r_selfhosted | Unsorted

Telegram channel r_selfhosted - r/SelfHosted

r/SelfHosted

Sonos-Control Update: Identity, Scheduling & Audit Logging
https://redd.it/1no973r
@r_SelfHosted

r/SelfHosted

Help forge a self-hosted POS for anyone? Open demo + testers wanted
https://redd.it/1nnxiww
@r_SelfHosted

r/SelfHosted

Any way to upscale dvd rips?

Hey all, pretty new to self hosting stuff, and was wondering if I could be pointed in the right direction.

I have a dvd box set of a show that was only ever released on dvd with no bluray ever having been made available (god damn it Cartoon Network). I was wondering what my options are in terms of upscalers that I could run on mkvs that could get them to at least 720p. My rig is running an amd 7700X cpu and a 9070xt gpu, so I should be able to run something like Topaz Labs or something (the pricing on that seems a bit insane for my use case).

Any options here?

https://redd.it/1nnuklv
@r_SelfHosted

r/SelfHosted

Pangolin VPS only forwards UDP "partially", (Debian / Mojang bedrock server)

Hello, I just got started self hosting and trying to get a local server machine running using a pangolin / newt vps, as my provider does not allow me to obtain a public ip address.

So I rented a virtual server from ionos and set up pangolin there according to the doc (see https://github.com/fosrl/pangolin).

I also have a local server running Debian 6.12.43-1 /w KDE. The newt endpoint is running in a docker container stack.

My gaming machine (client) is dual booted and for this test purpose running Fedora 42 KDE Plasma edition.

I was planning to run a minecraft bedrock server on the machine; however, clients can't properly connect from the outside.

The bedrock server exe runs fine and I'm able to connect over the local network with the game client. But I'm not able to connect externally via the vps.

So I set up some ports for testing in my config / firewall settings. 12344 using TCP and 12345 UDP respectively.

I tested if the ports are open using nc / netcat and I found that:

A: The test ports are open via my local network. So far so good.

B: Both ports are accessible and forwarded correctly publicly (via the vps tunnel)

TCP Test (server side)

TCP Test Client side (from the outside via VPS, works)

However: The UDP port doesn't seem to function "properly". I'm only able to send one line of text via netcat. The following lines are never received. This only happens when I connect from the outside. Not locally. But I'm completely at a loss as to why this could be.

UDP Test over local network:

UDP Test Server Side (local network)

UDP Test Client Side (local network, works fine)

vs. UDP Test from the outside:

UDP Test Server Side (external connection) ONLY RECEIVES THE FIRST LINE SENT

UDP Test Client Side (external connection)

Probably the same reason why the bedrock server doesn't function properly, can't be sure as Microsoft's excellent software doesn't spit out any useful information to the user.

Does anyone know what the reason might be? What do I even have to look into here?

Any help is appreciated, thanks

https://redd.it/1nntjkg
@r_SelfHosted

r/SelfHosted

Pangolin 1.10.2: Declarative configs & Docker labels, multi-site failover, path-based routing, and more

Hello everyone,

We’ve been busy expanding Pangolin, our self‑hosted alternative to Cloudflare Tunnels. Pangolin makes it super easy to bring any service online with authentication no matter where it is hosted. 

* GitHub: [https://github.com/fosrl/pangolin](https://github.com/fosrl/pangolin)
* Docs: [https://docs.digpangolin.com/](https://docs.digpangolin.com/)

# Declarative Config (Blueprints)

Now you can define your entire stack of resources using YAML files or Docker labels (just like Traefik) directly in your Docker Compose setup. This makes resource management consistent, automatable, and GitOps-friendly. We’re starting small with just resources but will continue to expand this functionality. [Read our documentation](https://docs.digpangolin.com/manage/blueprints) to learn more and see examples with videos.

    services:
      grafana:
        image: grafana/grafana
        container_name: grafana
        labels:
          - pangolin.proxy-resources.grafana.name=Grafana
          - pangolin.proxy-resources.grafana.full-domain=grafana.example.com
          - pangolin.proxy-resources.grafana.protocol=http
          - pangolin.proxy-resources.grafana.auth.sso-enabled=true
          - pangolin.proxy-resources.grafana.targets[0].method=http
          - pangolin.proxy-resources.grafana.targets[0].port=3000

# Multi-site Resources

Instead of tying a resource to a single site, targets are now site‑aware, letting you have multiple site (Newt) backends on the same resource. This means you can load balance and fail over traffic seamlessly across completely different environments with sticky sessions keeping requests on the same backend when needed.

# Path-based Routing

When adding targets to a resource, you can now define rules based on exact matches, prefixes, or even regex to control exactly where traffic goes. This makes it easy to send requests to the right backend service. Combined with multi-site resources, path-based routing lets you steer requests down specific tunnels to the right location or environment.

[Targets page of a Pangolin resource showing path-based routing to multiple sites.](https://preview.redd.it/yw3uftalwqqf1.png?width=2352&format=png&auto=webp&s=31f481269f1b9e337f914aa0a21188f1b1720e4a)

# Coming Soon

Thanks to Marc from the community we already have a full featured [Helm chart for Newt](https://artifacthub.io/packages/helm/fosrl/newt)! We are working on more extensive charts for Pangolin itself as well as OTEL monitoring and more! Look out for a new post in a couple of weeks when it is all published.

# Cloud

We have also been hard at work on the Cloud! The Cloud is for anyone who is looking to use Pangolin without the overhead of managing a full node themselves, or who want the high availability provided by having many nodes.

We have recently added managed self-hosted (hybrid) nodes to Pangolin Cloud ([read docs](https://docs.digpangolin.com/self-host/quick-install-managed)). This allows you to still self host a node that all the traffic goes through (so no need to pay for bandwidth) and maintain control over your network while benefiting from us managing the database and system for you and achieving high availability.

In addition to this we have added EU deployment ([blog post](https://digpangolin.com/blog/posts/pangolin-cloud-eu)) and finally identity provider support ([blog post](https://digpangolin.com/blog/posts/idp-support))!

# Other Updates

* Add pass custom headers to targets
* Add skip login page and go straight to identity provider
* Add override for auto-provisioned users (manually set roles)
* Bug fixes and reliability improvements

Come chat with us on [Discord](https://discord.gg/HCJR8Xhme4) or [Slack](https://digpangolin.com/slack).

https://redd.it/1nnry8a
@r_SelfHosted

r/SelfHosted

Jellyfin qbittorrent throttle automation

Hey all,

I have a 5G internet connection at home so I don’t get the best speeds. Max download I get is around 20 MB/s on a good day. I host Jellyfin with the arr stack at home and use qbittorrent. I share this with some of my friends and family. I noticed that whenever someone would play something on Jellyfin while something was being downloaded on qbittorrent, it would cause buffering so I had to manually stop all downloads.

Because of this I created a flask app that listens for Jellyfin webhooks, and when playback starts it sets qBittorrent’s global download speed to basically nothing (1 B/s). When playback stops, it resets the limit back to unlimited. If multiple people are watching, it only unthrottles once everyone stops.

I also added Discord notifications so I get messages like:

▶️ Playback start — Wonder Woman (2017)
👤 user1 on Samsung TV
⚙️ Throttled to 1 B/s
🧮 Active viewers: user1, user2

And when it ends:

⏹️ Playback stop — Wonder Woman (2017)
👤 user1 on Samsung TV
⚙️ Unthrottled
🧮 Active viewers: none

To summarize the setup is Jellyfin + qBittorrent in Docker, a small Python/Flask app running as a systemd service listening to Jellyfin webhooks, and a Discord webhook for notifications.

Does anyone do something similar, or has anyone fixed this issue in a different way?

https://redd.it/1nnmc6f
@r_SelfHosted

r/SelfHosted

NextCloud sucks, there must be something better.

Every post on the internet related to "Self-hosted alternative to GSuite/M365" points to NextCloud. But, using NextCloud when you're not an enterprise is painful at best. It's clunky, it's buggy, and it's behind its supposed competitors in features for every one of its main planks (Files, Contacts, Photos, etc). And getting my family members to switch from Google Family accounts to NextCloud is horrible. They experience nothing but bugs and problems, complain about missing features, and wonder why on earth they'd switch with the only advantage being data ownership. Comparing everything about actually using the system is a con, not a pro.

As the admin, and a professional IT engineer for the last 8 years, I can see how NextCloud could work for enterprise. It really seems like it was built for enterprise honestly. The feature development and features support are much more oriented around what I might want for work rather than what I want at home.

There has to be something better for home users.

Something that's simple to use, intuitive to use, and pretty to use.

I found Immich for photos, and they get it. They get the self hosting mindset. Simple to setup, simple to use, pretty apps, useful features.

Is there an "Immich" for contacts? For Drive? For Calendar? Even if they're different apps. I can use a different product for Calendar than Contacts if it's simple to use and something my family members can switch to from Outlook and GCalendar without complaint. (Setting up a caldav/carddav server isn't gonna cut it. It's gotta be a self contained system, even if it's just caldav/carddav on the backend. Gotta be pretty and intuitive on the frontend).

If there isn't something better. We really need to make something better.



https://redd.it/1nndfud
@r_SelfHosted

r/SelfHosted

Self-Hosted Software Management?

Hello everyone,

I have been using Gameyfin lately to serve my DRM free games in a pleasant way so I can download the files from my server. I was wondering if there is something similar that allows me to download general software?

I was thinking it would be good to browse software and OS images in a similar way with description and screenshots etc. Even better would be a way to have my Linux ISO images automatically update from their respective repositories but I am happy to update the files manually.

Thanks all in advance :)

https://redd.it/1nnitt2
@r_SelfHosted

r/SelfHosted

Maloja DB to Lidarr import

Kia ora kotou.

I am a homelab enthusiast and have no coding training or formal git usage etc so forgive me if I've done something wrong or not best practice.

In my effort to move from Spotify, I decided I wanted to begin scrobbling my data so whatever service I ended on, I'd maybe be able to keep my listening history.

I already run *Arr suite but knew Lidarr was having its issues so for a while I set up multi-scrobbler to write to a Maloja DB. Now that Lidarr is *working, I thought I'd import my listening history in.... to find that this wasn't supported.

So I wrote my own program to set up an API call that lists the artists in the DB in a json structure as Musicbrainz IDs and then I can link that api url into a custom list.

*as the API still kinda doesn't work, it hasn't yet started importing artists but as far as I can tell, everything else is working.

Maybe it's very unique to me, but in case anyone else is in a similar situation, I have everything uploaded to my gitea including a docker image ready to pull.

Happy to hear feedback!

https://gitea.kansaigaijin.com/KansaiGaijin/Majola-Lidarr-Importer

https://redd.it/1nn9v99
@r_SelfHosted

r/SelfHosted

SABnzbd/qBittorrent failing via Gluetun + OpenVPN (Homebox stack routed through VPS)

I’m running into issues with **SABnzbd** and **qBittorrent** when routing them through **Gluetun + OpenVPN** in my Docker Compose stack, and I’d love some advice.

**Setup details:**

* **Homebox** runs my Docker Compose stack (Traefik, SABnzbd, qBittorrent, Gluetun, etc.)
* **VPS** acts as the endpoint to bypass my ISP’s heavy download shaping (ISP is behind CGNAT)
* Gluetun is configured with my VPN provider’s **OpenVPN config** and routes SAB/qBit
* Traefik is part of the same stack for reverse proxy
* Other services (like Plex) route fine, but SAB/qBit consistently fail

**Problems I’m facing:**

1. **SABnzbd/qBittorrent fail to resolve hosts** — e.g., `getent hosts` [`news.newsdemon.com`](http://news.newsdemon.com) returns `FAIL` inside SAB container.
2. **DNS resolution weirdness** — resolv.conf inside containers points to [`127.0.0.1`](http://127.0.0.1), but name resolution still fails.
3. **Download throttling** — even when it connects, speeds are shaped hard by ISP unless traffic is routed correctly through the VPS.
4. **Traefik API/router** — I previously had trouble with Traefik routing through Gluetun, though I think I’ve resolved it. Including here in case it’s relevant.

**What I’ve tried:**

* Checked container resolv.conf (`127.0.0.1` in SAB/qBit)
* Restarted Gluetun with different DNS configs (including explicit resolvers)
* Tested WireGuard vs OpenVPN configs — OpenVPN works for routing, but downloaders fail
* Verified that non-download services (Plex etc.) work fine through same setup

**What I’d like help with:**

* Anyone successfully running SABnzbd/qBittorrent through Gluetun + OpenVPN in a similar homebox → VPS setup?
* Best way to handle DNS resolution inside containers? Should I override resolvers in Gluetun or in Docker?
* Is combining WireGuard + OpenVPN necessary to bypass ISP shaping, or should Gluetun alone be enough?
* Any config snippets (docker-compose or Gluetun env) known to work for downloaders would be hugely helpful.

Thanks in advance — I feel I’m close, but missing something obvious in the config.

https://redd.it/1nnairy
@r_SelfHosted

r/SelfHosted

is still compressed on the registry. Second, the space savings and also download, unpacking savings are enormous. Up to a factor of multiples enormous, without any drawbacks or cutbacks. Projects like [eStargz](https://github.com/containerd/stargz-snapshotter) try to solve the rampant container image growth by lazy loading images during download, instead of focusing on creating small images in the first place. The solution is distroless, not lazy loading.

# DISTROLESS - HOW CAN I USE IT?

That’s the easiest part. Simply find a distroless image for the application you need. There aren’t many distroless image providers available sadly, because creating a distroless image is a lot more work for the provider than it is for you to use it. You will basically never get a distroless image from the actual developer of the app. They ship their app often run as root and with a distro like Debian or Alpine. This is done for easy adoption of their app, but leaves you with a poor image in terms of security.

So, what can you do? Simply request the image in question from the provider you prefer. The more demand there is for distroless images, the more will hopefully exist. I myself provide many distroless images for this community. If you are interested you can check them out yourself.

# DISTROLESS - I GOT NO SHELL, WHAT NOW?

Since distroless containers have no shell, you can’t `docker exec -ti` into them. Instead, enter the world of [nsenter](https://man7.org/linux/man-pages/man1/nsenter.1.html). A Linux command that lets you enter any namespace of any process and lets you execute binaries from the host within that namespace. Here is an example command from my own educational RTFM:

    nsenter -t $(docker inspect -f '{{.State.Pid}}' adguard-server-1) -n netstat -tulpn

This will execute netstat attached to the defined PID *(-t)* in the namespace network *(-n)*, even though the image does not have netstat installed. Like this you can still debug your images like you would if they had a shell, just safer and more elegant. You also have the added benefit that you can execute any binary from the host, so you don’t need to install debug tools into the image itself. Of course, to use nsenter, you must have the correct privileges. If you use a rootless container runtime, make sure you have set the correct permissions for the user you are using nsenter with.

# DISTROLESS - I USE PODMAN, SO NO THANK YOU!

Distroless images are useful regardless what container runtime you use. A slimmed down attack surface helps everyone, even if your images are not executed as root and use a UID/GID mapping that is safer. Not running as root does not mean an exploited image can’t be used to attack other images or even the host. The less there is to attack, the better!

# DISTROLESS - LIMITATIONS

In a perfect world, every app could be run as distroless image, sadly that’s not the case. The reason for that is simple: Some apps require external libraries to be loaded at runtime, dynamically. This makes it impossible to convert them to a distroless image, unless the developer of the app would change their code to not dynamically load additional content at runtime. What are common signs you can’t request a distroless image from an app?

* App is based on Python
* App is based on node/deno with dynamic loaded libraries
* App is based on .NET core with inline Assembly calls

# DISTROLESS - CONCLUSION

The benefits are many, the downsides only a few and are not tied to actual distroless images but apps that can’t be converted to distroless. This sounds like one of these things that is too good to be true, and it somehow is, otherwise everyone would create and use them. I hope this post could educate and inform you more what is possible and what developers actually could do. Why it is not done that way as the best practice and normal way, you have to figure out for yourself. If you have further questions, feel free to ask anything you did not understand or if you need more information about some aspect.

I hope you enjoyed this short and brief educational

r/SelfHosted

📖 Know-How: Distroless container images, why you should use them all the time if you can!

# KNOW-HOW - COMMUNITY EDUCATION

This post is part of a know-how and how-to section for the community to improve or brush up your knowledge. Selfhosting requires some decent understanding of the underlying technologies and their implications. These posts try to educate the community on best practices and best hygiene habits to run each and every selfhosted application as secure and smart as possible. You'll find more resources and info at the end of the post.

# DISTROLESS - WHAT IS THAT?

Most on this sub know what a distro is, if not, please read the wiki article about it and return to this guide. So, what shall distroless mean? Another buzzword from the cloud? No. It simply means that no binaries (executable programs) are present that are specifically tied to a Linux distribution. Container images are nothing more than a compressed archive, like a zip file, containing everything the application within needs to work. The question is, how much junk is in that zip file? A distroless image has all junk removed from its image. This means that your zip file contains only what the application needs to run, not one bit more. This does not only make the image several times lighter on your hard drive but also by default more secure.

Why does it make it by default more secure? Well, simply put, if there is less to attack, you have a harder time attacking something. That’s why all ports on your firewall are by default closed. If all ports would be open, someone could find maybe something to exploit and attack you. The same is true for a container image. Why add a shell or curl to your image when your application doesn’t need them to work? There is no benefit in having curl, ls, git, sh, wget and many more in your container image, but there could be a potential downside if any of these have a zero day or known CVE that can be exploited.

Someone might tell you, this does not matter, since you run your app and not git. That is not entirely true. The app you run, could have an exploit but not offer much in terms of functionality. For instance, the app can’t make a web request (there is simply no function for this within the app), but the attacker gained access to the container's file system, hence he can now use curl or wget inside your image, to further download more tools to exploit and continue his malicious work. This is especially useful for automated attacks, where known CVEs or science forbid, zero days, are used to exploit your Jellyfin in an automated way. These are commands that will try to download additional malicious code with tools available which the exploit thinks are present in any image (like curl, wget or sh). If these tools are not available, the attack will already fail and the target will be marked as not vulnerable (to not waste time).

Nothing will protect you from a targeted attack! If you are a target of an exploit or hacker group there is basically nothing you can do to protect yourself. You can only mitigate, but not prevent! Don't believe me, believe the shadow brokers.

# DISTROLESS - TINY HEROES

Another advantage of a distroless image is its physical size. This is not a very important factor, but a welcome one nonetheless. Since a distroless image has nothing in it that’s not required to run the app, you save a lot of disk space in addition to reducing your attack surface. Don’t believe me? Well, here is an infamous example:

|image|size on disk|distroless|
|:-|:-|:-|
|11notes/qbittorrent|17MB|✅|
|home-operations/qbittorrent|111MB|❌|
|hotio/qbittorrent|159MB|❌|
|qbittorrentofficial/qbittorrent-nox|172MB|❌|
|linuxserver/qbittorrent|198MB|❌|

There are two important takeaways from this table. First is the size on disk. Images are compressed when you download them, but will then be uncompressed on your container host. That’s the actual image size, not the size while it

r/SelfHosted

Sophia NLU Engine Upgrade - New and Improved POS Tagger


Just released a large upgrade to Sophia NLU Engine, which includes a new and improved POS tagger along with a revamped automated spelling corrections system. POS tagger now gets 99.03% accuracy across 34 million validation tokens, still blazingly fast at ~20,000 words/sec, plus the size of the vocab data store dropped from 238MB to 142MB for a savings of 96MB which was a nice bonus.

Full details, online demo and source code at: https://cicero.sh/sophia/

Release announcement at: https://cicero.sh/r/sophia-upgrade-pos-tagger

Github: https://github.com/cicero/cicero-ai/

Enjoy! More coming, namely contextual awareness shortly.

Sophia = self hosted, privacy focused NLU (natural language understanding) engine. No external dependencies or API calls to big tech, self contained, blazingly fast, and accurate.





https://redd.it/1nn8ayd
@r_SelfHosted

r/SelfHosted

An open source privacy-preserving home security camera using end-to-end encryption

We have built Secluso, an open source, privacy-preserving home security camera solution, which uses end-to-end encryption. Secluso tries to provide functionality similar to a Ring camera, but without violating the user's privacy (as most mainstream consumer cameras do!). The functionality includes sending video recordings to the app when the camera detects an event (motion, person, pet, etc.) as well as on-demand live-streaming. To detect events, Secluso performs AI on the camera feed fully locally (i.e., on the camera).

Secluso uses end-to-end encryption to send videos from the camera to the mobile app. It uses OpenMLS for end-to-end encryption. The videos are relayed via a server, but the server is untrusted and cannot decrypt them.

All components of Secluso are open source including the camera code (i.e., the code to process the camera feed, detect events, encrypt videos, and send them to the mobile app), the server, and the mobile app (which uses Flutter and can run on both iOS and Android). You can use our code to set up your own private home security camera system using a Raspberry Pi or an IP camera. In our GitHub repository, we provide detailed instructions for setting up the system.

All comments and feedback are welcome!

Our GitHub repository: https://github.com/secluso/secluso

https://redd.it/1nn6a39
@r_SelfHosted

r/SelfHosted

Meeplestats: AAA looking for boardgame enthusiasts

Hi everyone! I’m back with a quick update on the state of the app (original post here).
TL;DR: I’m building a self-hosted application to keep track of scores from your game nights. It also includes extra features such as a chatbot to retrieve information about a game’s rules and semi-automatic score sheets to speed up point calculation.

The UX/UI is still under development, and I’ve recently added a dark mode. You can now also add games manually without needing a BGG account.

I’m looking for board game enthusiasts to join the community! I’ve created a new Discord server to gather feedback, improve the application, and plan new features. If you’re interested, feel free to join!

You can find all the important information about MeepleStats in the GitHub repo, as well as a Docker Compose file for easy installation, image preview of the app and the link to the Discord server.

https://redd.it/1nn3ub3
@r_SelfHosted

r/SelfHosted

Dockform
https://redd.it/1nnncch
@r_SelfHosted

r/SelfHosted

MPClipboard - multi-platform shared clipboard
https://github.com/mpclipboard/

https://redd.it/1nnzcqj
@r_SelfHosted

r/SelfHosted

Anyone figured out a good way to do “global search” across Nextcloud, Immich, and Jellyfin?

Hey folks,

One pain point I keep running into with my self-hosted stack is **search across different services.**

In my case:

* **Nextcloud** → for documents & notes
* **Immich** → for photos
* **Jellyfin** → for media
* Plus a couple of smaller apps (like Paperless-ngx for PDFs)

Each app has its own search, but they’re totally siloed. If I want to find:

* a PDF with my travel plans (in Paperless),
* the photos from that same trip (in Immich), and
* the movie I queued up to watch on the flight (in Jellyfin),

…I have to jump between 3-4 apps.

So I’m wondering:

* Has anyone built/used a **centralized search layer** (Elasticsearch, Meilisearch, etc.) to query across multiple self-hosted services?
* Or do you just accept the silos and keep things organized manually?
* Any clever scripts/integrations that help link things together without going full enterprise mode?
* How do you personally organize your data so you don’t have to remember *which app has it*?

Feels like self-hosting gives me total control over storage, but **search and organization across apps is still a weak point.** Curious how others here are handling it.

**TL;DR:** I use Nextcloud + Immich + Jellyfin + Paperless-ngx. Searching across them is fragmented. Anyone figured out a nice way to unify or simplify global search?

https://redd.it/1nnv1ez
@r_SelfHosted

r/SelfHosted

File management arr stack

Hi guys, I have a docker stack on my home lab running jellyfin, jellyseerr, qbittorrent under gluetun, prowlarr, radarr and sonarr, and I'm pretty happy with how it's working. The only problem I'm having is with tvshows... qbittorrent downloads in its folder, then sonarr moves the files to the tvshows folder, but not always in the correct way:

I want it to create a folder for the show, then subfolders for each season and inside that the video files. How can I do that? I checked "create seasons subfolder" but it leaves them empty (??)

Also I would like to have all these folders and files without spaces, to be easier in the console.

https://redd.it/1nnqaav
@r_SelfHosted

r/SelfHosted

Netflix seems to block video stream if its trackers are blocked

I have been using AdguardHome for a long time. And always set the defaults, which normally allow Netflix but block its trackers. But since this evening, I am seeing that if Netflix doesn't get to connect to its tracker, it's not allowing the videos to be streamed, with frequent NSURL:-1200 errors on iPhone and "We are having trouble playing Netflix" error on the browser.
After I dug in and added these 3 domains to the custom filter to allow them

    @@||ichnaea-web.netflix.com^$important
    @@||logs.netflix.com^$important
    @@||logs.dradis.netflix.com^$important

And voila, Netflix started working again. These companies are catching up to the adblocking scene pretty fast and with a vengeance.

https://redd.it/1nnq6w4
@r_SelfHosted

r/SelfHosted

Imagor Studio: Self-hosted image gallery and live editing web application

https://redd.it/1nnmgnb
@r_SelfHosted

r/SelfHosted

Colo/Self Hosted IPMI On WAN?

Hey All -

A few providers I’ve looked into don’t offer dedicated or secured by VPN access to the IPMI interface. I was a little surprised their guidance was to use one of the IPs in the /29 meaning it’s exposed to the Internet.

Is there a better way? I don’t believe my X10 SuperMicro board has any fail2ban like characteristics

Thanks


https://redd.it/1nnjtn8
@r_SelfHosted

r/SelfHosted

Advice on Home Server Setup (NAS, Jellyfin, AdGuard, Containers)

Hi everyone,

I’m planning to replace my old Synology DiskStation and Raspberry Pi with a Mini PC that will serve as my new home server. The main use cases are:

* NAS
* Jellyfin media server
* AdGuard Home DNS
* Potentially other services in the future

Ideally, I’d like to run each service in its own LXC container so that dependencies and configurations stay isolated.

For the setup, I’ve been considering:

* Host OS: Proxmox VE
* Guest OS (per container): NixOS – mainly because I like the idea of having all configurations stored as code, which makes rebuilding the server much easier in the long run.

While I’m comfortable with the terminal and config files (been using Linux on and off since the late ’90s), I’d still prefer a graphical web interface for managing, maintaining, and monitoring the server and containers. At this point in my life, I’d rather spend less time tinkering and more time just having a reliable system that works.

I briefly thought about running NixOS directly as the host, but I really want the flexibility of multiple containers per service and a web GUI. Is there something like this for NixOS, too?

What would you recommend in terms of OS/software setup?

Thanks in advance!

https://redd.it/1nnellr
@r_SelfHosted

r/SelfHosted

Looking for nextcloud alternatives but similar to filebrowser

Nextcloud is pretty neat but I want something like filebrowser. I do not want a user specific directory, I want the root directory to be on the root of a specific ZFS dataset, which is impossible with nextcloud. Is there a solution to this?

Note that I am using truenas. While technically I can symlink, I don’t want to do it that way, and I shouldn’t.

https://redd.it/1nnfumv
@r_SelfHosted

r/SelfHosted

know-how guide. If you are interested in more topics, feel free to ask for them. I will make more such posts in the future.

**Stay safe, stay distroless!**

# DISTROLESS - SOURCES

* [NIST SP 800-123/4.2.1 - Remove or Disable Unnecessary Services, Applications, and Network Protocols](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf)
* [Docker Docs - Don't install unnecessary packages](https://docs.docker.com/build/building/best-practices/#dont-install-unnecessary-packages)
* [Docker Blog - Is Your Container Image Really Distroless?](https://www.docker.com/blog/is-your-container-image-really-distroless/)

https://redd.it/1nne76k
@r_SelfHosted
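
An added example for the distroless know-how post (not part of the original post and not the author's code): a Python check that scans a root filesystem tar, in the format `docker export` writes, for the tools the post names (curl, ls, git, sh, wget). The function names, the directory list and the two in-memory sample filesystems are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

# Tools the post lists as having no benefit inside an application image.
POST_TOOLS = {"curl", "ls", "git", "sh", "wget"}
# Assumption: the usual binary directories of a Linux root filesystem.
BIN_DIRS = {"bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin"}


def find_tools(rootfs_tar, tools=POST_TOOLS):
    """Return sorted paths of the listed tools found in a root filesystem
    tar, the format written by `docker export`."""
    hits = []
    with tarfile.open(fileobj=rootfs_tar, mode="r:*") as tar:
        for member in tar:
            path = posixpath.normpath(member.name).lstrip("/")
            directory, _, name = path.rpartition("/")
            # Symlinks count: busybox-based images expose sh, ls and wget as links.
            is_entry = member.isfile() or member.issym() or member.islnk()
            if is_entry and name in tools and directory in BIN_DIRS:
                hits.append(path)
    return sorted(hits)


def build_rootfs(files, symlinks=()):
    """Build a constructed rootfs tar in memory (sample data, not a real image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in files:
            info = tarfile.TarInfo(path)
            info.mode = 0o755
            tar.addfile(info)
        for path, target in symlinks:
            info = tarfile.TarInfo(path)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


# Constructed samples: a distro-based layout and a distroless one.
DISTRO_BASED = build_rootfs(
    ["usr/bin/curl", "usr/bin/git", "bin/busybox", "app/server"],
    symlinks=[("bin/sh", "busybox"), ("bin/ls", "busybox"), ("usr/bin/wget", "/bin/busybox")],
)
DISTROLESS = build_rootfs(["usr/local/bin/server", "etc/passwd"])

if __name__ == "__main__":
    for label, image in (("distro-based", DISTRO_BASED), ("distroless", DISTROLESS)):
        print(label, find_tools(io.BytesIO(image)))
```

For a real container, run `docker export <container> -o rootfs.tar` and pass `open("rootfs.tar", "rb")` to `find_tools`. An empty list means none of the listed tools sits in the usual binary directories.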


r/SelfHosted

📖 Know-How: Distroless container images, why you should use them all the time if you can!

# KNOW-HOW - COMMUNITY EDUCATION

This post is part of a know-how and how-to section for the community to improve or brush up your knowledge. Selfhosting requires some decent understanding of the underlying technologies and their implications. These posts try to educate the community on best practices and best hygiene habits to run each and every selfhosted application as securely and smartly as possible. You'll find more resources and info at the end of the post.

# DISTROLESS - WHAT IS THAT?

Most on this sub know what a distro is; if not, please read the [wiki article](https://en.wikipedia.org/wiki/Linux_distribution) about it and return to this guide. So, what shall distroless mean? Another buzzword from the cloud? No. It simply means that no binaries (executable programs) are present that are specifically tied to a Linux distribution. Container images are nothing more than a compressed archive, like a zip file, containing everything the application within needs to work. The question is, how much junk is in that zip file? A distroless image has **all junk removed** from its image. This means that your zip file contains only what the application needs to run, not one bit more. This not only makes the image several times lighter on your hard drive but also more secure by default.

**Why does it make it by default more secure?** Well, simply put, if there is less to attack, you have a harder time attacking something. That’s why all ports on your firewall are by default closed. If all ports were open, someone could maybe find something to exploit and attack you. The same is true for a container image. Why add a shell or curl to your image when your application doesn’t need them to work? There is no benefit in having curl, ls, git, sh, wget and many more in your container image, but there could be a potential downside if any of these have a zero day or known CVE that can be exploited.

Someone might tell you, **this does not matter**, since you run your app and not git. That is not entirely true. The app you run could have an exploit but not offer much in terms of functionality. For instance, the app can’t make a web request (there is simply no function for this within the app), but the attacker gained access to the container's file system, hence he can now use curl or wget inside your image to further download more tools to exploit and continue his malicious work. This is especially useful for automated attacks, where known CVEs or, science forbid, zero days are used to exploit your Jellyfin in an automated way. These are commands that will try to download additional malicious code with tools available which the exploit thinks are present in any image (like curl, wget or sh). If these tools are not available, the attack will already fail and the target will be marked as not vulnerable (to not waste time).

**Nothing will protect you from a targeted attack!** If you are a target of an exploit or hacker group, there is basically nothing you can do to protect yourself. You can only mitigate, but not prevent! Don't believe me, believe [the shadow brokers](https://en.wikipedia.org/wiki/The_Shadow_Brokers).

# DISTROLESS - TINY HEROES

Another advantage of a distroless image is its physical size. This is not a very important factor, but a welcome one nonetheless. Since a distroless image has nothing in it that’s not required to run the app, you save a lot of disk space in addition to reducing your attack surface. Don’t believe me? Well, here is an infamous example:

|**image**|**size on disk**|**distroless**|
|:-|:-|:-|
|11notes/qbittorrent|17MB|✅|
|home-operations/qbittorrent|111MB|❌|
|hotio/qbittorrent|159MB|❌|
|qbittorrentofficial/qbittorrent-nox|172MB|❌|
|linuxserver/qbittorrent|198MB|❌|

There are two important takeaways from this table. First is the **size on disk**. Images are compressed when you download them, but will then be uncompressed on your container host. That’s the actual image size, not the size while it


r/SelfHosted

Can I use OnlyOffice with another file manager, to edit files on my server?

I want to set up a "google drive" alternative on my server (unraid) and after reading some posts trying to find the best solution, it looks like there are file managers and file editors (OnlyOffice for example).

How does it work? Can I install a file manager and then connect OnlyOffice somehow, so when I want to edit a file, then it will open using OnlyOffice, or is it two separate things, using two separate containers?

Sorry if this is a dumb question, but having a hard time wrapping my head around this.


https://redd.it/1nn9jtb
@r_SelfHosted


r/SelfHosted

Security best practices of Pterodactyl server?

Hi, new to self hosting but have a proxmox setup running currently and trying to understand best security practices for a Pterodactyl server (mostly just Minecraft and only for a couple of friends).

Currently have Pterodactyl panel + wing in separate VMs and externally accessible via cloudflare tunnel with my domain. I have the panel set up with cloudflare access to sign in + only traffic from my country + the panel itself has a 2FA login.

I plan on running Tailscale for access to my Jellyfin server. Should I just have the panel/wing only locally accessible and then connect to the panel via Tailscale? Having external access isn't overly important but all the Pterodactyl setup guides seemed to happily port forward the panel and wing without a mention of security so wondering if I'm being overly paranoid or not?

Ultimately I guess port forwarding for a minecraft server is inherently the least secure service I am running,

Happy to be directed towards some resources to read/learn and just trying to learn the best practices in this scenario.


Thanks,

https://redd.it/1nn7jt3
@r_SelfHosted


r/SelfHosted

AutoProductImagery — Dockerized Gemini 2.5 Flash Image (nano banana) frontend for batch product imagery and more

Hey r/selfhosted,

I built AutoProductImagery, an open‑source, self‑hostable web UI/CLI for batch image processing. It runs the same prompt across many input images, and you can include “model” images that get submitted along with every input to speed up on‑model/e‑commerce workflows. Works for other batch image tasks too.

* Repo: [https://github.com/Codethier/autoproductimagery](https://github.com/Codethier/autoproductimagery)
* Image: codethier/autoproductimagery:latest (Docker Hub)
* Inference: Google Gemini 2.5 Flash Image (via “nano banana”)
* Auth: simple cookie auth (username/password via env)
* Storage: local filesystem + SQLite

Notes up front for this sub

* This is self‑hosted UI/API and storage, but it depends on Google’s Gemini API for the image generation step. Your assets stay local; images you process are sent to Gemini per your API usage.
* No job queue yet. There are automatic retries on transient errors.

What it does

* Batch the same prompt across lots of images (add one or more “model” images that go with every input)
* Good for on‑model product imagery, catalog mockups, and other repeatable image transforms
* Basic web UI to select inputs, model images, and a prompt; preview and download outputs
* Persists outputs and a lightweight SQLite DB on mounted volumes
* Retries for flaky API calls

Quick start (Docker)

```bash
docker run -p 3000:3000 \
  --env-file .env \
  -v /folderOnYourMachine/data:/app/data \
  -v /folderOnYourMachine/sqlite:/app/sqlite \
  codethier/autoproductimagery:latest
```

Example .env

```
GEMINI_API_KEY="AIzaXXXXXXXXXXXXXXXXXXXXXXXX"
# Basic cookie auth for server-side routes
NUXT_AUTH_USER="admin"
NUXT_AUTH_PASSWORD="secretMakeItVeryLongAndSecure"
DATABASE_URL="file:./sqlite/drizzle.db"
```

Security

* Behind a reverse proxy with HTTPS is recommended.
* Change the default auth values; use long, unique credentials.
* Don’t expose it publicly unless you’re comfortable with the simple cookie‑auth model.

https://preview.redd.it/lijvo354clqf1.png?width=2022&format=png&auto=webp&s=a298f392de4c2fd274451740ff9c8f60db790f0f



https://redd.it/1nn4s4g
@r_SelfHosted


r/SelfHosted

ThinkNote - Note Taking app with WebDAV sync (Windows/Android)

Note: I'll publish this here as I'm also a user of the selfhosted community and I think many people could be interested in an app that uses WebDAV sync.


Advice: the app is made 99% with AI. I'm not a developer, just a guy who wanted to make a note taking app for himself and now wants to share it with everyone.


Hi everyone!

For the past months I've been working on this "little" app, a fully featured note taking app with WebDAV sync and with both Windows and Android apps.


My main goal with this app is to be useful to me, I wanted a simple note taking app with some other small systems (Bookmark saver, tasks, calendar, diary, etc) and with one important thing: a native-looking android app.


No, I'm not a developer, the app is made with AI, but I wanted to share it with everyone because maybe SOMEONE is looking for something like this.



Main features:

- Fully local storage (SQLite3 database)
- WebDAV sync
- Full database export (I don't want to gatekeep YOUR notes, you can import notes into the app and then export them back to .md files and folders)
- Adaptive theme on Android and theme selector on Windows (Catppuccin theme + other palette selector)


I'm open to receive any feedback regarding the app, as well as bugs, suggestions, and help implementing new features or maybe cleaning the code or whatever.


The app will be always Open Source with MIT license :)


⭐ GitHub link: **https://github.com/MatiasDesuu/ThinkNote**

https://redd.it/1nn372w
@r_SelfHosted
