dumpsterr - Safely empty Plex trash (For NFS / SMB users)
https://github.com/chase-roohms/dumpsterr
https://redd.it/1q8eof9
@r_SelfHosted
Homebox Companion v2.2.0 released! New AI Chat feature lets you manage inventory with natural language
https://redd.it/1q8aibj
@r_SelfHosted
Glance dashboard widget
https://redd.it/1q868nw
@r_SelfHosted
Unhappy with HomeLab configuration - Reworking Setup
https://redd.it/1q84byw
@r_SelfHosted
An actually good WYSIWYG markdown notepad?
Does anyone know of a good, combined WYSIWYG / raw Markdown, mobile friendly (app preferred), browser accessible, no database (or uses sqlite), preferably single-binary note-taking application with support for multiple users (or at least has local authentication)? Ideally it should also support syntax highlighting in all the languages GitHub supports in GFM.
I've tried:
- Joplin
WYSIWYG is fairly buggy, especially on mobile. No browser support, syntax highlighting.
- Memos
I still use it for just memos now, but it's really not designed to be a notepad. No WYSIWYG, syntax highlighting.
- code-server
Complicated, poor mobile experience, no Markdown preview or WYSIWYG (obviously).
- Hedgedoc
Can't remember, but pretty sure it didn't work on mobile well. No WYSIWYG.
- Trilium
No multi-user support, can't create code documents on mobile (mobile editing was pretty bad as well).
- AFFiNE
Awful editor with basically no mobile support. Self-hosting is an after-thought for the maintainers. Too much AI.
- Cryptpad (what I'm currently using)
Not a notepad. More like Google's suite of web applications. No WYSIWYG, and limited mobile support. It works great for everything else though.
I'll note that I'd prefer notes to be able to be organised well, like with Trilium's hierarchical folder structure.
https://redd.it/1q82iqb
@r_SelfHosted
I built a tool to convert Dolby Vision Profile 7 to 8.1 - Prevents HDR fallback and increases compatibility with common streaming devices [Docker, Web Terminal, CLI]
https://redd.it/1q7kurd
@r_SelfHosted
LLM-Shield: Self-hosted privacy proxy for cloud LLMs
https://redd.it/1q7eoer
@r_SelfHosted
It’s not perfect, but it’s mine!
https://redd.it/1q7i097
@r_SelfHosted
2026 is the year of self-hosting
https://fulghum.io/self-hosting
https://redd.it/1q4sxqh
@r_SelfHosted
I built a dashboard that tracks when my ISP is probably messing with me (for my own sanity)
https://redd.it/1q4lj92
@r_SelfHosted
Thoughts on using Oracle Cloud Free Tier as a “pass-through” VPS?
I live in a dorm / rented place where I don’t control the main Wi-Fi, so no port forwarding. I use my own router to give my home server a static local IP and better local performance (streaming + file transfers).
For global access, I currently use Cloudflare Tunnel with a domain, but traffic limits are a downside. Tailscale isn’t ideal for me either since it requires VPN clients and manual on/off.
I’m considering renting a small VPS just as a relay (VPN / reverse proxy) to expose my server via a domain. I don’t need compute or storage on the VPS, mostly bandwidth.
What do you think about using Oracle Cloud Free Tier for this purpose? Any gotchas if it’s only used as a pass-through node?
https://redd.it/1q4cm1a
@r_SelfHosted
Update your RustFS immediately - Hardcoded token with privileged access (CVE-2025-68926)
RustFS has been mentioned quite a lot in this subreddit and it appears to be a promising replacement for MinIO.
In case you are already using RustFS, you should immediately update to version Alpha.78 as it contains a fix for this CVE https://github.com/rustfs/rustfs/security/advisories/GHSA-h956-rh7x-ppgj / https://nvd.nist.gov/vuln/detail/CVE-2025-68926
>Any attacker with network access to the gRPC port can authenticate using this publicly known token and execute privileged operations including data destruction, policy manipulation, and cluster configuration changes.
There is a hardcoded token string rustfs rpc in the code prior to Alpha.78 that can be used to bypass the authentication mechanism for gRPC calls. And this token allows access to all 50+ grpc methods, including all administrative methods such as deleting buckets, deleting users, reading/writing/deleting objects, etc.
The bad news is that, per my understanding, the gRPC port is always open as it is exposed as part of the "HTTP + gRPC hybrid service" of RustFS. So in case your have a port open for HTTP traffic, which would be the standard to use for S3 clients, you also have the gRPC "port" opened automatically.
On top of that, it looks like the CVE description might be wrong and this vulnerability is indeed already present in Alpha.13 (of Jul 10, 2025) and not only since Alpha.77 which means that a lot of RustFS deployments in the wild are vulnerable to this.
https://redd.it/1q432iz
@r_SelfHosted
My lazy Docker setup: Using Traefik and Wildcard DNS for painless self hosting with TLS
I know most of you already have a pretty good setup. This is for those who have a janky docker setup (like myself in the beginning)
Context
I initially used to run kubernetes in my homelab, but then I decided to switch to using just docker (my reasons in that linked post). At first I was using Nginx Proxy Manager (it is great, but I found myself annoyed at a lot of clicking) and I had docker services running on multiple different servers. It was really annoying to setup a new service.
I also had to make sure that there are no port conflicts between docker containers.
So I decided to scrap the whole thing and start over with one goal in mind -- Simplicity
My needs
1. Not having to worry about port conflicts
2. Easy to add new service
3. Easy TLS
My simple setup that works well for me
1. I use a single VM (in Proxmox) to run most of my services (I have dedicated instances for things like Plex, but they almost never need any changes).
1. Each service's docker compose file lives in its own directory
2. I use a wildcard DNS to point *.home.mydomain.tld to point to the docker VM internal IP
1. Even though I have a private DNS setup using unbound, I did not bother to use that, I just pointed the DNS record in my DNS provider (Cloudflare) to keep things simple
3. Use Traefik as the reverse proxy for all the services in this docker VM
1. Traefik has the capabilities to auto detect docker containers, ports, retrieve TLS certificates using lets encrypt etc
4. Create an internal docker network so that traefik which runs on a separate docker compose stack can reach out to each of the docker containers
Selfhosting a new service
It makes it so easy to add a new service. This actually prompted me to try a lot of random services just because how easy it is
1. Download the docker compose for the new service into a directory in my docker VM
2. Remove the exposed port config, add traefik labels (some identifiers, domains etc). For example, if I want to start kavita (awesome reader btw), I will add kavita.home.domain.tld
Example:
labels:
traefik.enable: true
traefik.http.routers.kavita.rule: Host(kavita.home.domain.tld)
traefik.http.routers.kavita.entrypoints: websecure
traefik.http.routers.kavita.tls.certresolver: myresolver
And finally do docker compose up -d
And that is all!! Wait 20 seconds and I can access my new service in the browser from the domain kavita.home.domain.tld with SSL/TLS
So, since my copy-paste game is so strong, it is so easy to add a new service and be ready in under a minute
I wrote a guide explaining how to do this from scratch with full traefik configs : https://blog.esc.sh/traefik-docker/
I hope you find it useful.
https://redd.it/1q3wxer
@r_SelfHosted
Roast my infrastructure: Free 100MB SFTP hosting. Jailed environment. Try to break it
Hi everyone!
I’ve spent the last week fighting with file permissions, man pages, and systemd to build a hosting provider completely from scratch. No Docker, no CPanel, no pre-made scripts.
I wanted to understand the architecture of a system, not just use tools.
It’s running on a VPS. The backend is a custom PHP script that drops job files into a protected queue, watched by a Bash daemon I wrote that provisions users, sets quotas, and jails them in real-time.
I need traffic to verify the logic. Here is the deal:
The Offer: 100MB of storage.
The Tech: Pure SFTP access. No databases. PHP is activated :)
Your URL: `rats.systems/<your-username>`
The Cost: $0.
To create an account you only need to input your desired username. Use only lowcase characters and numbers. Your credentials will be shown to you. Keep them somewhere safe since the 'lost my password' feature will be available the next version.
The Warning (Read this): This is a Beta environment. Do not upload your Bitcoin keys or family photos. I reserve the right to wipe the disks or rm -rf the user partition if the daemon goes rogue or if I need to re-architect the filesystem. Consider your data ephemeral.
The Mission: I want to see if the system holds up under load. If you can break out of your home directory or crash the daemon, you win (and please DM me how you did it).
Claim your space here: https://rats.systems/add-user.php
I’ll be watching journalctl -f and auth.log all night. Let’s see if it survives.
Cheers.
https://redd.it/1q3y3xt
@r_SelfHosted
integrate with the interface, with tags treated as just a particular case of metadata. We also wanted to make sure we could swap out the base plugin implementation for others metadata engine that are more enterprisey like SEDA, METS, PREMIS, Dublin Core, MODS, EAD, MIX, MARCXML, or Adobe Metadata.
- Workflow and automation (screenshot)
- MCP (screenshot): So you can ask ChatGPT to grab your start page and, if you give it write access, let it run the update directly.
- Virtual filesystem (screenshot): Handy to make your multiple storages appear as one.
- SFTP gateways (screenshot): To your users it's an SFTP server, but underneath it can be IPFS, NFS, SMB, the virtual filesystem or any other supported storage ...
- Antivirus
- Quota
- Versioning
- Public sites: Turning files into a static website is awesome. Enable the plugin, create a shared link, and you're online too!
- Transfer monitoring (screenshot)
- Authorization middleware (screenshot): There were already several ways to add authorization layers. This is just another option.
- Captcha
- GeoBlock and IP restriction
- More Authentication middleware: In other words, you can now authenticate using your existing SQL DB via either your existing users table, wordpress, supabase, etc.... use deep URLs from a QRCode or your app redirecting with a JWT token carrying the RBAC information, or via headers injected by a proxy you control, ....
We have gone through an endless list of bug fixes, UX improvements, vendor specific fixes, documentation rewrite, creation of guides, and improvements over existing features. You know, it's all those little things that add up, like better file selection, image zooming, things work fine with cloudflare tunnels, .... With the work done this year, Filestash is better than ever, and I hope more self hosted projects would adopt its ability to create extensions, which is becoming more and more like WordPress, but made mostly with Go, C, and ES6.
# Road To Sustainability
Being sustainable as an open source project is tough. The approach we took was to offer bespoke development alongside enterprise licensing and support for companies. This year alone, we onboarded several large customers, including the European Commission, JP Morgan, and cloud providers such as Infomaniak and KingHost. Filestash is now a core component of an archiving solution handling 15 PB of data at Monash University, and we are about to deploy it as a white labeled product at LVMH.
As of today, we are about 50 percent of the way toward the original sustainability goal, which was to match my previous salary building far less interesting software for companies that were not exactly giving much back to the world, and even less to self hosters. I made a pledge about a year ago that if Filestash ever reaches that point, everything that is currently part of the enterprise release will be fully open sourced.
In the meantime, if you are a self-hoster using Filestash for non business use cases, feel free to reach out and I will send you a free copy. Some people were not happy about this approach last time, but the reality is simple: if I cannot focus on this full time, Filestash will never get better than Dropbox, and that would mean I failed the mission.
# Next Year
The primary objective for next year is to reach v1.0 🎉
https://redd.it/1q3suu8
@r_SelfHosted
Privacy-first Spreadsheets: No backend, no tracking, and optional password protection
https://redd.it/1q88oo4
@r_SelfHosted
Looking for a Selfhosted Variant of devdocs.io
Hello I'm searching for a selfhostable variant of devdocs.io
Do you know something like that?
https://redd.it/1q89h57
@r_SelfHosted
If you use Caddy with a DNS challenge and a wildcard certificate... you should know the config now can be much much cleaner.
The new directive has been out for over a year, but only recently I noticed.
[The old way](https://pastebin.com/jYJVadYP)
The new way with the use of auto_https prefer_wildcard
The old way made me stay away from the wildcard cert as it made the config look ugly and complicated and more fragile. The new way allows config to stay clean, with just global directive added and an empty definition of a wildcard block.
And with wildcard one can finally stop announcing to the world all the subdomains they have in use.
https://redd.it/1q84hts
@r_SelfHosted
Weird question, have you ever paid someone or gotten a friend with this specific skill set to try to "hack" your server to test the security?
Something I was considering doing since the server is on my home network where I have other important computers or am I overthink the fuck out of it?
https://redd.it/1q7tjao
@r_SelfHosted
Anyone using MediaManager over the arr apps?
Server went down a bit and decided to use the opportunity to revamp my setup. I download a lot of foreign shows (kdramas, anime, etc) so good subtitle handling is key. I also use a seedbox so it should be able to handle that situation gracefully.
I saw [this recent thread](https://www.reddit.com/r/selfhosted/comments/1os6866/current_best_practices_for_arr_stack/) but it felt a bit inconclusive and I ran across /u/cookiedude25 's app MediaManager which seems to be trying to address a lot of the issues I have seen.
Seems like there are two routes to go:
[MediaManager](https://github.com/maxdorninger/MediaManager) | Arr stack
---|---
Mediamanager | sonarr - shows
| radarr - movies
| profilarr - optimized download profiles
| prowlarr - index managing
| ~~huntarr - episode gap filling~~
| bazarr - subtitle handling
| byparr - cloudflare resolver
So can people who have run both or are a bit obsessed with optimized setups and thus constantly evaluating chime in?
https://redd.it/1q7jbx1
@r_SelfHosted
Bose Opening its Older Units
Bose is making the steps to open up the software of its older speakers instead of bricking them
https://www.theverge.com/news/858501/bose-soundtouch-smart-speakers-open-source
https://redd.it/1q7uxi9
@r_SelfHosted
What selfhosted service/s did you recently remove?
Beginning of the year I removed:
* **Speedtest tracker** - Looking for another similar service with more feature
* **Your Spotify** - breaking change from Spotify API
* **Owntracks** - Looking alternative
What did you recently remove and why?
https://redd.it/1q7vgbv
@r_SelfHosted
[Giveaway] Holiday Season Giveaway from Omada Networks — Show Off Your Self-Hosted Network to Win Omada Multi-Gig Switches, Wi-Fi 7 Access Points & more!
https://redd.it/1ox9mm4
@r_SelfHosted
OVHCloud gave me a blacklisted IP and told me it’s my problem!
I signed up for their service and chose a ‘Full Year Commitment’ after hearing about them. To my despair, this was my worst decision. Although I had opted for their cheapest service, as soon as I tried connecting to something as basic as GITHUB, I got to know that I cannot do it cz I’ve been assigned a blacklisted IP. I develop for open source and cannot afford really expensive servers for all my use cases. This server was supposed to be for a cloud reverse proxy into my homelab!
On opening the incident # CS14530016 support told me to run a bunch of unneeded commands (wasting a day or two) only to later confirm that indeed my IP was blacklisted.
Upon requesting them to well.. rotate it as any sane person would do, I got responded with the following response:
We regret to inform you that we cannot change the primary IP address of the server, since the primary IP is under blacklist we cannot change or replace it. If you want a different IP you will need to purchase a new server however we cannot guarantee a clean IP as our IPv4's are recycled as there is currently a shortage of IPv4's, all IPv4's are recycled from most service providers therefore there are times certain IP(s) would be placed in a block-list. We are unable to de-list IP(s) if they are in a block-list we do not support and IP(s) are unable to be replaced especially if it's the main IP of the server.
Thank you for your understanding.
Like really? Apart from their atrocious UI, is this somehow become an expected practice and / or outcome? I understand that their servers are cheap and clearly would’ve attracted abusers in the past but why am I, a paying customer penalised for it? Curious to know what you guys think on if expecting a clean IP is now a luxury which warrants additional premium?
Looking for guidance from the community on their experience over this scenario and other alternatives.
Thanks a lot.
EDIT: This server is blacklisted under UCEPROTECTL3.
It’s a brand new server bought two weeks ago. Since then I’ve been in letter exchange with support. GitHub is only one such affected host.
EDIT2: Some of you have suggested that being on the blacklist may not be the cause for my issues. Doing a traceroute although shows that the requests stop ‘hopping’ or ‘routing’ any further post reaching a Microsoft owned IP. curl resolves the IP but timeout and fails to perform the TLS Handshake. Also, it is possible that their support is delusional because what they said was the following:
I can see that your server IP {redacted} is blacklisted under UCEPROTECTL3 which is likely causing the issue. As OVH does not manage UCEPROTECT we will unfortunately not be able to delist the IP immediately and also we don't have the ETA.
And after verifying that indeed my IP is blacklisted therein, I just assumed that that’s the cause. Could there be something else cooking? Even Cloudflare doesn’t work. And, it’s not a general issue with HTTPS.
—
curl -v https://1.1.1.1
* Trying 1.1.1.1:443...
* connect to 1.1.1.1 port 443 from {redacted} port 35724 failed: Connection timed out
* Failed to connect to 1.1.1.1 port 443 after 135972 ms: Could not connect to server
* closing connection #0
curl: (28) Failed to connect to 1.1.1.1 port 443 after 135972 ms: Could not connect to server
Please note that a curl to Google on 443 works just fine and I’m able to receive the HTML payload back just fine.
https://redd.it/1q4jked
@r_SelfHosted
What KVM are you using?
https://redd.it/1q4hh3f
@r_SelfHosted
Replacing “smart TV” software with something I actually control
Not a guide, not a recommendation. Just sharing what I tried.
I had an old x86 box lying around, so I wiped it, installed a minimal Linux setup, and ran Android on top of it mostly out of curiosity. The goal wasn’t performance or benchmarks I just wanted something predictable.
What surprised me is how much of the “smart TV experience” problems are software, not hardware.
Boot is fast. UI doesn’t stutter over time. No ads. No accounts. No background junk fighting the remote. It turns on and does what it’s supposed to do.
Before anyone says it: yes, ARM boxes are cheaper and more power efficient. Yes, DRM is still a limitation. Yes, this isn’t something I’d recommend to non-technical users.
But separating the panel from the software changed how I look at TVs. Once the “smart” part stops being tied to vendor firmware, the screen itself suddenly feels like it could last a lot longer.
Curious if others here have gone the same route x86, ARM, custom Android, Kodi-only setups, whatever or if you’ve just accepted smart TVs as disposable appliances.
https://redd.it/1q3xopx
@r_SelfHosted
Should I go OIDC only for my Application?
Hello selfhosters,
I am developing an Application and for my Backend/API I am considering going OIDC only.
Would you selfhost an Application where you need to setup and OIDC IdP (like Authentik or Keycloak) to get it running?
Would you try it if there is an install script that sets up and pre-configured Keycloak and the App for you using docker and docker compose?
OIDC is great and IdP already have all the features everyone wants (optional registrations, reset flows, 2FA, PassKey support etc.).
I would like to focus on features instead of user and session stuff and I really doubt that I can make it as safe as Keycloak even if I follow all industry standards.
https://redd.it/1q42i0u
@r_SelfHosted
Finally centralized my self-hosted stack with Homarr (DS220+)
https://redd.it/1q3z2hp
@r_SelfHosted
Looking to replace spotify
Hi guys, I am currently planning to replace spotify. I know it‘s hard but I believe it‘s possible.
I believe I have Read about a an Open Source project that can find your Desired Media on different Platforms and Stream them directly in one App.
What I want:
\- Podcast Streaming (can be done through podimo or similar)
\- music of all Kinds
\- playlists
\- sleep Timer
Maybe someone can be of help :)
Thanks
https://redd.it/1q3ufxt
@r_SelfHosted
Filestash - 2025 Recap 🎊
Github
Website
Hello everyone, Mickael from Filestash here.
As 2025 came to an end, I wanted to leave my den to share a recap for what happened this year.
For those not familiar with the project, I started Filestash in 2017 with the mission of building a better Dropbox, out of frustration with the state of "Dropbox alternatives". Most of them were, and still are, building their own silos, bundling storage, sync tools, and UI into a single, tightly coupled package that works in isolation. That lack of interoperability felt very wrong, given the amount of existing cloud storage software and sync tools already available at the time.
This is even more true today with the emergence of technologies like IPFS, as well as more specialized solutions for archival and long term cold storage. Filestash rejects the existing agreed-upon model and lets you pick and choose the parts you want. We acknowledge that the ecosystem always had, and always will have, better tools for storage and sync and we believe there exist a better way by integrating with them and build around a file management platform that works just as well for self hosters at home with a couple of disks as it does at petabyte scale with thousands of concurrent users.
# Major Milestone
This year we finally completed the frontend rewrite, moving away from the old React codebase to a future proof vanilla JS frontend. The new frontend is significantly faster, lighter (at around 130 KB of compressed javascript), uses much less RAM, and can load folders with millions of files without ever breaking a sweat.
More importantly, this rewrite unlocked an entirely new plugin system where plugins are simple zip files dropped into Filestash's plugins folder without recompilation, which lets you:
1. Add support for apps: Want to add a viewer for a particular file type? You can either build your own or drop one of our zip based plugins into the plugins folder. Filestash can now handle formats like PSD, Sketch, CDR, PostScript, DNG, TIFF, Latex, midi, parquet, sqlite, swf and about a hundred more. The full list is available here. Most of those run C code that was compiled to wasm to run from the browser
2. Support themes: We have shipped themes that replicate the look and feel of Dropbox, Google Drive, OneDrive, Github and a few more (docs). The idea, however, is not just to use ours, but to make it easy for you to create your own
3. Customise anything in the frontend (and soon in the backend too using wasm): The secret sauce of this new plugin system is the ability to ship diff based patches that are dynamically applied by the server to frontend assets at runtime. This allows you to change almost any aspect of the UI without rebuilding anything.
# Features
There have been quite literally hundreds of changes. The most visible side of the iceberg:
- Standalone binary: One binary, zero dependencies (outside the glib of course). I lost a few hairs getting it to work with our super fast thumbnailing plugin made of carefully crafted C code that is 10x faster than ImageMagick and makes pre generating thumbnails unnecessary but we got it done!
- Metadata and tag support (screenshot): This was delayed for quite a long time because I had high expectations for how it should
