Very true! You can also take it a step farther and setup SSHFP records for your domain.
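Added example, not from the commenter above: a small POSIX shell helper that builds the SSHFP records the comment refers to from OpenSSH public keys, so the host key can be checked against DNS instead of being trusted on first connect. Assumptions: GNU coreutils (`base64`, `sha256sum`), public keys in the usual `type base64 comment` format, and the placeholder host name host.example.com. Only SHA-256 (fingerprint type 2) records are emitted.

```shell
# Added example (not the original poster's code): generate SSHFP DNS records
# (RFC 4255) from OpenSSH public keys. Assumes GNU coreutils and keys in the
# "type base64 comment" format found in /etc/ssh/ssh_host_*_key.pub.

# Map an OpenSSH key type to the SSHFP algorithm number.
sshfp_algo() {
  case "$1" in
    ssh-rsa)      echo 1 ;;
    ssh-dss)      echo 2 ;;
    ecdsa-sha2-*) echo 3 ;;
    ssh-ed25519)  echo 4 ;;
    *)            return 1 ;;
  esac
}

# sshfp_record HOSTNAME "TYPE BASE64 [comment]"
# Prints: HOSTNAME IN SSHFP <algo> 2 <hex>
# Fingerprint type 2 = SHA-256 over the raw (base64-decoded) key blob, which is
# what `ssh-keygen -r HOSTNAME -f key.pub` prints on its type-2 line.
# SHA-1 (type 1) records are deliberately not emitted.
sshfp_record() {
  host=$1
  set -- $2
  algo=$(sshfp_algo "$1") || { echo "unsupported key type: $1" >&2; return 1; }
  hex=$(printf '%s' "$2" | base64 -d | sha256sum | cut -d' ' -f1)
  printf '%s IN SSHFP %s 2 %s\n' "$host" "$algo" "$hex"
}

# sshfp_zone HOSTNAME   (public keys on stdin, one per line, blank lines skipped)
# e.g.  cat /etc/ssh/ssh_host_*_key.pub | sshfp_zone host.example.com
sshfp_zone() {
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      sshfp_record "$1" "$line"
    fi
  done
}
```

Paste the output into the zone, then put `VerifyHostKeyDNS yes` in the client's ssh_config. The records only replace the trust-on-first-use prompt when the zone is DNSSEC-signed and the client's resolver validates it (OpenSSH looks for the AD bit); with an unsigned zone OpenSSH merely reports that a matching fingerprint was found and still asks. Cross-check one record against `ssh-keygen -r host.example.com -f /etc/ssh/ssh_host_ed25519_key.pub` before publishing.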
I’ve read a lot about using a VPS with reverse proxy but I’m kind of a noob in that area. How exactly does that protect my machine?
So you’re not letting people directly connect to your server via ports. Instead, you’re sending the data through your reverse proxy. So let’s say you have a server and you want to serve something off port :9000. Normally you would connect from domain.com:9000. With a reverse proxy you would set it up to use a subdomain, like service.domain.com. If you choose caddy as your reverse proxy (which I highly recommend that you do) everything is served from port :443 on your proxy, which as you might know is the default SSL port.
And do I understand correctly that since we’re using the reverse proxy the possible attack surface just from finding the domain would be limited to the web interface of e.g. Jellyfin?
I wouldn’t say that it decreases your attack surface, but it does put an additional server between end-users and your server, which is nice. It acts like a firewall. If you wanted to take security to the n^th degree, you could run a connection whitelist from your home server to only allow local connections and connections from your rproxy (assuming it’s a dedicated IP). Doing that significantly increases your security and drastically lowers your attack vector, because even if an attacker is able to determine the port, and even your home IP, they can’t connect because the connection isn’t originating from your rproxy.
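Added example, not part of the comment above: a shell function that emits the nftables ruleset for the "only the LAN and my reverse proxy may connect" policy just described, default-deny and with the proxy limited to the published service ports. Assumptions (all placeholders): the home server runs nftables, the LAN is 192.168.1.0/24, the VPS proxy has the dedicated address 203.0.113.10, and the service listens on 8096. The rule set only covers IPv4 sources; a dual-stack LAN needs matching `ip6 saddr` lines.

```shell
# Added example (not the original poster's code): build an nftables ruleset that
# drops everything except LAN traffic and the reverse proxy's dedicated IP.
# Placeholders: LAN 192.168.1.0/24, proxy 203.0.113.10, service port 8096.

# allowlist_ruleset LAN_CIDR RPROXY_IP PORT [PORT...]
# Prints a complete ruleset suitable for `nft -f -`.
allowlist_ruleset() {
  lan=$1; rproxy=$2; shift 2
  # Refuse a prefix for the proxy: allowing a whole hosting range instead of one
  # host is the classic way this allowlist quietly stops being one.
  case "$rproxy" in
    */*) echo "rproxy must be a single address, not a prefix: $rproxy" >&2; return 1 ;;
  esac
  ports=$(printf '%s, ' "$@"); ports=${ports%, }
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # keep ping and IPv6 neighbour discovery working
    meta l4proto { icmp, ipv6-icmp } accept
    # the LAN may reach everything (SSH, admin UIs, media)
    ip saddr $lan accept
    # the reverse proxy may reach only the published services
    ip saddr $rproxy tcp dport { $ports } accept
    # anything else, including these ports from any other source, hits policy drop
  }
}
EOF
}

# apply_allowlist LAN_CIDR RPROXY_IP PORT [PORT...]
# Syntax-check the ruleset first (nft -c), then load it. Run as root.
apply_allowlist() {
  allowlist_ruleset "$@" | nft -c -f - && allowlist_ruleset "$@" | nft -f -
}
```

Because the proxy is matched on its source address, the policy is only as trustworthy as the proxy host itself; if the VPS is compromised, so is the path in. Running the proxy-to-home leg over WireGuard or Tailscale (mentioned elsewhere in this thread) and allowing only the tunnel interface instead of a public IP removes the dependence on a stable, dedicated address.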
Sorry for the chaotic & potentially stupid questions, I’m just really a confused beginner in this area.
You’re good. Most of this shit is honestly hard.
It depends.
I judge people harshly for still using yahoo email. You disgusting fucks know who you are. Just look at yourselves. Ugh. /s
As soon as Jellyfin allows downloads for offline viewing, I’m jumping ship.
Not that I’m some kind of UPS expert, but I’ve never found a UPS that NUT wasn’t compatible with.
Love Lowend. Just grabbed this deal from massiveGRID. Never heard of them, but I took a chance;
4 Shared Intel Xeon CPU vCores
8 RAM DDR4 ECC Registered (GB)
256 Primary High Availability SSD Storage (GB)
20 TB Guaranteed Internet Traffic
1 IP Addresses
I paid $141.28 for 3 years, and replied on their forum post for Lowend and they added 1 extra year of service for free, and activated lifetime pricing. So it works out to be about $2.95/mo which is a damn great price. The only real drawbacks are the network is 1 Gbps shared** and no IPv6 (it looks like they’re adding it over the next several weeks).
**speedtest;
[root@dev ~]$ speedtest --secure
Retrieving speedtest.net configuration...
Testing from Massivegrid (xx.xx.xx.xx)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Wnet (New York, NY) [0.09 km]: 2.429 ms
Testing download speed................................................................................
Download: 1028.91 Mbit/s
Testing upload speed......................................................................................................
Upload: 997.58 Mbit/s
So not absolutely mindblowing, but you seem to get the full 1 Gbps, which is great. I contacted support and they’ll be offering VDS plans soon with access to higher than 1 Gbps speeds. Super happy so far.
It’s not that the a models have “inferior build quality,” but they’re made with less expensive materials to bring down the cost of the device…
So, docker is a viable solution, but since you’re a fullstack and will likely add more shit than you can imagine in the future, you might as well set up a proper solution.
Check out Proxmox. It’s a management platform that allows you to run containers and just about everything else you need for self-hosting. In addition to that, I recommend getting a very small VPS with a domain to reverse proxy your services if you want. I highly recommend caddy2 for this as it does rproxy and even ssl seamlessly.
I’m on a shitty 5G internet at home, so VPS seems like the way to go but with who?
Considering you have a poor internet connection, you’d want to keep as much locally as possible. You’re not going to be able to stream HD movies with shitty internet if you host your media on a remote server, but if you rely on a local wifi network, it’s fine. You won’t have remote access to your movies (I mean you can, but like you said, shitty internet), so it’s not going to be awesome. Other services like your matrix server would be fine, but since you’re self-hosting, might as well host them at home, too. Matrix isn’t exactly resource heavy and doesn’t require a shit ton of upload to make usable.
If I’m torrenting, do I need to be careful which hosts I choose so I don’t get copyright pinged?
If you’re on 5G, and you torrent, you’ll be found out almost immediately, even with a VPN. I highly recommend a seedbox. Download to the seedbox, then use rclone or something to grab the files to your local NAS cluster (in proxmox) then stream the videos locally.
Is there a good guide for securing and hardening my server?
I always recommend 2 things when dealing with *nix servers;
IMO this is really the only hardening you need, especially if you’re working with rproxy and the ports only have to be opened locally or tunneled.
Because Bluesky keeps to what made Twitter popular in the first place. The UX. You make a post and it’s syndicated to a federated feed that anyone can search for, and you can tag content using hashtags.
It’s a great concept. There’s a reason a lot of people use it.
Oh, damn. Not much you can do then. You may eventually be able to get something outrageously complicated to work, but honestly it’s just plain not worth it. Just get a cheap VPS.
Best you could do is a forward server with tailscale and a reverse_proxy, but I’ve never had any real luck getting that type of setup to work reliably.
Firewall
(enables all 3 options) This will tell Android (and RethinkDNS) to scoop your Wireguard DNS.
I don’t see how it’s particularly hard? Could set it up in an afternoon and have a forward thinking infrastructure from then onward that can vertically scale.
my current ISP refuses to provide me a static IP
So then use dynamic dns? HurricaneElectric offers DynDNS now and it’s great. You can update it right over curl if you want. I have it mapped to a cli function;
~\downloads
❯ ddns
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Content-Length: 18
Content-Type: text/html
Date: Tue, 25 Feb 2025 09:24:18 GMT
Email: DNS Administrator <dnsadmin@he.net>
Expires: Wed, 25 Feb 2026 09:24:18 GMT
Server: dns.he.net v0.0.1
nochg {ip}
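Added example, not the commenter's own `ddns` function: a shell updater for Hurricane Electric's dynamic DNS that keeps the update key out of the command line and actually checks the dyndns2 reply (the `nochg {ip}` body shown above is one such reply). Assumptions: the endpoint is https://dyn.dns.he.net/nic/update (the one HE documents for dynamic records; confirm against your own dns.he.net page), the per-record dynamic key lives in a mode-600 file named by `$HE_DDNS_KEYFILE`, the hostname is in `$HE_DDNS_HOST`, and `curl` is installed. The reply codes are the standard dyndns2 ones; which subset HE emits beyond `good` and `nochg` is an assumption.

```shell
# Added example (not the original poster's function): HE dynamic DNS updater.
# Assumptions: endpoint URL below, hostname in $HE_DDNS_HOST, the per-record
# dynamic key (not the account password) in the file $HE_DDNS_KEYFILE.
HE_DDNS_URL=${HE_DDNS_URL:-https://dyn.dns.he.net/nic/update}

# ddns_status "RESPONSE_BODY"
# dyndns2 replies look like "<code> [ip]". Prints a human-readable status and
# returns 0 only when the record is in the desired state, so callers can act on it.
ddns_status() {
  set -- $1
  case "$1" in
    good)    echo "updated to ${2:-?}"; return 0 ;;
    nochg)   echo "unchanged (${2:-?})"; return 0 ;;
    badauth) echo "bad key for this hostname"; return 2 ;;
    nohost)  echo "hostname not enabled for dynamic DNS"; return 2 ;;
    abuse)   echo "blocked for abuse: stop retrying and fix whatever is updating in a loop"; return 3 ;;
    *)       echo "unexpected reply: $*"; return 4 ;;
  esac
}

# ddns [IP]
# Without IP, HE records the address the request came from. The key is fed to
# curl as a config line on stdin (-K -) rather than as an argument, so it never
# shows up in `ps` or shell history.
ddns() {
  host=${HE_DDNS_HOST:?set HE_DDNS_HOST}
  keyfile=${HE_DDNS_KEYFILE:?set HE_DDNS_KEYFILE}
  body=$(printf 'data-urlencode = "password=%s"\n' "$(cat "$keyfile")" \
         | curl -sS -4 -K - --data-urlencode "hostname=$host" \
             ${1:+--data-urlencode "myip=$1"} "$HE_DDNS_URL") || {
    echo "request to $HE_DDNS_URL failed" >&2; return 1
  }
  ddns_status "$body"
}
```

Run `ddns` from cron or a timer, but only after comparing the current public address with what the record already holds; providers that implement the `abuse` code lock out hosts that push identical updates every minute.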
$29.6 billion (2023). $1,217 GDP per capita. So about 5.01% of its GDP.
However, I also read about unbound in the Pi-Hole guides. I was curious if this was preferable to cloudflared?
Many people advocate for Cloudflared as a tunneling solution, but it’s not a one-size-fits-all tool. Personally, I avoid it. Your VPS already functions as a firewall for your connection. Tailscale is also self-hosted and avoids reliance on third-party services like Cloudflare while maintaining security and the same functionality.
For DNS privacy, I prefer odoh-proxy, which enables your VPS to act as an oDoH (Oblivious DNS over HTTPS) proxy for the cloudflare network. While oDoH introduces a slight latency increase, it significantly enhances privacy by decoupling query origins from content, making it a more secure option for DNS resolution. So you would be able to set your DoH resolver to your domain (https://dns.whatever.com/dns-query) and it would forward the request to cloudflare for resolution, and then back again.
As for Pi-Hole, its utility has diminished with the modern alternatives like serverless-dns. It allows you to deploy RethinkDNS resolver servers on free platforms, handling 99% of security concerns out-of-the-box. The trade-off is a loss of full custody over your DNS infrastructure, which may matter to some users but is less critical for general use cases.
Lastly, using consumer VPNs like Mullvad to proxy connections often introduces unnecessary complexity without meaningful security gains. While VPNs have their place they can really overcomplicate setups like this and rarely provide substantial privacy benefits for services like DNS.
So that would be a limitation of whichever filesystem you use. I’ve not personally done it, but this reddit user uses a CEPH cluster to be able to hotplug storage into a volume. But doing just that gives you no redundancy, so you would have to do a little research into how to set it up in whichever way would be best for you, but it looks like using the CEPH cluster is what you’re looking for.
The year of the Linux desktop has arrived.
It’s also a specific protocol, which can absolutely be blocked. I don’t know where this notion that it’s impossible to block tor because it was designed to be censorship resistant came from, but you can absolutely stop people from using it.
It’s not even that hard and there’s nothing end users can do about it if they don’t know how to circumvent it…
I assume people are shitting on it because it’s fake?
lmao no it’s not… They literally post the link to the Github: https://github.com/PennyroyalTea/gibberlink
You can even test their data-to-sound module (ggwave) here: https://waver.ggerganov.com/
At least it looks fake to me as the sounds they’re making seem the same each time.
In a lot of respects Lemmy is worse than Reddit. Jesus. The technology is designed for it to be imperceptible to humans (as such, you can even use high frequency sound that can barely be heard), because it’s not meant for us to hear or understand… So it’s not weird that it sounds the same to you. But it’s not.
Ya feel good about yourself, slugger? /s