FlorisBoard is also back in the game :)

If you want to run your own pki with self-signed certificate in your homelab I really encourage you to read through this tutorial. There is a lot to process and read and it will take you some time to set everything up and understand every terminology but after that:

• Own self-signed certificate with SAN wildcards (https://*.home.lab)
• Certificate chain of trust
• CSR with your own configuration
• CRL and certificate revocation
• X509 extensions

After everything is in place, you can write your own script that revoks, write and generates your certificate, but that is another story !

Put everything behind your reverse proxy of choice (traefik in my case) and serve all your docker services with your own self-signed wildcard certificates ! It's complex but if you have spare time and are willing to learn something new, it's worth the effort !

Keep in mind to never expose such certificates on the wild wild west ! Keep those certificate in a closed homelab you access through a secure tunnel on your LAN !

edit

Always take notes, to keep track of what you did and how you solved some issues and always make some visuals to have a better understanding on how things work !

What about the missing about:config feature ? :/

They also have an I2P address. More secure than Tor, because alot of the end nodes are controlled by government and private institutions.

I tried it 3 months ago. It looked nice had some cool features, but It didn't fit into my personal selfhosted Home server.

This is more or like to help less-tech savy people to secure their infrastructure, which is a good point, but can't replace a complex wireguard, VPN, opnsense, 2FA , self-signed CA, docker installation.

It's a bit like Nginx proxy manager, it's good enough, does what it is suposed to do with minimal user inputs. Less prone to error, security issues...

Here you go !

• Vaultwarden
• Searxng
• Nextcloud
• Smallstep (own CA for self-signed full chain certificates)
• Linkding
• Gotify + watchtower
• Adguardhome
• Traefik
• Wireguard

Took me to much time to make everything work perfectly together, but learned alot along the road ! Everything hosted on a old spare laptopt with docker containers.

That's way exposing your home services to the internet is a bad idea. Accessing it through a secure tunnel is the way to go.

Also, they already "fixed" the docker image with an update, something todo with phpinfo...

I use Linkding, which even as an android workaround for mobile. I have no idea if it works with brave, but does work with Firefox/chrome !

It's pretty cool piece of software, but something it's missing is a way to groupe tags together or have some folder structure.

If you don't have a tag structure beforehead, your tags can quickly get messy :/!

Linkding

Have you tried Obtainium as f-droid alternative? It's a really cool project with some degree of customization !

Migration takes some time specially if you have a dozen apps, but after that everything is automated !

Just self-host your toilet 😎

As long as they continue to maintain the github repository and keep it free without any hidden ads/spyware or restrictions, I will continue to use their service.

Bookstack looks good :) But I'm to much tied to Obsidian.

Have you managed to selfhost it ? Funkwhale looks great, but the installation process with another proxy than nginx in a container setup is far from ready and accessible to hobby selfhosters.

If you have no idea about proxies and headers forwarder... just don't waste your time and go straight to audiobookshelf !

Strange enough TLS 1.3 still doesn't support signed ed25519 certificates :| P‐256, NIST P‐384 or NIST P‐521 curves are known to be "backdoored" or having deliberately chosen mathematical weakness. I'm not an expert and just a noob security/selfhoster enthusiast but I don't want to depend on curves made by NSA or other spy agencies !

I also wondering if the EU isn't going to implement something similar with all their new spying laws currently discussed...

Wait until you experience your first astral projection ! But yeah, when I tried it a second time I also fell into sleep paralysis... Scary shit !

I wish It could be so simple for everyone... Docker is great when you have an old spare laptop and want to self host a few nice things: vaultwarden, traefik, searxng... Sure it's relatively new compared to VMs and is going to have some security flaws and reworks during the maturing process... But VMs had also their ups and downs long time ago before It got in a stable maturing state !

VM are nice but we (in my opinion) as human species need to find other solutions to get away from energy, rare metal hungry devices... something in between docker and VMs. But that's just my opinion.

Plus, docker and derivatives are also really interesting technologies where you have to read manuals and gain deep and durable knowledge to understand the future of virtualization.

Then, I tried ownCloud for the first time. Wow, it was fast! Uploading an 8GB folder took just 3 minutes compared to the 25 minutes it took with Nextcloud. Plus, everything was lightning quick on the same machine. I really loved using it. Unfortunately, there’s currently a vulnerability affecting it, which led me to uninstall it.

I have no idea on how you access your self-hosted services but wireguard could help you out to access all your service from all your devices, with less security risks and only one point of failure (the wireguard port). Also this takes away most of the vulnerabilities you could be exposed to, because you access all your home services through a secure tunnel without directly exposing the api ports on your router !

I personally run all my services with docker-compose + traefik + self signed CA certificats + adguardhome dns rewrite. And access all my services through https://service.home.lab on all my devices ! It took me some time to set everything up nicely but right now I'm pretty happy how everything works !

About the current ownCloud vulnerability, they already took some measure and the new docker image has the phpinfo fix (uhhg). Also while I wouldn't take their word for granted:

"The importance of ownCloud’s open source in the enterprise and public-sector markets is embraced by both organizations.”

You're not weird ! Quite the contrary, we are on the right path to fight those greedy corporation !! To bad we're the minority ://!

I don't have half the knowledge in IT you have, but i totally agree we should find a solution to seperate from mastadons who owns the whole network.

It's very similar to how we shouldn't give big corpos like GAFAM willingly our data/privacy or our foodchain shouldn't be controled by a few corpos who serve poison... (the list goes on).

Most people just don't care, they have nothing to hide or they won't die if they eat one cheesburger from McDonald's a week...

But in the case of lemmy I think (personal opinion) It's because it's easier, simpler, faster to setup right now. I'm sure if they had a better solution to not depend on cloudflare they would chose the other solution.

I mean your idea seems great, but how long would it take to put it inplace? How many highly qulified people are needed to make it work? How much will it cost....

I hope that in the long run, lemmy instances are going to find a better solution 😀

While rsync is great, I recovered partially from an outtage... Containers with databases need special care: dumping there database...

Lesson learned !

Yeah NC is way too much bloated and heavily unstable after some long term use. As an alternative for cloud storage I use ownCloud. The newer owncloudIS version needs a bit more maturing before it's fully functional and less unstable for selfhosters, but the php version is fully functional and the native apps are awesome :).

While AIO is neat on paper, it's most of the time buggy and not as good as native tools. Having all your tools bind together is a bad idea in my opinion... Having a hammer that's also a screwdriver, a scissor... Leave them less functional as having them separated !

Yeah this takes more space and is less convenient, but the right tool for the right job is a principle that always works in the long term !

Okay, thank you :)) too bad it looked liked a simple and elegant way...

Hi thanks for your quick response !

I already checked with apt show emacs and the output clearly shows emacs-gtk as depends on. And while installing the emacs package with: sudo apt-get install emacs it installed a ~400Mo package and all dependencies.

So why doesn't sudo apt remove --purge --autoremove emacs removes everything ? I thought this command would be the exact opposite of sudo apt install package-name

Thank you for your insights and personal experiences :) I love Debian stable as server, never had any issues on a old Asus laptop ! I have only 2 years of "experience" and started with Ubuntu. Good introduction to linux but switched to Debian (<3)

That's way I'm asking arround I don't wan't to have a too bad experience with Debian as main personal PC !

Thank you for your personal blog post and the wiki link :) will surely read through before making my final choice !

Cool project :D probably not a real use case, but funny enough to try it out !!!

Step CA is really nice if you want to learn more about how a real CA works. Had some fun playing with it but yeah it's a bit overkill for home lab xD.

You can achieve the same result with openssl with less complexity !

Yeah... and sometimes you find some uttery shitty people who use multiple account to comment shame you or think they are better than you while having a self conversation on your post ! Uhhhg !

Certificate chain of trust: I assume you’re talking about PKI infrastructure and using root CAs + Derivative CAs? If yes, then I must note that I’m not planning to run derivative CAs because it’s just for my lab and I don’t need that much of infrastructure.

An intermediate CA could potentially be useful, but isn't really needed in self-signed CA. But in case you have to revoke your rootCA, you have to replace that certificate on all your devices, which can become a lot of hassle if you share that trusted root CA with family/friends. By having a intermediate CA and hiding your root CAs private key somewhere offline, you could take away that overheat by just revoking the intermediate CA and updating the server certificate with the newly signed Intermediate bundle and serving that new certificate through the proxy. (Hope that makes sense? :|)

I do not know what X.509 extensions are and why I need them. Could you tell me more?

This will probably give you some better explanation than I could :| I have everything written in a markdown file, and reading through my notes I remember I had to put some basic constraints TRUE in my certificates to make them work on my android root store ! Some are necessary to make your root CA work properly (like CA:True). Also if you want SAN certificates (multidomaine) you have to put them in your x509 extensions.

’m also considering client certificates as an alternative to SSO, am I right in considering them this way?

Ohhh, I don't know... I haven't installed or used any SSO service and thinking of MFA/SSO with authelia in the future ! My guess would be that those are 2 different technologies and could work together? Having self-signed CA with a 2FA could possible work in a homelab but I have no idea how because I haven't tested it out. But thinks to consider if you want clients certificates for your family/friends is to have a intermediate CA in case of revocation, you don't have to replace the certificate in their root store every time you sign a new Intermediate CA.

I’ll mention that I plan to run an instance of HAProxy per podman pod so that I terminate my encrypted traffic inside the pod and exclusively route unencrypted traffic through local host inside the pod.

I have no idea about HAProxy and podman and how they work to encrypt traffic. All my traffic passes through a wireguard tunnel to my docker containers/proxy which I consider safe enough? Listening to all my traffic with wireshark seamed to do exactly what I'm expecting but I'm not an expert :L So I cannot help you further on that topic. But I will keep your idea in my notes to see If there could be further improvement in my setup with HAProxy and podman compared to docker and traefik through wireguard tunnel.

Of course, that means that every pod on my network (hosting an HAProxy instance) will be given a distinct subdomain, and I will be producing certificates for specific subdomains, instead of using a wildcard.

Openssl SAN certificates are going to be a life/time saver in your setup ! One certificat with multidomian !

I'm just a hobby homelaber/tinkerer so take everything with caution and always double check with other sources ! :) Hope it helps !

Edit

Thinking of your use case I would personally create a rootCA and an intermediateCA + certificate bundle. Put the rootCA in the trusted store on all your devices and serve the intermediateCA/certificate bundle with your proxy of choice. Signing the certificate with SAN X.509 extension for all your domains. Save your rootCA's key somwhere offline to keep it save !

The links I gave you are very useful but every bit of information is a bit dispatched and you have to combine them by yourself, but it's a gold mine of information !

Yeah wrong wording, but the fact that we have to depend mostly on NSA's cryptographic schemes makes it very suspicious !

wow... That blog post blew my mind ! I don't know if you're the author, but really interesting read !

Thank you for the insight ! So, I could have used " " instead of ` . Which I normally do, but because I tried to follow the docs blindly, I just used their syntax without questioning the single quotes !

You probably have your reason to run Debian testing but I read somewhere that testing is somehow a bad idea as desktop environment !

If somehing is stuck and being updated in sid, and bugs are still happening, you could be stuck for month without the correct update in testing.

Sorry if it's not clear, but I read it somewhere in the official debian documentation.

I blocked all reddit domain names, delete reddit and will never come back... Right now I feel the carving like any other drug abuse. Thankfully I wasn't that much of a reddict and were scrolling through healthy subreddits. Keep save, don't fall for the poisonous digital social drug !

Didn't knew that was possible... seems not easy to set-up :/ is also an old article, you sure this still works?

Thank you for your nice write up and your link ! I think I will follow your guts and personal experiences ! Thank your for pre-saving my ass !! <3

I feel u ! It's really hard to get rid of bad habits... Took me some time to get rid of Facebook but in the end I somehow gaine a precious resource: TIME ! I still have another bad habit I'm trying to reduce... Twitch ! Imagine u have youtube, facebook, twitter, reddit, twitch... Combined altogether you probably lose over 3h a day on social media, for nothing !

Take care !

Yeah, because there isn't a native linkding app for android there is a way to make it work in firefox, with HTTP shortcut

See here

It works flawlessly and never had any issue with it.

Yeah I have it in my favs, but I wanted a direct experience with people who actually know what they are doing and how ! :D

Thank you for your great insight !!!

Thank you :) This was the best of the 2 worlds. I was a bit reluctant because of the name (nextcloud) but after 2 days of hard searching, docker tinkering, cronjobbing and a few lost hairs It fits quite good. Except it doesn't work with todoist but jtx board seems promising and is not proprietary, so maybe I will make the switch :).

I edited my post accordingly, for other users stumbling on the post (also making lemmy more active 🌤 )