• 3 Posts
  • 73 Comments
Joined 10M ago
Cake day: Jun 12, 2023


I think he is saying that his physical attack surface is very small since he is remote, so maybe he doesn’t bother?

Either way, encrypting drives is simply always good if you ever resell the computer or upgrade drives.


The only problem there is that, at least a while ago, you will get duplicate images between the external library and your app upload.


Maybe that is a new android thing or a Samsung thing? That phrase doesn’t show up in my settings.

2 years ago, my mother and I tested it extensively when I moved trying all of the “allowing app” settings combined with starred people and it never worked for whatsapp, only stock dialer and texts.


True, but if you are not from America, many many people use VOIP calling on apps like WhatsApp to call.

DnD priority overrides don’t work for that.


A new 12 TB drive is literally 300€ now.

I don’t think it was EVER 100€ for a 12TB, certainly not helium filled. Prices during covid went up, but not even near 3x for hard drives.


Can’t be hit by new backdoors when your packages haven’t had updates for years 😉

In all seriousness Debian makes solid choices that make everything as low maintenance as it can get for self hosting.

For someone who recently lost a bunch of their free time, that is amazing to not have to mess with stuff.


If you go for WD red plus 12TB drives, they are helium filled and less noisy even than the 8TB air versions.

I have one and it is silent when not tracking, but all hard drives have some seeking noise. Mostly because it is irregular so human ears pick it up more than white fan or spinning noise.

Best idea for absolute noise reduction in the same room is getting a good closed case, reinforcing with some foam panels with a direct air path that you can direct through a cupboard cutout for example.

What you are looking for is high capacity SSDs in this situation, but that is pricey.


About 90 Mbps down and 31 Mbps up. Sometimes they dip though.

We will be getting fiber soon™ (probably 5 years of so)

On the bright side, 2 phones with 10GB data + data is 70€ per month and 60 of it is pre-tax payments. So in reality, probably more like 40€ per month.


OIDC does indeed work fine too.

I use it on nextcloud and immich and a few others.

You will be much more hard pressed to find apps that support SSO and oidc than oidc that authelia is broken on.


This is standard, but often unwanted, behavior of docker.

Docker creates a bunch of chain rules, but IIRC, doesn’t modify actual incoming rules (at least it doesn’t for me) it just will make a chain rule for every internal docker network item to make sure all of the services can contact each other.

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add firewall rules for a new container.

Option to disable this behavior would be 100x better than current, but what do I know lol


I have. I use it for all of my home projects

Kanban, Gantt charts, milestones, idea collections, file uploading, retrospectives, time tracking, documentation, etc… all supported with the selfhosted version.

These are the “premium” features:

  • Custom fields
  • Pomodoro timer
  • Whiteboard
  • Program plans (I really don’t understand what is different about this than goals + milestones + documentation + tasks)
  • Strategies (pretty much just collecting and categorizing goals it seems)

https://i.imgur.com/T6bSIhK.png

I hope they don’t remove features and make people pay for them. It has plenty of features to make it useful now, but if they start removing them, then I think I will have to find another solution.


The problem is that for most self-hosters, they would be working and unavailable to do a graceful shutdown in any case even if they had a UPS unless they work fully from home with 0 meetings. If they are sleeping or at work, (>70% of the day for many or most) then it is useless without graceful shutdown scripts.

I just don’t worry about it and go through the 10 minute startup and verification process if anything happens. Easier to use an uptime monitor like uptimekuma and log checker like dozzle for all of your services available locally and remotely and see if anything failed to come back up.


I think if you pay them like 80€ per year or something.


Hey man, that is what I used it for, but with the Belgian government! Great piece of software though!


Intel Arc GPU. Had to enable a few modules, reboot, debug, follow the jellyfin docs for writing to some configs, reboot, didn’t work. Follow the error messages which are pretty much useless, get pointed to stuff that isn’t relevant. Finally someone on a forum had a good reply where they told me I have to download the entire linux proprietary firmware directory, extract the i915 folder from it, and plop it in my firmware folder and reboot. Then everything loaded and hwacceleration worked.


Hard agree. I love jellyfin and use it exclusively, but getting hardware acceleration working is a mess, the movie and show selection UI is really written by a developer and is very basic and 2010ish.

Android apps like Findroid really improve this, but the webUI and androidTV/chromecast UI really need an overhaul.


  • Ryzen 2700X on a gigabyte B450i

  • Arc A380

  • 2 mirrored 4TB HDDs and 1 12 TB HDD, luks encrypted and on 2 zpools (I have an “unsafe” mount path for data on a single drive like media)

  • removable flash drive with boot partition and main SSD keyfile

  • Zwave dongle

That’s it.

I can run everything I need to on it and my home internet is only 100/30 still because I don’t live in a city, so 2.5gig networking isn’t worth the cost. a380 does all of the hardware transcoding I need at a fairly low power. It isn’t as good as just getting a newer NUC, but it was cheaper and a fun project.

Also doing a full renovation, so KNX will be connected for home assistant to control my lights and things and my smart home stuff will probably balloon.


For sure, but the point is that it isn’t integrated into homeassistant.

For many people, they want to do everything from homeassistant. You can always have kludged together solutions. I edit my configs with VIM and backup to my central backup location via an automation. However, this is doing things outside of homeassistant that many people find inconvenient.


  • No backup solutions besides manual backing up and then setting up baremetal backing up

  • no configuration editor

  • HACS works, but no custom addons

  • manual configuration of esphome/nodered/mosquitto (I prefer this though)

I prefer docker because it is comfortable for me and I run all my services on one server, but it is indeed a bit less easy.


Though for the actual password selfhosting part of it, that is too much for my blood. Much higher chance that I would seriously fuck something up and lose access to hundreds of services than the remote bitwarden server gets compromised or becomes too shitty to use.


I have that setup. The entire front page of Chromecast is baked-in advertising with a small row of your apps and pihole with a good list still doesn’t get rid of them, sadly.

Chromecast is built for and of ads. That being said, it definitely does “just work”. Jellyfin + Chromecast is a great streaming experience. I don’t have to deal with skipping and stuttering like on the android app.


I use a similar setup, but use a USB for my boot drive that has the lvs partition encryption keyfile. I find it much handier since my computer is not near my server. I can boot and then walk upstairs and it is ready, and remove the USB later.

Then there is no way to brute force the decryption or get a password out of me. Also, when the USB is removed and put in a safe place, there is no way to modify the boot partition or UEFI either.

Then I have a password encryption on my data harddrives that I don’t know the password to, but is on my password manager.

The thing about being paranoid about this stuff is that I probably focused on the wrong thing. A smash & grab is completely protected against, but that is like a 0.1% chance anyway and a 0.1% chance on top of that 0.1% chance that it would be targeted enough that they would even try to decrypt it.

Full disk encryption is really only useful at all for an unpowered system. Network hardening will probably take care of 99.99% of attack attempts where encryption is 0.01%.

Even for a laptop, if it gets stolen in public, it is still running and can have the keys extracted or break into the running system if someone really wants to hack it. They wouldn’t even try to reboot and break the disk encryption probably…

Too much info, but I guess I am just rambling about how dumb my approach probably is 😅


Right now, most services are running via traefik with authelia over it. I haven’t done the work of making traefik able to route from local ip addresses without the hostname and I have no idea if my ISP router does NAT hairpinning.

Some services I have only or also local without traefik or authelia, depending on the service.

In this case immich is running completely through the reverse proxy, through a cloudflare proxy with whitelisted IPs.


Runs through my reverse proxy, so technically yes? The photos are indeed on the server through syncthing


[Immich] What is the “proper” way to navigate migration from another service (all photos are already on the server)
I got immich with SSO up and running. It runs like a dream compared to Photoprism and is simple enough for me, but also has necessary features like user accounts. There is one thing I couldn't find in the docs: I already have a library of 5000 photos and 150 videos on my server that sync to my phone with Syncthing to 4 different directories (one for each phone I took the photos on) in Immich. Right now I have that directory as an external library, but I don't think this is the "right way."

My goal:

  • No duplicates between phone app and desktop app
  • Don't have to re-upload every image from my phone as my network is 100/30 mbps
  • Am able to manage my photos from the Immich app and web app (deleting photos that will propagate between devices)

Can I just map the "Upload" folder to that syncthing photo base folder and get parity between my phone and my server? Or do I have to re-upload everything from my phone? Or am I waiting for a feature that doesn't quite exist yet? I noticed some feature discussions about photo hashing and de-duplication. I tried asking in a discussion on the repo, but nobody answers those much.

No, pricing is the side of Apple’s business that is absolute shit. If you look at the PCBs, they are usually very well designed with proper shielding, high-quality components, and good layout. Apple Silicon is one of the world’s best silicon design orgs.

Most of what you describe is quite literally their business and aesthetic design choices that have little or nothing to do with the hardware. I agree that all of those are shit and that’s why I would never buy it. The only bad hardware they have are marketing/business choices (i.e. no sd card to sell higher NVM models, lightning to vendor-lock customers, dongle hell to sell more dongles, etc…)

Though indeed the dongle situation is really fucking stupid also.


Apple legitimately makes super solid hardware. Their Apple watch heart rate accuracy is second only to chest straps and has a ton of very useful features. It is pretty much the best as far as integration, a “health watch” and haptics.

Their phones and laptops have some beautiful hardware design too.

Their business side just sucks donkey cock is all. But google is just as bad as Apple so potato potahto. Nobody should fanboy when every choice is shit lol


Tried it, much more… tuned… than jellyfin in this specific area haha. It can grab thumbnails, covers, etc… and do a lot of preview generation. It is quite sophisticated surprisingly!


That is not feasible for many/most people.

Upload speeds of the average person make general internet use while connected to a home VPN much worse. For example, my mobile network is at least 10x faster than my home network upload speed if I am in a place with 5g. I’d much rather connect to my paid VPN provider where the speed difference is barely noticeable.

Not to mention even if people are using a VPS, it might be very far away and severely impact speeds.


Everything you want is definitely possible for the budget.

I used an old I5 laptop with 4GB of RAM for a year or two. If you need a lot of storage, an old HDD will be fine usually. A raspberry pi 4 or 5 will be slower, but would still work, but if Norway prices are anything like belgium, an old I7 laptop sips power and will save money in electric costs.

A few tips:

  • Run nextcloud all-in-one or spend some time optimizing nextcloud. It will help performance a lot

  • Unless you are a serious photographer, use Immich, 100%. Immich is a google photos replacement that has a bunch of good user features like accounts and good security and sharing that photoprism just doesn’t. Photoprism is really geared towards professional photographers.

  • transmission + wireguard container for a VPN is the way to go …

  • radarr/sonarr/lidarr & prowlarr are good to use with transmission


Have a node 304. Extremely happy with it. Literally unbeatable hard drive and CPU cooler compatibility for its size.

That being said, it only fits 6 drives.


I started my home server with a laptop. I did nextcloud, paperless, jellyfin + *arr services, photoprism, and a few others.

Not having control over your network is the biggest hurdle because you kind of need a fixed IP to access it.

However, there are some services to broadcast your hostname to the local network (e.g. so you can log in with serveruser@myserver over SSH).

You may be able to use that to access your containers from the network, but just keep in mind that other users on the local network can also access your server.


It really depends on the size of the space. It does a lot more in a room of 8m^2 than 20m^2. There is a reason that a 40W incandescent bulb is used to ferment foods like yogurt in an oven. It produces enough heat to keep the whole oven at fermenting temps.


Well, considering going from a 40W idle system to 80 to 100W is a >100% increase in power.

In Belgium we pay 0.30€ per kWh, so running the entire year at 80W average is approximately 150€ difference with idle the entire year. That definitely helps. That is 1/3 the cost of a lawnmower or a month of groceries.

But in the winter it is an 80-100W small heater that can keep a local area a degree or so warmer.

When you start paying your own power bill it really adds up. I wish I had gone for an intel NUC sometimes.


A single SFF desktop setup in a Node306. 2700x, 32 GB RAM, Arc A380, some WD reds.

  • Homeassistant & associated packages for esphome and Zwave stuff
  • Jellyfin
  • *arr suite + transmission
  • yacht
  • uptimekuma
  • paperless
  • immich
  • authelia with OIDC SSO for containers where possible
  • traefik for reverse proxy
  • Nextcloud
  • valheim server
  • boinc in the winter
  • syncthing for phone sync
  • more services for keeping up the others

Soon a pihole to come.

I want to expand my smart home setup. My project this spring is integrating my smart gas and electric meters into homeassistant. We are completely stripping the house so I am wiring up everything with KNX with a few Zwave devices where needed. Greatly expanding the smartish home.

I also have to set up a proper network. Right now I am using my Proximus Internet Box from the ISP which admittedly is pretty customizable.


Hey fellow european!

Tinytronics.nl -> Pi4 model B 8GB: 87€ and in stock. The 4GB model is 68€. They also have orange Pi for a higher budget.

Kiwi-electronics.com -> Pi 4 model B, 4GB? 63€. They also have all the pi accessories you could want.

If you are going to use paperless for important documents, and if you want to not lose data for sure, get a 1TB cheap HDD or something and a USB3.0 adapter. SD cards will eventually fail.

Otherwise, get an old used laptop 2nd hand. I used an old HP probook G1 laptop for about a year for my server. It didn’t use much power at all.


I think photoprism supports multiple users.

If you pay $72 per year…


For my thief threat model, I just have the computer in an unassuming black Node304 in a utility room on a shelf lol. Security through obscurity is often as good for a smash and grab threat. They go for visually high value items.

Entire boot partition with main drive keys on a removable hard drive with security keys for the data drives in an encrypted password manager. No way a thief is getting that data, even if I accidentally leave the boot drive in there out of laziness. That means that I am comfortable storing personal documents there also.

It is indeed more of a hassle to reboot. USB plugged in -> decrypt and setup zpools script -> docker service restart. Specifically upgrading the kernel also because with the boot partition removed, all of the hooks don’t get processed. However, this also protects against the copyright gangster smash and grabs as a bonus. Probably an extreme edge case as that doesn’t happen anymore here in Belgium, but it was interesting to set up.
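The "USB plugged in -> decrypt and set up zpools -> docker service restart" sequence from the comment above (and the removable-keyfile setup described in the earlier comment) written out as one re-runnable script. This is an added example, not a script from any comment on this page; the USB label BOOTKEY, the keyfile path keys/main.key, the mount point and the device-to-mapper list are assumptions.

```shell
#!/bin/sh
# Added example (not from this page): unlock LUKS data drives with a keyfile
# kept on a removable USB stick, import the zpools, start docker, then unmount
# the stick so it can be pulled and put away. Assumed: stick labelled BOOTKEY,
# keyfile at keys/main.key on it, devices listed as "/dev/path:mapper-name".
DEVICES="/dev/sda1:data0 /dev/sdb1:data1 /dev/sdc1:media"
USB_LABEL="BOOTKEY"
USB_MNT=${USB_MNT:-/mnt/bootkey}
KEYFILE=${KEYFILE:-$USB_MNT/keys/main.key}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# keyfile_ok PATH: refuse an empty, unreadable or world-readable keyfile.
keyfile_ok() {
    [ -s "$1" ] && [ -r "$1" ] || return 1
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# unlock_and_start: open every LUKS device that is not open yet, import the
# pools from the mapper nodes, restart docker, sync and unmount the stick.
# Returns non-zero on the first failure so nothing half-done is hidden.
unlock_and_start() {
    run mount -L "$USB_LABEL" "$USB_MNT" || return 1
    if ! keyfile_ok "$KEYFILE"; then
        echo "keyfile $KEYFILE missing, empty or too permissive" >&2
        return 1
    fi
    for entry in $DEVICES; do
        dev=${entry%%:*}; name=${entry##*:}
        # Already-open mappings are skipped, so the script is safe to re-run.
        [ -e "/dev/mapper/$name" ] && continue
        run cryptsetup open --key-file "$KEYFILE" "$dev" "$name" || return 1
    done
    run zpool import -a -d /dev/mapper || return 1
    run systemctl restart docker || return 1
    run sync
    run umount "$USB_MNT"
}

# Usage as root after plugging the stick in:  sh unlock.sh
# Preview the commands without touching anything:  DRY_RUN=1 sh unlock.sh
```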


Yep, I used to be on r/diyhotas and that was already a niche within the HOTAS niche within the simulator game niche 😂


Does volume normalization mean that we can choose the volume level finally? I cannot figure out a way to do this in 10.8.x

Jellyfin, across every single device that I have, is literally 50%+ quieter than every other app. I have to double the volume on my TV w/Chromecast for example to watch a show.


To reduce that, there are a few things you can do.

Option 1:

  • Only open port 443 and run everything through a reverse proxy like traefik. You can open other ports as you need them (game server for example)

  • Run crowdsec to get rid of 95% of bad actors

  • Whitelist IPs that you know traffic will be coming from and drop everything else

Option 2:

  • wireguard VPN and just VPN into your home network to access your server

Option 3:

  • Run tailscale

  • run fail2ban
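The "whitelist IPs and drop everything else" item in Option 1 above, and the earlier comment about docker adding its own iptables chain rules, both come down to rules in Docker's DOCKER-USER chain, which Docker evaluates before its own FORWARD rules and never rewrites. Below is an added example (not code from any comment here or from the Docker project) that generates those rules for a single-NIC home server behind an ISP router; the interface name, LAN range and allowlist file are assumptions.

```shell
#!/bin/sh
# Added example (not from this page): restrict Docker-published ports via the
# DOCKER-USER chain. Evaluation order after applying: established/related
# traffic -> LAN sources -> allowlisted sources to tcp/443 -> drop the rest.
# Assumed: one NIC (eth0) behind the ISP router, LAN 192.168.1.0/24, and an
# allowlist file with one CIDR per line ('#' lines and blanks ignored).

# docker_user_rules NIC LAN_CIDR ALLOW_FILE
# Prints one iptables command per line; nothing is executed here.
docker_user_rules() {
    nic=$1
    lan_cidr=$2
    allow_file=$3
    # Each rule is inserted at position 1, so they are printed in reverse
    # order of evaluation: the catch-all DROP first, the broadest ACCEPT last.
    printf '%s\n' "iptables -I DOCKER-USER 1 -i $nic -j DROP"
    # Allowlisted sources reach only the reverse proxy on 443.
    while IFS= read -r src; do
        case $src in ''|'#'*) continue ;; esac
        printf '%s\n' "iptables -I DOCKER-USER 1 -i $nic -s $src -p tcp --dport 443 -j ACCEPT"
    done < "$allow_file"
    # LAN clients may reach any published port.
    printf '%s\n' "iptables -I DOCKER-USER 1 -i $nic -s $lan_cidr -j ACCEPT"
    # Replies to connections the containers opened themselves must get back in.
    printf '%s\n' "iptables -I DOCKER-USER 1 -i $nic -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_docker_user_rules NIC LAN_CIDR ALLOW_FILE: run the generated rules as
# root, stopping at the first one iptables rejects.
apply_docker_user_rules() {
    docker_user_rules "$@" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd" >&2
        sh -c "$cmd" || exit 1
    done
}

# Usage:  docker_user_rules eth0 192.168.1.0/24 /etc/docker-allowlist   (preview)
#         apply_docker_user_rules eth0 192.168.1.0/24 /etc/docker-allowlist
```

The rules live in the kernel only; re-run the apply function from a boot unit (or persist them with your distribution's iptables save mechanism) so they come back after a reboot.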


How do you guys do sensitive document storage?
Hey lemmings, I was wondering not just what you are using for documents, but how you go about securing them.

Right now I am simply running paperless-ngx on a LUKS encrypted drive with all of my other data, permissions so only docker can access it, and running it through my reverse proxy with authelia in front of the paperless authentication for 2 factor. I have sensitive documents like house sale documents and pay slips on there.

I want to keep it publicly exposed for my work documents (we have to submit documentation of different tickets and invoices for personal things to get repaid), but I am worried about the security aspect of it. I figure data-at-rest encryption is useless because if a bad actor gets into my server, they could get it all from memory anyway, but I wonder if specifically I should make that 1 docker image only accessible by VPN or something like that?

Any recommendations on how to secure documents like that while still having them accessible?

Headless server hardware transcoding without X or Wayland?
Hey lemmings, I have a headless server that works beautifully. B450 with 2700X and 32GB of Micron 3200MHz RAM. I am currently running Debian 12 Bookworm on it. I am at kernel 6.1, but in preparation for 6.2 or 6.3 being backlogged, I want to buy an Arc A380 for transcoding since they are only 150€ here. Software was fine for a single video stream, but I bought a new house and will have 4 camera streams running. Plus I want to dabble in AV1 transcoding for media or storage of my camera streams.

Currently there is neither X nor Wayland installed since it is exclusively with SSH that I do all of my work on it. After I install the GPU, I was wondering if it is possible to not even install X or Wayland since I will literally never use a display on it? Would I still be able to do Jellyfin and Frigate transcoding without an X server? If I have to get one, does it matter if I choose X or Wayland for hardware transcoding?

Thanks!