• 0 Posts
  • 10 Comments
Joined 2 years ago
Cake day: June 22nd, 2023

  • One of the primary requirements for my latest project moving a bunch of stuff to self hosted is that if it has a GUI that is going to be internet facing, it either has to support OIDC or it has to be something low risk enough that I feel comfortable setting it up without much security and just setting up a single basic auth login with traefik. A few apps I had trouble finding, but worked most of it out.


  • It’s good to use SSL even if you don’t plan to use it externally. At some point you may change your mind, or you may need to access it via VPN and there may be one hop between your browser and the VPN that will then be in plain text. Plus, not all devices are trustworthy anymore. An Android or iPhone device might have “malware” (including from reputable companies like Google trying to track you for ad purposes but recording unsecured HTTP traffic to do it). Or a friend may bring a bad device over and connect to your wifi and inadvertently capture that traffic. Lots of ways for internal traffic to be spied on.

    Google: “how to create self signed certificate authority on <your workstation OS>”

    And if that article doesn’t have it, google: “how to create a domain certificate from a self signed certificate authority”.

    It doesn’t have to be a valid external domain, just use “.internal” as the top-level domain, which is reserved for this kind of thing, like “vaultwarden.internal”. You can also just use IP addresses in the certificate, but I find that less desirable.

    Then google: “how to add a trusted certificate authority on <all the OSes of all your internal devices>”. Depending on what web browser you use, you may need to add it there as well. Once the certificate authority is trusted by your devices and browsers, then the domain certificate created by that CA will be as well.

    You can set your expiration dates to be far in the future if you want, to avoid having to create new ones often, but be sure to document how, so that in 5 or 10 years, if it’s still set up that way, you’ll know how to update them.
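    The CA-then-domain-certificate procedure described in the comment above, as an added example that is not part of the original comment: a POSIX shell script driving the openssl CLI to create a private CA, issue a certificate for vaultwarden.internal with the name in subjectAltName (browsers ignore the CN for hostname matching), and verify the chain the way a client does once the CA is trusted. The ./pki directory, the file names and the function names are assumptions for this demo, and the CA key never leaves the workstation that runs it.

```shell
#!/bin/sh
# Added example (not from the original comment): a tiny private PKI with the
# openssl CLI. Directory layout, file names and function names are assumptions.
set -e

# make_internal_ca DIR CA_NAME DAYS
# Self-signed CA. Only ca.crt is imported into devices; ca.key stays here.
make_internal_ca() {
  dir="$1"; name="$2"; days="$3"
  mkdir -p "$dir"
  # Explicit config so the result does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -days "$days" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# make_internal_cert DIR HOST DAYS
# Leaf certificate for HOST (e.g. vaultwarden.internal) signed by the CA in DIR.
# The per-host .cnf is kept next to the cert: it documents how it was made.
make_internal_cert() {
  dir="$1"; host="$2"; days="$3"
  cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = leaf_ext
[dn]
CN = $host
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -config "$dir/$host.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  # "x509 -req" does not copy CSR extensions, so the SAN is passed again here.
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days "$days" \
    -extfile "$dir/$host.cnf" -extensions leaf_ext -out "$dir/$host.crt" 2>/dev/null
  chmod 600 "$dir/$host.key"
}

# verify_internal_cert DIR HOST
# Succeeds only if the leaf chains to ca.crt and names HOST in its SAN: the two
# checks a browser performs after ca.crt is in its trust store.
verify_internal_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

# Usage: sh internal-pki.sh demo  (10-year CA, 1-year leaf, all under ./pki)
if [ "${1:-}" = "demo" ]; then
  make_internal_ca ./pki "Home Internal CA" 3650
  make_internal_cert ./pki vaultwarden.internal 365
  verify_internal_cert ./pki vaultwarden.internal && echo "vaultwarden.internal: OK"
  echo "import ./pki/ca.crt on each device; install the .crt/.key pair on the server"
fi
```

    Once ca.crt is imported, the per-host .crt and .key go to whatever terminates TLS (traefik, in the setup from the first comment). Put the long validity on the CA rather than on the leaf: Apple's platforms reject TLS server certificates valid for more than 825 days even from a private CA, so issue leaves for a year or two and rerun make_internal_cert when they expire.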


  • Cloudflare DDNS updated by ddclient on my OPNsense router. Cloudflare happens to be my current domain registrar. Honestly, my IPv4 doesn’t change that often. And when I used to be on Comcast, they assigned a block of IPv6 addresses and the router dealt with that. Unfortunately, I now have Quantum Fiber, who only assign a single IPv6 address, so I gave up on IPv6 for now.


  • I self-host a lot, but mostly on cheap VPSes, in addition to the few services on local hardware.

    However, these also don’t take into account the amount of time and money to maintain these networks and equipment. Residential electricity isn’t cheap; internet access isn’t cheap, especially if you have to get business-class Internet to get upload speeds over 10 or 15 Mbps or to avoid TOS breaches for running what they consider commercial services even if it’s just for you, mostly because of cable company monopolies; cooling the hardware, especially if you live in a hotter climate, isn’t cheap; and maintaining the hardware and OS, upgrades, offsite backups for disaster recovery, and all of the other costs. For me, VPSes work, but for others maintaining the OS and software is too much time to put in. And just figuring out what software to host and then how to set it up and properly secure it takes a ton of time.




  • irotsoma@lemmy.world to Selfhosted@lemmy.world: Should I move to Docker?
    1 year ago

    Docker is nice for things that have complex installations and I want a very specific implementation that I don’t plan to tweak very much. Otherwise, it’s more hassle than it’s worth. There are lots of networking issues like limited/experimental support for IPv6, and too much is hidden and preconfigured, making it difficult to make adjustments that would otherwise just be a config file change.

    So it is good for products like a mail server where you want to use the exact software they use, like let’s say postfix + dovecot + roundcube + nginx + acme + MySQL + SpamAssassin + amavisd, etc. But if you want to use an existing reverse proxy and cert setup, or want to use a different spam filter or database, it becomes a huge hassle.