kristoff

@kristoff@infosec.pub
5 Posts – 37 Comments
Joined 1 year ago

Just out of interest... is somebody here on satellite? I am interested to know the prices for sat services out there.

Hi,

What is the reason you do not want a domain? It is not as if DNS domains are that expensive these days. The cheapest option I found is .ovh (OVH is one of the major cloud providers in France), which is 3 euro / year (+VAT). You can then put as many hosts or subdomains under it as you like, and it supports dynamic IP.

Agreed, .ovh is not the most "professional" looking domain, but it depends on what you want to do. If your goal is simply to have something for yourself / family / friends, then this is good enough.

BTW. Having your own domain for a nextcloud instance has additional advantages: you can get a real https/tls certificate from letsencrypt, and -if you put a reverse proxy in front of your NC- it shields you from people who just scan the complete IP-space of the internet but who do not know your domain.

I don't know if this is still valid, but I used to be told to have different partitions for your system, logs and data (home directories) .. and have the swap partition located in between them. This was to limit the distance the head has to move when your system starts swapping.

But if you use a SSD drive, that is not valid anymore of course :-)

Kr.

or a one-way trip from a window on the 10th storey of a building all the way down to the ground.

Well, the issue here is that your backup may be physically in a different location (you can ask to host your S3 backup storage in a different datacenter than the VMs), but if the servers themselves on which the services (VMs or S3) are hosted are managed by the same technical entity, then a ransomware attack on that company can affect both services.

So, get S3 storage for your backups from a completely different company?

I just wonder to what degree this will impact the bandwidth usage of your VM if -say- you do a complete backup every day to a host that will be considered as "off-premises".

Yes. Fair point.

On the other hand, most of the disaster scenarios you mention are solved by geographic redundancy: set up your backup // DRS storage in a datacenter far away from the primary service. A scenario where all services in all datacenters managed by a cloud provider are impacted is probably new.

It is something that, considering the current geopolitical situation we are now in -and that I assume will only become worse- we should better keep in the back of our mind.

The issue is not cloud vs self-hosted. The question is "who has technical control over all the servers involved". If you would home-host a server and have a backup of that on a network of your friend, and your username / password pops up on an infostealer website, you will be equally in trouble!

What was that saying again?

"the biggest threat to the safety and cybersecurity of the citizens of a country ... are managers who think that cybersecurity is just a number on an Excel sheet"

(I don't know where I read this, but I think it really hits the nail on the head)

A /48 is quite overkill for a home customer. Do you have 65536 LANs at home? Here in Belgium, we get a /56.

The question is .. do we care about THAT 80 % of the people? I would be more than happy if we can have that 20 % of more technically oriented audience :-)

Hi,

I have also been thinking about self-hosting a jitsi-meet server. Just how easy / difficult is it to self-host it? Do you run it in docker or natively? Linux or some other OS (FreeBSD)?

Kr.

Well, based on the advice of Samsy, take a backup of the home-server network to a NAS on your home network. (I do hope that your server segment and your home segment are two separate networks, no?) Or better, set up your NAS at a friend's house (and require MFA or a hardware security key to access it remotely).

Hi, I have it running as of today. Apache reverse proxy natively on the server and "stable-8922" in docker.

I have been wondering if it makes sense to move the jvb from docker to the server. I guess that is the part of the system that pulls most of the traffic. I don't know if this makes any real difference for performance or not.

Anyway. All, thanks again for the help. Appreciate it. :-)

Kr.

Hi, Perhaps a stupid question, but what exactly is required to port an OS to a different architecture? OK, there is the boot-process, and low-level language compilers, ... but what else?

How much code actually has to be rewritten, and how much just needs "make" to be recompiled?

Kr.

Australia looks like an interesting case. I know that in some countries, ISPs have to provide service to both urban and rural customers at the same price, which means that urban customers actually subsidize people living in rural areas. In some other cases, the governments help pay for this.

Isn't there a project in Australia where the federal government is subsidizing the roll-out of fibre?

Hi Neutrom, I don't know this one. I'll check it out. Thx! 👍

For me, the first goal is to simply understand the setup. I now have been able to create a setup with two frontend jvb instances and one backend. In the end, the architecture of a jitsi server is quite nicely explained, and, by delving a little bit into the startup scripts of the docker-based jitsi setup, you do get some idea of how things fit together.

From a practical point of view, I think I'll go for the basic setup (1 backend, 2 frontends) natively on two servers, and -if the backend server would go down- just have a dockerised backup setup ready to go if it would be needed.

Thanks!

First of all, thanks to all who replied! I didn't think there would have been that many people who self-host a SSO-server, so I am happy to see these replies.

As a side note, I have also been looking into making the setup more robust, i.e. add redundancy. For a "light redundant" scenario (not fully automatic, but -say- where I have a 2nd instance ready to run, so I just need to adapt the DNS record if it is needed), can I conclude from the "making a backup" question that I just need to run a 2nd instance of postgres and do streaming replication from the main instance to the backup instance?

Or are there other caveats I haven't thought about?

For the nextcloud instance on my local LAN, I use the .local domain (multicast DNS). Just enable avahi on your server and you can use hostname.local on your network without having to deal with local DNS on your router and so on.

In this case, it is not you -as a customer- that gets hacked, but it was the cloud company itself. The ransomware gang encrypted the disks at server level, which impacted all the customers on every server of the cloud provider.

I have been thinking the same thing.

I have been looking into a way to copy files from our servers to our S3 backup storage without having the access keys stored on the server (as I think we can assume that will be one of the first things the ransomware toolkits will be looking for).

Perhaps a script on a remote machine that initiates an ssh to the server and does an "s3cmd cp" with the keys entered from stdin? So far, I have not found how to do this.

Does anybody know if this is possible?
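The pattern asked about above, as an added example that is not part of the original thread: a backup controller opens the ssh session to the server and feeds the S3 key pair over the session's stdin, so the keys are never written to the server's disk, never appear on a command line (and hence not in `ps` or shell history), and exist on the server only in the environment of the s3cmd process for as long as it runs. All names are placeholders: `backup@server.example`, the key file `/root/s3-keys` (line 1 access key, line 2 secret key, mode 0600, present only on the controller), the source directory and the bucket. It also assumes an s3cmd version that reads `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` from the environment; the aws CLI (`aws s3 sync`) uses the same variable names if yours does not.

```shell
#!/bin/sh
# Added example, not from the original thread. Push a directory from a server
# to S3 while the S3 keys live only on a separate backup controller.
# Placeholders: backup@server.example, /root/s3-keys, /srv/data, s3://backup-bucket/
set -eu

# Shell snippet that the SERVER executes. It reads the two keys from stdin
# (access key, then secret key), exports them only to the s3cmd child and
# execs s3cmd. Nothing is written to disk and nothing is on argv.
remote_command() {
    src=$1 dst=$2
    cmd="IFS= read -r AWS_ACCESS_KEY_ID"
    cmd="$cmd; IFS= read -r AWS_SECRET_ACCESS_KEY"
    cmd="$cmd; export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY"
    cmd="$cmd; exec s3cmd --no-progress sync '$src' '$dst'"
    printf '%s' "$cmd"
}

# Runs on the CONTROLLER. The keys travel down the ssh pipe as two lines of
# stdin; the command string itself carries no secret. SSH_CMD is intentionally
# unquoted and overridable so the flow can be exercised without a real host.
push_backup() {
    access_key=$1 secret_key=$2 src=$3 dst=$4
    cmd=$(remote_command "$src" "$dst")
    printf '%s\n%s\n' "$access_key" "$secret_key" \
        | ${SSH_CMD:-ssh -o BatchMode=yes backup@server.example} "$cmd"
}

# Loads the key pair from a controller-only file and refuses loose permissions.
# Sets ACCESS_KEY and SECRET_KEY.
load_keys() {
    keyfile=$1
    [ -n "$(find "$keyfile" -maxdepth 0 -perm 600)" ] \
        || { echo "refusing: $keyfile must be mode 0600" >&2; return 1; }
    { IFS= read -r ACCESS_KEY; IFS= read -r SECRET_KEY; } < "$keyfile"
}

# Usage on the controller (e.g. from cron):
#   sh push_backup.sh run /root/s3-keys /srv/data s3://backup-bucket/server1/
if [ "${1:-}" = "run" ]; then
    load_keys "$2"
    push_backup "$ACCESS_KEY" "$SECRET_KEY" "$3" "$4"
fi
```

Two caveats a practitioner would add. First, while s3cmd runs, anyone with root on the server can still read `/proc/<pid>/environ`, so this limits the exposure window rather than eliminating it; the pull variant (controller runs rsync over ssh into itself and uploads to S3 from there, with the server's ssh key restricted by a forced command) keeps the keys off the server entirely. Second, whichever direction you choose, give the key a write-only policy (PutObject, no DeleteObject) and enable bucket versioning or object lock, so a stolen key cannot be used to wipe the backups it was meant to create.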

Yes, that's a very useful idea. Thanks!

Hi all. Thanks for the feedback. Very much appreciated 👍. ... I will set it up in docker.

most people probably just watch some YouTube videos if they want an introduction to mastodon 😀

hi,

The problem with hashtag-following is that it works on the messages that enter the instance in some way (either local or from the federation). This works great on big instances and on specialised instances. However, on smaller, less specialised instances (like personal instances or -say- an instance for a mid-sized city with 50 members) ... it works much less well.

But that is then where gup.pe and following public feeds of remote instances come in.

Kr.

interesting article.

I understand the fact that you do not want to make it too complicated, but there are some other things you might try to squeeze in:

  • other microblogging software besides mastodon (Misskey, Pleroma, GoToSocial, ...) which is also on the fediverse. I understand that you are mainly addressing people who come from twitter/X. A lot of people equate microblogging with twitter .. and twitter with microblogging. It is interesting to note that microblogging is just a service, and twitter and mastodon are just two examples (be it the biggest ones). But there is other microblogging software out there! And, due to the fediverse, you are free to use any one you like.

You can mention that this other software offers other perspectives on the same service. E.g. a service like hubzilla has a more privacy-oriented approach.

  • You mention mastodon, pixelfed and Lemmy as the fediverse replacements for X, Instagram and reddit (services people know). You can also mention services like friendica (which has a more FB-like interface), or peertube, librecast (videos and video streaming), funkwhale (audio), WordPress (for macroblogging) .. or less known services that do not have 'big name' tech behind them (e.g. bookwyrm for books, agenda-sharing services, .. or even activitypub-based chess).

I understand that listing all of this would be too much. It is however interesting to make people understand that social media is a lot more than 'the big three names they know', both in the variety of the types of services social media offers and in the choice of software inside each segment.

Kr.

I use Fedilab. Works very well. Allows hashtag-following, following the public feed of a remote instance, and multi-account with cross-account actions.

Hi Kux,

The problem I see here is that you then also need to explain why following a remote instance might be interesting, which means that you need to explain how the fediverse has led to the existence of specialised instances (which means that you also need to explain that the fediverse is more community driven).

"even though you can be on one instance (as you really like the community over there, and the posts have a good signal-over-noise ratio), the ability to follow remote instances does still allow you to follow other instances (read: other communities) .. after all .. most people are interested in several things, no?"

Hi, Correct. For your info: I co-manage an ActivityPub relay for fediverse instances oriented towards hamradio. If you are interested in peering, feel free to send me a ping.

Hi Hugh,

To be clear. This is not about the tags themselves. It's about the system of tag-following and how it is implemented on the fediverse. It is due to how the fediverse (ActivityPub) works and how (or why) messages are routed from one instance to another.

There is a major difference between how following (people) and how tag-following work. (Perhaps the similarity in name is not such a good choice.)

The basic idea of following (people) is this: Consider that you and I are on different instances and I want to follow you; so I hit the "follow" button.

What actually happens is this:

  • My instance sends an ActivityPub message to your instance. That message contains the information about me and you .. and that way, your instance is aware that I (on my instance) want to follow you (on your instance)
  • when you then write / boost / ... a post, your instance will then forward that post to my instance (based on the information received in step 1), which will then put it in my personal inbox stream.

So far, so good. I am happy to read your (very interesting) posts, and you are happy as your messages get forwarded to a lot of people who think you are an awesome guy!

Tag-following however is based on a very different system.

  • you do a tag-follow request. What this does is that this tells your local instance that you are interested in all messages that contain the tag (say) "#caterday"

  • What this will do is this: If (in any way) a message enters your instance and that message contains the tag "caterday", your instance will drop a copy of that message in your inbox stream, .. which results in another post with a nice cat image in your personal stream. Yeah!

  • What this does NOT do: Unlike the "following people" system, tag-following is a purely local thing ("local" means "on your own instance"). So, what does NOT happen is that your instance starts sending messages to all instances out there on the fediverse saying "hey .. here is somebody who is interested in cats .. please send me all these posts".

The main point here is that tag-following is only local between you and your own instance. Nothing more than that.

In essence, .. the important thing here is the first part of my message above: "If (in any way) a message enters your instance, and that message contains the tag ..."

So, then the question is: "what are the mechanisms so that a post enters an instance? (and -hence- be subject to tag-following)" This could happen in two ways:

  • because somebody local on the instance writes a post.

  • because somebody on a remote instance writes a post AND somebody on the local instance follows that person. As explained above, that message will get forwarded by the remote host to your local instance.

So, to put things together: Consider we are on different instances, I write a post with the #caterday tag, .. but neither you nor anybody else on your instance follows me, .. the video of my cat attacking a ball of cotton will NOT reach you. (Bad luck for you ... you should have followed me :-p )

Does this mean that tag-following is useless? No, not at all.

When does tag-following work very well? To give a practical example. I have an account on mastodon.radio (a specialised instance for amateur radio) and over there I do tag-following of #electronics.

That works very well because

  • there are a lot of ham-radio people doing electronics
  • there are also a lot of people on other instances who are into building electronics .. but there is a very big chance that they are followed by at least one person on mastodon.radio. So their posts get forwarded to mastodon.radio ... which will then also appear in my inbox due to tag-following. This really works very well, and provides me with a good stream of messages with a good signal-to-noise ratio.

When does tag-following not work well?

  • if you have a personal instance as I also do.

  • if you are on a smaller instance and you have a less common interest. So, if you happen to be the only metalhead on (say) a 50 member instance that serves your local city, there is a very little chance that a tag-follow for your favorite all-female Japanese metal band will produce much content.

What can you do if you are in the 2nd scenario?

If there exists an instance dedicated to your interest (that still accepts people)

  • get an account on that instance and use a multi-account app like fedilab

  • use an app like fedilab to remote-read the public feed of that instance, find interesting people, follow them with your current fediverse account you already have, and build up your list of interesting people to follow that way.

  • switch to lemmy or kbin :-) (as lemmy and kbin are by nature more community-based)

  • follow the lemmy/kbin community from within your mastodon/fediverse account.

If you happen to be interested in something very specific and the other nerds are all spread out over a zillion different fediverse instances out there:

  • use gup.pe

A nice exercise to get a good feeling for this is to get both an account on a mid-sized instance and set up your own personal instance. The difference in how to approach the fediverse becomes apparent quite fast.

Hope this helps :-)
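The routing rules described in the comment above, as an added example that is not part of the original post: a small model of three made-up instances (`cat.example`, `radio.example`, `city.example`) with people-following delivering posts between instances and tag-following acting only as a local filter. Real ActivityPub also exchanges Accept activities, signs requests and uses shared inboxes; none of that is modelled, and all user and instance names are invented.

```python
"""Added example, not from the original thread: people-following (remote
delivery) versus tag-following (local filter) on a toy fediverse.
Instance and user names are made up."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    author: str        # "user@domain"
    text: str
    tags: frozenset    # lower-case tags without the '#'


def domain_of(actor: str) -> str:
    return actor.rsplit("@", 1)[1]


class Instance:
    def __init__(self, domain: str, network: dict):
        self.domain = domain
        self.network = network                        # domain -> Instance; stands in for DNS + HTTPS
        network[domain] = self
        self.users = set()
        self.following = defaultdict(set)             # local user -> authors they follow (any domain)
        self.tag_follows = defaultdict(set)           # local user -> tags; purely local state
        self.remote_subscribers = defaultdict(set)    # local author -> remote domains to deliver to
        self.inboxes = defaultdict(list)              # local user -> posts in their personal stream

    def register(self, name: str) -> str:
        actor = f"{name}@{self.domain}"
        self.users.add(actor)
        return actor

    def follow(self, local_user: str, author: str) -> None:
        """Step 1 of people-following: record it here and, if the author is remote,
        tell the author's instance so it forwards that author's posts to us."""
        self.following[local_user].add(author)
        if domain_of(author) != self.domain:
            self.network[domain_of(author)].remote_subscribers[author].add(self.domain)

    def follow_tag(self, local_user: str, tag: str) -> None:
        """Tag-following: local only. No message leaves this instance."""
        self.tag_follows[local_user].add(tag.lower())

    def post(self, author: str, text: str, tags) -> Post:
        """Step 2: a local user writes a post. It enters this instance, then is
        forwarded to every instance where at least one person follows the author."""
        post = Post(author, text, frozenset(t.lower() for t in tags))
        self.ingest(post)
        for domain in self.remote_subscribers[author]:
            self.network[domain].ingest(post)
        return post

    def ingest(self, post: Post) -> None:
        """A post has entered this instance, written locally or delivered by a
        remote one. Only now can a tag-follow match it."""
        for user in self.users:
            if post.author == user:
                continue
            follows_author = post.author in self.following[user]
            tag_hit = bool(self.tag_follows[user] & post.tags)
            if (follows_author or tag_hit) and post not in self.inboxes[user]:
                self.inboxes[user].append(post)


def inbox_texts(network: dict, user: str) -> list:
    return [p.text for p in network[domain_of(user)].inboxes[user]]


def build_scenario():
    """kris on cat.example posts #caterday. bob on radio.example follows kris, so the
    post reaches radio.example and carol's tag-follow there matches. alice on
    city.example has the same tag-follow, but nobody on city.example follows kris,
    so the post never enters that instance."""
    net = {}
    cat, radio, city = (Instance(d, net) for d in ("cat.example", "radio.example", "city.example"))
    kris, bob, carol, alice = (cat.register("kris"), radio.register("bob"),
                               radio.register("carol"), city.register("alice"))
    radio.follow(bob, kris)
    radio.follow_tag(carol, "caterday")
    city.follow_tag(alice, "caterday")
    cat.post(kris, "cat attacks a ball of cotton", ["caterday"])
    return net, {"kris": kris, "bob": bob, "carol": carol, "alice": alice}


if __name__ == "__main__":
    net, u = build_scenario()
    for name in ("bob", "carol", "alice"):
        print(name, inbox_texts(net, u[name]))
    # Once someone on city.example follows kris, the next post enters city.example
    # and alice's tag-follow starts producing content.
    net["city.example"].follow(u["alice"], u["kris"])
    net["cat.example"].post(u["kris"], "cat vs cardboard box", ["caterday"])
    print("alice", inbox_texts(net, u["alice"]))
```

Running it shows bob and carol with the first post and alice with nothing; after alice follows kris, only the second post reaches her. The model also makes the "purely local" claim visible: `city.example` never adds itself to anyone's `remote_subscribers` when a tag-follow is created.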

Hi,

Good idea!

And once you have you domainname, you can do the following:

  • set up a reverse proxy (apache, nginx) in front of nextcloud
  • in the configuration of apache/nginx, use virtual hosts.
  • make sure that the default virtual host (in apache, that is the one that does not have a "ServerName") comes first in the configuration. Point that to a local website with just an empty directory
  • then, AFTER the default virtual host, add the reverse-proxy configuration of your nextcloud instance.

What this does, is that if somebody addresses your website with a URL that does not contain the exact hostname of your nextcloud, the web request will go to the empty website and simply return a 404. A hacker who does a web request to "https://your-ip-address/login" will just get a "404 not found" and not reach your nextcloud instance.

This keeps people who just scan the internet for vulnerable systems and try out all kind of URLs to try to get in out of your nextcloud.

Of course, this only works if you keep the full hostname of your instance to yourself and do not post it somewhere (including social media, mailing-lists, ...)

Good luck with your nextcloud server
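The catch-all-first layout from the list above, as an added Apache 2.4 example (not configuration from the original post). Apache picks the first `<VirtualHost>` defined for an address:port as the default whenever no `ServerName`/`ServerAlias` matches the request's Host header (or, for TLS, its SNI name), which is exactly what a scanner hitting the bare IP address produces. Assumptions: Nextcloud listens on `127.0.0.1:8080`, the public hostname is `cloud.example.org`, the Let's Encrypt paths are the usual certbot ones, the self-signed placeholder cert exists for the default TLS vhost, and `mod_ssl`, `mod_proxy`, `mod_proxy_http` and `mod_headers` are enabled. All of those are placeholders to adapt.

```apacheconf
# Added example, not from the original post. Order matters: the two catch-all
# vhosts come first and therefore become the defaults for *:80 and *:443.

# Default for plain HTTP: any Host (or no Host) that is not cloud.example.org.
<VirtualHost *:80>
    # Deliberately no ServerName: first vhost on *:80 is the default.
    DocumentRoot /var/www/empty
    # Answer every path with 404 instead of listing or serving anything.
    RedirectMatch 404 ^/
    ErrorLog ${APACHE_LOG_DIR}/default-error.log
    CustomLog ${APACHE_LOG_DIR}/default-access.log combined
</VirtualHost>

# Default for HTTPS: reached by bare-IP requests (no SNI) or unknown SNI names.
# mod_ssl needs some certificate here; a self-signed one is fine because
# nothing legitimate ever connects to this vhost.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    DocumentRoot /var/www/empty
    RedirectMatch 404 ^/
    ErrorLog ${APACHE_LOG_DIR}/default-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/default-ssl-access.log combined
</VirtualHost>

# Redirect the real hostname from HTTP to HTTPS (only this exact name).
<VirtualHost *:80>
    ServerName cloud.example.org
    Redirect permanent / https://cloud.example.org/
</VirtualHost>

# The Nextcloud reverse proxy, AFTER the defaults, selected only by exact name.
<VirtualHost *:443>
    ServerName cloud.example.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cloud.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.org/privkey.pem

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    ErrorLog ${APACHE_LOG_DIR}/nextcloud-error.log
    CustomLog ${APACHE_LOG_DIR}/nextcloud-access.log combined
</VirtualHost>
```

To check it, `curl -sk -o /dev/null -w '%{http_code}\n' https://<your-ip>/login` should print 404, while `curl -sk -o /dev/null -w '%{http_code}\n' --resolve cloud.example.org:443:<your-ip> https://cloud.example.org/login` should reach Nextcloud's login page. On the Nextcloud side, `trusted_domains` must list `cloud.example.org` and, behind a proxy, `overwriteprotocol` should be set to `https`. One caveat: a hostname with a Let's Encrypt certificate is published in Certificate Transparency logs, so treat the catch-all vhost as a filter against untargeted IP-range scanners, not as a way of keeping the hostname secret.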

Is there a place where it is explained what exactly is in the DMA (and DSA)? I did find this video (be it quite high-level) interesting: https://www.youtube.com/watch?v=8y8BYI422NU&pp=ygURZHNhIGRtYSBleHBsYWluZWQ%3D

I have been wondering about this. Could the DMA (or DSA) be used to force google/youtube to allow users to disable the "this video might also interest you" (or similar) feeds from youtube, as this is (in my opinion) clearly aimed at creating addictive behaviour?

Funny, I use a special plugin to hide the "Recommendations" feed on youtube (to counter the "getting hooked" effect), .. but this "privacy-respecting open-source alternative frontend to YouTube" does show them (unless you explicitly say you do not want to see them).

For a privacy-oriented app, I would consider showing recommendations as "opt-in", not "opt-out".

Great thanks! (also thanks to Mike .. you have some valid points)

I will put "multicloud" on my wishlist.

Looking at it from a infosec point of view, cloud-providers are an ideal target. All the customers who have just lost all their data now complaining to the cloud-provider are the ideal pressure-mechanism to get the cloud-provider to pay out.

What is your 'deleted files' policy? How long do you keep them? I had a similar issue but then found out that the nextcloud cron process wasn't running, so files in the 'deleted files' folder were never really deleted.

If you get your domain from OVH, you get one single mailbox (be it with a lot of aliases, like a different email-address for every service/website you use) for free.