this decade. but maybe we can federate, so that you just need to have one friend who cares about this stuff manage the infra and provide it to their peers as a social good.
also, i don’t think privacy is the right angle for promoting self-hosting. a good deal of the things that people self-host have a public-facing component (websites; public chatrooms; etc). if privacy is what you seek, then you should strive to live life offline. the larger differentiator for self-housing is control.
What do you mean? Did you interrupt the reboot process (eg. repetitive ^C)? Otherwise the OS should flush everything properly.
> after this i have to figure out a better backup solution
If you have other friends doing selfhosting, giving them a HDD to put in their server so you can rsync your data is a good solution. Also, keeping another local backup is a good solution. Doing both is even better.
> AFAICT it’s pretty much impossible to 100% self-host email because of blacklisting
It depends. It's almost impossible with some bad-faith providers (google/microsoft) otherwise everything works well. And even with those bad-faith providers, residential IPs usually have better reputation (if only because your ISP likely blocks outgoing TCP 25 by default and you have to ask them to unfilter it) than VPS IPs which all have a long history of abuse.
> and in between that i may spin up a DNS server to overcome the part where it takes 60min for any new service to be accessible
If you didn't previously query that domain name on your resolver, it will not be cached and will resolve quasi-instantly. The question is how long does your authoritative name server take to apply your changes to the config: if it takes any longer than 10s you should consider switching providers.
> but maybe we can federate, so that you just need to have one friend who cares about this stuff manage the infra and provide it to their peers as a social good.
Very good point! That's the entire premise behind hosting coops like disroot.org or various members of the libreho.st/chatons.org federations.
Deleted Comment
Host a static page on github pages makes all that a ton easier and also free.
That's a trite example sure. But when I was at a previous company who did almost everything on premises I couldn't help but think if we had an internal portal/system a la GCP's console or that of Amazon's that could be a way for devs to spin up resources and have it all managed and even be a bit programmatic (no no K8s doesn't solve all of this it's its own bag of crazy) then we'd not need cloud much since we'd not need the almost infinite scale that cloud offers.
If Mozilla still had FlyWeb things could be plug and play.
I have a set of proposals here to bring some of that back: https://github.com/WICG/proposals/issues/43
And some are considering the Tox protocol, but in general, we have not solved the most basic issue of self hosting. How do I connect to my device in a way that just works, LAN or WAN, without manually serting up the client or registering for a service?
The linux model of "first learn how to use a package manager, edit configuration files by hand, and configure init scripts" is never going to be something that I can comfortably explain to computer users like my parents...
Deleted Comment
Deleted Comment
Good for them that it is seeing traction :)
[0]: https://www.zimaboard.com/
I'm pretty sure that's exactly what we did and ended up where we are today. Any sufficiently-advanced self-hosting is indistinguishable from AWS?
I'm not sure how joking I am.
Which is exactly why OP pointed out this is where we should be headed if we care about privacy.
Deleted Comment
openziti is strong for app-centric use cases - put the (programmable, zero trust) network into your self-hosted app (via SDKs for various languages), rather than putting the app on the network.
https://openziti.github.io/ (quick starts) https://github.com/openziti
disclosure: founder of company selling saas on top of openziti
If you truly believe that a layperson can "easily follow" a technical guide or that a guide with the most common cases is sufficient to maintain a webserver... then the only thing I can say is that your experience with both laypeople and webservers is worlds apart from mine.
It's a little different from "self hosting" but it does have a similar effect of bringing all your data home and putting it in your control. We have to start somewhere, might as well start with bringing in all the data we've put out there. (It's not a replacement for self-hosted media servers, for example.)
The backend and underlying processing engine is all functional and working very well; now I'm just getting the UI put together, so I hope to have something to share later this year.
[1]: https://twitter.com/timelinize (website coming eventually)
[2]: https://github.com/mholt/timeliner
Anyway I love this idea. Storing your data as Timeline, such as simple thing yet I never thought of it. Please submit shown HN when you are ready.
Edit: I was wondering why the username look for familiar, turns out it was the author of Caddy Server :)
And thanks! I'll show it off as soon as I can.
Do you know some tool, to have all your feeds in one place. I hate having to use Instagram, but a few friends post nice things. Like timeline but with your own feed with only the things i want to see from the sources i want.
Like a daily "You missed this posts, images and ..."
For instance, I'll remember where I was while listening to a podcast or song. But I won't remember which episode or the artist. I'd like to cross reference and search my listening history with my location tracking. Should be easy, right?
I've dabbled a bit with journaling, habit tracking, etc. I've created Shortcuts on my iPhone for quickly adding entries. When I circle back, I intend to add my location to each entry. Resulting in something like "20220324T120000 LAT/LONG I just saw a pair of bald eagles at the beach".
Another to do item is always tracking my location. One of the apps I've got installed is OwnTracks, but I haven't config'd the server stuff.
Any way, I'll definitely be trying your timeliner. Thanks for sharing.
The idea is inspired by the movie Bandersnatch. There's something so powerful about reflection with clarity.
I do have plans to add context to one's timeline; for example, to optionally overlay the weather on that day, or major world or local events. That might be helpful in understanding your own timeline entries in hindsight.
So the life choices thing is interesting. You're talking about divergence points, or nexus events (there are different terms in different literature/cinema), and charting your world lines, basically. (Some Loki and Steins;Gate would be recommended watching.) I am not sure how to do that, but would like to figure that out...
IMHO there are three parts for those tools. Fetching data, storing data and Letting People working with them. But most project I've seen so far for this, are doing all this together, instead of having individual parts, which would allow other people to build optimized parts for themself.
I'm not really sure what you mean by "optimized parts" but I'm happy to get more feedback on that!
(As soon as Timelinize has a private beta I'll probably create a forum for more in-depth discussions like this.)
[1]: https://twitter.com/HypercoreProto
Even on something like a QNAP (which can be compared to managed hosting) this can be hard. Flip the wrong switch and you expose something to the world. Missed a security update: your device is now vulnerable.
While I host a lot of things myself I can understand self hosting is not for everyone.
I have never volunteered to maintain servers since, it was horrible and everything was always my fault (it kinda was, I was a hobbyist at best with no real production Linux experience.)
I do still end up as the dev ops/infra guy at every place I’ve worked but at this point I’m probably one of those stubborn senior guys who wouldn’t like the way the juniors went about it.
Now I'd rather leave hosting to a someone dedicated to it who has internalized the latest state of things for all the relevant bits of software and is constantly keeping this knowledge in their brain. Set and forget self hosting can't work in the current environment we have where things require constant security updates and complex security hardening.
I used to backup to external drives. Now I use bare ones since finding big externals got difficult.
I use (and probably abuse) docker compose. K8s is great but compose is easier.
I use a single makefile. Kinda ugly but it's fine.
Bunch of friends and family use my "services". They usually chip in for hard drives and stuff.
I have a few central points of failure but it keeps things easy. My uptime still beats most big clouds - though I have it easier.
I accidentally took down my server for a few days from a botched hardware install. It's a bit funny because now we realize how critical the home server has become to us.. on the other hand, already got the spouses blessing to build a backup standby server.
Maintaining inherited environments is also much more painful than ones you get to design from the ground up. I work with varied environments, and one with ~250 RHEL / CentOS machines has approximately the same level of maintenance burden as another with a dozen or so Ubuntus because the first environment has had configuration management from the beginning and the second is a complete mess that I've slowly tried to reverse-engineer and clean up.
When your change management works, maintaining a dozen servers isn't all that different from maintaining a thousand or more; and the need for change management and automation doesn't really go anywhere even when you don't self-host things.
There's honestly so many posts that make it look so easy, but without everything else that would normally make it a job position in a company :)
All these script kiddie tutorials are terrible at showing how to maintain a server for years.
Easiest solution is to just host stuff on a local network without access to the wider internet. E.g. running on an old laptop/raspberry pi/server in your basement.
Sure, that means you can no longer access your self-hosted stuff when you're out of the house, but the tradeoff is peace of mind about your data leaking or worse.
Lots of things I'd consider self-hosting are functionally useless if I can't access them from my phone while out and about.
I could put my phone on a VPN, but that's just another layer of complexity to add to the self-hosting process.
I think Tailscale opens up all kinds of new opportunities for self-hosting.
One strategy for dealing with accidental misconfigurations is to employ a "network slug"[1]:
"A Network Slug, or "Slug", is a transparent layer 2 firewall running on a device with only two interfaces. ... The purpose of a Slug is to reinforce a security policy or to block uninentional leaks of information."
[1] https://john.kozubik.com/pub/NetworkSlug/tip.html
I would really like to make such devices for home or office use. What would be a good device to use for this? Unfortunately, RaspberryPIs do not come with 2 or 3 NICs. Any recommended alternatives?
It also does “waterfall” egress packet delaying.
I'm pretty sure we all used to that and it was mostly fine.
I get that the mainstream computer user has been lost to techno-infantilism. But why should we?
I recognize that this embarrassment of riches is in part my own fault. But this is my answer to your “why”
If it becomes simple again I would gladly self-host.
It doesn't even require actively flipping switches, but can be from not knowing a vulnerable feature was enabled by default. My QNAP got hit with ransomware because of a vulnerability in the cloud access software that I wasn't even using. I've since locked down all non-local traffic.
I'd say the point being: I'm a software engineer who knows better about these sorts of things and still got caught with my pants down. You have to be very judicious with respect to security. You can't just plug and play and say "I'm too busy to worry about that."
Another thing I'll add is the amount of software tools they have on these NAS machines strikes me as 1) very impressive for a company their size and 2) a huge surface area rife for being hacked. When it happened I wasn't surprised at all.
I've since stopped using it because at the end of the day I'd rather pay Dropbox to have peace of mind.
_anyway_
I haven't been hacked.. yet. /me knocks on wood
The precautions I take are basic:
I figure cloud services and SaaS get hacked anyway. I can't enumerate the breaches my data has been a part of. If my self-hosted stuff gets hacked at least I can do the forensics and actually see what happened and what was accessed. With a 3rd party all I can hope for is what their PR department lets out.Personally, I tend to self host the things whose maintenance I at least find satisfying, and hopefully enjoy. Otherwise I pay someone (through ads or my own money) to do it for me.
I'd like to believe the engineers running Google Photos or iCloud are spending a lot more time on keeping my photos secure and available than I would be willing to put into a server running in my basement.
In the case of a business hiring an MSP to manage something complex like firewalls, Active Directory, server patching, then sure it's reasonable to assume that if they made a mistake, the impact would be equivalent to you making the mistake yourself.
It's possible you need to tell whomever you are reporting to for these post-mortems, they should be outsourcing to reputable service providers in order to free up time and man-hours, not necessarily just to save financially. I suspect that is the real problem.
Maybe I'm too old (experienced) and cynical, but I always read that as "apps that are going to brick themselves". No thanks.
Drop in replacement while outside LAN are admittedly a little harder and more at risk of mistakes
automation is not a thing? I'm pretty all cloud providers do it...
I must say, it has not been easy at all. I learned a lot of things. I did not attend any school lectures to learn this. I am still in high school, but thanks to the beauty of the internet and a ton of effort I was able to get a static blog working, learned a lot about free software, how sometimes just using certain web servers is just too complex.
The main web server is at [0]. It runs on my home internet connection. Thankfully they do allow for port forwarding. But it's certainly a good exercise to understand how much we give for granted to giant and sometimes small corporations.
I've learned to write and express my feelings among lots of other technical knowledge.
references
[0] https://blog.trevcan.duckdns.org/
[1] https://trevcan.duckdns.org/
Ubuntu is pushing me away with their idiotic focus on snap every new release but I'm not hosting anything on a server that I can't just run sudo dpkg-reconfigure unattended-upgrades on to auto install security patches. I still need to reboot my servers from time to time, but that's rarely ever really necessary for security. It's a shame because I think the "closer to the metal" approach of Arch works quite well for server setups.
But I never had the idea to use it to host internal or external stuff there.
Kudos to you.
So far the whole operation has cost around $30k (small business). We stand to save $1-1.5k per month at the moment, less the cost of symmetrical fiber about $500/mo.
Next year it will pay off but this year we definitely won’t break even on the servers.
How has this has changed our culture? Well, what I have enjoyed about the whole process is now we have a bunch of spare capacity, so we can spin up demo servers for SMB clients for even a few months and it “costs us nothing”. Then we can arrange payment later when they fully appreciate the service. We don’t take any risks anymore with bills that need to be settled to cloud providers. This has changed how “generous” we are in the outset with our clients. It feels really healthy to be able to do this.
The problem with XaaS it's how little control we have. Not only the rules of pricing can change any day, but if you're already dependable on the service, they could easily shut down that service if it's not profitable enough, and with some luck you will only be able to migrate in a few months.
And there is actually imho no black and white answer. Take a current, very small freelance client of mine. I built them a homepage based on Kirby CMS. Hosted on uberspace.de. On the same shared server there is Matomo being hosted for basic stats.
Another client I was involved in went another way. They had their site built by a team of designers with webflow and are using Google Analytics.
In both cases the decision makes sense given the conditions and constraints of the respective projects.
Personally I would have not recommend to use webflow, but that was not my call to make. For GA I provided a pro/con evaluation and the client decided to go with GA (not my primary recommendation). I still think for his use case at the time a sensible decision.
Gives you all that extra benefit you speak of of the extra compute headroom that you can use for spinning up any demo server application you want, and saves you all the costs, risks, and headache of managing your own hardware.
Why the debate of cloud vs on prem? The logical sweet spot in the middle seems to be vps to me.
You're still managing a server, but now you're paying through the nose to do it.
The costs just simply don't work out nicely to anyone who can afford to buy at even small scales.
A 4 cpu, 8gb ram machine will pretty commonly run you $50 a month, with less than 200gb storage. You're paying 600/year for a machine that I can build (with better specs) for ~400.
Not to mention that the machine you buy yourself will have a lifespan of 3 to 8 years.
So sure - once you factor in bandwidth, storage location, power - you're probably not going to save money in the first year. But by year 2 you are, and by year 4 you've saved a considerable sum.
I have a few old computers that are still kinda beefy (quad cores and a 6-core, 16+ Gb ram, some old but still working 3TB hdd). Would it be stupid to run some of my code and data on these? Not everything I have needs to be geographically close to users or something like that, such as a mass notifier service that runs every so often. For example I’ve got a few auxiliary services that I’m sure I could run just fine off these machines, but I chose the cloud because it’s what I’m used to from work.. I have a fiber connection at home and I’m anyway powering my laptops and other electronics 24/7..
Obviously not a bigger business like your use case but I’m just curious. Some services cost quite a bit and I feel like I have better hardware for some things (non database) than what I pay for.
We host out own servers, and the bulk of the time is ensuring that the power doesn't go out, that there is a backup internet connection, that the HDs are on RAID, that the server has a backup server available (and the router, and the switch, and the NICs), and that the management network is available, and that the location has proper security monitoring, and that the offsite backup happens nightly, and that we have an employee that knows how to do all of the above... All of that is time consuming and expensive.
...BUT, some people/some companies actually enjoy that sort of thing, in which case, it can work out financially - though often you're sacrificing one of the 9's in your 99.99% uptime/reliability.
The cost of purchasing a lower power SBC (x86, ARM) might be very quickly offset.
A RaspberryPi can handle a surprising amount, especially the 4/8GB models. The trick is using low resource software.
Honestly - Most cloud services are exorbitantly over-priced. There's a reason AWS is ~15% of amazon's total revenue, and Azure now pulls in more revenue than any other MS product.
I throw old machines into a micro-k8s cluster. It costs me literally pennies on the dollar for much better computing hardware compared to a vps.
Like a good edge router, redundant power supplies, RAID arrays, a backup mechanism, and a very good upload connection (ie 500mbit). By the time you setup all that, you may as well be using new hardware to make the investment worth it.
Self hosting should be easy enough for everyday people. Perhaps preconfigured servers that treat services just like apps. Once I have a server setup, I should be able to install (and uninstall) services in a single click. The OS can handle permissions and containers.
https://sandstorm.io/ was the biggest one but as far as I can tell its largely unmaintained and most of the apps are outdated
https://yunohost.org/ probably has the best "just works" experience but I didn't like that it wasn't using any kind of containerization which has caused them issues with shared libraries like PHP being difficult to update. As well as security concerns about one insecure app giving access to the whole server.
Ultimately the problem is just extremely difficult / high maintenance. And no one wants to pay for this work.
It results in a better experience for end-users because applications are actually sandboxed. This (mercifully) means that any security issues in the out-of-date applications does not become a cause for panic. The downside is that packaging those applications is not trivial.
Unfortunately their default for my raspberry pie didn't "just work" on the Saturday evening I tried it. It was my first foray with that raspberry pie, so installed a different server OS and spent the rest of the evening setting up a basic server for an HTML file and learning more about SSH. That was my experience as a non-IT engineer. I'd be interested in other people's experiences using yunohost (or sandstorm for that matter).
Maybe the solution isn't to make an idiot-proof stack of tech. Maybe we need a central repo of tutorials and how-tos so that any idiot could self host? Something better than the scattered YouTubes and blogs I remember seeing when I Googled after this.
But the general problem with those projects is, they all are packaging their own apps, and most of those have a very low number available. Some of thise apps are outdated, or are not well tested. It's quite strange that we have dozens of linux-distributions, each with thousand of packages, yet we have no good solution that actually works well enough.
You either have solutions which are hiding everything in a tanglement which is hard to understand, or you must do all the work yourself, or you live with the in-betweens which offer only a handful of apps. Maybe in another 20 years we have something workable on all levels...
imo the reproducability guarantees of docker aren't enough and domething like NixOS is needed.
Because frankly, I would rather have the server running on a little device in my home than having to mess around with things like SSH and a VPS. An app that is running on a little computer in my house is both more understandable and easier for me to maintain.
[1]: https://getumbrel.com/
I think the single most important thing of any software is "how do i install this". Thats the first thing i search for on a github repo.
And please no outdated tutorials, that sucks so bad ... that i give up and don't use it.
Here's my solution to all of them:
Invest in your common infra. Docker provides stable images configured primarily with env vars. I have a docker-compose host with logging/monitoring/alerting. All service-specific files are mounted from a NAS that has backups. All network access is closed by default, but exposed via a central login proxy (tailscale would be an easier alternative, but my Beyondcorp-esque system lets non-technical family members use my services easily from anywhere by tapping a yubikey).
That's 3 pieces of infra to maintain (docker host, NAS, login proxy) but I can check all the boxes for self-hosting 15+ services. O(n) services with O(1) infra.
I regularly spin up new services in under 10 minutes, while only having to touch 3 files that I am already familiar with (docker-compose.yml, dnsconfig.js, nginx.conf). I've run stable services for years on this stack. The only painful issues have been upgrades to the docker host, docker ipv6, and hardware issues.
This is all on a recycled computer in the basement, with a cheap VPS as a stable public entrypoint.
Ultimately I also gave up and now have a combination of port forwarding, nat64, and 10+ socat proxies in my docker-compose file. (Specifically, intranet->container and container->intranet are ipv6; but container->container is still ipv4)
More generally, I now try to keep my docker host as stock as possible. Whenever I'm reaching for daemon.json I just catch myself, take a step back, and say "what's the stupid but easy way to get this working".
You want something that just works without the user having to know anything.
Self hosting has zero standardisation around hardware, software, install mechanisms. It's a Dev led movement that has everything to do with control and ownership over ease of use. You want mainstream adoption of self hosting. Rebrand it, standardise it, make it easy for non devs.