How do I get started in self hosting?
I'm curious about how to get started in self hosting. I have computer experience, being an Android Developer, but I hardly have experience in Linux and backend/networking work.
I've been wanting to start up a Plex/Jellyfin server for a while, and I have an old system sitting around with a Ryzen 1700 and a graphics card in there as well that's been begging for attention, and maybe I can throw a Minecraft server on there as well. Since I travel a bunch, it would also be nice to be able to access my media when I'm traveling, or to let my parents or friends access some shows if they so desire!
What I'm worried about is exposing my network to the internet basically. I used to run a Minecraft server with port forwarding and such on a personal computer but now I'm realizing that that's probably a bit unsafe lol.
Basically, are there any guides that I can look at, or any of your own experiences that could potentially help me or anyone who's interested?
Take all the money that you'd spend on streaming services for the next 3 years then go buy all the hard drives you can for that amount. Pirate prolifically.
For some reason still keep all the streaming subscriptions too.
Port forwarding can be done safely, but it's a bit difficult. Run a reverse proxy to minimize your attack surface. Run in a DMZ. Patch your shit regularly. Key auth only for as much as you can.
That one hit way too close to home, it definitely got a chuckle out of me.
Why do we sail the high seas and yet still keep the bloody services we were sure we were going to disconnect from?
So that I can tell my wife that my prolific piracy is ok because I'm still paying into the system so it doesn't matter if she thinks it's wrong, I'm ethically ok on this one and we can stop talking about it now.
Or so I think... I've certainly never been in that situation...
"Because I don't want to have to find something new online and then wait for it to download, I want it to just be there."
- my dear wife
I run a homelab with a half rack and a lot of R710s (proxmox).
I only have 1 open port and nothing in the DMZ. My router is pfSense running in a VM on proxmox and the open port is OpenVPN.
Whatever I want to access, whether it's the IP cams, homeassistant, Plex, sonarr/radarr whatever I just VPN in first, then access the LAN by hostname or IP directly.
So basically my recommendation is: do not port forward, do not DMZ. For video game consoles, use a NAT alias and sticky port to gain "NAT type 2" or equivalent; for the rest, use a VPN. That's it.
Better than port forwarding/dmz is if you can go 100% VPN - if you need to use your services, VPN back in to your own network then do so. Reduces your attack surface to a single highly scrutinized application. It's not universal - you may want to provide services for less tech savvy family members, for example - but is far safer if it fits in your use case.
I've found this method easier for less tech-savvy family members. If they want to access anything at home all they do is open a WireGuard app and slide the button to 'On'.
If I can ask a sub question: What is the anatomy of a homeserver?
What's in between? Are you just running each service "bare" on top of your OS? Or are they running in a container, or VM, or [insert other technology for process isolation], etc...? If there are multiple answers, what's the recommended approach?
No one answer here. Probably most commonly people run docker containers with dockerd managing them and some kind of keepalive policy configured. It's a decent mixture of convenience and isolation, though more in a practical than a security sense (e.g. you won't get dependency hell), as docker infamously runs as root.
Nothing wrong with running things on "bare metal", with systemd or another init manager to get things running, especially if it mainly does one thing.
On the more extreme end you can run a hypervisor with each application in its own VM, although the resource costs will be much higher.
Nothing in particular is better or worse than the other, different needs for different problem sets.
I'm a bare-metal guy. I've run all the *arrs, Jellyfin, nzbhydra, sabnzbd, etc., all on Debian and Arch/Manjaro without issue.
My main PC runs all of the services, the storage is on a NAS. Nginx handles the reverse proxy. I even run NextCloud on the same rig.
I'm not a fan of Docker and I won't do the overhead of many VMs. There's just simply no need. If I hose the system with an update, that's the big gotcha: it's harder to roll back from, whereas with a container you can simply nuke it and make it again. However, if you know what you're doing with a package manager and you have snapshotting/backups in place, bare metal will always be that teeny weeny bit faster. Plus, I like all my configs in /etc.
Curious, what are the key downsides to docker for you? I'm a more recent convert, and definitely not an IT professional, but I think it's been an overall time saver for me. Moving all my services to a new host by copying a single yaml file was pretty close to magic compared to previous home server upgrades I've done.
I'm definitely trading ease of use for some overhead, especially on the storage front, but it seems worth it to me unless I'm missing something.
That's not really different to me copying in a config file from /etc, no?
I get some services need a little more work to configure but most distributions have a version in the repo. Docker or other containers only make sense to me if you're wanting to run the absolute latest bleeding edge. Then again, Arch has a lot of -git versions.
The only time I've considered docker recently is for photoprism and libre photos. This is simply due to the quantity of depending services and specific versions of modules in python or whatever language they need.
Don't get me wrong, I understand the versatility, but for the most part it's overrated and I would only use it if a service was built like a thing of nightmares, as stated above.
I almost abandoned librephotos altogether trying to get it to run on bare metal. Do not recommend trying. It's the only thing I have in docker.
I have shifted from VM to Docker for some things, but I do have reservations about it from a security perspective. There are a lot of out of date, poorly maintained Docker images out there. As a result I have some pretty strict standards about any image I will run, and if I want a service in Docker that doesn't meet my standard, I will instead roll my own.
My home box is a less used PC. Runs very stock debian Linux.
Services I want to run are in Containers (preference) or VMs (when needed) - depends on the thing.
The box exposes filesystem to my Apple and Linux devices. Special folders are replicated off-site (to rsync.net).
I have a large external drive (4+ TB).
The containers and VMs can share access to those.
So Minidlna in a container serves content from a folder that is shared with the media collector tools.
To connect I have another $5/mo box that is VPNed back to it.
No holes in the home firewall.
Set up an Unraid server on an old machine around the beginning of the year and have been very satisfied with it. Some teething pains because, while I knew what containers/docker are, I'd never really had a need to use them before.
Once I got everything straight in my head it's been very nice. After it's set up it mostly "just works". My biggest pain at the moment is there aren't a lot of great options for photo storage/browsing. The one that technically works nicest (PhotoPrism) doesn't have bulk editing ability... which is insane.
I do mine in LXC containers, running on a Fedora Server host (on an old PC I got for free from a coworker). The only service running on the host is smbd for local file sharing; otherwise, everything (basically just a Transmission+WireGuard server, a Jellyfin one, an ebook/comic sharing one, and a Pi-hole) is in its own container. The first three are running Arch, the last one Debian. Now that I have the ability to natively connect to these without using either a VPN or Cloudflare tunnels (the joys of using an ISP that only has CGNAT on v4 and blocks all incoming connections on v6, with no way of manually changing that as an end user; luckily my new place has gigabit fiber), I should get around to setting up a reverse Nginx proxy.
I like containerization because it's given me less hassle than Docker ever has, is less resource-intensive than full blown VMs (but with much of the same flexibility/functionality), I can just use standard documentation for setting up each of these services, and I don't have to worry about them conflicting with each other on the same host. IDK why I have such a hard time with Docker/Podman, but eh, I'm not in the tech or IT world in a professional capacity, so I'll stick with what I know and what works for my home setup.
Don't start with a reverse proxy and bespoke exposed services. If you're going to run Plex, it can manage its own exposing securely. Start out with whatever machine you have and just start playing around. Using docker/containers will be your best bet to not have too many issues. /r/selfhosted is a great resource as well.
haha I think part of the reason I posted this thread was to try to get some resources onto Tildes so people who aren't using reddit anymore can have something to search for! But yes, I will have to check out the subreddit at some point.
If you can convince any clients to install software, then a VPN like tailscale is the simplest and safest solution.
If you need it to be publicly available, then the usual solution is to use a tunnel to proxy traffic through a server in a datacenter. Cloudflare Tunnels and ngrok are the most common ones, although there are a bunch of these services now. You could even make your own with a cheap VPS instance. Cloudflare Tunnels is, as far as I know, the only free option.
Port forwarding is indeed not advised.
Yeah, I saw another comment about Tailscale that got me wondering this question, haha. I'll have to look at that some more, but Cloudflare Tunnels looks like it might be what I'm looking for, specifically for my parents that live across the country to access some of their shows, right? It would make it at least easy to configure once for them and then we wouldn't need to worry about it after that.
Yeah, haha. Probably not my smartest move, but I wanted to play Minecraft with friends as fast as possible with as little work as possible, and I didn't exactly have as many resources as I do now.
You can't use cloudflare tunnel for media streaming FYI. Well technically you can but it's against their ToS.
If it’s just for your parents and maybe a few friends, I think I’d lean towards Tailscale - one of its major reasons for existing is making the whole experience relatively user friendly, because it’s otherwise pretty much just a wrapper around wireguard. It’s creating tunnels directly between your authorised devices, with Tailscale’s systems just handling certificates, IP checking, and NAT traversal to allow those devices to securely find each other.
Cloudflare tunnels are less focused on user friendliness, more on scalability. You aren’t tunnelling directly device to device, you’re doing so to the nearest Cloudflare edge, where their networking infrastructure takes over. This is awesome (and necessary) if you want to do things like making your secured server available to devices on the public internet with just standard browser HTTP authentication - Cloudflare handles that at the edge and then makes the decision whether to connect you at the network level, rather than having your server itself exposed to the public internet doing its own auth checking. The downside is it’s more “enterprisey” to set up, and there’s more to potentially go wrong in the config since you’re not just creating VPN connections point-to-point.
Since it sounds like you’ll just be serving a handful of users, it seems like having them install a client app wouldn’t be a deal breaker?
Maybe! My parents aren't "watch things on the computer" type of people though; they'd prefer to watch their things on a TV, which makes me worry about Tailscale, but maybe I just don't understand how it works?
Will be too much trouble then honestly. Do a reverse proxy.
Smart TVs definitely add a layer of complexity, unless they happen to use Android TV - how were you thinking of authenticating the TV onto the Cloudflare network if you went down that route? (Probably moot given what @imperator mentioned about the ToS, but it’s a useful question to drill down into your options anyway!)
I'll be honest, I have no idea what I'm even looking at at the moment, so I probably wouldn't have gotten to that point anyway!
Haha very fair, and I appreciate the self awareness! In that case what I’ll say is whichever solution you do settle on, just be careful you don’t accidentally end up having a super secure connection to an endpoint that then routes everything straight back in from the open internet anyway.
A relative and I are currently setting up Unraid machines and using Tailscale and rclone to serve as each other's off-site backups. It's been a slow burn of a project, but in the end it ought to be worth it!
My answer to this is Tailscale. I don't have time at the moment to talk about it in much detail, but you should check it out. You can get an entire home's worth of devices on a VPN network in minutes (no hyperbole) and it's easy to add outsiders into your network if you want to. They also have an incredibly generous free tier that means that most home users wouldn't come to close to having to pay anything. I believe their business model relies on us falling in love with it and then convincing our workplaces to use it.
Me too. I feel much more comfortable hosting on a VPS than on my home network. I think I'd go with DigitalOcean in the future just because they have so many support articles (that I need), but Hetzner is fantastic and reliable. I use it to run a Matrix chat server for my family.
At the very least you need to make sure to run a firewall that allows you to put the server in its own zone/DMZ so if the server is compromised, they won't be able to pivot into your home network. Create the firewall rules so your clients inside your "home" zone can access the DMZ but not vice versa. Then only expose the DMZ to the internet on ports that are absolutely necessary for accessing the content, and consider geoblocking IP space that you'll never be coming from.
The easiest recommendation for this is to run some manner of pfsense/opnsense on commodity hardware. I haven't really touched consumer level gear in a while so I'm not sure what the capabilities are these days. OpenWRT firmware would be your best bet on any of that kind of stuff.
Basically you want to treat your hosting environment as hostile as you treat the internet.
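The zone layout described in the post above, written out as an added nftables ruleset for a Linux router (example config, not anything posted in this thread). Interface roles, the DMZ host address and the service ports are assumptions: eth0 is WAN, eth1 the home LAN, eth2 the DMZ, and 192.168.2.10 runs Plex (32400/tcp) and Minecraft (25565/tcp).

```nftables
#!/usr/sbin/nft -f
# Added example: three-zone home firewall (WAN / home LAN / DMZ).
# Home may reach the DMZ and the Internet; the DMZ may never initiate
# anything toward the home LAN; the Internet reaches the DMZ only on the
# published service ports. Interface names, addresses and ports are assumed.
flush ruleset

table inet homefw {
    # Geoblock set: populate from a country IP list you trust.
    # The ranges below are constructed placeholders, not real allocations.
    set blocked_nets {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Only the home LAN may talk to the router itself (DNS, DHCP, admin UI).
        iifname "eth1" accept
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Drop listed source ranges before any port rule is consulted.
        iifname "eth0" ip saddr @blocked_nets drop
        # Home -> DMZ and Home -> Internet: allowed.
        iifname "eth1" oifname { "eth2", "eth0" } accept
        # DMZ -> Internet: allowed (updates). DMZ -> Home: never (no pivot).
        iifname "eth2" oifname "eth0" accept
        iifname "eth2" oifname "eth1" drop
        # Internet -> DMZ: only the ports the services actually need.
        iifname "eth0" oifname "eth2" ip daddr 192.168.2.10 tcp dport { 32400, 25565 } ct state new accept
    }

    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the two service ports by forwarding them to the DMZ host.
        iifname "eth0" tcp dport { 32400, 25565 } dnat ip to 192.168.2.10
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` and confirm the intent with `nft list ruleset`; the explicit DMZ-to-home drop is redundant with the chain's drop policy but keeps the rule that matters visible in the listing.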
Hmm so the only thing I really understood was the last statement lol but at least I have some things to google!
I'm right there with you OP, I'm glad you asked the question. My current setup is an old Thinkpad with a couple of external drives running Ubuntu, so I'm taking notes for what I need to be thinking about when I make a more permanent build.
I didn't see it mentioned yet here, but Synology has some great starter options for this. You can use a browser-based GUI that feels like Windows to install all sorts of things like Node.js, Plex, an FTP server, a Google Drive/iCloud alternative, a Google Photos/iCloud alternative, and way more. You can also get into the nitty gritty by logging into the Synology DiskStation via the command line.
Have you already chosen something? I'm in the same moment, thinking about hosting some stuff, but I have no idea how to do it securely. This topic provided some answers, but also created even more questions, haha.
I feel like the people in the thread went a bit overboard :D In my opinion, to start out just get a RPi4 and start tinkering. Once you start playing with exposing services you're hosting to the internet, look into NGINX Proxy Manager and secure it with Authelia. This setup is really low effort and beginner-friendly and probably covers most of your bases. If you wanna add another layer, look into Tailscale. If you want to add something else, look into Fail2ban (but if you set up Authelia properly, you've probably stumbled upon F2B already at that point).
If what you want to serve is of a certain kind of thing, you might be better off serving remotely. That is, subscribing to what places like Linode and Digital Ocean offer. Then it's safely off your home network, and also available to you over the Internet.
Hmm, this is definitely a consideration. I feel like it might get expensive though, especially considering I already have some hardware for it, right?
How I do it:
About the hardware:
It's easier than it looks, you just need some free time and dedication. You can do it!