
TCB13

@TCB13@lemmy.world


TCB13 (edited)

Your basic requirements are:

  • Some kind of domain / subdomain, paid or free;
  • Preferably a home ISP that provides public IP addresses - no CGNAT BS;
  • Ideally a static IP at home, but you can do just fine with a dynamic DNS service such as freedns.afraid.org.

Quick setup guide and checklist:

  1. Create your subdomain for the dynamic DNS service freedns.afraid.org and install the daemon on the server - will update your domain with your dynamic IP when it changes;
  2. List what ports you need remote access to;
  3. Isolate the server from your main network as much as possible. If possible have them on a different public IP either using a VLAN or better yet with an entire physical network just for that - avoids VLAN hopping attacks and DDoS attacks to the server that will also take your internet down;
  4. If you’re using VLANs then configure your switch properly. Decent switches allow you to restrict the WebUI to a certain VLAN / physical port - this will make sure if your server is hacked they won’t be able to access the Switch’s UI and reconfigure their own port to access the entire network. Note that cheap TP-Link switches usually don’t have a way to specify this;
  5. Configure your ISP router to assign a static local IP to the server and port forward what’s supposed to be exposed to the internet to the server;
  6. Only expose required services (nginx, game server, program x) to the Internet. Everything else such as SSH, configuration interfaces and whatnot can be moved to another private network and/or a WireGuard VPN you can connect to when you want to manage the server;
  7. Use custom ports with 5 digits for everything - something like 23901 (up to 65535) to make your service(s) harder to find;
  8. Disable IPv6? Might be easier than dealing with a dual stack firewall and/or other complexities;
  9. Use nftables / iptables / another firewall and set it to drop everything but those ports you need for services and management VPN access to work - 10 minute guide;
  10. Configure nftables to only allow traffic coming from public IP addresses (IPs outside your home network IP / VPN range) to the Wireguard or required services port - this will protect your server if by some mistake the router starts forwarding more traffic from the internet to the server than it should;
  11. Configure nftables to restrict what countries are allowed to access your server. Most likely you only need to allow incoming connections from your country and more details here.

Realistically speaking if you’re doing this just for a few friends why not require them to access the server through WireGuard VPN? This will reduce the risk a LOT and won’t probably impact the performance. Here’s a decent setup guide and you might use this GUI to add/remove clients easily.

Don’t be afraid to expose the Wireguard port because if someone tried to connect and they don’t authenticate with the right key the server will silently drop the packets.

Now if your ISP doesn’t provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare tunnels and how to set up an alternative / more private solution.
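An added example, not from the comment above, of one nftables ruleset that puts steps 6, 9 and 10 together on the home server: default drop, the exposed ports only accepted from addresses outside the home LAN / VPN ranges (so a misconfigured router forwarding too much still hits a drop), and SSH reachable only over the WireGuard interface. The port numbers, address ranges and interface names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example for the home server. Assumed values: WireGuard on UDP 23901,
# game server on TCP 23902, home LAN 192.168.1.0/24, VPN range 10.8.0.0/24,
# WireGuard interface wg0. Load with: nft -f /etc/nftables.conf
flush ruleset

table inet homeserver {
    # Addresses that should never be the source of an "Internet-facing" hit
    set private_ranges {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.0/24, 10.8.0.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Step 10: exposed ports only from public sources. If the router ever
        # forwards more than it should, LAN-sourced packets still hit the drop policy.
        ip saddr != @private_ranges udp dport 23901 accept comment "wireguard"
        ip saddr != @private_ranges tcp dport 23902 accept comment "game server"

        # Step 6: management (SSH) only through the tunnel, never from eth0
        iifname "wg0" tcp dport 22 accept

        # Everything else, IPv6 included (step 8), is dropped by the chain policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Check the loaded rules with `nft list ruleset` and confirm the counters on the accept rules only move for the traffic you expect.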

TCB13 (edited)

You can selfhost the email server wherever you want. But you’ve to use some external system to deliver the email or you’ll end up in spam because your residential IP is most likely dynamic and already flagged by most email providers.

One way to do it is to get a VPS somewhere and set up Wireguard on it. Then configure your local system to bind to the Wireguard interface and IP so all email is sent and received using the tunnel. Dovecot doesn’t care what interface it is running on, Postfix has specific options that you can change in master.cf to accommodate the fact that it will be binding to the VPN IP and the real IP is the VPS public IP.

  1. Set up an install of Dovecot / Postfix / Rspamd on your local server: workaround.org/ispmail-bookworm/
  2. Start by setting up a Wireguard tunnel between your local server and the VPS: digitalocean.com/…/how-to-set-up-wireguard-on-ubu…
  3. Create an outgoing transport for the email that uses the WG tunnel and is aware of the VPS public IP:

```
# master.cf: outgoing transport over the WireGuard tunnel.
# Postfix does not allow trailing comments on config lines, so the notes go here:
#   proxy_interfaces   - the real public IP of the VPS
#   smtp_bind_address  - the IP that your local server has on the WG interface
#   inet_interfaces    - same as above
#   myhostname / smtp_helo_name - should match the PTR / reverse DNS entry on the VPS IP
out-wg      unix  -       -       n       -       -       smtp
  -o proxy_interfaces=188.xxx.xxx.xxx
  -o smtp_bind_address=10.0.0.2
  -o inet_interfaces=10.0.0.2
  -o myhostname=server.example.org
  -o smtp_helo_name=server.example.org
  -o syslog_name=smtp-wg
```
  4. Set your VPS firewall to NAT/forward incoming traffic on ports 25, 587, 465 and 993 to the local server (wireguard client 10.0.0.2);
  5. Change main.cf to use the transport by adding: default_transport = out-wg.

That’s everything you need to get it going. Use www.mail-tester.com to debug if DKIM and everything else is properly setup at the end.
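An added example, not from the comment above, of the VPS side of step 4: an nftables ruleset that DNATs the four mail ports to the WireGuard client 10.0.0.2, only forwards what was DNATed, and keeps SSH on the tunnel. The interface names, the VPS tunnel address 10.0.0.1 and the WireGuard port are assumptions; `net.ipv4.ip_forward=1` must be set on the VPS.

```nft
#!/usr/sbin/nft -f
# Added example for the VPS. Assumed values: public interface eth0, WireGuard
# on wg0 with the VPS at 10.0.0.1 and the home server at 10.0.0.2,
# WireGuard listening on UDP 51820. Needs net.ipv4.ip_forward=1.
flush ruleset

table inet vps {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        udp dport 51820 accept comment "wireguard"
        iifname "wg0" tcp dport 22 accept comment "ssh only via tunnel"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Only the mail ports, only towards the home server, only after DNAT
        iifname "eth0" oifname "wg0" ip daddr 10.0.0.2 \
            tcp dport { 25, 465, 587, 993 } ct status dnat accept
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "eth0" tcp dport { 25, 465, 587, 993 } dnat ip to 10.0.0.2
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Rewrite the source so replies return through the tunnel. Trade-off:
        # the home Postfix then sees 10.0.0.1 as the client address; keeping
        # the real client IP needs policy routing on the home side instead.
        oifname "wg0" ip daddr 10.0.0.2 masquerade
    }
}
```

Because of the masquerade, IP-based checks on the home server (rspamd reputation, postscreen) see the tunnel address; if you need the originating IP, route the home server’s replies back through the tunnel rather than masquerading.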

TCB13

I was trying to go that route with LXC actually and while it seems great what about the ESPHome addon? I’m not even sure if that thing is required to use ESPHome devices or not.

TCB13

I’m not using any other integration. Isn’t this a resource monster?

https://lemmy.world/pictrs/image/d26476df-d1b5-4afd-84ac-a4f737c4846d.png

I just don’t want to keep running an entire VM with their image. Something more simple that could be used on a LXC / systemd-nspawn container or directly on a base system would be nicer.

TCB13 (edited)

Tiny you say… answer to what you asked: lemmy.world/comment/7101252

TCB13

Hmm… that’s interesting. I’ll have to explore further. Thanks.

TCB13 (edited)

I’ve been doing this. I’m running HA under LXD (VM) and it works.


```
$ lxc info havm
Name: havm
Status: RUNNING
Type: virtual-machine
Architecture: x86_64
PID: 541921
Created: 2023/12/05 14:14 WET
Last Used: 2024/01/28 13:35 WET
```

While it works great and it was very easy to get the VM running I would rather move to something lighter like a container. About the storage I just see it growing everyday and from what I read it should be keeping for 10 days however it keeps growing. Almost 10GB for a web interface and logs from a couple of sensors, wtf?

I would be very happy with HA, really no need to move other stuff as long as things were a bit less opaque than a ready to go VM that runs 32434 daemons and containers inside it.

TCB13

And how do I go about that?

TCB13

Yes.

TCB13

What is weird is having to waste almost 700MB of ram + 10GB of storage for a simple webui that charts sensor data and only keeps it for 10 days. As a comparison my NAS container runs Samba4, FileBrowser, Syncthing, Transmission, and a few others under 300MB of RAM with occasional spikes on operations.

TCB13

I’m not upset, just wondering / looking for a way to keep the potato from growing further and/or alternatives.

TCB13

This isn’t reasonable at all, 700MB of ram + 10GB of storage for a simple webui that charts sensor data and only keeps it for 10 days.

TCB13

What I’m going to do is set up HA Core on a container manually and run it without addons / docker. That will be about installing python and should waste way less resources.

TCB13 (edited)

If you don’t need the addons you don’t need Docker. HA Core is a python script with a few dependencies that can run with pyenv and a simple systemd service unit at every boot.

TCB13

Yes, but I would rather do it inside a LXC container.

TCB13

I wasn’t aware that node-red existed until this post :P

TCB13

Interesting. I’ll have to check what might be logging so much info.

TCB13

Unless you have to collaborate with others who use said Windows only apps and you can’t afford compatibility issues.

TCB13

Okay that’s fair. So is this the solution, fallback to a second machine running Windows? :P

TCB13

Okay that’s fair, you don’t try to do any work in your Linux box and things work out. Great.

TCB13

No no, no justification required :). It also isn’t about working or not for me. It is just that there’s a bunch of people arguing around here that Linux (desktop) is great for every use case be it work or play under any circumstance, while it isn’t.

TCB13

I would agree to a certain point. If you get a 10th gen CPU it is power efficient and there are a lot of gamers and whatnot selling those. Also there are a lot of MiniPCs that come with mobile “T” CPU that are very decent at idle.

TCB13 (edited)

But idle still would run much more than 15w

This isn’t true.

  • HP Prodesk 400 G5 i5 9500T > idles at 4.5W
  • Optiplex Micro 3080 > idles at 7W
  • Unbranded Mini Atom C3758 > idles at 3.5W

Either way, quick math, on a 7W range we’re talking about less than 10$/year to run the device.

TCB13 (edited)

Ahaha I don’t explain why 😂😂

I wrote dozens of posts replying to every single question people had about LXD/Incus. Gave out printscreens, explained how it works, what it does, described useful features and pointed out multiple issues of Proxmox. I can show you what roads you can take and why but you must do the work yourself.

The same applies to the MiniPC vs Raspberry discussion, as my price, performance and feature breakdowns have proved countless times that for a large number of use cases a MiniPC is better. Unsurprisingly this is the first of such breakdowns that got upvotes, and do you know why? Because a known youtuber in this space recently came out with a video saying the exact same things I’ve been saying and now it became “acceptable” to criticize the Raspberry Pi money grab.

to use something they don’t know, and not explaining how that would be beneficial you’ve only explained how LXD, when setup correctly, can do what Proxmox does.

Even if that were true, what was the issue then? Isn’t it obvious that a true open-source solution that is available on Debian’s repos from a fresh install is better than a half proprietary solution that asks you to buy a license at any turn? Use your common sense.

Besides, my comments aren’t a marketing campaign, there’s no “LXD will make you rich today and solve all your family drama” as soon as you complete our three step formula:

  1. apt install lxd
  2. lxd init
  3. lxc launch debian debian-container

The advantage of using LXD/Incus is in the details, not in a flashy and shiny feature. It’s about running a clean Debian system, a non twisted and mangled kernel that will conflict with everything and not run stuff like OVPN properly, it’s about the license, the tools, not depending on a company, not having to wait 3x the time before your cluster is online. It’s about having a decent API for once and so many others.

Most people say they don’t want to be put in the same situation they were put in with the CentOS/RedHat licensing change, but then they proceeded to replace CentOS with Ubuntu and still use Proxmox. All questionable open-source that is as likely to fuck you over as RedHat did.

So eventually there will be a video from some youtuber stating that LXD/Incus is much better than Proxmox and people will flock to it without questioning anything. :)
