view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
I’ve been struggling to wrap my head around a good security architecture for my mspencer.net replacement crap. Could I bug you for links?
I figured out a while ago to keep VM host management on a management VLAN, and I put each service VM on its own VLAN with heavy, service-specific firewalling and a private OS update repo mirror - but after hearing about ESXi jackpotting vulns and Broadcom shenanigans, I’ve gotten really disheartened. I’d love some safe defaults.
It sounds like you're getting into the keeping it running phase.
First, going back to your previous comment, self-hosting email is difficult. It's not hard for a small provider to end up blacklisted and you're probably kind of just done at that point and it will feel very unfair. I get that it's a fun set of technical challenges, but you couldn't pay me enough to help someone self-host email.
Second, guessing, but it sounds like you may be trying to expose your services directly and doing a lot to make that work which goes against what most would recommend for hosting your own services. Big companies don't expose their intranet like that, follow their example. Almost every guide or system is going to warn against that. If you're going to host more than one thing, highly recommend focusing on minimizing entry points and looking into a VPN-like solution for accessing most if not all of your services. Still spend time on securing your intranet, but most of your risk is going to come from how hard it is for people to get past the front door (or doors).
Thank you for your reply, but to be clear, I’m not looking for individual details to be spelled out in comments. What you said is absolutely correct, thoughtful, and very helpful. But emotions are running a little high and I’m worried I’ll accidentally lash out at someone for helping. Apologies in advance.
But do you have any links? Beyond just the general subjects of security architecture, secure design, threat modeling, and attack surface identification, I’d love to see this hypothetical “generic VM and web application housing provider in a box” come with a reasonably secure default architecture. Not what you’re running, but how you’re running it.
Like, imagine decades in the future, internet historians uncover documentation and backups from a successful generic hosting company. They don’t necessarily care what their customers are hosting, their job is to make sure a breach in one customer’s stuff doesn’t impact any other customer. The documentation describes what policies and practices they used for networking, storage, compute, etc. They paid some expensive employees to come up with this and maintain it, it was their competitive advantage, so they guarded it jealously.
I’d want to see that, but (a) a public, community project and (b) now, while it’s still useful and relevant to emulate it in one’s own homelab.
If I can get some of that sweet, sweet dopamine from others liking the idea and wishing for my success, maybe I can build my own first version of it, publish my flawed version, and it can get feedback.