this post was submitted on 29 Jan 2024
48 points (98.0% liked)

Selfhosted


Hello peoples,

I am looking for tips on how to make my self-hosted setup as safe as possible.

Some background: I started self-hosting some services about a year ago, using an old Lenovo thin client. It's plenty powerful for what I'm asking it to do, and it's not too loud. Hardware-wise I am not expecting to change things up any time soon.

I am not expecting anyone to take the time to baby me through the process, I will be more than happy with some links to good articles and the like. My main problem is that there's so much information out there, I just don't know where to start or what to trust.

Anyways, thank you for reading.

N

[–] [email protected] 2 points 9 months ago (3 children)

Software:

  • firewall, no inbound and do outbound restrictions
  • use immutable OS
  • full disk encryption (keep in mind that in many setups you will need to be beside the computer after restart)

Hardware:

  • put it in the trusted datacenter (home stuff is not safe from teenagers and people that need computer's electrical socket for a vacuum cleaner)
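
A minimal nftables ruleset matching the "no inbound, restrict outbound" item above. This is an added example, not part of the comment or written by its author; the allowed egress ports (DHCP, DNS, NTP, HTTP/HTTPS) are assumptions and should be adjusted to what the host actually needs.

```nftables
#!/usr/sbin/nft -f
# Added example (assumed port list): default-deny in both directions.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened itself
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP/ICMPv6 for path MTU discovery and IPv6 neighbour discovery
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # No rule accepts new inbound TCP/UDP: nothing listens to the network
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif "lo" accept
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Assumed egress allow-list
        udp sport 68 udp dport 67 accept    # DHCP client
        udp dport { 53, 123 } accept        # DNS, NTP
        tcp dport { 53, 80, 443 } accept    # DNS over TCP, HTTP(S) for updates

        # Anything else is counted and logged before the drop policy applies
        counter log prefix "egress-drop: "
    }
}
```

Check the file with `nft -c -f <file>` before loading it, and load it from a local console, since these rules also block inbound SSH.
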
[–] [email protected] -2 points 9 months ago* (last edited 9 months ago) (2 children)

use immutable OS

Just no.

Immutable distros are all about making things that were easy into complex, “locked down”, “inflexible”, bullshit to justify jobs and paid tech stacks and a soon to be released property solution.

Security isn’t even a valid argument for immutable distros because we had Ansible, containers, ZFS and BTRFS that provided all the required immutability needed already, but someone decided that it is time to transform proven development techniques in the hopes of eventually selling some orchestration and/or other proprietary repository / platform / BS like Docker / Kubernetes does.

“Oh but there are truly open-source immutable distros” … true, but this hype is much like Docker and it will invariably and inevitably lead people down a path that will then require some proprietary solution or dependency somewhere that is only required because the “new” technology itself alone doesn’t deliver as others did in the past. As with CentOS’s fiasco or Docker it doesn’t really matter if there are truly open-source and open ecosystems of immutable distributions because in the end people/companies will pick the proprietary / closed option just because “it’s easier to use” or some other specific thing that will be good on the short term and very bad on the long term. This happened with CentOS vs Debian, is currently unfolding with Docker vs LXC/RKT, and will happen with Ubuntu vs Debian for all those who moved from CentOS to Ubuntu.

We had good examples of immutable distributions and architectures before this new hype. We've been using MIPS routers and/or IoT devices that are usually immutable and there are also reasons why people are moving away from those towards more mutable ARM architectures.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

Dude... It's the hundredth time you've posted this copypasta.
Image-based OSs aren't locked down and also don't depend on proprietary services.

You can just read my post I made about immutable systems, maybe we can discuss it there.

But, I wouldn't choose an image-based OS right now either for servers. At least not yet.
I'm just afraid about compatibility, because many installers and services might rely on access to the root file system for now. Debian is right now the best choice as server OS, but that might change in the future.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

Image-based OSs aren’t locked down and also don’t depend on proprietary services.

I'm sure we've been over this. It's just a question of time until those solutions become unmanageable at scale and for the more professional users and then a magic proprietary solution that fixes it all will appear. Exactly the same that happened with Docker/DockerHub/Kubernetes.

I’m just afraid about compatibility, because many installers and services might rely on access to the root file system for now. Debian is right now the best choice as server OS, but that might change in the future.

Use BTRFS/ZFS snapshots to roll back if anything breaks. Either way you can use LXD/LXC as containers to run your stuff that are easy to set up and will resolve the root filesystem issue.