Incessant tinkerer since the 70’s. Staunch privacy advocate. SelfHoster. Musician of mediocre talent. https://soundcloud.com/hood-poet-608190196

  • 11 Posts
  • 195 Comments
Joined 2 months ago
Cake day: March 24th, 2025


  • (mostly illegal sports streaming sites)

    This doesn’t accomplish what the legislature intends. It never does. For instance, in the US, Texas, in all their wisdom that can’t keep an electrical grid running smoothly without duct tape and baling wire, has decided to ‘ban’ PornHub. It makes all the christofascists’ dicks hard because in their mind, they have rooted out evil and destroyed it. (See Satanic Panic in the 80s.) However, their weak, little minds cannot comprehend the fact that for every technology, there exists an equal, yet undoing technology.

    Do it for the children, I hear them say, and I would agree in this example that children should not be viewing porn. A better solution would be to make parents actually parent. You brought a service into your home that can be both highly detrimental and highly beneficial, and then you turn around and give it all, including a cell phone, to a very inquisitive mind uninhibited, unmonitored, and uncontrolled in any manner. You’re the problem, not porn.

    /end soapbox


  • Is a cheap VPS on Hetzner where I installed Python, PieFed and its Postgres database but also nginx and letsencrypt manually by myself and pointed my domain to it, selfhosting?

    I don’t get hung up on the definitions and labels. I run a hybrid of 3 VPSs and one rack in the closet. I’m totally fine with you thinking that is not selfhosting or homelabbing. LOL I have a ton of fun doing it, and that’s the main reason why I do it: to learn and have fun. It’s like producing music, or creating bonsai, or any of the other many hobbies I have.


  • irmadlad@lemmy.world (OP) to Selfhosted@lemmy.world · Logwatch · 2 points · 8 hours ago

    If you’re worried about system resources that’s one thing

    My thoughts were that, even tho I know Graylog et al. are fantastic apps, if I could get away with something light, like Logwatch and lnav, that would allow me to read logs fairly easily and be lighter on resources, I could channel those resources to other projects. I’m working from a remote VPS with 32 GB RAM, so yes, I can run the big apps, and I know just enough about Docker so that it’s not way over my head as far as complicated. This particular VPS has only one user, so I’m not generating tons of user logs etc. IDK, it all made sense when I was thinking about it. LOL I do like a nice, dialed out UI tho.

    I have a docker compose file that handles Graylog, Opensearch, and Mongodb

    I certainly would like the opportunity to take a look at it, maybe run it on my test server and see how it does.

    'presh



  • I do know how to pull containers. I’m concerned with pulling a Docker container that may be laced with xmrig, for example, or opens a port by which a nefarious actor could gain access, much like in a Windows environment. There are repositories like Docker Hub, but do they go through and verify all containers? I highly doubt they verify user content/containers. They do have verified containers, but not all of them bear the verified earmark.




  • As you can probably see OP, AI doesn’t get much airplay here for some odd reason. I think it’s pretty damn amazing, tho I think it gets overhyped. For example, an AI Rice Maker. AI is at its gimmicky stage right now for the average, normal consumer, a selling point if you will. Kind of like when we discovered ‘the cloud’. Well, we’d been doing that for a while before the cloud became a selling point. Everyone and their brother trampled over each other to move entire operations to the cloud. Merely mentioning ‘the cloud’ in a board room meeting would make CEOs jizz their pants. Then we figured out that not everything that can go in the cloud should be in the cloud, and so we regrouped. I see AI currently like that.


  • Lemme ask you about ADHD?! I’m pretty sure I have it but don’t care. I am who I am. How about you?

    I’ve long been told that I have the tenets of ADHD. When I was a young lad, ADHD was not something that doctors looked for. Then, as time progressed and we learned a lot more about ADHD, two lines of thinking emerged. Either ADHD is a real illness, or it was bunk science. Nowadays, we know a ton more about these kinds of mental maladies and I truly feel that more people than we realize are on the spectrum.

    I have had a TBI which gifted me a seizure condition as well as other mental/neuro maladies. I’m sure a lot of my issues stem from the TBI as well. It has definitely made drastic changes in how my brain works, and sometimes the simplest of tasks are hard for me to comprehend. However, after falling from 2 stories onto a concrete pad and lying there in a pool of blood for an unknown amount of time before someone found me, I feel quite fortunate to be alive.


  • On the other hand, put me into a room with a teacher who tries to teach me specifics about a tech I don’t care about, and I will promise you, I will learn nothing. Even worse, I will start to hate that tech.

    Interesting. I read a lot. Probably TBs of data per day. I don’t watch TV, not even news or weather. It’s not a religious thing and it doesn’t make me holier than thou. I just find that reading is best for me. However, if you hand me a traditional book, I will never crack the binding. Put that same book in a digital format that I can read from my devices, and I’ll read it cover to cover and probably store the document to read later.

    We’re all kind of quirky and we all have our own optimum way to learn. Mine is usually just screwing shit up until I get it.



  • Oh, it happens to the best of us. I was working on a simple cron the other day with the cron string that would insert the cron into my cron config, something like ‘echo’ and the normal string you’d recognize, and ended with a ‘-’. I wasn’t paying attention and issued the command, which did insert itself into the cron config, but in a manner in which I didn’t want. It replaced the whole cron file with that one string. #$@^$$ Luckily I have a cron to back up the crontabs.
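Added example, not part of irmadlad's comment: the mishap above is what `echo '<line>' | crontab -` does by design, since `crontab -` reads a complete new table from stdin and replaces whatever was there. This script (written for this page, with an assumed `CRON_BACKUP_DIR` location) reads the current table, appends one entry only if it is not already present, and keeps a timestamped backup before installing the result. The merge step is plain text processing so it can be exercised without touching a real crontab.

```shell
#!/bin/sh
# Added example (not from the original comment): add ONE crontab line without
# replacing the whole table, taking a backup first.

# merge_cron_entry FILE ENTRY
# Print FILE's lines (if it exists) with ENTRY appended, unless an identical
# line is already present. `awk 1` re-emits each line with a newline, so a
# table whose last line lacks one cannot fuse with the new entry.
merge_cron_entry() {
    file=$1
    entry=$2
    if [ -f "$file" ]; then
        if grep -qxF -- "$entry" "$file"; then
            awk 1 "$file"              # already installed: emit unchanged
            return 0
        fi
        awk 1 "$file"
    fi
    printf '%s\n' "$entry"
}

# install_cron_entry ENTRY
# Back up the live crontab to a timestamped file, then install the merged
# table. CRON_BACKUP_DIR is an assumed, user-chosen directory.
install_cron_entry() {
    entry=$1
    backup_dir=${CRON_BACKUP_DIR:-"$HOME/.crontab-backups"}
    mkdir -p "$backup_dir"
    current="$backup_dir/current.$$"
    # `crontab -l` exits non-zero when the user has no crontab yet: treat as empty.
    crontab -l > "$current" 2>/dev/null || : > "$current"
    cp "$current" "$backup_dir/crontab.$(date +%Y%m%d-%H%M%S)"
    merge_cron_entry "$current" "$entry" | crontab -
    rm -f "$current"
}

# Usage (not run automatically):
#   install_cron_entry '*/15 * * * * /usr/local/bin/check-disk.sh'
```

Because `merge_cron_entry` is idempotent, the same provisioning script can be re-run safely; the backup directory gives you the same recovery path the comment relies on, without waiting for the nightly job.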


  • I’m currently self-hosting several services and looking to harden my setup

    If you are looking to harden your server, might I suggest installing Lynis. Lynis will extensively scan your server, and at the end of the scan it will print the output of the tests, including a score of 1-100 and recommendations on how to fix, secure and harden the server. Not all of the recommendations will be applicable to you.

    A proper WAF (Web Application Firewall)

    I use Crowdsec. While Crowdsec is not a trad WAF, it is more than capable when set up correctly. I use Crowdsec in conjunction with UFW, Fail2ban, Tailscale, rkhunter, and chkrootkit. I have fail2ban in aggressive mode, since I am the only user, or legit user that is. ;) I have been accused of going overboard on security.

    Traefik, BunkerWeb, and Pangolin.

    You mentioned these, and I have never used them. I’m assuming you are going for a reverse proxy as part of your hardening methods. I use Caddy, and it’s real simple to set up. It also takes care of your cert renewals automatically.

    Bonus: nice dashboard or at least logs that make sense

    Most of the logging apps like Syslog, Graylog, or similar I’ve found to be quite heavy, as they need a lot of additional modules to run, like databases, Elastic, et al. I recently discovered lnav, with the help of the kind folks here. It is not a pretty, graphical, dialed out dashboard. You view the logs in the terminal. Very light on resources, and does exactly what it says on the tin. Check it out.

    Tailscale

    Do it! It’s easy to set up and works very well. You can pipe all manner of things through Tailscale like ssh, sftp, etc.

    Also, don’t forget about using ssh keys. I know there is a lot of discussion about changing the ssh port number and how effective it really is. For about 5 minutes of your time, you can have it all set up, and it will, at the very least, cut down a lot of noisy bots. If you want to go even further, you can set up hosts allow/hosts deny: sudo hosts.allow and sudo hosts.deny. Make sure you edit hosts.allow first. LOL

    You may want to look into Debsums, AIDE, iptraf-ng, AppArmor, Deborphan, unattended updates, Maldet, etc., which will probably be recommended by Lynis when you initiate a scan.
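Added example, not part of irmadlad's comment: the ssh-key advice above comes down to a few `sshd_config` directives, and the easy mistake is to add `PasswordAuthentication no` below an earlier `yes`, which sshd silently ignores because it keeps the first value it reads for each keyword. This audit script (written for this page, with constructed sample configs rather than any real server's file) resolves the effective value the way sshd does, falls back to OpenSSH's documented defaults when a keyword is absent, and prints a PASS/FAIL line per check. Port is reported only as INFO, since a non-default port cuts scanner noise but is not itself an access control.

```shell
#!/bin/sh
# Added example (not from the original comment): audit an sshd_config for the
# key-only login posture. Assumes OpenSSH semantics: first value wins for each
# keyword, '#' lines are comments, and anything after `Match` is conditional.

# sshd_effective FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comment or blank
        tolower($1) == "match"                { exit }      # conditional section starts
        tolower($1) == tolower(key)           { print $2; exit }
    ' "$1"
}

# check_directive FILE KEYWORD WANT DEFAULT
# Compare the effective value (or DEFAULT when the keyword is absent) with WANT.
check_directive() {
    file=$1; key=$2; want=$3; default=$4
    val=$(sshd_effective "$file" "$key")
    src=config
    if [ -z "$val" ]; then val=$default; src=default; fi
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$want" ]; then
        printf 'PASS %s=%s (%s)\n' "$key" "$val" "$src"
    else
        printf 'FAIL %s=%s (%s), want %s\n' "$key" "$val" "$src" "$want"
    fi
}

# audit_sshd_config FILE -> one line per check; defaults are OpenSSH's documented ones
audit_sshd_config() {
    check_directive "$1" PasswordAuthentication        no  yes
    check_directive "$1" KbdInteractiveAuthentication  no  yes
    check_directive "$1" PermitRootLogin               no  prohibit-password
    check_directive "$1" PubkeyAuthentication          yes yes
    port=$(sshd_effective "$1" Port)
    printf 'INFO Port=%s\n' "${port:-22 (default)}"   # noise reduction only, not a control
}

# Constructed sample configs for demonstration (not real server files).
weak_sshd_config() {
cat <<'EOF'
# password logins still on, root allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

hardened_sshd_config() {
cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
# the next line is ignored by sshd: the first value above wins
PasswordAuthentication yes
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# a Match block only applies to that user, not globally
Match User backup
    PasswordAuthentication yes
EOF
}

if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config`; on a Debian-style host also check any drop-ins under `/etc/ssh/sshd_config.d/`, since an `Include` there is read before the main file's own directives and therefore wins under the first-value rule. Before turning password logins off, confirm a key-based login from a second session actually works.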





  • Do you have a particular risk that you are worried about?

    A couple of the Docker compose files I’ve used have non-hashed secrets in the compose itself. I am assuming, should someone penetrate the firewall and gain access to Portainer somehow, they could see these compose entries just like I can. While I feel like I have adequately hardened the server (Lynis reports a score of 87) and I have rather robust IDS/IPS, firewall, and assorted accoutrements to support a secure server, there’s always that ‘what if’ scenario running in my brain and it causes doubt. Perhaps a secrets manager is overkill for a single user, docker container server.
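Added example, not part of irmadlad's comment: a small scanner (written for this page) that flags environment entries in a compose file whose key looks secret-bearing and whose value is a literal, next to a constructed sample that shows the weak pattern alongside the two fixes that need no secrets manager: a `${VAR}` reference filled from the host environment or a `.env` file, and the `*_FILE` convention pointing at a Docker secret mounted under `/run/secrets`. The scanner reports only the key and line number, so its output can be pasted into a ticket without leaking the value.

```shell
#!/bin/sh
# Added example (not from the original comment): find plaintext secrets in a
# docker-compose file. Heuristic: an environment key matching a secret-ish
# pattern whose value is a literal rather than a ${VAR} reference or a path.

# scan_compose_secrets FILE -> prints "FILE:LINE: KEY" per finding
scan_compose_secrets() {
    awk -v sq="'" '
    /^[[:space:]]*#/ { next }                                # skip YAML comments
    {
        line = $0
        sub(/^[[:space:]]*(-[[:space:]]*)?/, "", line)      # drop indent and list dash
        if (!match(line, /^[A-Za-z_][A-Za-z0-9_.-]*[[:space:]]*[=:]/)) next
        key = substr(line, 1, RLENGTH - 1); sub(/[[:space:]]+$/, "", key)
        val = substr(line, RLENGTH + 1)
        sub(/[[:space:]]+#.*$/, "", val)                    # trailing YAML comment
        sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
        if (substr(val, 1, 1) == "\"" || substr(val, 1, 1) == sq) val = substr(val, 2)
        if (substr(val, length(val)) == "\"" || substr(val, length(val)) == sq)
            val = substr(val, 1, length(val) - 1)
        if (val == "") next                         # section header such as "secrets:"
        if (substr(val, 1, 1) == "$") next          # ${VAR}: supplied from host env / .env
        if (toupper(key) ~ /_FILE$/) next           # *_FILE: path to a mounted secret
        if (toupper(key) ~ /(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/)
            printf "%s:%d: %s\n", FILENAME, NR, key  # report the key, never the value
    }' "$1"
}

# Constructed sample compose file (not a real deployment).
sample_compose() {
cat <<'EOF'
# constructed sample, not a real deployment
services:
  db:
    image: postgres:16
    environment:
      - POSTGRES_USER=app
      - POSTGRES_PASSWORD=hunter2            # weak: literal secret in the file
  cache:
    image: redis:7
    environment:
      REDIS_PASSWORD: "changeme"             # weak: same problem, map form
  app:
    image: example/app:latest
    environment:
      - DB_PASSWORD=${DB_PASSWORD}           # better: from .env or the host environment
      - API_TOKEN_FILE=/run/secrets/api_token # better: read from a mounted secret
    secrets:
      - api_token
secrets:
  api_token:
    file: ./secrets/api_token.txt
EOF
}

if [ "$#" -gt 0 ]; then scan_compose_secrets "$1"; fi
```

Run it as `sh scan.sh docker-compose.yml`. Moving a value into `.env` or a secrets file does not make it unreadable to someone who already has Portainer or shell access to the host, but it does keep the secret out of the compose file itself, which is what ends up in git history, in backups, and in the Portainer stack editor. Keep `.env` and the `secrets/` directory out of version control and readable only by the deploying user.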