Hello, I currently have a home server mainly for media, in which I have an SSD for the system and 2 6TB hard drives set up in raid 1 using mdadm, its the most I can fit in the case. I have been getting interested in ZFS and wanting to expand my storage since it's getting pretty full. I have 2 12TB external hard drives. My question is can I create a pool (I think that's what they are called), using all 4 of these drives in a raidz configuration, or is this a bad idea?

(6TB+6TB) + 12TB + 12TB, should give me 24TB, and should work even if one of the 6TB or 12TB fails if I understand this correctly.

How would one go about doing this? Would you mdadm the 2 6TB ones into a raid 0 and then create a pool over that?

I am also just dipping my toes now into Nixos so having a resource that would cover that might be useful since the home server is currently running Debian. This server will be left at my parents house and would like it to have minimal onsite support needed. Parents just need to be able to turn screen on and use the browser.

Thank you

I have two computers with Windows 10. Preferably the simplest option, so that at the other end people with minimal IT competence can figure it out

Do you guys have any suggestions for a 1gig ethernet modem that openwrt or ddwrt supports?

Another successful OpenBSD setup

I've been buying these little boxes from AliExpress for years to use as firewalls and routers. My oldest one is almost 9 years old now! OpenBSD installs just fine. Just a BIOS tweak to always boot up after power is restored.

@selfhosted #selfhosting #selfhosted #openbsd #runbsd

Hi! I hope this is the right community to ask.

Next week I will be on the road for 5 Days for work. I have quite some spare time, so I thought I would dig up my raspberry project again and hopefully finish it.

I need it with me, because it controls some hardware, so a VPN to home does not work. So only option I could think of, is to connect the pi directly to my laptop via an ethernet cable. As far as I understood from some research is that I would need to install and run an DHCP server on my laptop, which they did not recommend. Alternatively they suggested to just take a router and plug both devices in there. I don't really have a spare router, so that's not an option either.

To be hones it confuses me a little, that there does not seem to be a standard for connecting to a device directly over a single cable and login with a user account.

Any recommendations how I can work on the pi like with ssh?

Thanks a lot!

I have an 8gb Raspberry Pi 4 that has been a workhorse for years. I keep it for my not intense but essential networking purposes, NetBoot.xyz, Homepage, etc., because I can run it over PoE, so it is always on as long as my network is up.

It is growing long in the tooth, and I find myself wanting to replace it with something a bit more capable. Looking at the 8gb Pi 5 at $80 plus another $30 for a PoE hat, I wonder if there is something out there that would be a better value for running PoE? Can you convert a micro pc over to PoE? Does anyone have any recommendations for computers that run off PoE or can be converted to PoE?

Is there a way I can use reverse proxy like nginx to proxy the traffic to the Lemmy instance deployed with Ubergeek77 method?

I need the instance to be behind dedicated proxy, like Nginx.

Whenever I try to set up the proxy I get the "Bad Gateway" error or error in the redirect.

If I proxy through CF it works, but I want to use my own dedicated proxy server and I have problems with it. Why CF works and my Nginx proxy does not?

Hi all!

I'd like to share some slow, but steady progress I've made on my self-hosted personal photo gallery - a Google Photos alternative. It's been a while since I last posted any updates - the last time was about v0.9.2 on /r/selfhosted, so it's actually my first post here.

What's new?

Lots of things! Here's a quick summary:

• New website! photofield.dev - bonus, it's embedded in every install, in fact, even the website is just hosted from the app itself. 😎
• UX polish - lots of small improvements, like better interaction & fixed video controls and better error messages & autoreloading config.
• Zoomier than ever - since v0.15.0 when you zoom into a photo, it zooms the whole scene! This wasn't the case for a few versions due to a technical detour, but I found a way to get it back without too many compromises.
• Related image search - you can Find Similar Images now, using the same AI functionality as the semantic image search.
• Map view - you can see your photos on a map. Still has some quirks, so make sure to zoom in first. To be improved.
• Reverse geolocation - you can see the location of a photo in the timeline view. Completely local, using tinygpkg.
• Tags (alpha) - you can tag your photos now. Quite basic for now, but should be a good foundation for things to come.
• ARM Docker images - since v0.14.1 the published Docker images are multiarch - x64 and arm64, including photofield-ai. Makes it possible to run on cheaper, ARM-based servers, and faster on M1/M2/M3 Macs.

Show me the demo

https://demo.photofield.dev/

Now hosted on Hetzner's arm64-based CAX11 - 2 vCPUs & 4 GB of RAM - the cheapest one.

The photos are © by their authors. Since migrating to the CAX11, it only uses one size of internally pregenerated sqlite-based thumbnails, taking up roughly 4% of the disk space of originals. Support for Synology Moments thumbnails is still there, but doesn't seem as crucial as before.

How do I try it out?

It's very low commitment, a single executable or Docker image that you can mount with read-only access to an existing file structure, see Quick Start (also on GitHub if the website is dead).

Another one??? Why?

It's a conspiracy to increase fragmentation and increase shareholder value of big tech companies. 😄 Jokes aside, I think there is some space for a fast, self-contained, extremely easy to deploy solution. But mainly, it's to scratch my developer itch and I get to learn new things.

Thanks

Thanks to everyone who's been using it, contributing, and giving feedback! See also foss_photo_libraries for alternatives if this doesn't fit your needs.

Let me know what you think and what you'd like to see next! 🙏

I want to migrate my Nextcloud instance from MariaDB over to PostgreSQL. I already have a PostgreSQL service running for Lemmy. And I'm pretty starved for RAM.

Would it be better to just have one PostgreSQL service running that serves both Nextcloud and Lemmy? Or should every service have its own PostgreSQL instance?

I'm pretty new to PostgreSQL. But in my mind I would tend towards one service to serve them all and let it figure out by itself how to split resources between everything. Especially when I think that in the long run I will probably migrate more services over to PostgreSQL (and upgrade the RAM).

But maybe I am overlooking something.

Hey everyone, asking here since I've been trying (and failing) at the numerous guides online. The end goal is so that I can have proper Let's Encrypt certs for my self hosted servers to include VaultWarden (which will not work with self-signed or http) as well as have easy urls for myself and family to use.

So I am trying to setup my Porkbun domain with my Opnsense nginx plugin in order to resolve the address (such as navidrome.example.com to my local server's navidrome instance @ 192.168.1.99:4533). I attempted this guide here as well as trying to configure a separate nginx on the server itself. I haven't had much luck with these guides either.

Any address outside of router.example.com results in a connection failure. Including when I tried to route everything like navi.router.example.com. This is with and without wildcards in the A Record entries on Porkbun's DNS control panel. I've tried *.example.com, *.router.example.com, navidrome.example.com, navidrome.router.example.com.

Sorry if this seems like a simple problem or if I am missing a massive step, I am complete newbie at self-hosting/networking.

Hello friends,

Just about every guide that comes up on my Google search for "How to create certificate authority with OpenSSL" seems to be out-of-date. Particularly, they all guide me towards creating a certificate that gets rejected by the browser due to the "Common Name" field deprecation, and the requirement of "Subject Alternative Name" field.

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? A tool that follows modern standards, gets accepted by browsers and other common web tools. Preferably something based on OpenSSL.

If you know a guide that does this using OpenSSL, even better! But I have low hopes for this after going through dozens of guides all having the same issue I mentioned above.

Replies to Some Questions you Might Ask Me

Why not just correct those two fields you mention?

I want to make sure I am doing this right. I don't want to keep running into errors in the future. For example, I actually did try that, and npm CLI rejected my certs without a good explanation (through browser accepts it).

Why not Let's Encrypt?

This is for private services that are only accessible on a private network or VPN

If this is for LAN and VPN only services, why do you need TLS?

TLS still has benefits. Any device on the same network could still compromise the security of the communication without TLS. Examples: random webcam or accessory at your house, a Meta Quest VR headset, or even a compromised smartphone or computer.

Use small step CA (or other ACME tools)

I am not sure I want the added complexity of this. I only have 2 services requiring TLS now, and I don't believe I will need to scale that much. I will have setup a way to consume the ACME server. I am happier with just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

If I am over estimating the difficulty for this, please correct me.

After an all-too-long development phase, I'm opening the new year with a new version of Tempo. This new version brings with it Android Auto support, one of the most requested features of all time.

Other new features include support for Chinese and Korean languages, an update to the French localization, the implementation of landscape viewing of the media player and more.

You can find Tempo on Github ready for download: it’s free, it’s open source and it’s made by the community for the community.

If you appreciate the work put into Tempo, remember that you can star the project on Github or make a donation! It’s not much but it’s useful to help the project grow and give visibility to the app.

Probably a dumb question, but I have to report pretty much the same post (some website-link + some mentioned usernames, but always sent from different instances) multiple times a day.

The weird thing is, that this happens only here in this community, and not in any else I have subscribed to.

Is this some targeted attack, because due to the self hosting, we're a more valuable victims, or is it just due to time shift because the mods are in a different time zone and asleep when we report the posts?

I think the latter one isn't the case, since there are many active moderators here :)

Is there something we can do about it?

With free esxi over, not shocking bit sad, I am now about to move away from a virtualisation platform i’ve used for a quarter of a century.

Never having really tried the alternatives, is there anything that looks and feels like esxi out there?

I don’t have anything exceptional I host, I don’t need production quality for myself but in all seriousness what we run at home end up at work at some point so there’s that aspect too.

Thanks for your input!

Is there a FOSS program where I can inventory my high value items in case there is an insurance claim?

I was thinking of the item, the picture of the item and serial number, maybe the UPC, and then an attachment of the receipt.

I'm guessing some kind of database that integrates file attachments per item.

Not my blog, just a good community share :)

It looks like !buildapc community isn't super active so I apologize for posting here. Mods, let me know if I should post there instead.

I built my first PC when I was I think 10-11 years old. Built my next PC after that and then sort of moved toward pre-made HP/Dell/etc. My last PC's mobo just gave out and I'm looking to replace the whole thing. I've read over the last few years that prefabs from HP/Dell/etc. have gone to shit and don't really work like they used to. Since I'm looking to expand comfortably, I've been thinking of giving building my own again.

I remember when I was a young lad, that there were two big pain points when putting the rig together: motherboard alignment with the case (I shorted two mobos by having it touch the bare metal of the grounded case; not sure how that happened but it did) and CPU pin alignment so you don't bend any pins when inserting into the socket.

Since it's been several decades since my last build, what are some things I should be aware of? Things I should avoid?

For example, I only recently learned what M.2 SSD are. My desktop has (had) SATA 3.5" drives, only one of which is an SSD.

I'll admit I am a bit overwhelmed by some of my choices. I've spent some time on pcpartpicker and feel very overwhelmed by some of the options. Most of my time is spent in code development (primarily containers and node). I am planning on installing Linux (Ubuntu, most likely) and I am hoping to tinker with some AI models, something I haven't been able to do with my now broken desktop due to it's age. For ML/AI, I know I'll need some sort of GPU, knowing only that NVIDIA cards require closed-source drivers. While I fully support FOSS, I'm not a OSS purist and fully accept that using a closed source drivers for linux may not be avoidable. Happy to take recommendations on GPUs!

Since I also host a myriad of self hosted apps on my desktop, I know I'll need to beef up my RAM (I usually go the max or at least plan for the max).

My main requirements:

• Intel i7 processor (I've tried i5s and they can't keep up with what I code; I know i9s are the latest hotness but don't think the price is worth it; I've also tried AMD processors before and had terrible luck. I'm willing to try them again but I'd need a GOOD recommendation)
• At least 3 SATA ports so that I can carry my drives over
• At least one M.2 port (I cannibalized a laptop I recycled recently and grabbed the 1TB M.2 card)
• On-board Ethernet/NIC (on-board wifi/bluetooth not required, but won't complain if they have them)
• Support at least 32 GB of RAM
• GPU that can support some sort of ML/AI with DisplayPort (preferred)

Nice to haves:

• MoBo with front USB 3 ports but will accept USB 2 (C vs A doesn't matter)
• On-board sound (I typically use headphones or bluetooth headset so I don't need anything fancy. I mostly listen to music when I code and occasionally do video calls.)

I threw together this list: https://pcpartpicker.com/list/n6wVRK

It didn't matter to me if it was in stock; just wanted a place to start. Advice is very much appreciated!

EDIT: WOW!! I am shocked and humbled by the great advice I've gotten here. And you've given me a boost in confidence in doing this myself. Thank you all and I'll keep replying as I can.

cross-posted from: https://lemmy.world/post/12284817

> There's a new version of Nephele WebDAV server (also on Docker Hub) that supports using an S3 compatible server as storage and encrypting filenames and file contents. > > This essentially means you can build your own cloud storage server leveraging something like Backblaze B2 for $6/TB/month, and that data is kept private through encryption. That's cheaper than Google Drive, and no one can snoop on your files.

Hi everyone.

I'm planning to open a small gym and am looking for management software. I don't want cloud services or a subscription fee. I use Linux in my personal life and would prefer to keep running that at the business. Does anyone have experience with this type of thing?

I plan to self host all my services and data if possible such as camera systems and maybe even the website (I found a great local website company I'll be talking with soon).

I'm interested in exploring the world of self hosting, but most of the information that I find is incredibly detailed and specific, such as what type of CPU performs better, etc. What I'm really looking for is an extremely basic square 1 guide. I know basically nothing about networking, I don't really know any coding, but it seems like there are a lot of tools out there that might make this possible even for a dummy like me.

Right now, my cloud computing is pretty much typical, I think. I use onedrive to sync my documents and old files. I need to be able to quickly access files on different devices, such as a powerpoint created on one device and presented on another. On my phone I use Android and my backups of downloads and photos and other data (messages, etc) are all on Google Drive /Google 1.

I'm willing to spend the time learning to an extent, but I'm not looking to become a network expert. I'm also willing to spend a little bit of money on hardware or a subscription service if necessary. Ideally I'd like to be out of this subscription service game, but the main goal is to be in charge of my own files. I have an old laptop running Linux to play around with and a fast and stable home internet connection.

Eventually, I would like to not only be syncing my files, photos, and documents in real time, but also I'd like to maybe try using it as an entertainment server to watch/listen to downloaded media on my home network.

Is there such a thing as a guide for a total beginner starting from zero? Is this worth attempting, or will I quickly find myself frustrated and in way over my head? Or, do I need to wait a little longer until more idiot-proof tools become available?

That's a question I always asked myself. Currently, I'm running Debian on both my servers, but I consider switching to Fedora Atomic Core (CoreOS), since I already use Fedora Atomic on my desktop and feel very comfortable with it.

There's always the mentality of using a "stable" host OS bein better due to following reasons:

• Things not changing means less maintenance, and nothing will break compatibility all of the sudden.
• Less chance to break.
• Services are up to date anyway, since they are usually containerized (e.g. Docker).
• And, for Debian especially, there's one of the biggest availability of services and documentation, since it's THE server OS.

My question is, how much of these pro-arguments will I loose when I switch to something less stable (more regular updates), in my case, Fedora Atomic?

---

My pro-arguments in general for it would be:

• The host OS image is very minimal, and I think most core packages should be running very reliably. And, in the worst case, if something breaks, I can always roll back. Even the, in comparison to the server image, "bloated" desktop OS (Silverblue) had been running extremely reliably and pretty much bug free in the past.
• I can always use Podman/ Toolbx for example for running services that were made for Debian, and for everything else there's Docker and more. So, the software availability shouldn't be an issue.
• I feel relatively comfortable using containers, and think especially the security benefits sound promising.

Cons:

• I don't have much experience. Everything I do related to my servers, e.g. getting a new service running, troubleshooting, etc., is hard for me.
• Because of that, I often don't have "workarounds" (e.g. using Toolbx instead of installing something on the host directly) in my mind, due to the lack of experience.
• Distros other than Debian and some others aren't the standard, and therefore, documentation and availability isn't as good.
• Containerization adds another layer of abstraction. For example, if my webcam doesn't work, is it because of a missing driver, Docker, the service, the cable not being plugged in, or something entirely different? Troubleshooting would get harder that way.

---

On my "proper" server I mainly use Nextcloud, installed as Docker image. My Raspberry Pi on the other hand is only used as print server, running Octoprint for my 3D-printer. I have installed Octoprint there in the form of Octopi, which is a Raspian fork distro where Octoprint is pre-installed, which is the recommended way.

With my "proper" server, I'm not really unhappy with Debian. It works and the server is running 24/7. I don't plan to change it for the time being.

Regarding the Raspi especially, it looks quite a bit different. I think I will just try it and see if I like it.

Why?

• It is running only rarely. Most of the time, the device is powered off. I only power it on a few times per month when I want to print something. This is actually pretty good, since the OS needs to reboot to apply updates, and it updates itself automatically, so I don't have to SSH into it from time to time, reducing maintenence.
• And, last but not least, I've lost my password. I can't log in anymore and am not able to update anymore, so I have to reinstall anyway.

---

What is your opinion about that?

I heard about this project years ago. Cool concept: standardized, interchangeable storage + identity that can be plugged into arbitrary apps. The idea is that your identity is tied to your data, and your data can be hosted anywhere so you can retain control over your data or use a simple provider. It was also created by Tim Berners-Lee, creator of the web.

However, it doesn't seem to be gaining traction anywhere, even in the already-niche self-hosting community. From the GitHub (which was hard to find on the website!) I could see that it's being actively developed, including a new website redesign, but everything else seems stagnant. Their newsletter has no updates since 2021. There are only a small handful of apps listed on the site and most of them haven't been maintained since 2019 or earlier, and a lot are just things like "solid pod explorer" or "demo app".

Anyone had any experience with it? Or know more about the situation? I would love to see this become more widely used.

For context: I want to automatically enable Intel SGX for every VM and LXC in Proxmox, but it doesn't seem like there's a way to do it using APIs AFAIK (so Terraform is out of the question unless I've missed something) other than editing the template for the individual LXC/VM.

I'd like to know if there's a tool that can automate this. I could potentially write a shell script but I'd like to know if there's something that's mature software before I go do this. I have been reading about Packer, Vagrant and cloud-init but I don't think this is something in their scope of usage.

Thanks!

I'm looking for a media player/OS for an ARM SBC that can stream from my navidrome (subsonic compatible) music server, and be controlled via either a web GUI or an android app. I'd love to hear what you guys came up with!

Currently really happy with my setup, I'm using Navidrome as my music server, along with Ultrasonic as my phone client.

I've set up a (dumb/analog) speaker system on my workshop, and I'd like to be able to listen to music there, but I don't want to add a whole setup (be it an old laptop, or add kb/mouse, monitor and such) and my phone no loner has a 3.5mm jack.

I have a Raspberry Pi 3, an OrangePi Zero, and an OrangePi PC+. I'd rather use the zero or the PC+ since they're kinda unstable/wonky and I don't trust them anymore for stuff I want to keep running 24/7 (like pihole).

I'm open to testing other music servers (volumio maybe?) on my main homelab if that means having the ability to change the client/sink from the app/gui (something like what Spotify does, where you can pick from any client to stream to other clients/speakers)

What do you think about buying second hand disks and using higher redundancy?

For example 4x 16TB in RAIDz2? Is anyone using something like that? How's it performing, reliability-wise?

E: Thanks all for the opinions and information!

I currently use keePass, and use it on both my PC and my phone. I like it because I can keep a copy of my DB on my phone and export it through a few different means. But I can't seem to find an option to actually sync my local DB against a remote one. I've thought about switching to BitWarden but from what I can see it uses a single DB with multiple connections. Is there a password manager that allows ultiple databases (one PC one Phone) with easy syncing between them - specifically from my phone? Or a way to setup keePass to allow syncing with a machine on my home network?

Hi all, looking for some help with the Jellyfin Media Player.

For background, I've used Plex for years, and I've had it working well. I'm trying out Jellyfin because of all of the reasons you're already thinking of.

One issue I'm having - I like uncompressed 4K HDR. I'm trying to play a large movie, one Plex direct plays perfectly fine to my HTPC. (2.5GB networking through and through, direct access, all the basics have checked). However Jellyfin Media Player seems to stutter and drop frames.

Not like "It stops and buffers", but more like playing a video game and it drops down to 15fps. Is there a setting somewhere I'm missing to enable GPU support or something? I toggled OpenGL on and off and it didn't seem to have an effect.

Video says it's direct play, no transcode. Not sure what else it could be beyond hardware acceleration?

Thanks!

I recently decided to replace the SD card in my Raspberry Pi and reinstall the system. Without any special backups in place, I turned to rsync to duplicate /var/lib/docker with all my containers, including Nextcloud.

Step #1: I mounted an external hard drive to /mnt/temp.

Step #2: I used rsync to copy the data to /mnt/tmp. See the difference?

Step #3: I reformatted the SD card.

Step #4: I realized my mistake.

Moral: no one is immune to their own stupidity 😂

cross-posted from: https://discuss.online/post/5391072

> February 20, 2024 piefedadmin writes: > > > For a very small instance with only a couple of concurrent users a CDN might not make much difference. But if you take a look at your web server logs you’ll quickly notice that every post / like / vote triggers a storm of requests from other instances to yours, looking up lots of different things. It’s easy to imagine how quickly this would overwhelm an instance once it gets even a little busy. > > > > One of the first web performance tools people reach for is to use a CDN, like Cloudflare. But how much difference will it make? In this video I show you my web server logs before and after and compare them. > > Read How much difference does a CDN make to a fediverse instance?

A couple of years ago, IFTTT did a thing where they asked people to sign up to premium and they could pay whatever they like and could keep the service forever. I didn't use many of the services, but thought it made sense to try and preserve something so useful for in case I did need it. In the meantime, I would allow it to check some RSS feeds and alert me when certain keywords came up.

Some time goes by and the ambitions of IFTTT grow, they now rename the service I pay for as Legacy. Seems ominous, but I'm only using it for RSS so nothing to worry about.

Fast forward to yesterday and I get an email to say that they're moving me to a new premium service and doubling what I pay. It left a bad taste in my mouth. I hate when companies do this. Especially when they promised I could keep my old thing at the same price forever.

Anyway, since they've clearly lost their mind in the pursuit of AI supremacy, I may as well just host this myself.

So is there a self hosted solution for RSS where I can get notifications when some RSS feeds publish indiscriminately and others when specific keywords come up?

Something I can put in a Docker container on my RPi, set and forget.

Hey, I'm really stumped by this issue so perhaps one of you folks might be able to help me out here. I run a little server on an RPi 5.i got for another project originally. So ce I cannot finish said project due to time constraints, I repurposed the thing into a little server. It's running smoothly so far with one really weird exception. Whenever I attach more than 1 HDDs to the pi and use at least 2 at the same time, both HDDs will start to fail, unmount and the whole USB hubs I connected them to will just disappear from LSUSB. Originally I thought this was a power issue but the weird behavior continues when I connect each HDD to it's own powered USB hub. I'm really at a loss as to what's happening. Any ideas?

Hi everyone,

Was just going through tower server listings on Ebay. I'm seeing my options decrease mainly due to not being able to fit a standard ATX/SFX PSU into some of these systems.

For example:

1. Dell Precision T3600/T3610/T5810/T7820 series: PSU with a short height, seems to have about the length of a standard PSU.
2. Lenovo ThinkStation P520 - although this looks like a TFX PSU from the outside, it's actually a very different way to connect to the components inside.
3. HP Z440: strange size of the PSU. I don't think an ATX PSU can fit in there.

Now, I have failed in trying to find brackets to place normal PSUs in these configurations. The reason why I don't purchase PSUs on Ebay is because I can't exactly be sure if they are used or not, and I prefer purchasing new PSUs.

With that said, for everyone who purchases these tower workstations - how do you replace your PSUs?

Thanks.

Edit2: Thanks all for your responses! I have checked the logs, https://lemmy.nz/comment/6192604, and based on that removed tracker-miner-fs as it's a search/index tool which I don't need. No idea why it took over all memory. I'll also get a WiFi Smartplug as a kill switch. Hopefully that solves it. Thanks again heaps!

---- I've got a HP ProDesk G3 which I'm using as home server, I've installed Ubuntu on it. Earlier this week the services I host on it stopped (Immich & Frigate). I tried to SSH, but it just hung after asking for a password. I could ping it, but it was just unresponsive.

I had to force reboot it manually. This is fine, but I'm not always at home.

The chip has Intel vPro as far as I know, which could be an option, but I have no idea how this works. The documentation on the Intel site seems focused on enterprises. I tried to connect with RealVNC which does not work, so I think I've got to install/configure something on the server first.

I also asked Bing Chat but it came up with non existing packages & commands. Welcome your thoughts!

/edit: I just found this, which seems to be exactly what I need: https://manpages.ubuntu.com/manpages/focal/en/man7/amt-howto.7.html

So Podman is an open source container engine like Docker—with "full"¹ Docker compatibility. IMO Podman's main benefit over Docker is security. But how is it more secure? Keep reading...

Docker traditionally runs a daemon as the root user, and you need to mount that daemon's socket into various containers for them to work as intended (See: Traefik, Portainer, etc.) But if someone compromises such a container and therefore gains access to the Docker socket, it's game over for your host. That Docker socket is the keys to the root kingdom, so to speak.

Podman doesn't have a daemon by default, although you can run a very minimal one for Docker compatibility. And perhaps more importantly, Podman can run entirely as a non-root user.² Non-root means if someone compromises a container and somehow manages to break out of it, they don't get the keys to the kingdom. They only get access to your non-privileged Unix user. So like the keys to a little room that only contains the thing they already compromised.^2.5 Pretty neat.

Okay, now for the annoying parts of Podman. In order to achieve this rootless, daemonless nirvana, you have to give up the convenience of Unix users in your containers being the same as the users on the host. (Or at least the same UIDs.) That's because Podman typically³ runs as a non-root user, and most containers expect to either run as root or some other specific user.

The "solution"⁴ is user re-mapping. Meaning that you can configure your non-root user that Podman is running as to map into the container as the root user! Or as UID 1234. Or really any mapping you can imagine. If that makes your head spin, wait until you actually try to configure it. It's actually not so bad on containers that expect to run as root. You just map your non-root user to the container UID 0 (root)... and Bob's your uncle. But it can get more complicated and annoying when you have to do more involved UID and GID mappings—and then play the resultant permissions whack-a-mole on the host because your volumes are no longer accessed from a container running as host-root....

Still, it's a pretty cool feeling the first time you run a "root" container in your completely unprivileged Unix user and everything just works. (After spending hours of swearing and Duck-Ducking to get it to that point.) At least, it was pretty cool for me. If it's not when you do it, then Podman may not be for you.

The other big annoying thing about Podman is that because there's no Big Bad Daemon managing everything, there are certain things you give up. Like containers actually starting on boot. You'd think that'd be a fundamental feature of a container engine in 2023, but you'd be wrong. Podman doesn't do that. Podman adheres to the "Unix philosophy." Meaning, briefly, if Podman doesn't feel like doing something, then it doesn't. And therefore expects you to use systemd for starting your containers on boot. Which is all good and well in theory, until you realize that means Podman wants you to manage your containers entirely with systemd. So... running each container with a systemd service, using those services to stop/start/manage your containers, etc.

Which, if you ask me, is totally bananasland. I don't know about you, but I don't want to individually manage my containers with systemd. I want to use my good old trusty Docker Compose. The good news is you can use good old trusty Docker Compose with Podman! Just run a compatibility daemon (tiny and minimal and rootless… don't you worry) to present a Docker-like socket to Compose and boom everything works. Except your containers still don't actually start on boot. You still need systemd for that. But if you make systemd run Docker Compose, problem solved!

This isn't the "Podman Way" though, and any real Podman user will be happy to tell you that. The Podman Way is either the aforementioned systemd-running-the-show approach or something called Quadlet or even a Kubernetes compatibility feature. Briefly, about those: Quadlet is "just" a tighter integration between systemd and Podman so that you can declaratively define Podman containers and volumes directly in a sort of systemd service file. (Well, multiple.) It's like Podman and Docker Compose and systemd and Windows 3.1 INI files all had a bastard love child—and it's about as pretty as it sounds. IMO, you'd do well to stick with Docker Compose.

The Kubernetes compatibility feature lets you write Kubernetes-style configuration files and run them with Podman to start/manage your containers. It doesn't actually use a Kubernetes cluster; it lets you pretend you're running a big boy cluster because your command has the word "kube" in it, but in actuality you're just running your lowly Podman containers instead. It also has the feel of being a dev toy intended for local development rather than actual production use.⁵ For instance, there's no way to apply a change in-place without totally stopping and starting a container with two separate commands. What is this, 2003?

Lastly, there's Podman Compose. It's a third-party project (not produced by the Podman devs) that's intended to support Docker Compose configuration files while working more "natively" with Podman. My brief experience using it (with all due respect to the devs) is that it's total amateur hour and/or just not ready for prime time. Again, stick with Docker Compose, which works great with Podman.

Anyway, that's all I've got! Use Podman if you want. Don't use it if you don't want. I'm not the boss of you. But you said you wanted content on Lemmy, and now you've got content on Lemmy. This is all your fault!

¹ Where "full" is defined as: Not actually full.

² Newer versions of Docker also have some rootless capabilities. But they've still got that stinky ol' daemon.

^2.5 It's maybe not quite this simple in practice, because you'll probably want to run multiple containers under the same Unix account unless you're really OCD about security and/or have a hatred of the convenience of container networking.

³ You can run Podman as root and have many of the same properties as root Docker, but then what's the point? One less daemon, I guess?

⁴ Where "solution" is defined as: Something that solves the problem while creating five new ones.

⁵ Spoiler: Red Hat's whole positioning with Podman is like they see it is as a way for buttoned-up corporate devs to run containers locally for development while their "production" is running K8s or whatever. Personally, I don't care how they position it as long as Podman works well to run my self-hosting shit....

Hey y'all, I've been using my.freenom as my domain registrar for the past six years without too many issues. I've kept it mainly because it has been cheap as balls. However, I am now looking for a registrar that supports dynamic dns and would love to hear your suggestions. The first results that pop up are google and godaddy which are not what I'm looking for. (I actually had issues with godaddy stealing domain names all the way back in 2010, but that's another story) A local community reference is worth a lot more to me than a top search result.

The plan is to set up my domain to point to my local IP for stuff like valheim servers so i don't have to share an IP every time we want to play. My friendlywrt router supports dynamic dns out of the box, so that's what I'm looking to use for my domain.

Also, it needs to support subdomains going to different places. Complete access to the dns records is enough, but I would love a more user friendly interface for adding things like a separate email host, a webhost address, plus a subdomain for the valheim server.

• Unraid is switching to annual subscription pricing, offering Starter, Unleashed, and Lifetime licenses with optional extension fees for updates.
• Existing Basic, Plus, and Pro licenses can be upgraded to higher levels of perpetual licenses.
• This change may increase revenue for Lime Technology but could also make other NAS providers more appealing to users.

Archive link: https://archive.ph/YCFoR

Cross-posted to: https://sh.itjust.works/post/14975166

---

Solution

I'm still not really sure exactly what the root cause of the issue was (I would appreciate it if someone could explain it to me), but I disabled HTTPS on the Nextcloud server nextcloud.disable-https and, all of a sudden, it started working. My Caddyfile simply contains the following: nextcloud.domain.com { server-LAN-ip:80 }

Original Post

I am trying to upgrade my existing Nextcloud server (installed as a Snap) so that it is sitting behind a reverse proxy. Originally, The Nextcloud server handled HTTPS with Let's Encrypt at domain.com; now, I would like for Caddy to handle HTTPS with Let's Encrypt at nextcloud.domain.com and to forward the traffic to the Nextcloud server.

With my current setup, I am encountering an error where it is saying 301 Moved Permanently. Does anyone have any ideas on how to fix or troubleshoot this?

Caddyfile: https://nextcloud.domain.com { reverse_proxy 192.168.1.182:443 header / Strict-Transport-Security max-age=31536000; } And here is the output of curl -v https://nextcloud.domain.com/: ```

• Host nextcloud.domain.com:443 was resolved.
• IPv6: (none)
• IPv4: public-ip
• Trying public-ip:443...
• Connected to nextcloud.domain.com (public-ip) port 443
• ALPN: curl offers h2,http/1.1
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• CAfile: /etc/ssl/certs/ca-certificates.crt
• CApath: none
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256 / x25519 / id-ecPublicKey
• ALPN: server accepted h2
• Server certificate:
• subject: CN=nextcloud.domain.com
• start date: Feb 21 06:09:01 2024 GMT
• expire date: May 21 06:09:00 2024 GMT
• subjectAltName: host "nextcloud.domain.com" matched cert's "nextcloud.domain.com"
• issuer: C=US; O=Let's Encrypt; CN=R3
• SSL certificate verify ok.
• Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
• Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
• Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• using HTTP/2
• [HTTP/2] [1] OPENED stream for https://nextcloud.domain.com/
• [HTTP/2] [1] [:method: GET]
• [HTTP/2] [1] [:scheme: https]
• [HTTP/2] [1] [:authority: nextcloud.domain.com]
• [HTTP/2] [1] [:path: /]
• [HTTP/2] [1] [user-agent: curl/8.6.0]
• [HTTP/2] [1] [accept: /] > GET / HTTP/2 > Host: nextcloud.domain.com > User-Agent: curl/8.6.0 > Accept: / > < HTTP/2 301 < alt-svc: h3="public-ip:443"; ma=2592000 < content-type: text/html; charset=iso-8859-1 < date: Wed, 21 Feb 2024 07:45:34 GMT < location: https://nextcloud.domain.com:443/ < server: Caddy < server: Apache < strict-transport-security: max-age=31536000; < content-length: 250 <

301 Moved Permanently

<h1>Moved Permanently</h1> <p>The document has moved here.</p>

• Connection #0 to host nextcloud.domain.com left intact ```

Hi. I switched from a few SBCs to a proxmox-server and i really enjoy it. Now - after playing a little bit around - i plugged an external 8tb-hdd on my server mainly for backups. I followed this tutorial: https://ostechnix.com/add-external-usb-storage-to-proxmox/

Next step is to use urbackup. I created a folder /urbackup on the 8tb-hdd and now i would like to assign this folder to the urbackup-docker but i do not understand how to do this.

What "content" do i have to choose for this case and how can i assign the folder to the docker?

Important EDIT: I forgot to mention that i do not use a VM but LXC!

SOLUTION in this case is pretty simple: https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points

For example, to make the directory /mnt/bindmounts/shared accessible in the container with ID 100 under the path /shared, add a configuration line such as:

mp0: /mnt/bindmounts/shared,mp=/shared

into /etc/pve/lxc/100.conf.

Or alternatively use the pct tool:

pct set 100 -mp0 /mnt/bindmounts/shared,mp=/shared

to achieve the same result.

Thanks a lot for your help!