With the recent discussions around replacing Spotify with selfhosted services and the possibilities to obtain the music itself, I’ve been finally setting up Navidrome. I had to do quite a bit of reorganization to do with my existing collection (beets helping a ton) but now it’s in a neatly organized structure and I’m enjoying it everywhere. I get most of my stuff from Bandcamp but I have a big catalog from when I’ve still had a large physical collection.
I’m also still working on my docker quasi gitops stack. I’ve cleaned up my compose files and put the secrets in env files where I hadn’t already, checked them into my new forgejo instance and (mostly) configured renovate. Komodo is about to get productive but I couldn’t find the time yet. Also I need to figure out how to check in secrets in a secure way. I know some but I haven’t tried those with Komodo yet. This close of my fully automated update-on-merge compose stacks!
I’ve also been doing these for quite a while and decided to sometimes post them in !selfhosting@slrpnk.net to possibly help moving a bit from the biggest Lemmy instance, even though this community as it is is perfectly fine as well as it seems.
What’s going on on your servers? Anything you are trying to pursue at the moment?
You must log in or # to comment.
For privacy reasons, I have finally fully disabled dynamic dns updates and closed the last holes in the home firewall, moving to 100% proxying via a VPS for publicly available stuff, and a tailnet (headscale) for everything private. The only real cross-over is Nextcloud - mountains of private data, but I want it publicly available for file shares. Fortunately, Nextcloud has a setting to whitelist IP addresses that allow log-in, so I can restrict that to just the non-VPS tailnet addresses. From the public internet, only public shares are accessible.
I set up a L4 proxy so that the encryption for Nextcloud happens at home and the VPS just passes encrypted packets. Then it occurred to me that a compromised VPS could easily grab a SSL cert for my Nextcloud subdomain via a regular-old http-challenge and MITM access to all my files, defeating the point.
Then I found a neat hack that effectively disables http-challenge certs for subdomains by requiring a wildcard certificate - which can only be created with a dns-challenge. I was able to also disable all other certificate authorities. Obviously, I have /some/ trust in the VPS I administer - it’s on my tailnet network - but no longer have the concern that it could easily MITM Nextcloud. https://www.naut.ca/blog/2019/10/19/mitigating-http-mitm-possibilities-with-lets-encrypt/
I spent some time last week learning both Ansible and Podman Quadlets. They are a powerful duo, especially for self hosting.
Ansible is a desired state system for Linux. Letting you define a list of servers and what their configuration should be, like “have podman installed” and “have this file at this location with this content”.
Podman quadlets is a system for defining podman containers as a service. You define the container, volumes, and networks all in essentially Systemd unit files.
Mixing the two together, I can have my entire podman setup in a format that can be pushed to any server in seconds.
And of course everything is text files that git well.
I was thinking about this for some time now, can you link me to some good tutorials about quadlets in particular? Ansible will have to wait for now.
Unfortunately not. I found documentation largely lacking. I mostly read the docs and searched specific questions that came up(which often just took me back to the docs). I did as a local LLM for help, but found it’s knowledge base lacking. Sometimes it would work for a hint, but it more often than not made up parameters and features.
Which docs did you read in particular? If you mind to share? And so nice, that you setup a local LLM. I sadly don’t have the horsepower for that.
Here is a redhat blog about it: https://www.redhat.com/en/blog/quadlet-podman
This docs page has more details: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/building_running_and_managing_containers/porting-containers-to-systemd-using-podman
And last, this page shows most of the options you’d expect to find: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
So I am in a vicious cycle. I start doing something, notice there is a better way, change my setup and restart. So from just Ubuntu server, I developed to proxmox. From documenting everything manuall in joplin, i am now using ansible. I started with wireguard, then tailscale with selfhosted headscale. I try to get my setup right on the first try, which i notice is stupid as I am writing. It just hinders me to make progress. I think I should rather try to get it up and running as fast as possible (and securely of cause) to make progress and fail fast maybe? And I like all the changes I made, I think they were the right choice, but its a bit tiering. And I like ansible, I just have the urge to automate absolutely everything, so I can redeploy everything right after I installed proxmox. Which is not necessary at all at this stage, idk :D Maybe someone has some tips how to overcome perfectionism?
For me, tinkering is part of the process and I’m enjoying it. Deciding to do something differently and changing a lot of stuff every now and then is fine. What’s annoying is if you are in the middle of such a process and then run out of (free) time. Next time I look at it I forgot half of it if it’s not finished and documented.