I want to implement 3-2-1 backups but I'm not sure on how to implement it
Hi everybody.
I'm looking to start backing up my devices with a 3-2-1 backup strategy. Right now my home server is the only one correctly backed up via Proxmox BS with a local backup and a remote one via S3 storage.
I want to start to backup my desktop PC and my laptops with the same 3-2-1 strategy but I'm unsure on how to implement it. I'd like to use a GUI application (not web UI) on my endpoints and I want to back them up locally in my network and remotely to an S3 bucket.
What I thought of doing is backing up my PCs using something like Deja Dup or Pika to a VM on my Proxmox server and then backup the backups to the S3 bucket using something like rclone or restic, but I'm not sure if a backup of a backup is good practice or what's the right tool for the job as I have the feeling that doing an incremental backup with deduplication of an incremental backup with deduplicaton calls for problems.
I tried making Pika work with rclone (as borgbackup supports it) to be able to use it for both local and remote backups, but had no success, I understand paying for a borg repository would probably make this easier but I'm already paying for the S3 storage and I don't want another subscription nor I want to stop using S3. What would you do with my resources?
EDIT:
I should add that I intend to only backup Linux machines, Windows is expendable.
https://redd.it/1pcokt1
@r_SelfHosted
Rethinking my services being publicly visible. What to do though about my RSS Reader?
Hey there. I don't run much myself, really only FreshRSS, Kavita/Calibre, a couple old websites for my family members, and Trilium-Next.
I've been seeing a lot of comments here lately that effectively say "nothing you host should be publicly visible; put everything behind a tunnel/Tailscale." And I could see retiring the websites for my family (they aren't really used) and doing that for every other service - I don't really need Calibre or Trilium-Next unless I'm at home. But FreshRSS is a different matter. I have that open at work all day and check stuff when I have downtime.
What do folks do for services that they use *all the time*. Just always have a Tailscale connection going? Or is there a better way to access it?
Or is it really not that bad to have a service publicly visible? I don't trust myself to securely lock down a server, which is why I'm thinking I need to pull it from being publicly visible. Thanks.
Edit/Update - I'll look into Cloudflare tunnels. I (maybe naively) though it was the same thing as a Tailscale connection I had to manually spin up every time, so I hadn't dug into them.
https://redd.it/1pcma6c
@r_SelfHosted
Does Oracle "always free" plan charge you automatically as the program requires more resources?
Basically title.
I'm trying to showcase a small web project (SAAS) on internet to get hired and I really don't have much money so I can't allow myself paying 120000€ because a recursive function decided to inflict generational debt to me.
https://redd.it/1pcjk1k
@r_SelfHosted
What do I do with this thing?
https://redd.it/1pc4x5z
@r_SelfHosted
A More Private Alternative to Cloudflare Proxy: True End-to-End TLS for Jellyfin & Self-Hosted Apps
Please correct me if my understanding at any stage is incorrect.
I’ve been learning how Cloudflare’s proxy (orange cloud) works and a friend mentioned that Cloudflare actually terminates TLS at their edge, so I looked into my setup a bit more. This makes sense but it means all traffic is completely unencrypted for cloudflare, any cookies or headers, passwords your users may be sending from client is plain text readable to cloudflare as the DNS proxy. After this it will be re-encrypted by cloudflare. This is fine but I feel that others may have been under the impression that TLS meant end to end encryption for them.
For my admin services I require mTLS and VPN, but for friends/family I still want something easy like HTTPS and passkeys.
I have been running an alternate solution for some time and would like to get thoughts and opinions on the following
Flow: DNS -\> VPS Public IP -\> Wireguard Tunnel 443 TLS passthrough -\> VM-B Caddy TLS Certs -\> VM-C Authentik -\> VM-D Jellyfin etc
# First I will outline my requirements:
Hidden public IP - Access via HTTPS externally (no vpn for client)
(Passkeys, HTTPs should be enough)
No port opening on Home router.
# The proposal to be audited:
(VPS-A) Trusted VPS:
Caddy L4 TLS Passthrough
Wireguard Tunnel to VM-B:443
(VM-B) Proxmox Alpine VM in Segregated VLAN:
Caddy TLS Termination
Reverse proxy to Authentik
(VM-C) Authentik:
Authorise and proxy to App (Jellyfin, Immich etc)
Flow: DNS -> VPS Public IP -> Wireguard Tunnel 443 TLS passthrough -> VM-B Caddy TLS Certs -> VM-C Authentik -> VM-D Jellyfin etc
# Pros:
Hidden public IP - Zero ports open on home router
Complete TLS end-to-end encryption (No man in the middle [orange cloud\])
Cloudflare can no longer inspect the traffic (passwords typed, cookies, headers passed)
I can now also use CGNAT network providers to expose services which was not possible before
I now have more granular control over caching images etc which Cloudflare was disallowing before for some reason... Even video stream chunks can be cached now that I am controlling the proxy.
# Cons I can see:
VPS must be trusted party
Losing a bit of selfhosted control due to VPS (must trust \*some** party but considering cloudflare is a US entity I am fine with outsourcing this to an offshore service like OrangeWebsite or Infomaniak).
What else would I be losing from moving away from CF proxy (orange cloud) on home lab services?
Do self hosting folks also use CF proxy and are fine with Cloudflare terminating TLS and thus being able to see all traffic unencrypted?
If there is enough interest in the comments I will be happy to do a detailed guide on how to get the VPS setup with custom xcaddy build for tls passthrough and I am writing generic ansible playbooks for both the L4 passthrough on the VPS and the TLS terminator caddy VM.
If I am missing something or could make this flow any more secure please comment.
https://redd.it/1pc06bf
@r_SelfHosted
Please help me understand reverse proxies and how it relates to security...
So if I understand correctly the purpose of a reverse proxy is to obfuscate your local network traffic while at the same time providing host names for services you wish to expose to the internet.
So lets say I set up a caddy server and open ports 80 and 443 on my router. If a bad actor hits my IP what will they see and what could they do?
As far as I know there have been no known public exploits of caddy. However the services behind the proxies must also be secure amd that is where I am having trouble understanding.
The simplest way I can ask this is: Can a bad actor probe caddy and find out what services it is hosting? Lets say I give all my services obscure names, would that make me almost un-hackable? Does the bad guy have to know the names of my services before trying to hack them?
https://redd.it/1pbv485
@r_SelfHosted
I left a Debian server open to the internet for months.
Hi, chief dumbass here,
I bought a new router a while ago and instead of forwarding a single port I opened an entire machine to the internet. I was hosting immich and then some web projects for testing. I had left the sever do its thing not paying attention for quite a while and then I was alerted to everything being open when I created a default user/pass/port postgres DB and saw my data instantly vanish.
I checked through my auth logs and could see many people/bots were trying to brute force their way into SSH but never succeeded because I had disabled password logins. Looked through my open connections nothing out of the ordinary, no crypto miners in top, nothing from rkhunter. Is there anything I should look for?
Should I wipe the machine completely?
https://redd.it/1pbtpvg
@r_SelfHosted
Jellyfin TV
https://github.com/DrewThomasson/JellyfinTV
https://redd.it/1pblaau
@r_SelfHosted
Ferron: A Fast and Memory Safe Web Server and Reverse Proxy
https://ferron.sh/
https://redd.it/1pbbren
@r_SelfHosted
Omnom: A self-hosted content preservation service
https://github.com/asciimoo/omnom
https://redd.it/1pbfje0
@r_SelfHosted
[Version Update] PruneMate Started as a Personal Fix… Now It supports Remote Docker Hosts and Tracks Everything
https://redd.it/1pb9sk9
@r_SelfHosted
Any tips on getting started with reverse proxies like caddy?
I spent years deploying different services using NAS-IP:port number. I’ve heard about reverse proxies for a while, and have been worried about taking the next step.
Is deploying caddy as simple as launching another docker container, editing all the other docker compose files, and … pointing my router at caddy?
https://redd.it/1pbae3h
@r_SelfHosted
that's ofc also because the applications themselves are much request heavier than what I used to host (only a static homesite that didn't get much traffic).
What surprised me was the lack of comprehensive guides for this. I'm still not sure if my stack is what you'd call "optimal", but at least it works for me and my users right now :)
https://redd.it/1pb819m
@r_SelfHosted
I made a simple GUI for Rclone because the command line is not for me (my family)
Hey everyone,
I wanted to share a small tool I've been working on. It's called RClone Backup Manager.
The "Why" I love rclone. It's powerful and reliable. But honestly, I got tired of remembering command flags, and I definitely couldn't ask my family to use a terminal to back up their photos. I just wanted a simple "set it and forget it" app that looks decent and sits in the system tray.
What is it? It's a simple desktop application (Windows and Linux) that wraps around rclone.
You pick a local folder.
You pick a remote path (like your Google Drive or OneDrive configured in rclone).
You hit "Auto-Run".
That's it. It backs up every 5 minutes in the background.
Why you might like it (The "Pros")
Visual: No terminal needed. You can see your backup progress bars.
Simple: It doesn't have a million checkboxes. Just "Source", "Destination", and "Go".
Tray Icon: It minimizes to the tray so it doesn't clutter your taskbar.
Peace of Mind: It runs quietly in the background.
Why you might NOT like it (The "Cons")
It's Basic: If you need complex filtering, bandwidth limiting schedules, or advanced rclone flags, this isn't for you. Stick to the CLI or more advanced tools.
Requires Rclone: You still need rclone installed and your remotes configured (run rclone config once). This is just a manager for running the copy jobs.
Transparency / Credits I'm not a professional developer. I built this with the heavy assistance of AI coding agents (specifically Antigravity and Claude). They helped me write the Python code, design the UI, and fix my messy git commits. So if the code looks a bit mixed, that's why! But we've tested it, and it works reliably for my needs. --- still in development, i.e., beta: just to know will people use it, non-power user
Link It's open source (Source Available). You can grab the latest release for Windows or Linux here: https://github.com/Nityam2007/rclone-backup-manager
>!Tech Stack for the curious: Python, Tkinter (ttkbootstrap for the theme), and Rclone for the heavy lifting.!<
Feedback is welcome, but please be gentle! I'm just trying to make backing up easier for the average person. If by means MOD or any person does think irrelevant, I am happy to remove the post
Thanks!
https://preview.redd.it/4rstvt38aj4g1.png?width=1055&format=png&auto=webp&s=6be4e09f4e107154ea7506ed7195d8741c4cd08e
https://preview.redd.it/7s5kwewcaj4g1.png?width=1055&format=png&auto=webp&s=d6f93c98330b3aca80182f3e3d3ad817cb2a0cdd
https://redd.it/1pb57rs
@r_SelfHosted
Project I built a Docker container that turns free ChatGPT/AIStudio/Claude web accounts into a REST API for local dev
Hey everyone,
I’ve been working on a project to solve a specific annoyance I had with my home lab setup. I wanted to integrate LLMs into my local dashboards and automation scripts, but I didn't want to keep paying per-token API fees just to ask simple questions or test out chains.
I built LLM Session API – it’s a self-hosted container that acts as a bridge between your code and the web interfaces of ChatGPT, Claude, and AIStudio.
How it works:
It spins up a headless browser (inside Docker) using your Google credentials for SSO.
It exposes a unified REST API (POST /generate) at localhost:8080.
You send a JSON request, it automates the browser interaction, scrapes the response, and sends it back.
The "Self-Hosted" Details:
Persistence: It mounts a volume to store browser cookies/sessions. This means it doesn't need to re-login every request (avoids triggering security checks).
Resource Usage: It manages a queue so it doesn't kill your RAM by opening 50 tabs at once.
Privacy: It runs on your network. No data is sent to a third-party proxy, just directly to the providers via the headless browser.
Why I made this: I’m using it to prototype agents without burning credits. Once the logic works, I can swap the endpoint URL to the official paid API if I need production stability.
Repo: https://github.com/STAR-173/LLMSession-Docker
Disclaimer: This obviously lives in a grey area regarding ToS since it automates the web interface. I recommend using it for dev/testing only, not for high-volume production apps.
Let me know if you run into any issues getting the Docker container to start—Xvfb can be tricky on some architectures!
https://redd.it/1pb0lwr
@r_SelfHosted
ReadMeABook - Audiobook Library Manager / Request Manager / Recommendations / Download Manager - Seeking Beta Testers
Hello!
[For Context - Here's the initial teaser post](https://www.reddit.com/r/selfhosted/comments/1ozy44n/readmeabook_self_hosted_allinone_audiobook/)
ReadMeABook is getting very close to being done with MVP and I am looking for a couple of savvy users who are using my same media stack to test things out, look for bugs, and provide overall user feedback.
**Specific requirements (based on MVP limitations):**
* Plex Audiobook Library
* Preferably Audnexus metadata management in plex
* English (other audible regions not supported currently)
* qBitTorrent as downloading backend (torrent only)
* Prowlarr indexer management
**Some key features added since the last post:**
* BookDate - AI Powered (Claude/OpenAI) book suggestions using your existing library and/or how you rated your library to drive compelling suggestions
* Managed user account support in plex
* Cleaned up UI all over the place
* Interactive search supported for unfound audiobooks
* Fully hand-held setup with interactive wizard
* Metadata tagging of audio files (to help plex match)
**Some things I know you guys want, but aren't here yet:**
* Audiobookshelf support
* Usenet support
* Non-audible results in search and recommended
* Non-english support
**[Here's a video sample of walking through the setup wizard](https://streamable.com/85lq9f)**
**[Here's a video of some general use, similar to the last post](https://streamable.com/f8311r)**
If you meet the above requirements and are interested in participating, comment below and let me know!
https://redd.it/1pcnqst
@r_SelfHosted
How do you manage your media center space when everyone stores their crap on it?
I have a problem. I run a media server for my family. They have the choice of using Plex, Emby, or Jellyfin. I'm trying to avoid simply buying my storage every time I run out of space, for a number of reasons. The issue I am facing is how to manage space. It's easy enough when it's just my data. There is stuff they request and could probably just delete afterwards. I know I could probably grant them permissions to delete things that they request, which would probably be a half-way solution. But someone might be watching a show that someone else requested so I don't want a situation where the requester deletes it before the other person that wants to watch it watches it. I don't know of any existing features the existing media players have that may help this this. Or maybe even another tool. Right now I've just resorted to manually pruning things and asking in a group text if anyone wants me to keep it. Any suggestions are appreciated.
https://redd.it/1pcn7ca
@r_SelfHosted
Email domain name advice?
I'm struggling to come up with a decent domain name for my email. I have a long ass Polish last name so it's hard to make one that's simple to say and spell out.
The best I came up with were:
- firstL.dev (L being the last name intial)
- firstdev.com
- firstML.com (M being the middle name initial).
I read .com emails are the most widely supoorted, and people tend to forget about other TLDs and send emails to .com by mistake. In your experience, is this true? Can you suggest other domain names?
https://redd.it/1pc6dep
@r_SelfHosted
Lookikg for Wiki-style dashboard
For a small business context, I’m looking for a self hosted app that is like a multi-user wiki but focused on quick edits with a single page. The use case would be a dashboard page with sections for different departments or business functions. Under each section there would be our or more “issues” or notes. The idea is to list major issues or reminders of critical activities broken down by department or business function.
We love and use Bookstack, but I think it’s too heavyweight for this use case. We are looking for something that has simple and effortless controls for adding, removing, or updating items in each section. It doesn’t need the full history logging and full formatting capabilities of Bookstack.
We also use UptimeKuma, but this is different because it’s the status of non-software / non-automated business functions. Think of one section being “Shipping / Receiving” and a status item being “🔴 No outgoing shipments - Out of packing tape”.
I’m open to ideas that are close to this even if it’s not right on the money.
Thanks Selfhosters!!
https://redd.it/1pc10qc
@r_SelfHosted
I built AuthKeySync, a safer alternative to "curl >> authorizedkeys" for my servers
Hi everyone,
I manage a fleet of servers in my homelab and work and got tired of manually updating SSH keys every time I rotated them on GitHub. I used to rely on simple bash scripts with curl to fetch keys, but I realized how risky that was. If GitHub went down or returned a 500 error, I could accidentally wipe my authorized\keys file and lock myself out
So I built AuthKeySync. It’s a small Go binary that fetches public keys from URLs (GitHub, GitLab, Private URLs etc.) and syncs them to your system.
The main difference from a script is safety:
It uses atomic file writes (temp file -> fsync -> rename) so the key file never gets corrupted.
It aborts the sync if the network request fails, keeping your old keys intact.
It creates automatic backups of your authorized\_keys before changing anything.
It can preserve your manually added local keys while syncing the remote ones.
It’s open source and im starting using it in production for my own setup. I’d love to hear what you think or if there are features you’d find useful for your labs.
Repo and docs here: https://github.com/eduardolat/authkeysync
Thanks!
Edit:
Just to clarify the technical distinction for anyone reading: ssh-keyscan retrieves Host Keys to populateknown_hosts (so the client verifies the server's identity). My tool retrieves User Public Keys to populate authorized_keys (so the server authorizes the user's access). They solve opposite sides of the SSH connection.
https://redd.it/1pbzkgq
@r_SelfHosted
Family diary/ calendar
Looking for something like a self hosted Facebook-ish thing. Somewhere where family members can post updates, share pictures, have a shared calendar for upcoming events etc. Does something like this exist?
https://redd.it/1pbr6bz
@r_SelfHosted
I built BetterShift: A modern, self-hostable shift management app (Next.js 16 + SQLite)
Hey everyone,
I wanted to share a project I've been working on called **BetterShift**.
I needed a better way to organize variable work schedules without relying on ad-riddled apps or complex enterprise software. I built this to be lightweight, easy to self-host, and user-friendly.
**What is it?** It's a web-based shift planner that lets you manage multiple calendars, create shift presets, and track your working hours.
**✨ Key Features:**
* **Docker Support:** Easy deployment with a provided `docker-compose.yml`.
* **Privacy Focused:** Optional password protection for calendars (SHA-256 hashed) and local SQLite database (easy to backup).
* **Fast Management:** Left-click to toggle shifts, right-click to add notes (e.g., "Leaving early").
* **Visuals:** Drag & drop presets, color coding, and statistics/insights for your work hours.
* **Real-time:** Syncs across tabs/devices using Server-Sent Events.
**🛠️ Tech Stack:**
* Next.js 16
* SQLite with Drizzle ORM
* Tailwind CSS 4 & shadcn
**🔗 Links:**
* **GitHub:**[https://github.com/pantelx/bettershift](https://github.com/pantelx/bettershift)
I’d love to hear your feedback or suggestions for features!
https://redd.it/1pbqgfr
@r_SelfHosted
[Python] I built an automated Abuse Reporter: Parse logs, identify owners via RDAP, and send XARF-compliant reports (plus Blocklist.de integration)
Hi everyone,
I was getting tired of the constant background noise. The servers I manage were getting hammered on every port and service imaginable—whether it was WordPress, SSH, SMTP, POP3, etc.
I already use scripts to fetch filter lists from blocklist.de to feed my local fail2ban blocklists/firewalls, but I wanted to do more than just block.
My philosophy: If "hackers" can automate their attacks, I can automate the response.
So, I built a Python script that automatically parses my server logs and sends out proper abuse reports to the network owners. It also reports the attacks back to the blocklist.de API to help the community.
If you are interested, feel free to use and modify the script. I’m happy to hear suggestions for improvements or feature requests here!
🛠️ What the script does
Log Parsing: It monitors various log files (Fail2Ban, Nginx, Apache, SSH, Postfix, etc.) using configurable Regex patterns.
Intelligent Lookup: It uses RDAP (via ipwhois) to find the correct abuse contact and the country of origin for the attacking IP.
XARF Support: It generates reports in the XARF format.
What is XARF? XARF (eXtended Abuse Reporting Format) is a standard designed to make abuse reporting machine-readable. Instead of just sending a plain text email that a human has to read, the script attaches a standardized JSON file. This allows ISPs and hosting providers to automate the processing of the report on their end, leading to faster mitigation.
Multi-Language Emails: Based on the IP's country code, the script automatically selects the appropriate language for the email body (e.g., German for DE/AT/CH IPs, Chinese for CN, with English as a fallback).
Blocklist.de Integration: It pushes the attack data to the blocklist.de API.
Spam Prevention: It caches reported IPs in a local SQLite database to ensure I don't spam abuse desks with duplicate reports for the same incident within a set timeframe.
⚙️ The Workflow
Init: Loads config and checks the database.
Parse: Scans logs for events within a lookback window (e.g., last 24h).
Filter: Checks against a whitelist (e.g., Cloudflare, own servers) and ensures a minimum event threshold is met.
Enrich: Queries RDAP for contact info and caches the result.
Report:
Generates the XARF JSON.
Compiles the email with the correct language template + Log evidence.
Sends via SMTP.
Reports to Blocklist.de.
📝 Configuration
Everything is controlled via a config.yaml. You can define your SMTP settings, log paths/regex, translations, and thresholds there.
This script works well for my setup, but there is always room for optimization. I invite everyone to take this code, adapt it to your needs, and—most importantly—share your improvements! Whether you create more efficient Regex patterns, add support for additional log files (like Traefik, Caddy, etc.), or refactor the code for better performance: please feel free to publish your extensions or forks here. Let's make life a bit harder for these bots together.
abuse_report.py
https://pastebin.com/8kMH3p4K
config.yaml
https://pastebin.com/TPg8s0LA
(at the moment set to private bc pastebin smart filter detected offensive content.. I have sent a request to fix this)
(This post was translated and structured with the help of AI.)
https://redd.it/1pbijys
@r_SelfHosted
LubeLogger, Vehicle Maintenance and Fuel Mileage Tracker, slips into December with some banging new features
Good day, been a hot minute since I posted on this sub, we've been working on some shiny new features for LubeLogger which we think our userbase would really benefit from.
## Inspections
First up, Inspections. This is pretty much a custom forms feature for your vehicle. You can create re-usable inspection forms for pretty much every aspect of your vehicle and create action items for failed inspections.
Documentation
Youtube Walkthrough
## Household
One of the most requested features for LubeLogger is the ability to allow users to inherit vehicles in a garage and also to limit what actions they can perform for the vehicles. With the new Household feature, you no longer have to manually add a user to each vehicle and instead you can add them to your household once and they will automatically have access to all the vehicles in your garage. Household members can be assigned Viewer, Editor, or Manager roles.
Viewer has read-only permissions, Editor can Add and Edit records, and Manager can Add, Edit, and Delete records.
Documentation
## AI
It's a controversial topic, we're well aware of that, which is why instead of adding AI directly into LubeLogger and asking for an API key, we have decided to create a MCP server for LubeLogger that you have to spin up separately and this will serve as a bridge between any AI Agents capable of tool-calling and LubeLogger.
This integration allows you to add fuel records from receipts, odometer record from a picture of your dashboard, and even service/repair/upgrade records from invoices. Note that this MCP server is still in an experimental stage and is not considered stable whatsoever.
Youtube Walkthrough
GitHub Repository
## Ending Notes
We know these changes might not seem huge compared to other projects, but we sincerely do believe that these are some key features that will reduce friction when it comes to user experience.
Anyways, if you've never heard of LubeLogger and you're looking to start logging lube, here's our details:
GitHub
Website
https://redd.it/1pbhuyj
@r_SelfHosted
We built a 1 and 3B local Git agents that turns plain English into correct git commands. They matche GPT-OSS 120B accuracy (gitara)
https://redd.it/1pbeijk
@r_SelfHosted
I built an open-source CRM that you can self-host - Relaticle
Hey r/selfhosted!
I've been working on Relaticle, a modern open-source CRM built with Laravel and Filament. After years of using various SaaS CRMs and being frustrated with data ownership concerns and subscription costs, I decided to build something that can be fully self-hosted.
# Why I built this
Complete data ownership - your customer data stays on your servers
No per-seat pricing or usage limits
Full customization through custom fields
Modern tech stack that's easy to maintain
# Tech Stack
Backend: Laravel 12, PHP 8.4
Frontend: Livewire 3, Alpine.js, TailwindCSS
Admin Panel: Filament 4
Database: PostgreSQL (recommended) or MySQL
Search: Meilisearch (optional)
Queue: Redis + Laravel Horizon
# Features
Company & Contact management with relationship linking
Sales pipeline with custom stages
Task management with assignments and notifications
Notes system linked to any entity
AI-powered record summaries
Custom fields - add any field type to any entity
Multi-workspace support for teams
CSV import/export for data portability
Role-based permissions
# Deployment
Works great with:
Docker / Docker Compose
Laravel Forge / Ploi
Any VPS with PHP 8.4+
Coolify, CapRover, or similar PaaS
# Links
GitHub: https://github.com/relaticle/relaticle
Demo: [https://app.relaticle.com](https://app.relaticle.com)
Docs: https://relaticle.test/documentation
Would love to hear your feedback! What features would you want to see in a self-hosted CRM?
https://redd.it/1pbbg0j
@r_SelfHosted
Backup particular folder on Android
Hello. I recently setup my homelab and wanted suggestions for a particular kind of service.
I use an Android. There's this particular folder on my device which holds backups for certain apps. I want that folder to be periodically backed up to the homelab.
Any services you'd recommend to accomplish this? Thanks
https://redd.it/1pb8gou
@r_SelfHosted
Took my self-hosted homelab public: Cloudflare Tunnels + Traefik + SSO journey
So I've been running variations of my own stack for a long time, but have always avoided the great and terrible public Internet. This has meant local network only, Wireguard, getting frustrated with telling people how to Wireguard and switching to Tailscale so people can just "install app and connect" and so forth. My current setup is a home server (some old piece of office computing with a server motherboard I picked for cheap used) fitted with a 2TB SSD with Proxmox, where I host most of my services like a true pagan in a single VM via a single file of docker compose spaghetti just allocating 90% of the disk for the single VM.
This weekend, after yet another manual configuration session of doom with Nginx proxy manager, Pi-hole local DNS and Tailscale, I figured I'm tired of the GUI. Everything else in my stack is infrastructure as code (IAC), so why not the rest of it too. I'm also tired of logging into every service one by one, so just knock SSO at the same time, because why not (spoilers: it was not simple, should have guessed).
What resulted was half of my weekend spent configuring, tinkering, hitting my LLM usage maxes and a lot of RTFM moments, but in the end I can now happily report that the whole stack is now accessible from internet and behind some sweet, sweet SSO.
After a few tests I ended up going with Cloudflare (DNS + Tunnels) + Traefik + Authelia. I split my services into two groups: User facing software I want to be accessible from Internet directly and admin stuff only via Authelia. I figured because Jellyfin+Jellyseer work so nicely together, my users already have and know their credentials there and nobody except me really requires the SSO stuff for the underlying stack, I'll just keep those using their own auth and move myself alone to the SSO (and just use my own Jellyfin account like my users).
In the end the result was:
Internet
|
Cloudflare DNS + Tunnel
|
/\
Authelia Media (Jellyfin, Jellyseer, Wizarr)
|
|
Admin (Dashy, Glances, arrs)
This way my users get invite via Wizarr explaining everything (+ I get easy visibility and user management) and can connect to the Jellyfin / Jellyseer with just my domain, no tricks required. Users use the basic Jellyfin account and auth for both Jellyfin and Jellyseer.
Authelia sits in front of all the admin stuff, making it easy for me to just handle the login there. For now I'm the only admin, so I figured to just use a local user in Authelia to login.
Surprising amount of time was spent on:
Figuring out to make Cloudflare tunnel HTTP and use traefik for HTTPS/SSL termination
Traefik-Authelia and required middleware
Making sure Cloudflare tunnel is not using caching for the Jellyfin. My understanding is that this is enough for the ToS, but would appreciate if anyone knows definitively.
Anyways I wish I kept a better install journal, as there was a bazillion things I fixed on the way here, as the stack had been running for a while without intervention. I also set up UptimeRobot with integration to my Discord to ping me in case the media services aren't working.
Only thing left unsatisfactory in the stack was the Cloudflared docker container setup:
The Cloudflare panel GUI was even worse than nginx proxy manager, but fortunately they have API-access. Unfortunately I didn't get the Cloudflared docker container to be able to create the required tunnels itself and had to resort to a bash script that does it via the API. It works, but it's still half manual as it doesn't handle migrations and deletes, only does updates and requires update in the script in case my paths change. That's hopefully rare enough that it doesn't matter too much.
I think I spent over 8 hours on this during the weekend (other obligations, so in hour-two increments) and overall happy. Huge increase in requests, bots and crawling, my domain used to get 100 hits a month and now it's thousands per day, but
I just counted: 68 different credentials across my homelab. Send help.
Did a quick audit tonight:
23 Docker containers with their own admin users 18 services still using static API keys 27 human logins (me + family) That’s sixty-eight ways this can break at 3 a.m.
Just migrated everything I could to workload identities + JIT certs + single OIDC provider for humans. Cut the list down to literally one master password + certs that expire before I wake up.
If you’ve ever cried while resetting a forgotten Paperless-ngx password at 2 a.m., you’ll get it. What’s your actual credential count right now? Be honest.
https://redd.it/1pb5n0r
@r_SelfHosted
Built eziwiki - Turn Markdown into beautiful documentation sites
https://redd.it/1paz6y5
@r_SelfHosted
