> Install the Syncthing app on your Umbrel and pair it with the Syncthing app on your phone or computer for a self hosted peer-to-peer backup solution.
This text is identical word for word in the Syncthing app file at the Umbrel repo.
Not all of Umbrel's code is open source under a FOSS license for them to fork it under GPLv3. Even if they did fork it, I see no attribution to the original authors.
> cloud Light: no JavaScript, no ads, no tracking, no bloat
I have been an addicted reddit user since before they had user accounts. I never had any desire to block reddit ads until the last ~6-12 months or so when it would autoplay ads when I scroll. I have "no thumbnails" so it doesn't show me the ad other than a line of text or so. I have "old" reddit enabled on my account -- this works for desktop. And now I've started using the explicit "old.reddit.com" on mobile. But I would prefer mobile-optimized reddit without audio ads. I will probably give libreddit a try.
EDIT: of course, since it's privacy focused I can't login to my account and reddit is unbearable if you try and use it without your account to curate the subreddits. Whoops, scratch that idea!
I find that old.reddit.com is ok on desktop (with uBlock origin), and for mobile there's several third party apps that make for a better experience than a website. I personally like "Relay for reddit".
Teddit is a free and open source alternative Reddit front-end focused on privacy.
Teddit doesn't require you to have JavaScript enabled in your browser.
The source is available on Codeberg at https://codeberg.org/teddit/teddit.
No JavaScript or ads
All requests go through the backend, client never talks to Reddit
Prevents Reddit from tracking your IP or JavaScript fingerprint
Lightweight (teddit frontpage: ~30 HTTP requests with ~270 KB of data downloaded vs. Reddit frontpage: ~190 HTTP requests with ~24 MB)
I never understood why so many of these Reddit viewers have no JS in them (well, it's generally a cultural preference among a certain crowd, but it still feels irrational). I usually open a forum like Reddit and have it open all day, I'd be fine with loading a SPA and having it make background requests to fetch API output and render them in page and give nice functionality, as long as the code is open and there's no ads. I've been building this myself because both Libreddit and Teddit don't use JS.
Unfortunately, Slide is abandoned by the author. He replied to an issue on GitHub saying basically that he has no time to maintain it and that the code is a mess and needs to be completely rewritten from scratch, so he doesn't recommend anyone else bother. Slowly but surely the bugs are mounting. There's some new-fangled thing that's leaving blue boxes everywhere and videos are breaking again. And I think he also mentioned that the Play Store won't let him push small bug fixes without making another large change that he has no time to work on, so it's de facto dead in the water now and will never be updated.
I've been trying Infinity from time to time which others have mentioned as the new OSS client, but it seems less textual than Slide. Slide also has great navigation that is immediately missed elsewhere.
(At least the Android version, dunno about the iOS)
There are 3rd party mobile-optimized apps btw. Support logging in and most reddit features. I use Boost for Reddit personally, but there are others like Baconreader.
I use proxmox, which is more or less a VM and workflow manager on top of KVM.
The overhead on something like an RPi would be ridiculous, but on modern x86 hardware with an IOMMU (VT-d in Intel speak, AMD-Vi for AMD), the overhead of passing through HW is, for homelab purposes, essentially 0. A lot more expensive, but the organization and extensibility is well worth it.
I have anything that I expose directly to the internet on a separate VM from my "internal" services. If I were super paranoid, I'd expose them to separate VLANs, and then use my FW to control network traffic. The Intel 82599 can enforce different vlans on different VFs with SR-IOV.
I have a VM that runs flatcar for docker for things that are too hard to set up otherwise, but I vastly prefer NixOS for most things.
> If I were super paranoid, I'd expose them to separate VLANs, and then use my FW to control network traffic
This is exactly what I did initially, but it was indeed a bit of a pain to manage. Eventually I went with something in between, by first compartmentalizing services and then putting them in separate VMs with separate VLANs:
0. Router / FW.
1. WireGuard / reverse proxy.
2. Personal, e.g. file storage, backups.
3. Hosting. My personal site is reverse proxied through Cloudflare and only their IP ranges are whitelisted.
4. Compute, i.e. stuff I want to compile / develop / run on my server. Handy if I want to run a heavy simulation overnight or need more disk space / RAM / CPU power than my M1 MB Air has available.
5. Services. This runs many small tools / services that don't need access to my RAID pool or anything like that. If this gets infected I wouldn't really care.
6. VPN. This VM can only access the internet through a VPN. Doesn't have anything installed ATM, but has been used in the past for urlwatch and torrenting.
7. Test. This is where I try out new software before actually installing it on the correct VM. Once I've concluded testing I rollback this VM to a clean install.
It takes a weekend to install Proxmox and set up the VMs / VLANs, but after that it's easy to use.
Any advice on how to add n Raspberry Pi 4b to a Proxmox setup? Maybe just as bare docker nodes? I've used them for Nomad and k3s before, but Proxmox seems a bit heavy resource-wise in comparison.
Docker is the de-facto standard in the community now (and, to a lesser extent, alternatives like LXC or podman). The daemon should be run rootless if possible, or the containers rootless if not.
You can still use VMs, and some use that as an additional layer of isolation because they're virtualizing anyways (performance overhead is really negligible).
I've been self-hosting on my home server for at least 5 years now, and I think I've only seen two or three vulnerabilities across all the services I know about, none of which were ever really exploitable.
100% not worth it. If you need multi-host for some reason (beyond “I want it” - and you don’t) then try docker swarm.
It’s your home environment. You want it to be easy. You want to use the tools you run not maintain them. If you want to learn k8 for professional growth, learn it separately from a home server.
I went with Docker Swarm on the same advice from someone else, and tbh, it's unnecessary overhead as well. And at least on RPis, it's very fragile and not as self-healing as I'd hope it to be. My stacks are well compartmentalized, but weird database locks will still happen, or the swarm will just become unreachable, and I gotta go power-cycle a node or two to get things back up again. (I mean, we're talking once every few weeks or something, but still not okay.)
I've been moving workloads to an old gaming rig running NixOS with varying levels of isolation (some containers, but really just good user/group/permissions management), and it runs super well.
Of course, you could do the same with just Docker Compose and no Swarm, and I think you'd still be better off than using Swarm.
Yea I had a not dissimilar experience. I didn’t have as many issues, but I pretty quickly realized a single old gaming PC was way easier than a half dozen Pis stacked up in the closet trying to coordinate. Auto scaling and balancing seem nice at work… but complexity was rarely needed at home.
The main reasons swarm is better than other options for clustering IMO is networking. They can be set up to share the ports on all devices and map it back to the correct container on whatever host it’s on, so you can disconnect the target IP:Port from the container.
My iPhone is a pet. It’s a pet with a great backup system that turns a new pet into exactly my pet. But it’s still a pet.
There’s only one and it changes manually as I need features to change. I download and install things as needed, from gui, with no version control or script to manage it. It’s a pet.
It sounds like for you: hand-operated -> pet, automated/script operated -> cattle. I think the whole point of the analogy is about if things get slaughtered can you furnish a new one without batting an eye. If yes, then cattle, not pet. So I guess the question is: if someone stole your phone right now, would you blink?
> if someone stole your phone right now, would you blink?
Yes absolutely. I can afford a new one, and I would immediately buy a new one (well I’m already waiting for the newly released one but still). I would still be quite upset and my life would be interrupted at least a little.
I took the pet/cattle analogy to be about how manual the setup is, and how replaceable it is. I think Apple has smartly blurred that line with great backup tech, but I would still consider the “lovingly” hand customized aspect of maintaining a phone solidly a pet. Some version of my current phone has been around for ~10 years through various hardware iterations, all restarted from a backup image. I would be distraught if I had to recreate it without a backup, just finding my apps, logging in, finding wallpaper, rearranging icons, setting up shortcuts, etc. Maybe that’s the ideal state for a home server - a nearly no-op backup and restart process that you still manage as you need.
Proxmox + Proxmox Backup Server + external storage (I use my NAS) means I don't really have to worry about disaster, as such, because every VM is backed up nightly. VMs and the hypervisor can all be pets and I can just restore a backup if something happens.
If you're doing something for a hobby, treat it like the special snowflake it is to you. If you're doing something just to get things done, treat it like the utility it is. If you're at home playing around with machines in a homelab, feel free to baby your servers.
As far as disaster is concerned, it's not that difficult to install software that really needs minimal maintenance. But it comes down to what you want out of the software and hardware that you run.
I have no experience with it, but generally my view is that a home server is NOT a “devops” project, its more like an iPhone. You want backups, and you want whatever is running to restart if you lose power (whether that’s a new toaster tripping a breaker or the weather killing power, it happens), but you dont need “infra as code” and all sorts of automation. Just update as you go, and move on. Docker et al. have enough tooling that you can run everything as its own container (basically a phone app) and you’re done.
If you want to try out <insert tech here> to learn something, then just learn it, don’t try to fit it in your normal life and eat at your existing stuff. Don’t replace your mac with a chrome book just because you’re learning webdev, and don’t replace your home server with terraform just because you’re learning it. What if you learn it but stop needing it or never use it professionally? You’ll now need to maintain that skill to maintain something at home.
If you want something more than a blank Linux box for your home server, check out HASS.io, synology, QNAP, TrueNAS, or one of the many “hold your hands” distros/tools designed to make it less work. Even Portainer/Proxmox will give you a bit of a GUI without being too opinionated. I use a blank Linux box primarily, but only because I live with other SWEs who all want to mess with the shared server, and everyone wants their own thing and we couldn’t agree on anything else. We plan to switch to TrueNAS and give everyone a VM but haven’t coordinated the switch yet…
Kubernetes alone recommends at least 1 GB of RAM just for itself IIRC, so that may push it out of some home servers such as RPis or smaller NUCs depending on the actual service load.
ProxMox running containers wherever possible - which is nearly everywhere except for when you need to run different OSs (Windows, Android, etc.). Even the router runs in a container with all the other containers connecting to it through bridges. These bridges are assigned VLANs which are brought out tagged on one of the Ethernet ports which connects to a managed switch which takes care of untagging to specific ports and/or trunking VLANs to the different buildings on the farm.
You're looking for Sandstorm containers. They are much more hardened and purpose-built for self-hosting. To my knowledge, nobody's ever reported a container escape that affects Sandstorm.
I create a separate user for each app, and use the systemd exec configuration [1] for sandboxing [2]. Some apps only get read-only access to their own files, and no Internet access, for example (along with many other restrictions). I have some systemd drop-in units that I frequently reuse.
For standard services, I use Apparmor with the default `apparmor-profiles`, as well as fail2ban with some additional firewall rules.
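A reusable systemd drop-in of the kind described above, as an added example (not the commenter's own unit): it assumes a hypothetical service called `example-app` that runs as its own user, stores state under `/var/lib/example-app`, and only ever needs to reach a local reverse proxy.

```ini
# /etc/systemd/system/example-app.service.d/sandbox.conf
# Added example of a reusable systemd hardening drop-in for a self-hosted app.
# "example-app" and its paths are placeholders, not a real project's unit.
[Service]
# Dedicated, unprivileged account created for this app only.
User=example-app
Group=example-app
NoNewPrivileges=yes
UMask=0077

# Read-only view of the whole filesystem; /home, /root and /run/user are hidden.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# The one writable location: systemd creates /var/lib/example-app, owns it by
# example-app and exempts it from ProtectSystem=strict.
StateDirectory=example-app

# Kernel surface: no tunables, modules, cgroups, hostname, clock or other PIDs.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProcSubset=pid
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Blocks writable+executable memory; drop this line for runtimes with a JIT
# (Node.js, JVM, some Python extensions) or the service will crash on start.
MemoryDenyWriteExecute=yes
# No capabilities at all, native ABI only, and the generic service allow-list
# minus the privileged and resource-control groups.
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Network: deny every address, then allow loopback only, so the app can be
# reached through the local reverse proxy but cannot call out to the Internet.
# For an app that needs no network at all, remove the Allow line and the
# AF_INET/AF_INET6 families.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=localhost
```

After `systemctl daemon-reload`, `systemd-analyze security example-app.service` scores the unit and lists which of these settings are still missing or ineffective for that service.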
I use one VM per component. The overhead is pretty minimal and VMs I think are still more secure than containers. Maybe I am just a tech dinosaur though. I run my VMs on OpenStack for the networking flexibility, and use Ceph for block and file system.
VMs do not actually add that much overhead (depending on the workload - GPUs are notoriously hard to share). And what most people do not realize is that something like VMware or another hypervisor is also very good at managing things like RAM across many VMs. In many cases you can overprovision (meaning you can have VMs that are technically "assigned" a total amount of RAM or CPU that is more than you even have physically) and still have great performance. The key is always to install the hypervisor on bare metal (don't run VMware on top of Windows or try to host a server where the "base" OS is OSX or something).
Containers are fine for this unless you reach the popularity where you are attracting dedicated attackers.
Use userns-remap. Run the docker daemon rootless if you want but don’t stress about it. Set up auth to the docker socket. Don’t bother with running the processes in the container as not uid 0, with remap it’s effort for little gain.
Now breaking containment means having a local privesc on your Linux distro or breaking the auth on the docker socket. Like that’s plenty for drive by attackers.
> Docker/containers used to not be hardened enough. Are they now?
I don’t think they ever will be. At least once a year there is a kernel bug where root in a non-root container/namespace can be elevated to root on the host.
I still use Sandstorm! Some of the apps are a bit outdated but the security model means that mostly doesn’t matter.
The WordPress Sandstorm app is slow enough at rebuilding the static side of our large site that I’ve been meaning to try forking it or building my own though. But Sandstorm itself has been great.
I use docker containers with separate dedicated users with just enough permissions for their purpose.
For example my media server user can't touch anything other than the media files and isn't part of sudo.
I am confused as what homeservers are. It seems this one is allowing me to run some apps. Does this mean I would otherwise not be able to use these apps if I did not have a homeserver? Also is there a difference between a homeserver and localhost?
Essentially, it's a single-click installer and management interface for a bunch of apps that you might want on your home server. Tipi isn't a "homeserver" itself, but its goal is to let you turn any old computer (even if it's somebody's Windows desktop while they're not heavily using it) into a home server without needing server OS administration or related expertise.
Admittedly, a better title is "Tipi - a personal homeserver manager for everyone." But the idea behind the current title seems to be that it enables everyone—regardless of hardware and expertise—to run a homeserver.
A home server is a separate machine from your main computer. It may not be connected to a monitor, or it may be a used laptop no one sits at. But it lives on your network at home.
A server provides software services. Your router could be considered a server: it helps your wifi devices get online and manages the Internet connection.
Tipi is an example of a pre-configured router, but as a server for certain apps: by using it, you don't have to set it up yourself. It comes with software that you can use, already available, installed, and configured. But it is a server too--and running in your home, it is a "homeserver."
You could likely use those same apps without Tipi, with varying amounts of time spent configuring something similar.
> Also is there a difference between a homeserver and localhost?
Yes, it would be different. If Tipi is running on a separate machine (the server), its localhost may load some kind of web control panel. However, when you visit localhost on your personal machine, if a web server is not running, the browser may just load an error page.
It is just a server in your home. Cloud hosts will all give access to your data to law enforcement without any warrant, so if you host a private message board with friends where you talk about smoking weed or getting an abortion it isn't so private and you can get arrested without them ever going through getting a warrant with any kind of probable cause legal procedures.
In your home you are protected (this is why Hillary's email server was self-hosted, to get the same rights against unreasonable search and seizure you get with US Mail), on the cloud the third-party doctrine rules and they can just give out your private data at any time.
(some providers have now said they won't give it out for requests about people seeking abortion, but that could end up in there when they search it based on a request about something else, and I don't know if any put the restriction on sharing abortion stuff with law enforcement in their actual legal agreements)
There is a saying that the cloud is just somebody else's computer, but with your own server, it can be your computer. You always need to trust the admin or company of any server/cloud service you use to not abuse you in some way, but if you are the admin, you only need to trust yourself.
Some of these server apps are made available to others by hosts of servers. The more people hosting servers for their friends and family, the less we all rely on the big central services.
I will let you lookup the definition of localhost. You will need to learn some networking if you decide to host your own services, and I encourage you to do so. It is fun and empowering.
It means send this from my network connection to my network connection.
This homeserver is kind of like a smartphone loaded with default apps (and kinda not like that, too).
What I mean is that this homeserver is essentially a bunch of apps and a platform for running those apps all bundled together to make setup easier.
You can setup and run all the same apps yourself if you want, but it might be a lot of melodrama for little, no, or negative advantage (or it might not).
The same applies to the homeserver itself. It might not make your life easier and might make it worse.
Which is to say it might not be for you — it isn’t for me, because it seems like a bit of bother to address things I don’t really care about.
This appears to share lineage with Umbrel. I haven't looked deeply enough to make any particular claims, but I feel fairly confident that one of these projects is violating someone's copyright.
From my experience everyone who makes their own has some reason they want it done their way. While I'd like to see more selfhosting platforms collaborate, I think it's also good we don't have a strong monoculture in the space.
Not the OP, but while I would have no problem using an orchestrator based on a different common packaging than Docker (e.g. RPM or AppImage), I would be very hesitant to use one that needs its own bespoke packaging. Because that's maintenance work and I would need to feel confident that someone will keep packaging future app updates.
Comparatively speaking, going back to how we deployed applications 10 years ago is the dark ages. Having everything in containers is objectively easier both from a getting started and ongoing maintenance standpoint.
Now: making minimal edits to a provided compose file for initial configuration, run command to spin up everything application needs, and you're done.
Then: install application package onto system (best: from developer package source/better: from old version in operating system repo/worst: by compiling from source after locating all dependencies and running make install), setting up any necessary databases or storage by hand, editing configuration files that are hopefully in /etc if the developer thinks the FHS is something to be honored, setting up init scripts/unit files so the application starts up in the environment it wants and when you want, and finally running the command which starts the application (which is probably distro specific).
And that's not even getting into updates. I'll take pulling the latest version of the container and restarting over app specific update instructions any day of the week. Life is too short for putting up with that kind of minutiae.
I played with YunoHost a bit yesterday, and within a couple of hours hit a situation where a misbehaving application froze the whole thing requiring a reboot. That's after spending longer than I wanted figuring out why the ISO always locked up mid-install, starting with Debian 11 + nonfree drivers instead and installing Yuno on top.
Really liked the concept, not the execution so much as it turns out.
Thinking of taking a look at CapRover next, which is docker based. This Tipi thing might be worth a go too, though maybe when it's a bit more mature.
Wow, that UI is basically the endstate of tile UI. All you get is a pastel color and two letters? What do they call that cult? Material Design?
That is SCREAMING for iPhone 1.0 style icons. There was just an HN post on how crappy modern icons are, I think it was the "there is no personality in 2020". This would be Exhibit A.
I gave it a try some months ago, and it was quite disappointing. The amount of broken packages was strange, and the number of problems with their interface was slightly disappointing.
But true, if you can work past those things, it might be better than tipi.
Wohey, this seems like a freebie version of https://cloudron.io which I really love.
Can't wait to run Tipi at home.
Cloudron will still run my businesses, which it has been doing with incredible stability for 3 years, and that includes email (sic). Not related to cldrn, only a happy customer and impressed.
Is there a reason it needs to be started as root? In similar self-hosted apps I’ve run into many issues from having scripts run as root. Often the individual apps don’t play nicely enough with each other.
Otherwise it looks interesting, I like the UI and the demo instance shows the UX well.
Agree, I feel as though it should, itself, be a container, that manages a docker-compose file, then manages the apps using appropriate docker-compose commands. All tested against podman as well.
Then the tool could be used readily on the many docker appliances (Synology, Qnap, etc.).
You don't need to run a script with sudo to use docker. This is targeted at tech-agnostic users, really odd misalignment of goals to ask folks who don't know what they're doing to 'sudo run.sh'.
There's also an ansible playbook by the author to automate all of that for you.
Other solid solutions include Mail-in-a-box and Mailcow. DuckDuckGo them to learn more.
A lot of people say that you shouldn't waste your precious time hosting email. Then, these same people won't hesitate to spend countless hours browsing Pornhub or Netflix and playing video games.
Forget about these losers and roll your own email for fun. The last thing you want is to be on your deathbed regretting not having had your own personal mail server.
Yes, life is too precious to self host email. Get a reasonably secure provider and don’t put super sensitive information in it. Better channels for that type of information anyway.
The initial setup but then it's just OS updates, rarely a major version configuration adjustment, nothing wild.
Postfix Dovecot Postgres ezpz
I also use milter rspamd opendkim
UI is vimbadmin, but I'm working on writing a drop in replacement for it in Go. I'll release it open source once it's ready, likely also a setup script for the whole deal.
And with this you can be pretty sure no one eavesdrops.
And then install Delta Chat to have a messenger-like workflow.
Honestly, way better than self hosting if you're not an absolute expert in that field. I am a customer for years and Jarland is a legend when it comes to superb email delivery.
One solution would be to use our service called Hoppy. It provides a public IP even if you are behind a NAT using WireGuard. Plus you get an entire /56 IPv6!
I've always wanted to get my homeserver setup to really work for sabnzb/xbmc/kodi and all video files but it ALWAYS has never turned out quite right. There's always some plugin or unzip that screws it up.
This looks good but still doesn't look proper home media server enabled.
In their title, they use the character U+26FA TENT, which could be depicted as any kind of tent. In the body, GitHub replaces emoji with images for some reason, in this case a particularly weird thing that isn’t even obviously a tent. (I presume this is what you’re remarking on.)
The screenshot shows what I presume is actually the logo, which is a tipi.
I hope meienberger here hasn't plagiarized the source-available project named Umbrel.
The comments in this file seem similar too:
https://github.com/getumbrel/umbrel-apps/blob/eb0f119df8ed89...
https://github.com/meienberger/runtipi-appstore/blob/c86641b...