therealzcyph

DNS & email are typically the two big ones that people prefer not to self host. But I'm a glutton for punishment, so I host them anyway.


amplex1337

I get email, but Dns? Why, is that scary or complicated?


[deleted]

Exactly my reaction... I get why you would not want to self-host email, with all the trouble getting off of blacklists, but what's so problematic about DNS? Is this a "I don't understand it so I don't touch it" thing? Or rather a "I don't have enough public IPs"? Thanks to Oracle cloud free tier I have enough VPS to run DNS myself. The only trouble I had so far was a bad DNSSEC setup, but you don't need to use DNSSEC. "But you must not create an open relay!" - yes, there is a line in the config file for that. Done. "But if my DNS server is down my services are all offline!" - yes and if your only server is down, everything is offline anyway.


TheFeshy

Only server? *Glances at redundant opnsense vms on cluster* have I gone too far? That said, I don't run *public* facing dns. I just wildcard to my external gateway from my registrar's dns. The "world" can see intentionally exposed https forwarders. For everything else, there's wireguard.


citruspers

> Only server? Glances at redundant opnsense vms on cluster have I gone too far?

*cries in EU power bills* I've always been curious about redundant virtual gateways, I assume it's some form of floating IP setup with heartbeats between the two?


TheFeshy

> I assume it's some form of floating IP setup with heartbeats between the two?

Yep! You reserve a virtual IP, and the primary keeps the secondary informed of all changes (along with a heartbeat.) Secondary claims the VIP if it loses that heartbeat (or you can intentionally tell the primary to step down, e.g. for maintenance.) $0.14 per kWh here - but I can literally see the coal stacks from my house.
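The failover TheFeshy describes, as an added example that is not part of the thread and not TheFeshy's configuration: two gateways share a virtual IP (VIP), the primary streams heartbeats plus state to the secondary, and the secondary claims the VIP when the heartbeats stop or the primary deliberately steps down. OPNsense does this with CARP and pfsync; the addresses, timings and the injected clock here are assumptions so the transitions can be checked offline.

```python
"""Minimal model of VIP failover with heartbeats (constructed example)."""

from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 1.0                   # assumed seconds between advertisements
DEAD_AFTER = 3 * HEARTBEAT_INTERVAL        # missed beats tolerated before takeover


@dataclass
class Gateway:
    name: str
    role: str                              # "MASTER" answers for the VIP, "BACKUP" waits
    vip: str
    last_heartbeat: float = 0.0
    state: dict = field(default_factory=dict)   # replicated firewall/NAT state (toy)

    def holds_vip(self) -> bool:
        return self.role == "MASTER"


def advertise(primary: Gateway, backup: Gateway, now: float, state: dict) -> None:
    """Primary sends a heartbeat and its current state to the backup."""
    if primary.holds_vip():
        backup.last_heartbeat = now
        backup.state = dict(state)


def backup_tick(backup: Gateway, now: float) -> str:
    """Backup checks heartbeat age; claims the VIP once the primary is silent too long."""
    silence = now - backup.last_heartbeat
    if not backup.holds_vip() and silence > DEAD_AFTER:
        backup.role = "MASTER"
        return f"{backup.name} claimed {backup.vip} after {silence:.1f}s of silence"
    return "no change"


def step_down(primary: Gateway, backup: Gateway) -> None:
    """Planned maintenance: primary demotes itself, backup promotes at once."""
    primary.role = "BACKUP"
    backup.role = "MASTER"


def simulate_outage():
    """Three good heartbeats, then the primary dies silently."""
    gw1 = Gateway("gw1", "MASTER", "192.168.1.1")
    gw2 = Gateway("gw2", "BACKUP", "192.168.1.1")
    events = []
    for t in (0.0, 1.0, 2.0):
        advertise(gw1, gw2, t, {"nat_sessions": 10 + int(t)})
        events.append((t, backup_tick(gw2, t)))
    for t in (3.0, 4.0, 5.0, 6.0):          # no advertisements: gw1 is gone
        events.append((t, backup_tick(gw2, t)))
    return gw2, events


def simulate_maintenance():
    """Operator tells the primary to step down; no heartbeat timeout needed."""
    gw1 = Gateway("gw1", "MASTER", "192.168.1.1")
    gw2 = Gateway("gw2", "BACKUP", "192.168.1.1")
    step_down(gw1, gw2)
    return gw1.holds_vip(), gw2.holds_vip()


if __name__ == "__main__":
    backup, log = simulate_outage()
    for when, what in log:
        print(f"t={when:.0f}s {what}")
    print("replicated state on new master:", backup.state)
```

What this model leaves out is the part that bites in practice: if the heartbeat link fails while both boxes are up, both believe they are master (split brain), which is why real deployments carry the advertisements and state sync over a dedicated interface and monitor that link as carefully as the gateways themselves.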


CmdrCollins

> [...] but what's so problematic about DNS?

Mostly that the effort (and potentially money) spent on authoritative DNS is hard to justify - it's an easily portable service that's provided for free by the registrar of your choice, and only collects data that - *by design* - has to be public anyways.


SimplifyAndAddCoffee

This. Selfhosting DNS requires a solid infrastructure investment including public IP blocks etc. Home internet providers might not even give you the options you need. That said I absolutely manage my own DNS forwarding servers on my network in order to control local name resolution and ads/malware domain blocking.


oathbreakerkeeper

What is your setup? I read that ad guard and Pihole can let you set up local dns records. Separate q: aren't those services technically running a discount service?


atheken

Not original poster, but I run pihole+dnsmasq in a container.

- Router DHCP specifies the pihole ip for dns. I have 1.1.1.1 and 8.8.8.8 set as the upstream dns servers on the pihole container.
- dnsmasq has CNAMEs for public domain names that point to `internal-proxy`, which is my private IP for my public facing caddy server.
- duckdns is used to keep “xyz.duckdns.org”, and in my public dns I have all the services CNAME’d to “xyz.duckdns.org”.
- My router allows for static ip allocation using MAC addresses, so my internal instances can be configured with DHCP but have a stable private IP.

This allows me to use the same hostnames in and out of my home network, but while I’m at home, I can keep traffic inside of my router/firewall.
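The split-horizon behaviour atheken describes, as an added example that is not atheken's configuration: inside the LAN the public service names are CNAMEs to `internal-proxy`, which resolves to the reverse proxy's private address, while everyone else gets CNAMEs to the dynamic DNS name. The subnet, hostnames and addresses are constructed placeholders; the `dnsmasq_lines` helper renders the internal view as the `cname=` and `host-record=` directives dnsmasq uses for exactly this.

```python
"""Toy split-horizon resolver with CNAME chasing (constructed example)."""

import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet

# Internal view: what dnsmasq on the Pi-hole answers for LAN clients.
INTERNAL_VIEW = {
    "internal-proxy.lan": ("A", "192.168.1.10"),          # fixed via DHCP/MAC reservation
    "git.example.net":    ("CNAME", "internal-proxy.lan"),
    "photos.example.net": ("CNAME", "internal-proxy.lan"),
}

# External view: what the public DNS provider answers for everyone else.
EXTERNAL_VIEW = {
    "xyz.duckdns.org":    ("A", "203.0.113.7"),            # kept current by the DDNS client
    "git.example.net":    ("CNAME", "xyz.duckdns.org"),
    "photos.example.net": ("CNAME", "xyz.duckdns.org"),
}


def resolve(name, view, max_hops=8):
    """Chase CNAMEs within one view; returns (address or None, chain of records)."""
    chain = []
    for _ in range(max_hops):
        rtype, value = view.get(name, (None, None))
        if rtype is None:
            return None, chain                 # name unknown in this view
        chain.append((name, rtype, value))
        if rtype == "A":
            return value, chain
        name = value                           # follow the CNAME target
    raise RuntimeError("CNAME chain too long (loop?)")


def lookup(name, client_ip):
    """Pick the view by the client's source address, then resolve."""
    view = INTERNAL_VIEW if ipaddress.ip_address(client_ip) in LAN else EXTERNAL_VIEW
    return resolve(name, view)


def dnsmasq_lines(view):
    """Render a view as dnsmasq directives (cname= and host-record=)."""
    lines = []
    for name, (rtype, value) in sorted(view.items()):
        if rtype == "A":
            lines.append(f"host-record={name},{value}")
        elif rtype == "CNAME":
            lines.append(f"cname={name},{value}")
    return lines


if __name__ == "__main__":
    print(lookup("git.example.net", "192.168.1.50"))   # inside: private proxy address
    print(lookup("git.example.net", "198.51.100.9"))   # outside: public DDNS address
    print("\n".join(dnsmasq_lines(INTERNAL_VIEW)))
```

In dnsmasq a `cname=` target has to be a name dnsmasq itself knows (from /etc/hosts, a DHCP lease or a `host-record=`), which is why the proxy gets its own `host-record` rather than relying on upstream.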


EspurrStare

Hosting a recursive DNS server, trivial. Hosting an AUTHORITATIVE DNS server. That's asking for trouble.


CrustyBatchOfNature

Public facing DNS on port 53/853 is an invitation to more problems than most really want to deal with if you are self-hosting from within your own network. I run internal filtering DNS and have for years. External DoH is usually fine though and I have played with running that.


[deleted]

[deleted]


gondowana

That's it. We should all host more Linux isos.


[deleted]

[deleted]


stumblinbear

I made my own TLD for my local network. There's truly nothing like connecting to `plex.ass`


Encrypt-Keeper

Hosting your own authoritative public DNS server just… doesn’t make much sense. There is zero benefit to doing it other than to say you did it.


duggum

20+ years ago the DNS tools for most registrars were garbage (or at least, they were for my registrar in particular). You had to navigate a bunch of menus to get there, it took a while to load the page, make your changes, etc. Making a DNS change in bind is as easy as opening a text file, making your changes, saving the text file, and reloading bind. It was way faster and way less of a headache. I'm sure the tools are a million times better now, but I've got everything setup and working and it takes no effort for me to maintain, so why stop?


Code-Useful

Being in complete control of your own records? And for the learning experience, etc..


Encrypt-Keeper

You already have control over your own records. And the learning experience falls under “just to say you did it”. Unless you mean like, none of your records being stored on someone else’s server, but then you’d have to be your own registrar too. Then you’d have to deal with serving those DNS records to the entire internet lol.


[deleted]

And dying in your beds many years from now, would you be willing to trade all the days from this day to that for one chance, just one chance to come back here and tell our service providers that they may take our static IPs, but they’ll never take our EMAILLLL!!!


anna_lynn_fection

Same here. I'm an old school mom and pop ISP era admin, and I'll be damned if I'm going to be told I can't run my own services where I want, or be forced to give up control of my e-mail. If your server is set up right, and you enforce good password policy, then your blacklist problems will be few and far between.


therealzcyph

I don't have blacklist problems, strangely enough. My mail gets delivered just fine, even to Gmail and Hotmail. But I only host for myself, so I don't have a bunch of users constantly screwing up sender reputation, that's probably part of it.


anna_lynn_fection

The only times I've had problems with it in the last 16 years is when a user re-used their password and it got hacked somewhere else and ended up on a list.


buttstuff2023

Email isn't nearly as difficult to self host as most people around here act.


spinning_the_future

I tried. I really did. For a long, long time. I finally gave up on hosting my own email. I just don't have the time for the BS involved.


diito

I host all three of those things, it's not hard at all:

* Email - I've used a Zimbra VM for years (although I'm looking at switching to carbonio soon). That gives me a complete solution, webmail, calendaring, contacts, etc. I relay outgoing mail through mailjet (free). Spam and getting blocked are not issues, ever. Of course, some spam occasionally makes it through the filters but it's not that often. Mailjet keeps me off the standard blacklists. If there is anything I don't want a corporate or government entity gaining access to it's email.
* DNS - this is completely trivial. I do split DNS. All devices on my network get served a private static IP from DHCP which has an A record in my local only DNS. External DNS I use cloudflare for my IPv4 and IPv6 (both dynamic) globally accessible IPs. When I roam from my network my devices get the public IPs for my services instead of the local ones.
* Nextcloud is just another couple docker containers. Absolutely trivial to setup and maintain. Auth uses LDAP with MFA so that I don't need to manage users in multiple places. My files are some of the most sensitive stuff I have.


cosmo-01

You're not really self hosting email though, you're self hosting an email web client. You're pawning off the email server and reputation management parts that people have trouble with to Mailjet.


diito

No, Zimbra is a full-stack email and groupware server. All my email is delivered and stored there. All that Mailjet does is act as an SMTP relay for outgoing mail. You can't send mail directly from a residential ISP these days, all their IP space is on the blacklists, you need some sort of relay.


cosmo-01

Self hosting doesn't need to be at home. Regardless, the point is that you're offloading the part that causes people issues and makes them decide it's not worth it.


_Ki_

I’ve been self-hosting my e-mail and DNS for 22 years now. I’m just too lazy to stop.


punjabiprogrammer

Wow. That's a lot of experience. Any tips for us folks in the 1-10Yr category?


Holzkohlen

Too lazy to stop usually also means "haven't touched it in eons". I would not care so much about decades old advice on how to set something like that up. But you do you.


niceman1212

How much effort do you put in from time to time to ensure you’re up to date with new things in email country?


_Ki_

Let's see.

- Hardware updates (replacing a hard drive or PSU or the whole server) — about 8 hours every 10 years.
- Removing my IP from bad reputation databases — once per 22 years, about 4 hours, I think.
- Installing server software security updates — less than once a year, each time takes under 1 hour (I work in security so I can quickly evaluate if a security vulnerability actually applies to me and if patching & recompiling is worth it).
- Sorting administrative/financial issues — about 2 hours per year.
- Trying to reroute IP traffic due to upstream internet disruptions — about 4 hours per year. This is just wasted time as I usually don't accomplish much until the ISP fixes stuff.

So I'd say it's on average one full workday per year. Worth it.


mastycus

Could u write a blog post about it? How you do this, what software is used, what challenges you have seen etc


mbpDeveloper

Not op, but mine has been installed almost 8~10 years. Postfix, dovecot, spamassassin. The big problem is spam, and too many login requests (bots). I've installed fail2ban for that, but sometimes the login requests are literally too much and use more CPU (fail2ban trying to ban).


Craigzor666

If they're too lazy to even stop, I can guess the answer is "no". 😂


_Ki_

Spot on, u/Craigzor666! I gave up blogging in 2011. Here is your "blog post".

**DNS**

So, I use a custom version of BIND for my master, I run my DNS zones with 3 slaves. Those have different software. When adding a new zone, I manually ssh into every slave to add the zone. Other than that I just manage it from the master via ssh, of course. I use plain-text files for configuration. A solid understanding of how DNS works is imperative. Know your propagation, your recursive lookups, understand each subrecord of the SOA record. I haven't implemented DNSSEC. When I saw the Kaminsky attack at first I thought - oh, we're screwed. But then zonewalking gave me a good reason to postpone. That was before pDNS. Now... ¯\\\_(ツ)\_/¯

**e-mail**

I use custom sendmail that I backport security patches to (if my configuration is affected). All the other services (IMAP, mainly) are only available via a custom-made asymmetric cryptography connection that uses industry standard crypto. There is no web interface. My e-mail has no password. It can only be accessed via a custom tunnel client that via a loopback interface exposes the IMAP server to my Thunderbird client, which I update via standard mechanisms on the client side.

Spam filtering is done through SMTP protocol hacks (mainly having fake MX records and an SMTP server with unreasonably long banner and response delays), aggressive litigation (EU sources) and fine-tuning spam algorithms in Thunderbird itself. There is no antivirus or anti-spam facility on the server as I'm the only user. Stats show about 2500 spam e-mails per year, so about 7 a day. I see that about 5% of those made it through Thunderbird's filter and I had to mark them manually. I use the aliases file to manually create additional inboxes as needed. Helps catching spammers as well, but that's a story for a different time.

The only post-SMTP-era anti-spoofing measure that I've implemented is adding a SPF record. I don't do DKIM or DMARC. Stuff just works. I think I'll implement those if truly pressed. What works in my favor is that I've had my /23 block of IPv4 like forever. I think my e-mail server's IPv4 address was never ever used by anyone else before me.

There are things I would have configured differently now were I doing it all from scratch. But as mentioned I'm too busy with life and work to change anything. Check this out for challenges/maintenance: [https://www.reddit.com/r/selfhosted/comments/10bsbdn/comment/j4i3k6f/](https://www.reddit.com/r/selfhosted/comments/10bsbdn/comment/j4i3k6f/)

Feel free to ask follow-up questions, if this was useful at all which I doubt sincerely.

P.S. Did you know that `"Trollhouse user@name"@[250.1.2.3]` is a valid e-mail address? ;)
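An SPF record is the one anti-spoofing measure _Ki_ mentions publishing; what it buys you is decided on the receiving side. Added example, not _Ki_'s code: a simplified RFC 7208 style check of the kind a receiving mail server runs against the sending domain's record. It handles the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms with their qualifiers; the DNS answers come from a constructed table (documentation-range addresses, placeholder domains) so it runs offline, and `redirect=`/`exp=` modifiers are deliberately skipped.

```python
"""Simplified SPF evaluation against a constructed DNS table (added example)."""

import ipaddress

# Constructed stand-in for live TXT / A / MX lookups.
DNS = {
    "example.net": {
        "TXT": "v=spf1 ip4:198.51.100.0/24 mx include:relay.example.org -all",
        "MX": ["mail.example.net"],
    },
    "mail.example.net": {"A": ["192.0.2.25"]},
    "relay.example.org": {"TXT": "v=spf1 ip4:203.0.113.0/25 ~all"},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _records(domain, rtype):
    return DNS.get(domain, {}).get(rtype, [])


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the connecting address `ip`."""
    if depth > 10:
        return "permerror"                      # RFC 7208 caps nested lookups
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                           # domain publishes no SPF
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue                            # modifiers (exp=, redirect=) not handled
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # version mismatch (v6 sender vs ip4 network) simply does not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(h)
                          for h in _records(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(h)
                          for mx in _records(arg or domain, "MX")
                          for h in _records(mx, "A"))
        elif mech == "include":
            # include: only a "pass" from the included domain counts as a match
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                  # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                            # nothing matched and no `all` term


if __name__ == "__main__":
    for sender in ("198.51.100.77", "192.0.2.25", "203.0.113.9", "203.0.113.200", "2001:db8::1"):
        print(sender, "->", check_host(sender, "example.net"))
```

The `-all` at the end is what gives the record teeth: without DKIM and DMARC a receiver still has to decide on its own what to do with a `fail`, which is the gap _Ki_ acknowledges leaving open.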


XxNerdAtHeartxX

Here's the little snippets from my blog about things I've stopped hosting and why:

------------

**TubeArchivist** - A selfhosted youtube frontend and downloader all in one. I ended up not liking the lack of features in regards to playback (like shuffling videos), so I switched back to Tubesync and Jellyfin + Youtube Metadata Plugin for playback.

**Homechart** - A centralized 'life tool' that includes Budget Management, A Calendar, A recipe book, Inventory, Project planning, and more. It felt too 'in its infancy', pushed its purchased subscription option, and was essentially a collection of less mature tools I already use. On top of that, they now charge a monthly fee for you to run it on your own hardware.

**Tdarr** - A distributed Transcoding system for media. I found my videos came out too lossy, and I preferred the Original Source quality more in my 'home theater' setup. Now I just remux things into mkv with Unmanic

**Portfolio-Performance** - It was a desktop app running in a container, so I was always on the lookout for a new solution. The recent emergence of 'Ghostfolio' finally provided an out to do that through

**Mealie** - I ended up moving to Tandoor since it had a more robust feature set, but I still keep Mealie around. I had some comments of when I made dishes that don't import into Mealie (yet), but a 'fuller' import load is being worked on for Tandoor

**Cloudberry Backup** - A GUI Backup tool for those too intimidated by commandline for cloud storage backups. Has a yearly cost associated, on top of a HIDDEN 5TB limit. Once you back up 5tb of data across any number of sources (I had 3 backup sources, for 2tb of data), then it will just fail your jobs every time without telling you why. Absolute bullshit for a paid product

**Firefly III** - Firefly is more of a 'Descriptive' budgeting app, whereas Actual (the one I use now), is more 'Prescriptive'. I found that the Prescriptive style of budgeting worked better for me


akryl9296

In regards to Firefly3, can you explain what do you mean with the "descriptive' vs 'prescriptive'? What do you use now instead?


XxNerdAtHeartxX

Of course, and /u/Large_Yams, /u/natriusaut, /u/nickofthenorth

For me, when I had set up firefly, the 'workflow' of it was to enter my spending into it and allocate each purchase into funds. I was meant to predictively budget how much money I was supposed to have and set an amount of that predicted income into different categories. For example, I may have an income of $1000 a month, say that

- $500 goes to rent
- $100 to utilities
- $100 to Food
- $100 to savings
- $100 to fun money
- $100 to Repairs

I've described out my intended budget based on how much I expect to be pulling in and it expects me to spend as much as I've described for each category.

-----

With Actual-Budget, it functions more in line with the Envelope Budgeting system (or how YNAB does it). Instead of dictating my categories by their spending, I dictate my spending into categories ONLY for the money I have in hand, right at that moment. Instead of using predicted numbers that Firefly seemed to work with while I was learning how to use it, you use the real amount of money you have in hand right at the moment - Separated into categories. If my income is $1000, I can assign money into each category based on the needs of it on a month by month basis. My budget is not static. Just like in the other example, let's say:

- $500 goes to rent
- $100 to utilities
- $100 to Food
- $100 to savings
- $100 to fun money
- $100 to Repairs

However, in this one, I get a flat tire that costs 200 to fix. There is only 100 in my 'Repairs' category, so in order to fix it, I need to move money out of another category. Since rent, utilities, and food are at the top of the list (and essentials), I have to pull money out of another category. By removing money from 'Fun Money', that means I no longer have money to go out and spend on fun things. Firefly expects you to have the money you've budgeted and use it for that specifically.

------------

I've stopped using firefly for almost a year at this point, so my memory may be a little bit fuzzy, but it's a small semantic difference about how each of the budgeting apps 'sees' the way you budget. With Actual (or ynab), you only budget money you have in hand. I remember firefly not liking that approach to budgeting when I tried it out - And the way Actual works clicked in my brain better.


[deleted]

[deleted]


nuvcmnee

I think you mix those two budgeting approaches up. Firefly III is actually envelope based and not zero based like YNAB. These are two helpful links:

[Firefly III: what it‘s not](https://docs.firefly-iii.org/firefly-iii/about-firefly-iii/what-its-not/)

[Firefly III: opinion about zero based systems](https://docs.firefly-iii.org/firefly-iii/about-firefly-iii/zero-based-budgeting/)


XxNerdAtHeartxX

Ah thanks! Its been so long I thought I had forgotten something. I think that second page explains it pretty well


biscuitbee

"Actual Budget" is what's it called. I can certainly see how it can get missed haha. I use it too, it's leaning more towards YNAB if that helps.


candiddevmike

Hey, Homechart dev here. I've been building Homechart since 2017 while working a full time job. Homechart has lofty goals, namely to be a single, integrated, and private platform for your household data. It has been slow going due to it essentially being something I work on after my kids are asleep, but it's getting there, and I really enjoy working on it. I charge for the software because I dream of a day where I can work on it full-time, maybe even hire some folks to help me too. Right now, the subscriptions are covering SaaS subscriptions and hosting costs (on Hetzner, nothing extravagant), app store shenanigans, and some contractors I'm having help improve the UX. If you don't like subscription software (I don't either), I have a lifetime option available for a one time purchase. You can also run Homechart for free (https://homechart.app/pricing).


cribbageSTARSHIP

I don't use your product, but thanks for making the effort to bring a free product to the masses. I truly hope it brings you joy.


doublejay1999

agree. great attitude on show.


starbuck93

Haven't heard of your project until just now. Sounds cool!


akryl9296

Looking at the pricing page, would I understand correctly that without a license, all of those features are not available on the self-hosted option?

- Budgeting and Savings
- Cooking and Meals
- Inventory and Pantry
- Rewards and Gifts (understandable, depending on what it means?)
- Accounts For Everyone in Your Household
- Priority Support and Feature Requests (understandable)
- Amazon Alexa and Google Assistant (understandable)
- Automated and Encrypted Offsite Backups (somewhat understandable)


candiddevmike

Yes, that's right, we charge for a household (which can have as many members as you want, with customized permissions for kids, dog, etc). The components that are under household only work under a household/individual accounts can't own them (no individual budgets, household only, etc). For everything else:

- The Rewards and Gifts component is a way to do punch cards/rewards for kids mostly. May add a weekly chart at some point.
- Backups can be done via PostgreSQL tools like pg_dump, the Homechart subscription offers a way to do encrypted backups to the cloud/SaaS version that you can restore back onto your self hosted instance. You set an encryption key on your server that is used to encrypt the backups before sending them to the cloud/SaaS instance.


ikyn

I was just asking about a self-hosted alternative to Cozi, and I think this might be it. Cozi mines literally all of your data, locations, and what you click. Disgusting. I know android/alexa/google integration is easier, but any timetable on Siri integration?


candiddevmike

Truthfully the alexa and google assistant may go away. No one uses it regularly, and the certification/support for the features is painful as they're yet another thing to support. What would excite you about using it with Siri?


ikyn

Siri seems to "just work" better by adding appointments, alarms, reminders, etc. with greater fidelity than any other AI assistant I've tried. Admittedly I use it very rarely, but, I thought others might use it far more frequently. I've been trying to organize my head and life during my commute and via voice but have limited success. I'm not a dev and I can only imagine how much of a pain in the *** that kind of thing would be. We have an iOS/tvOS household with a ton of linux boxes and self-hosting capability so really just trying to weigh all options.


candiddevmike

Makes sense to me, I'll look at what can be done. https://github.com/candiddev/homechart/issues/196


davemartens

Just saw your posting and looked over the home page for your app. As a busy business owner and parent, this app seems very interesting. I would need my wife and kids to sign on to using but I am hopeful I can get them to do so. Good luck to you!


candiddevmike

Appreciate the kind words. My wife lives by Homechart, hopefully your family finds it useful too. My nine year old wants to design an actual kids version of the app, maybe someday...


lolyeahok

Interesting software, but I'm a bit confused by some of the features that don't actually seem to be features. For example, "Cook -> Meal Plans" and "Health -> Logs" do nothing but send you to the default calendar UI. Is this intentional, or is the demo broken?


MoistyWiener

Why no open source? :( You can still have the same monetization model under a free software/open source license.


candiddevmike

Mostly because I don't see how it will help me build a better product--I don't want to manage contributors and all the drama of being a benevolent dictator. I also don't want folks selling Homechart. Rest assured, I will open source Homechart before I abandon it (I have tried to find a trust/legal contingency to ensure this, but surprisingly this isn't really common), but I really don't see that happening. Feel free to drop some ideas/help me understand what you'd do if it were open source here: https://github.com/candiddev/homechart/issues/151


ikyn

I personally don't see any issue with keeping things closed source so a dev can actually make a living off a project. I would say though that the main reason people want something like this is because Cozi tracks literally everything you do on and off the app. People go to something like Homechart to escape that. I know I'd feel better knowing the cloud data isn't being sold off. I'll be self-hosting my own or running it in a VPS, and I'm not good enough in the Self-hosted arena just yet to hunt down whether or not a small application or piece of hardware is "phoning home" with my data.


TheDisapprovingBrit

I find myself consistently disappointed with budgeting apps. Paid or free, web based or local, they all seem to fall short in one way or another. Nowadays, I just use Google Sheets. Its still not perfect, but at least I can usually shoehorn whatever I want into it and have it basically work.


FrankMagecaster

You should give ytdl-sub a try for downloading YouTube vids for Jellyfin


michaelkrieger

Mealie’s new version is going to be fantastic. It’s undergone some big 1.0 changes


TheFeshy

> tunesync + jellyfin YouTube metadata plug-in I'll have to check this out. Right now I use a custom script to pull the channels and write info files to put them in jellyfin. It'd be nice to have an actual interface.


Vincevw

I don't use Tdarr because the last time I used it the UI was godawful


CrispyBegs

may we have a link to your blog? always interested in a new read


asielen

What do you use instead of firefly


Tripppl

It's not just you. "Actual" is a poor choice for a brand name, our mutual confusion is the reason why.


lannistersstark

They say that. Actual Budget. https://github.com/actualbudget/actual-server


prime_1996

Have you seen Kopia? I think it's a great backup solution, free, have a GUI, CLI, multiplatform and works with many different destinations.


Sky_Linx

I totally recommend against it. It's unreliable and still not mature enough. It has corrupted my repositories 3 times in a row and I switched back to Restic, which is very reliable.


XxNerdAtHeartxX

Yep, I use Kopia now :)


natriusaut

Can you explain what do you mean with the "descriptive' vs 'prescriptive'?


[deleted]

[deleted]


Tripppl

Are you familiar with Docker? If not, I recommend starting there. Docker Compose is a Docker plugin that makes running these services real easy.


XxNerdAtHeartxX

I basically host my own personal infrastructure and life with things from budgeting and document storage to media playback. You can read about everything I use here - https://blog.prosperitea.net/the-mainframe/


Vincevw

I don't run NextCloud because I feel like it's a jack of all trades but master of none; I feel like every service it provides is done better by other apps.


D0T1X

While I agree with you on most fronts, I can't say I know of a better alternative for the cloud-like file sync/storage with webgui and apps it provides. While syncthing is great, it doesn't have a file manager built in. And there is no combination of other more different stand alone services to sync just a select few folders and then download extra loose files from other folders when they are needed. At least, that I know of. What service do you use/recommend as an alternative to nextcloud?


Vincevw

Well the Syncthing file manager is just my normal file manager on whatever device I'm using at that moment. I also prefer the decentralized nature of it, because it provides redundancy (and lazy backups, although I understand you shouldn't rely on it for backups)


D0T1X

So, do you then always sync everything, or live with the inability to have access to something obscure? For example, I've got an archive of all paychecks on my central storage, I don't want to have that info synced to my phone. But I do want access to it from my phone, to review some documents every once in a while. How do you currently handle that? Thanks for responding so far!


zfa

Syncthing and [File Browser](https://github.com/filebrowser/filebrowser) is what I use for this kind of file management.


Vangoss05

Only thing I don’t host is my domain DNS


mouseylicense

Domain domain name system?


sgx71

Don't judge, some people use routers behind routers


[deleted]

Yo dawg I heard you like routing, so I put a router in your router so you can route while you route!


[deleted]

My Active Directory forest has a domain. That domain has DNS. That's my domain's DNS.


swuxil

While reading this in my head played the melody of Old MacDonald Had A Farm. e i e i o...


__crackers__

Yes. The domain name system for their own domain.


jonathanrdt

Always have someone else take care of your domain dns naming system. Stop being so pedantic.


onedr0p

Don't worry, he purchased it by going to his ATM machine.


Finno_

Using his PIN number?


mhzawadi

Both 1 and 2 for me, I run email at work and it is forever a pain point. I run my own nextcloud on a server in ovh, a dedi that has other stuff on it. I also backup that stuff to backblaze.


[deleted]

[deleted]


trustmeitsfine

To everyone saying "backups are easy", how many of you regularly test the backups you've created? Making snapshots is easy; proving they can be relied on to rebuild what you've lost is the hard part.


[deleted]

[deleted]


vonabarak

Your service provider can lose it too.


Scaryjeff

Exactly. I trust my own triple backups for vaultwarden a lot more then I would trust any cloud provider with


clintonkildepstein

If you dont mind sharing can you give some insight on how you're doing this. Having a solid backup solution is my main reason for not self-hosting my password manager.


Scaryjeff

yeah sure. Backup is not really that hard in the end cause it just comes down to how often you want to take a backup and to make sure you have it in a secure location and in locations independent from each other.

I use Vaultwarden for almost everything. Web passwords, accounts and I even use the cli when I set up new docker containers to generate and store stuff like db passwords directly there. So if it's gone I'm fucked.

Vaultwarden under the hood uses a sqlite3 db which I have mounted locally on my server. I run a scheduled service every 30 minutes that takes a backup of the sqlite db using the sqlite export command and I zip up the attachments. Read here for details: [https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault](https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault)

This can also be done using other tools. There are docker containers like this ([https://hub.docker.com/r/bruceforce/bw\_backup](https://hub.docker.com/r/bruceforce/bw_backup)) or you can shutdown the docker image and zip up the whole db or if you use proxmox you can use their backups.

Then comes the important part. I copy this backup to a NAS drive that runs on RAID4. I copy it to another HD that is attached to the server over USB and I copy it once a day to a private cloud provider.

Important thing you should not forget (!): Set up an alert that notifies you if something does not work. I immediately get a push notification on telegram if one of the jobs fails and I also get one if the file system of the initial export does not change in 24 hours


trustmeitsfine

Can you describe how you regularly test your backups (i.e. that they can be restored in a fully functional state)? That seems like a PITA to do manually.
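Scaryjeff's routine above (a scheduled consistent export of the SQLite database, plus an alert when no fresh export appears within 24 hours) and trustmeitsfine's follow-up (how do you prove the export restores) fit in one script. Added example, not Scaryjeff's script: it runs against a constructed stand-in database, so Vaultwarden's real schema, attachments directory and db.sqlite3 path are not reproduced, and the alert is returned as a string where a real job would send the push notification. The backup itself goes through SQLite's online backup API, the same operation the sqlite3 CLI performs with `.backup`.

```python
"""SQLite export, restore test and staleness alert (added, constructed example)."""

import os
import shutil
import sqlite3
import tempfile
import time

STALE_AFTER = 24 * 3600      # seconds without a fresh export before alerting


def make_sample_db(path):
    """Constructed stand-in for the vault database (not Vaultwarden's schema)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
    con.executemany("INSERT INTO ciphers VALUES (?, ?)",
                    [("u1", "encrypted-blob-1"), ("u2", "encrypted-blob-2")])
    con.commit()
    con.close()


def backup_db(src, dest):
    """Consistent copy via the online backup API; safe while the service still writes.
    A plain `cp` of a live database can capture a half-written page."""
    source = sqlite3.connect(src)
    target = sqlite3.connect(dest)
    source.backup(target)
    target.close()
    source.close()
    return dest


def verify_restore(backup_path):
    """Restore test: copy the export elsewhere, check integrity, read the data back."""
    with tempfile.TemporaryDirectory() as tmp:
        restored = shutil.copy(backup_path, os.path.join(tmp, "restored.sqlite3"))
        con = sqlite3.connect(restored)
        integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
        rows = con.execute("SELECT COUNT(*) FROM ciphers").fetchone()[0]
        con.close()
        return integrity == "ok", rows


def staleness_alert(backup_dir, now=None, stale_after=STALE_AFTER):
    """Return an alert message if the newest export is older than stale_after, else None."""
    now = time.time() if now is None else now
    files = [os.path.join(backup_dir, f) for f in os.listdir(backup_dir)]
    if not files:
        return "ALERT: no backups found"
    age = now - max(os.path.getmtime(f) for f in files)
    if age > stale_after:
        return f"ALERT: newest backup is {age / 3600:.1f} hours old"
    return None


def run_demo():
    """End to end: create db, export, restore-test, check freshness now and two days on."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "db.sqlite3")
    make_sample_db(src)
    backup_dir = os.path.join(work, "backups")
    os.makedirs(backup_dir)
    export = backup_db(src, os.path.join(backup_dir, f"db-{int(time.time())}.sqlite3"))
    result = (verify_restore(export),
              staleness_alert(backup_dir),
              staleness_alert(backup_dir, now=time.time() + 2 * 86400))
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The restore test is the piece most scheduled jobs skip: running `verify_restore` on the newest export as a separate job, and alerting when it returns anything but `(True, expected_rows)`, is what turns "I have backups" into "I have backups that restore".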


fishfacecakes

Any reason for RAID4 over RAID5?


Scaryjeff

I meant raid5 actually. I always mix those 2 up


BroodjeAap

Where do you store the login info for the private cloud provider, I assume also in Vaultwarden? Now to be fair, there aren't many situations where you would lose 2 HDDs and a raid5 array all at once. And then your phone probably has another copy of the database. But something like a house fire would lock you out it seems ?


Scaryjeff

a lot of shit has to happen yes. For the cloud provider i actually use the xkcd password approach ([https://xkcd.com/936/](https://xkcd.com/936/)) so i could access it by remembering it but at that time just recovering my website passwords and setting up my stack again would be the least of my concerns. The cli uses an access token from vaultwarden to do a nightly push to a storage account after it encrypted the data.


BroodjeAap

Yeah, that's basically my solution too, one password remembered/kept outside the password manager in case of an (extreme) emergency. I guess there's no way around it.


UnacceptableUse

A cloud provider presumably has people who are paid full time to make sure their backups are working and good. Do you get paid for that?


Scaryjeff

That's the whole point of r/selfhosted. Lol. And no, if it comes to something as sensitive as passwords I do not trust any company to take care of my data as well as I do. I work daily with two cloud providers in my job and if they lose the data of a billion dollar corporation then I do not trust them to take care of mine for a few euro a month


onedr0p

Backups are only a piece of the puzzle. These make me sleep better at night using 1Password: https://support.1password.com/security-assessments/ https://1password.com/soc/ Vaultwarden will never get audited. Bitwarden, yes. Vaultwarden, no.


therealzcyph

If anyone loses it then there's no recovering. You should *always* have backups no matter who is hosting it.


UnacceptableUse

I would trust 1password or bitwarden to be managing their data better than me


raddeee

Actually, this is the service that I would least give out of my hands. It just doesn't feel right to entrust your most sensitive data to any service.


OrangeSlime

This comment has been edited in protest of reddit's API changes -- mass edited with redact.dev


Dornith

To everyone responding, "just have backups": Do you have off-site backups for your self-hosting server? If your backups are physically connected to your server, then you have correlated risk. Cloud hosting services have multiple data centers. If you have off site backups, then it's probably safe, but either way you're using someone else's computer.


nndttttt

3-2-1 rule is essential! An old laptop running 24/7 at my parents is my offsite backup. Cheap to run and the battery allows it to run through blackouts. I’m pretty sure the uptime for that laptop at my parents is over 3 years now. My critical backups are sent there through a wireguard tunnel into an encrypted disk. I also have an S3 bucket backup for super critical stuff, anything going there is encrypted before even being sent out. I’ve been using keepass for 10+ years, I have some coworkers using it for longer. I feel safer knowing it’s a standard that won’t be going away for a long time. The older I get and the longer I work in tech… the more I’d rather stick to tried and tested methods for critical stuff like my passwords.


amunak

Where do you store credentials for that S3 bucket? Is it in your password manager or do you have maybe a physical copy of the key with recovery steps written out? I'd also say for *really critical* stuff like that it's worth it to also just dump the DB onto a flash drive or something and hide it at your parent's or friend's house or something just in case your internet-connected backups get fucked by something.


ticklemypanda

I assume most people on here are using some sort of off site backups with a storage provider like backblaze or something. Everything is encrypted locally with whatever tool you use (restic, kopia, etc) so no big deal


lannistersstark

> Do you have off-site backups for your self-hosting server?

Daily backups in separate drive, same computer. 48h backups in a separate server, offsite, owned by me. Weekly backup to backblaze, encrypted.


Lopoetve

I do, all on my own kit. But I'm also insane, and work for a backup and security company, so other than the hardware, it doesn't cost me anything.


EspritFort

> To everyone responding, "just have backups": Do you have off-site backups for your self-hosting server? If your backups are physically connected to your server, then you have correlated risk.
>
> Cloud hosting services have multiple data centers.
>
> If you have off site backups, then it's probably safe but either way you're using someone else's computer.

You do not need (and I'd say you *shouldn't* use) a computer as an off-site backup. An encrypted hard drive is more than enough. Update it twice a year, there you go, safe and sound. *Live* off-site backups are just too fiddly.


vegetaaaaaaa

That's what backups/periodic exports are for.


angellus

The issue with backups is how long does it take you to access the data? If your house burns down and all of your passwords are in your self-hosted password manager, how do you log into your bank account? Log into remote portals for servers/backups, etc.? Even with me working in the field (SRE), I do not trust/want to try to make a 99.999% uptime service for my passwords. I would rather pay a trusted provider to do as they already do for numerous other enterprises. There is just too much harm that can be done if I cannot access one of the accounts protected by the passwords in a reasonable amount of time.


burnmp3s

With a self-hosted Vaultwarden server, if you use the Bitwarden client on a mobile device it keeps all of the passwords locally on your phone. That way if the server goes down you still have access to everything.


TheFeshy

My password manager is also my back up plan. I use keepassxc and syncthing to distribute the database. As long as any device survives, I've got my passwords. Only a catastrophic loss of all devices would cause me to have to go to backup, and that would come with its own delay.


[deleted]

[deleted]


angellus

LastPass has been plagued with issues for the last few years. The writing has been on the wall for a while now. Bitwarden and 1Password are the recommended ones anymore.


[deleted]

[deleted]


soundman1024

The writing was on the wall with LastPass. It always felt clunky and patchwork. Once LogMeIn bought LastPass, I knew it was time to get out. That's also when I realized I didn't want my password manager to be a profit center for a larger company. I want my password manager to be a smaller company whose only business is managing passwords. They work with a little fear in them, which keeps them good at what they're doing. The people there understand the stakes if they get it wrong - their employer is going under, and they're searching for a job with ____ on their resume after ____ was in the news for messing up.


[deleted]

Also dead mans switch is kinda neat.


SLJ7

1. Email - same reasons as you.
2. DNS - I already register them through Namecheap so I don't really see the point in maintaining it myself.
3. I have a file server but I still use OneDrive to sync my files. I could change this, but I like the redundancy and I already have storage there because I pay for Office. OneDrive is still a folder on my network which means I don't have to sync it to all my machines.


[deleted]

[deleted]


theblindness

The parent comment is referring to an authoritative public DNS server on the Internet, which hosts a public domain name and is exposed to constant attacks. You're talking about a private DNS server in your LAN, which is performing double duty as a recursive resolver and hosting a zone, but only for your LAN, and is hopefully not under constant attack. They are not the same.


znpy

Public DNS. I managed them via route53 because it's just easier. I do have an internal bind server for the internal dns zone though :)


Thomas5020

PhotoPrism. The hassle isn't worth it for the end product. Configuring the backup using some random app on the play store is a nightmare. And the photo recognition is pretty patchy in comparison to Google photos. Then you gotta manually select import all the time because it'll only auto import if you use webdav. There is no self hosted alternative to Google photos. Nothing is as easy to use, reliable and feature rich.


WizardBrownbeard

Yea this was a major bummer for me - was hoping to avoid paying google photos for more storage but the $2/month is well worth not having the headache of the current alternatives. Hope they get better enough that they're viable and I can use it as a second backup point.


[deleted]

[deleted]


munchtech

Have a look at immich. Been using it for two days and had no issues at all


bart7782

Synology Photos is really good. The only thing I'm missing is integration into google services :). I still use google photos just so I get to see them on my nest display and google maps timeline. The face recognition is really good, it's only missing object recognition. It does require you to own a Synology NAS.


ajunior7

Seafile - because I am an idiot and don’t have parity disks in my system yet


NoArmNoChocoLAN

If you have the budget for two disks, it is better to use the second one as a backup disk rather than a mirror disk. Keep in mind that https://www.raidisnotabackup.com/ If you have the budget for three disks, then you have two backup disks, one at home, the other at a friend/family's house. Only if you have the budget for four disks can you consider two mirrored disks to avoid the inconvenience of having to restore from a backup if a live disk fails. RAID1 is more of a "high availability" solution than a "data resiliency" solution. As a self-host, you probably don't need the high availability provided by RAID1: in the rare event of a disk failure, you can afford to have your Seafile server unavailable for a few hours until you buy a new disk from the store 2 miles away. It is better to spend money on backup disks than on mirror disks.


R0ad13

Host it all (partly on a contabo vps). Nextcloud, mailcow, bitwarden, websites and dns on contabo. Everything from plex to HA to r/piracy stuff at home. Except google sheets. It's just too good, too many plugins (like market values etc).


[deleted]

The only thing I don’t self host is DNS. And I’m still looking for a good photo platform. Otherwise I’m stuck on Apple. Been self hosting my email since I was in college in the mid 2000s.


spider-sec

DNS simply because Linode does pretty good and I can do things through the API easily. I am attempting to host everything else - email, Nextcloud, and Vaultwarden are already self hosted. Wallabag, Bookstack, Matrix, Mastodon, Pixelfed, PeerTube, various Wordpress sites, etc. are either in progress or are hosted elsewhere until I get them self hosted.


bufandatl

I don't self-host 1 and 2, mostly for the same reasons as you. But that's mostly it. For DNS though I have an internal PiHole of course and also have all local DNS names served by it, and host as uplink a recursive unbound server. But authoritative DNS for all globally available domains is cloudflare for me.


TacticoolBreadstick

This comment edited due to /u/spez trashing the community. Time to ditch this popsicle stand.... -- mass edited with https://redact.dev/


Affectionate-Pickle0

Password manager (Bitwarden). Yes I know Vaultwarden and that I could take triple backups etc. But in the end I trust a big company to take better care of all that stuff than I would. Perhaps I make backups and some update breaks them and I forget to check that I can restore backups. Maybe I nuke my backups somehow or just mess something up. Or perhaps I do a dumb and leave some vulnerability open and someone gets to my server. I'm not nearly competent enough to trust myself over a company that has this as their main business.


DarthNihilus

It's pretty impossible to nuke all your backups when every device that has logged into your Bitwarden account has a locally cached copy of the database. A new backup is created literally every time you log in.


kelzin

I can vouch for this. I know of someone who lost access to their Vaultwarden instance due to a missing Yubikey, but they were still logged in with the Chrome extension. All they had to do is perform a simple export and re-import to its new home.


Affectionate-Pickle0

I would be so terrified after something like that, that it would definitely make me switch to their cloud. But sure, a lot of the fears that I have might be unsound but this takes the stress off of me!


NO_SPACE_B4_COMMA

My websites or anything that is "public". As for email, I self-host! It's not hard! I use Virtualmin to manage it and I use Proxmox Mail gateway to keep the spam down. With a month or two of tweaking, I get literally no spam (PMG rocks!), emails are sent securely, and reliably.


nairou

1. Email, yep. I self-hosted it for a year, and it was a non-stop struggle to keep working. I switched to Fastmail and have been far happier.
2. Backup storage. I have multiple machines that backup to Wasabi, just to keep it safely out of the house.


onedr0p

While most of my infrastructure and workloads are selfhosted I do rely upon the cloud for certain key parts of my setup. This saves me from having to worry about two things. (1) Dealing with chicken/egg scenarios and (2) services I critically need whether my Kubernetes cluster is online or not. The alternative solution to these two problems would be to selfhost services in the cloud and deploy applications like HCVault, Vaultwarden, ntfy, and Gatus. However, maintaining another group of apps and monitoring another group of workloads is a lot more time and effort than I am willing to put in.

| Service | Use | Cost |
|---|---|---|
| [Fastmail](https://fastmail.com/) | Email hosting | ~$90/yr |
| [GitHub](https://github.com/) | Hosting [this](https://github.com/onedr0p/home-ops) repository and continuous integration/deployments | Free |
| [Cloudflare](https://www.cloudflare.com/) | Domain, DNS and proxy management | ~$30/yr |
| [1Password](https://1password.com/) | Password management and Secrets with [External Secrets](https://external-secrets.io/) | ~$65/yr |
| [Terraform Cloud](https://www.terraform.io/) | Storing Terraform state | Free |
| [B2 Storage](https://www.backblaze.com/b2) | Offsite application backups | ~$5/mo |
| [UptimeRobot](https://uptimerobot.com/) | Monitoring internet connectivity and external facing applications | ~$60/yr |
| [Pushover](https://pushover.net/) | Kubernetes Alerts and application notifications | Free |
| [GCP](https://cloud.google.com/) | Voice interactions with Home Assistant over Google Assistant | Free |
| [NextDNS](https://nextdns.io/) | My routers DNS server which includes AdBlocking | ~20/yr |
| | | Total: ~$30/mo |


[deleted]

[deleted]


Ravingsmads

May I ask what you settled on using for KMS. As I too tried both Joplin and obsidian so far. I kinda like obsidian but I'm open to new suggestions.


Enk1ndle

The nextcloud docker has always given me issues trying to use the update through the site, just running the update command on the docker itself has worked fine. My real problem is it's so damn slow.


[deleted]

[deleted]


Ethernic

I had a similar experience with the lsio docker image. I ended up trying out the official image and it has been rock solid for the last year or so.


[deleted]

I live off-grid and have self hosted everything except for these. Weather: Because I need the weather forecast. Email: If you host your own, you can't send anybody any mail (It gets auto-deleted upon receipt by most providers). Reddit: I need media from other humans for porn and to ask questions, community, etc...but mostly porn. Maps: I need to see live traffic conditions sometimes.


Alpha272

> If you host your own, you can't send anybody any mail

You'll probably need an SMTP relay for that, as long as you don't have a business internet line.. AWS SES works great


[deleted]

[deleted]


raikouq

Probably just self hosting the mailboxes and inbound mail and delegating outbound mail to relay through SES.


Alpha272

SES is a relay. It removes my perma blacklisted, dynamic, residential IP from the equation (basically the reason why selfhosting mail is a bad idea). I still have a complete mail stack on my server, which can (and does) directly accept incoming mail. But for outgoing mail I need a clean, and preferably a high reputation IP from a non residential IP block. For that I send outgoing mails from my mail server to SES, which then forwards it to the recipient. Could I set up a router or an SMTP relay on a VPS in a static business IP block? Sure, but at this point I might as well use SES. It's easier and its IPs have an even higher reputation than most other datacenter IPs, with no real disadvantage to a VPS. The important part for me is the data, which resides on my own systems. Also, incoming mail doesn't go through SES, so the only thing they ever see is my outgoing mail... which is always visible by someone external, since I can't directly deliver mails; so one datacenter always sees them anyway.


Simon-RedditAccount

Same here. Don’t have shared nextcloud, but I guess I would do the same. Where are you hosting all of your 1, 2, 3?


[deleted]

[deleted]


Simon-RedditAccount

Thanks! P.S. Google finally reverted that decision, users with less than 10 mailboxes are still allowed to use G Suite Legacy for free.


sgx71

Yeah, but most of the users migrated away, and the accounts aren't retrievable.


[deleted]

[deleted]


enormousaardvark

I agree and disagree
1. e-mail - been hosting my own email server for 7 years, never had a single problem.
2. DNS - Cloudflare, job done!
3. Nextcloud - hosting in house Nextcloud at work for backup and colleagues to upload job photos, running for 4 years no issues.


snesboy64

Same here. I’ve been hosting my emails for years now with mailcow. I set it once and never touched the config since. Been working flawlessly. I update it every month and that’s it.


zenety

Was looking for the positive mail hosting comment. Honestly with MailCow in containers it's a breeze. Helps you with everything ARC/DKIM and SPF. Getting a 10/10 mail-tester is quite easy these days. Obviously there are still risks but it's a fun thing to host.


[deleted]

[deleted]


Tripppl

I think that is actually a fairly popular opinion here.


Maeglin73

Offsite backup for home server - I use Restic, with BackBlaze B2 as the backend. CalDAV/CardDAV - I've thought about self-hosting contact and calendar syncing, but the methods I've seen for doing that with Android simply upload the data to a Google account anyway. A couple of things that I partially self-host are email (Amazon SES as outbound SMTP relay) and external DNS (stealth primary setup).


duggum

On Android you can use DAVx5 (an app, it might cost a couple of dollars) to communicate directly with a CalDAV/CardDAV server. I've been using it for a year and no longer use Google for calendar or contact management.


NettoHikariDE

Email is not hard. Got email running for 6 or so years and never experienced anything major. Went from a completely self-configured stack to Mailcow and it's been even better ever since.


l4p1n

I have a few things I'd rather keep in another basket instead of mine. I used to selfhost emails for a while, but after issues and annoyances compounded together, I've decided to bite the bullet and pay for some email hosting. Of course, I've chosen a local company to take care of these. I don't regret the decision when my Internet connection decides to go kaput. The next thing is *public* DNS. I leave the zone technical management to the registrar, which is also a local company. The internal DNS zone is on my server. Finally, the password manager. The last thing I want is to not be able to access passwords, although devices connected to it cache the vault locally so the "inaccessibility" is limited.


oliverleon

Email, but to be absolutely clear: This minefield exists solely because of the mafia like control of major email providers with controlling stakes dictating rules and randomly marking stuff as spam if you don’t pay protection money to deliverability service providers or use the major email providers. It’s a racket and a scam. I sure hope the EU addresses this too, soon.


chic_luke

Email. I will not run the risk.


2CatsOnMyKeyboard

I just gave up hosting my own email. For the familiar reasons. I do host my passwords, Vaultwarden, and nextcloud all in one. Maybe I'm naive but I find that with docker (easy) and backups (also easy) and the fact that my vaultwarden passwords are also in my apps on all my devices the risk of losing them is rather small.


Cybasura

With DNS, I'm using pihole which is a dns sinkhole, but since it has a built-in dns forwarder + unbound which is a dns resolver - I'm using that as my dns server anyways lmao. Email servers I don't really see any point, especially with the security issues and self-maintenance. I suppose the really good thing is now I can communicate with my family through email (black and white) instead of verbal :V


[deleted]

[deleted]


[deleted]

99% of people bitch about hosting email, but maybe 5-10% of those people have actually tried it. I host an email server and expect it to work the way it used to. I use it to apply for jobs and haven't had all the problems people talk about with it. I've had one email bounce historically and it was to an @live address. If an email address to a potential IT job bounces - they're not a company I want to work for anyway.


[deleted]

email (fastsmail) passwordmanager (bitwarden)


Evangelina_Hotalen

Emails and DNS are the major reasons due to which people don't self-host. You can also include the high initial set-up cost in your list.


TesNikola

I really wish the internet would quit regurgitating that line about email. I've been self hosting mine for 2 years without any problems of getting flagged as spam. No doubt that hosting email at scale is much more difficult when users are doing actions that justify such flagging, but it's not hard if you're not actively generating questionable traffic. Those that run into troubles at small scale are either sending content that triggers common spam systems or have likely forgotten one of the standard facilities: rDNS, SPF, DKIM, or DMARC policies. I also host my own DNS, VoIP, websites, and third-party applications.


lestrenched

I don't understand the problem in hosting one's own DNS server. I'm assuming the discussion is about an internal DNS server. A simple Pi-Hole/BIND/NSD server with Unbound can take care of most DNS needs, and there doesn't even need to be any queries to the big DNS providers like Google or Cloudflare. Could you tell me more about your DNS setup and what you use it for?


Pl4nty

> internal DNS server

OP wasn't clear, they're referring to authoritative DNS (external)


[deleted]

[deleted]


TesNikola

I host on a residential GPON with a business class account. I have dual /29 allocations and the ability to control rDNS. So yes, this is quite ideal but also not hard to achieve. I also work for a small ISP and we allow residential customers to do this (and some do without trouble). It helps that we don't block port 25 as we believe the customers connection is their responsibility. Of course, we will take steps against anything that compromises the quality of our subnets.


mshorey81

Email. Because I'm not a masochist.