Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam.
-
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
-
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 7 days old, your post is exempt from this rule as long as you continue to engage in comments.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
I do DNS challenges with let's encrypt for either host fqnds (for my kubes cluster) or wildcard for the few other services.
The trick is to do a subdomain off of a domain that you own (e.g.
thing.lan.mydomain.com) this way, you can scope the DNS to only*.lan.mydomain.comif you're conscious about scoped api security.Using let's encrypt is nice because you can have a valid ssl chain that android, iOS, windows, and Linux all trust with their default trusts without having to do something with a custom CA (ask me how awful that process can be).
Wildcard is actually good these days because you don’t have to set up DNS entries for your hostnames.
It’s not security, just obscurity - but in the age of crawlers, it’s helpful.
Also, you can use it internally for services on LAN and because LetsEncrypt is a CA everyone trusts, you don’t need to register a local CA (like a FreeIPA instance) with all your devices- which sometimes isn’t possible.
EDIT: you can also use DNS01 challenges and instead of proving yourself by serving up a challenge response from a server, you prove ownership by adding a DNS TXT entry with the response. It is safer, from a security perspective, to use one cert per service.
IIRC for my setup it's a bit of both. My DNS API key is scoped to only handle the specific subdomain updates instead of my entire DNS account.
I still use a wildcard for that subdomain for non-kubernetes systems, but the cert plugins for kubes is excellent at handling a LE cert per lan fqdn.
This was my biggest reason to move to Let's Encrypt. I have a Hashicorp Vault instance in my homelab for secrets and I tried using it for an internal CA (like how the lab at work is set up), but trying to get on every device and add the full Vault chain to each individual system's trust store was massive pain in the ass.
That sounds cool and kind of makes sense. I’m going to go learn more about this.