PiHole and similar services just use DNS blocking, which only works if the ads are served via a third-party ad server. Sites with their own ad inventory (YouTube, Facebook, Twitter, etc) can’t be blocked this way since they can just serve the ads from the same domain as their regular content.
Not sure of any downside yet but setting your country to Albania via vpn removes all YouTube ads on Apple TV. Was just informed of this yesterday and as mentioned there may be reasons to not do this.
If you’re comfortable self-hosting you can use iSponsorBlockTV to block ads/sponsorships on YouTube on Apple TV and various smart TVs. I use this + Pi-Hole: github.com/dmunozv04/iSponsorBlockTV
This has been a serious concern of mine. In the event that I prematurely die I have everything set up with automatic updates, so that hopefully my family can continue to use the self-hosted services without me.
Nextcloud will not stop shitting the bed. I’d give it a few months at most if I died, at which point my family would likely turn back to Google Drive.
I’m looking for a more reliable alternative, even if it’s not as feature-rich.
The way that they do updates doesn’t make automated updates very easy. There are usually a few little nagging things that have to be done or changed and they don’t always seem to be the same. I just update manually and make sure I’ve got a good backup of all my family’s files.
If you’re ok with just file storage, sftpgo has been solid for me for years now. Does SFTP, FTP and WebDAV (like Nextcloud). The web UI isn’t as pretty but it’s fast. Mobile apps will be various sync apps with SFTP or WebDAV support. On Android, Folder Sync Pro is pretty good for keeping documents and pictures backed up.
I’ve told my wife and family that if something happens to me, they need to start migrating all their stuff off my self-hosted services to cloud services, because it’s a matter of time before something fails and nobody’s around who knows or cares to fix it.
My oldest kid is a senior in high school and is starting to show some interest in Linux and this kind of stuff. I’m hopeful that I can change my tune soon and maybe have one of the kids to share a hobby with!
Isn’t port 81 where the Nginx Proxy Manager web UI is usually served? I think you should just forward the requests directly to port 80 and 443 respectively.
I’m pretty happy with Digital Ocean if I need a temporary VPS because I can pay by the minute. Anything that I want to stay alive for more than a month or two, I do on a single 6-core VPS rented long-term from Netcup, a low-cost German provider, deploying with Docker and Traefik.
www.serverbuilds.net is a popular website online for folks building NASes at home. They’re fans of Unraid as well. They’ve got a Discord if you’re looking for something more interactive. Worth checking out. 👍
I’ll probably reconsider once renewal comes around, but that’s ~4 years away. Until then, as long as things continue functioning: meh. Doesn’t really make a difference.
Only complaints I have with Nextcloud are that it’s slow and updates suck over the web interface. But apart from that it has been reliable. I’m not running it through Docker. In fact, my installation is so old that the database tables still have an oc_ prefix.
You might want to try migrating your Nextcloud instance to Postgres instead of MySQL/MariaDB. Many people say they get a big performance boost. I’m going to try it myself next weekend to see if it’s true.
Mine is a snap install that started 3 years ago on VirtualBox and was ported over to Proxmox. It has never broken, updates automatically, and generally seems to work just fine.
It doesn’t load instantly, but it doesn’t drag by any means.
I run it and MariaDB in Docker and they run perfectly when left alone, but everything breaks horribly if I try to do an update. I recently figured out that you need to do updates for NC in steps, and Docker (Unraid’s, specifically) defaults to jumping to the latest version. I think I figured out how to specify the version now, so fingers crossed I won’t destroy it the next time I do updates.
This is probably what I’m doing wrong. I’m using linuxserver’s Docker image, which should be okay to auto-update, but it just continuously degrades over time with updates until it becomes non-functional. Random login failures, logs failing to load, file thumbnails disappearing, the goddamn Collabora office container that absolutely refuses to work for more than one week, etc.
I just nuke the NC docker and database and start from scratch every year or so.
You absolutely need to move from patch to patch and cannot just do a multiple-version jump safely. You also need to validate the configs between versions, especially on major release updates, or you risk breaking things. New features and optimizations happen, and you also may need to change or update your reverse proxy configuration on update, or modify DB table configuration (just puking this from memory as I’ve had to do it before). I don’t know that there’s automation for each one of those steps.
Because of that, I run Nextcloud in a VM and install it from the binary package. I wrote a shell script that handles downloading, moving the files, updating permissions and copying the old config forward, symlinking and doing the upgrade. Then all I have to do is log in as administrator, check out the admin dashboard and make sure there aren’t new things I have to address in the status page. It’s a pain, but my Nextcloud uses an external DB and Redis and PHP caching, so it’s not an easy out-of-the-box setup. But it’s been solid for a long time once I adopted using this script.
There could probably be some additional refactoring here, but it works for my setup. I’m using default nginx paths, so they probably look different than other installs that use custom stuff like /var/www, etc.
Use it by putting it in a shell script, making it executable, then calling it:
sudo scriptName.sh 28.0.1
Replace the version with whatever version you’re upgrading to. I would highly recommend never upgrading to a .0, always wait for at least a .1 patch. I left some sleeps in there from when I was debugging a while back; those are safe to remove assuming it works in your setup. I also noticed some variables weren’t quoted, I’m not a bash programmer so there’s probably some consistency issues that could be addressed if someone is OCD.
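The commenter’s script is not on the page, so here is an added example (not the commenter’s own script) of the same procedure as a tarball-install upgrade: a pre-flight check that enforces the one-major-at-a-time and never-a-.0 rules from the comments above, then the download, checksum verification, config carry-forward, permission fix and occ upgrade. The web root /var/www/nextcloud, the www-data user, and a data directory outside the web root are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's script: a pre-flight version check plus
# the manual tarball upgrade Nextcloud documents. Assumed layout: web root
# /var/www/nextcloud, PHP user www-data, data directory outside the web root.
set -eu

NC_ROOT="${NC_ROOT:-/var/www/nextcloud}"
NC_USER="${NC_USER:-www-data}"
occ() { sudo -u "$NC_USER" php "$NC_ROOT/occ" "$@"; }

# "28.0.1" -> 28000001 so versions compare as plain integers.
version_key() { printf '%d%03d%03d\n' $(echo "$1" | tr . ' '); }
# Allowed only if the target is strictly newer, at most one major step up
# (Nextcloud must walk every major), and not a .0 release.
check_upgrade_path() {
    cur="$1"; new="$2"
    [ "$(version_key "$new")" -gt "$(version_key "$cur")" ] || return 1
    [ $(( ${new%%.*} - ${cur%%.*} )) -le 1 ] || return 1
    [ "${new##*.}" != "0" ] || return 1
}

upgrade() {
    target="$1"
    current="$(occ status | awk '/versionstring/ {print $3}')"
    check_upgrade_path "$current" "$target" ||
        { echo "refusing upgrade $current -> $target" >&2; return 1; }
    tmp="$(mktemp -d)"; tarball="nextcloud-$target.tar.bz2"
    url="https://download.nextcloud.com/server/releases/$tarball"
    curl -fsSLo "$tmp/$tarball" "$url"
    curl -fsSLo "$tmp/$tarball.sha256" "$url.sha256"
    (cd "$tmp" && sha256sum -c "$tarball.sha256")    # verify before touching anything
    tar -xjf "$tmp/$tarball" -C "$tmp"
    occ maintenance:mode --on
    old="$NC_ROOT.bak-$current"
    mv "$NC_ROOT" "$old"
    mv "$tmp/nextcloud" "$NC_ROOT"
    cp "$old/config/config.php" "$NC_ROOT/config/"    # carry the config forward
    for app in "$old"/apps/*/; do                      # keep third-party apps
        name="$(basename "$app")"
        [ -d "$NC_ROOT/apps/$name" ] || cp -r "$app" "$NC_ROOT/apps/"
    done
    chown -R "$NC_USER:$NC_USER" "$NC_ROOT"
    occ upgrade
    occ maintenance:mode --off
    echo "upgraded $current -> $target; previous tree kept at $old"
}

# Runs only when a target version is given, e.g.: sudo ./nc-upgrade.sh 28.0.1
if [ "$#" -ge 1 ]; then upgrade "$1"; fi
```

The old tree is kept beside the new one so a failed occ upgrade can be rolled back by swapping the directories and turning maintenance mode off.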
Use encryption; using VPNs for such a trivial task is a “really bad idea”.
There are many cases when somebody wants to have their DNS public, maybe they want to share with their friends, family, community, audience (not everyone is a solo server user).
Also, it’s good to use your DNS even before connecting to the VPN. Just use encryption, it’s safe and nice.
Keeping 53 open is not that bad, the only thing you will notice is an increased load on your server if somebody tried to DDoS somebody’s server using your DNS.
P.S. Or as somebody mentioned below, use rate limiting. It’s described pretty well in some other comments. Not just “spooky internet port”
Use a public DNS provider. Cloudflare, Route53, DynDNS (are they still around?), etc. Cheap, reliable, no worries about joining a DDoS by accident. Some services are better left to experts until you really know what you’re doing.
And if you do really know what you’re doing you’ll use a DNS provider rather than host your own.
Host your own private DNS - yes, knock yourself out. I highly recommend it.
Public DNS? No - don’t do that.
There are two services homegamers should be extra cautious of and should likely leave alone: DNS and email. These protocols are rife with historic issues that affect everybody, not just the hosting system. A poorly configured DNS server can participate in a DDoS attack without being “hacked” specifically. A poorly configured mail server can be responsible for sending millions of spam emails.
For a homegamer you probably only need a single public DNS record anyway (with multiple CNAMEs if you want to do host-based routing on a load balancer). You take on a lot of risk with almost zero benefit.
From outside? Set up a Cloudflare account and point the NS from your registrar to it.
From inside? Set up unbound on a docker host and don’t open it to the internet. Use that one when you’re local and the normal public DNS when you’re outside. But everything I’m seeing in here makes me sure you shouldn’t even consider opening ports in your firewall to expose inside host services. Use a VPN when you’re roaming, and only use your DNS for local servers/hosts via that VPN. The only use for your outside domain name should be to point a single hostname to your outside IP address so you can use it for your VPN endpoint.
Use DNS challenges for Let’s Encrypt cert requests and remove host entries from your Cloudflare after you get your cert.
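As an added example (not from any commenter), here is the inside-only unbound setup this comment and the rate-limiting comments above describe: the resolver answers only loopback, the LAN and a VPN range (Tailscale’s 100.64.0.0/10, since the thread uses Tailscale), refuses every other source, and applies per-client query limits so an accidental exposure of port 53 cannot be used for amplification. The subnets and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: writes an unbound config that answers
# only the LAN and a VPN range (Tailscale's CGNAT block, as the thread's
# setup suggests) and refuses everyone else, with the per-client rate limit
# mentioned above. The subnets are assumptions; adjust to your network.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_NET="${VPN_NET:-100.64.0.0/10}"

# Write the resolver config to the path in $1. Unlisted source addresses
# fall through to refuse, so an accidental port-forward of 53 still does not
# turn the box into an open resolver usable for amplification.
write_unbound_conf() {
    cat > "$1" <<EOF
server:
    interface: 0.0.0.0
    do-ip6: no
    # who may recurse through us: loopback, LAN and VPN only
    access-control: 127.0.0.0/8 allow
    access-control: $LAN_NET allow
    access-control: $VPN_NET allow
    access-control: 0.0.0.0/0 refuse
    # per-source-IP and per-zone query limits (queries per second)
    ip-ratelimit: 100
    ratelimit: 1000
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes
EOF
    # validate with unbound's own checker when it is installed
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    fi
}

# Review helper: exit 0 if the config lets the whole internet recurse.
open_recursion() {
    grep -Eq '^[[:space:]]*access-control:[[:space:]]+0\.0\.0\.0/0[[:space:]]+allow' "$1"
}
```

Run write_unbound_conf against /etc/unbound/unbound.conf.d/local.conf (or wherever your distribution includes fragments from) and use open_recursion as a quick audit of any existing config before exposing the host.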
I use a DNS server on my local network, and then I also use Tailscale.
I have my private DNS server configured in tailscale so whether on or off my local network everything uses my DNS server.
This way I don’t have to change any DNS settings no matter where I am and all my domains work properly.
And my phone always has DNS adblocking even on cell data or public Wi-Fi.
The other advantage is you can configure the reverse proxy of some services to only accept connections originating from your Tailscale network, to effectively make them only privately accessible or behave differently when accessed from specific devices.
This is why the concept of running services on different ports than the default isn’t a real security measure; it doesn’t actually take any effort to figure out what kind of service is running on a port.
Others have addressed the root and trust questions, so I thought I’d mention the “mess” question:
Even the messiest bowl of ravioli is easier to untangle than a bowl of spaghetti.
The mounts/networks/rules and such aren’t “mess”, they are isolation. They’re commoditization. They’re abstraction: ways to tell whatever is running in the container what it wants to hear, so that you can treat the container as a “black box” that solves the problem you want solved.
Think of Docker containers less like pets and more like cattle, and it very quickly justifies a lot of that stuff because it makes the container disposable, even if the data it’s handling isn’t.