  • With regards to the backup key, Yubikey recommends to save (screenshot) the QR code that is generated during 2FA setup to setup the backup key later on. Maybe that is also a workaround for services that only allow a single 2FA device. https://support.yubico.com/hc/en-us/articles/360021919459-How-to-register-your-spare-key

    Just looking back at my purchase history, I got my Yubikeys back in January 2020, it appears that I never read this doc about scanning the QR code for the backup key, or maybe I did? I don’t really remember it all too well. Regardless, in certain circumstances my keys do the exact same thing and I’m quite sure I followed some guide to create one primary and one secondary key but it’s possible that guide has gone outdated.

    Similar to something like Keepass, the database is local and you are in charge of making backups and such.

    I can totally respect the folks who opted to self host, I’m horrible when it comes to backing up data and such and self hosting wasn’t really my thing back in 2020 so it never really was on my radar.

    In the end this always comes down to an optimization problem between security and convenience that everyone has to decide for themselves.

    Couldn’t agree with you more, everybody has that dial between convenience and security and should adjust accordingly.


  • Doesn’t cover Traefik, plus the docker-compose.yml contains 4 separate images and researching into them didn’t provide much info. snikket_proxy, snikket_certs, snikket_portal and snikket_server. All four of these images bind to the host but if I am supplying my own reverse proxy then both snikket_proxy and snikket_certs are redundant right? Or do they serve another purpose? And if I wanted to take them off the host network, follow their firewall guide and expose the necessary ports manually behind a docker bridge network what images do I bind those ports to? When I tried binding them all to snikket_server that’s when my docker service crashed and I gave up.



  • Can you explain a little more how you handle them in your daily life? I always liked the idea of Yubikeys, but I am a bit worried that I just would switch back to my phone (Aegis) for convenience.

    I have two Yubikey 5 NFC’s, one I keep majority of my 2Fa auth codes on and keep on my keychain the other I leave at home mainly for backup 2Fa setups or desktop/WebAUTH/Single Sign-On logins, most websites won’t let you setup 2 2Fa keys so the second one mostly handles the plug-in and touch key portion of my setup.

    Are they inconvenient? Yes, the amount of times where I got annoyed because I’ve had to grab my keychain to sign in has gotten annoying but not enough to switch back to online providers. I prioritized security over convenience in this circumstance. The Yubikey that I keep on my keychain also handles my work 2Fa codes, doesn’t feel necessary to have a dedicated key for that unless my company is willing to pay for it.

    Do you just have it on your keychain and plug it in whenever you need it? Because always plugged in keys in your phone or laptop doesn’t really make sense.

    It actually works out quite nice having it plugged in all the time, especially if you’re doing multiple 2Fa authentications, the keys won’t authenticate until you enter the password of the key (if you set one up) and touch the key, so even if your computer is compromised they still need to physically touch the key to generate the authentication codes.

    As far as I know you can’t just clone a key.

    So no you cannot clone a Yubikey to another Yubikey, which I think is dumb, but they have their security reasoning behind it I believe. Like I mentioned earlier all my 2Fa codes/keys are on my keychain so if I break that key I am in a horrible position as I lose access to a lot of accounts that I couldn’t setup multiple 2Fa’s for.

    How easy is it to setup a backup key?

    While Yubico does recommend having two keys as I mentioned certain services only let you setup 2Fa once and not multiple times. However, Linux (and I want to assume Windows as well) let you setup as many 2Fa keys as you want, so both the Yubikey on my keychain and the one I leave at home both grant Root access to my desktop and server.

    I try to not use my phone for critical stuff, but there are times I have to just check an account. Do you use your phone with Yubikeys?

    So I don’t have a USB C Yubikey ironically both my iPhone and iPad are USB C so I have the option to use a dongle or NFC, both have worked great, I have had a couple scares where the app will error and say “No response from key” but it seems that error is due to bad contact/connection. I’ve attached a few images of the iOS app to help get an idea of the layout.

    Once you open the app

    Swipe down to scan for NFC

    After scanning key it shows you your accounts

    Click on your desired account

    Click calculate and scan your key again








  • I’m a bit confused on this comment here:

    Additionally, I’d prefer not to not do something like: Computer -> Home VPN -> Mullvad server -> destination, as my upload speed is pretty bad and this would throttle every non-local connection

    Because you also mention this:

    Computer -> Mullvad server -> Home VPN -> Home server

    Which would be the same thing, no? You’re just making a connection to the Mullvad server first then your home network?


    I’ll share my experience but it looks like it’s not the solution you’re looking for, I opted to use my Asus WRT Router w/ Merlin Firmware to host my VPN server, the Merlin Firmware lets me connect to 5 different VPN clients at a time, in my case 4 different Proton clients and a buddy’s server, I use the “VPN Director” feature to route my VPN Server through one of the 5 different clients effectively creating the multi-hop.

    I personally haven’t noticed much degradation in regard to connection speeds but at the same time I don’t constantly hop VPN clients or have the same internet speeds as you, I typically stick with the server closest to me.

    Edit: To help visualize what I mean:



  • ohshit604@sh.itjust.works to Selfhosted@lemmy.world: What is the current state of Matrix? (2 months ago)

    As the end user my biggest gripe with Matrix is with voice communications, it’s almost as if you sneeze wrong you’ll lose connection to the voice group, screen sharing is horrible, no audio and the window is not adjustable, can’t even make it full screen.

    Now they’re reducing people’s usage by putting in a subscription and locking certain features, at least on the home server.

    While I am disappointed they did at least take my advice and prevent Windows Recall from capturing people’s messages.







  • Something else must be wrong then because I just copied and pasted that onto my raspberry pi and was able to start the container without issue, are you sure you’re using the tag properly?

    user@raspberrypi:~/test $ sudo docker compose up 
    [+] Running 10/10
      lidarr Pulled                                                           22.0s 
        995f2a46b147 Pull complete                                             2.7s 
        e1cde46db0e1 Pull complete                                             3.1s 
        acaee427f4c7 Pull complete                                             3.5s 
        255c3937324a Pull complete                                             4.1s 
        edec534df16f Pull complete                                             4.6s 
        b163a490af0b Pull complete                                             6.3s 
        bd4af268fa91 Pull complete                                             6.8s 
        ff4dab968553 Pull complete                                            14.9s 
        004112d930a4 Pull complete                                            15.3s 
    [+] Running 2/2
      Network test_default  Created                                            0.2s 
      Container lidarr      Created                                            4.0s 
    Attaching to lidarr
    lidarr  | [migrations] started
    lidarr  | [migrations] no migrations found
    lidarr  | ───────────────────────────────────────
    lidarr  | 
    lidarr  |       ██╗     ███████╗██╗ ██████╗
    lidarr  |       ██║     ██╔════╝██║██╔═══██╗
    lidarr  |       ██║     ███████╗██║██║   ██║
    lidarr  |       ██║     ╚════██║██║██║   ██║
    lidarr  |       ███████╗███████║██║╚██████╔╝
    lidarr  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
    lidarr  | 
    lidarr  |    Brought to you by linuxserver.io
    lidarr  | ───────────────────────────────────────
    lidarr  | 
    lidarr  | To support the app dev(s) visit:
    lidarr  | Lidarr: https://opencollective.com/lidarr
    lidarr  | 
    lidarr  | To support LSIO projects visit:
    lidarr  | https://www.linuxserver.io/donate/
    lidarr  | 
    lidarr  | ───────────────────────────────────────
    lidarr  | GID/UID
    lidarr  | ───────────────────────────────────────
    lidarr  | 
    lidarr  | User UID:    1000
    lidarr  | User GID:    1000
    lidarr  | ───────────────────────────────────────
    lidarr  | Linuxserver.io version: 2.12.4.4658-ls50
    lidarr  | Build-date: 2025-08-20T02:50:40+00:00
    lidarr  | ───────────────────────────────────────
    lidarr  |     
    lidarr  | [custom-init] No custom files found, skipping...
    lidarr  | [Info] Bootstrap: Starting Lidarr - /app/lidarr/bin/Lidarr - Version 2.12.4.4658 
    lidarr  | [Info] AppFolderInfo: Data directory is being overridden to [/config] 
    lidarr  | [Debug] Bootstrap: Console selected 
    lidarr  | [Info] AppFolderInfo: Data directory is being overridden to [/config] 
    lidarr  | [Info] AppFolderInfo: Data directory is being overridden to [/config] 
    lidarr  | [Warn] Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager: No XML encryptor configured. Key {bff9bf8a-f5db-4092-9ada-c55e886ac294}
    

  • ohshit604@sh.itjust.works to Selfhosted@lemmy.world: Raspberry pi lidarr docker container (2 months ago)

    Make a docker-compose.yml file and paste this into it:

    services:
      lidarr:
        container_name: lidarr
        hostname: lidarr
    ### Use custom docker network
        #networks:
        #  - CustomNetworkName
        ports:
          - 8686:8686
        image: lscr.io/linuxserver/lidarr:arm64v8-latest
        restart: unless-stopped
        volumes:
          - /path/to/lidarr/config:/config
          - /path/to/music:/music #optional
          - /path/to/downloads:/downloads #optional
        environment:
          - PGID=1000
          - PUID=1000
        healthcheck:
          test: curl --fail localhost:8686 || exit 1
          interval: 60s
          retries: 5
          start_period: 300s
          timeout: 2s
    

    This should work for you, just change the volume mounts so that they associate with your setup and run sudo docker compose up -d to start the container, sudo docker compose down to bring it down.

    LSIO documentation describes the arm64v8-latest tag for their image.