Episode: 3532
Title: HPR3532: Self-hosting in small scale E0: Disclaimer and general idea
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3532/hpr3532.mp3
Transcribed: 2025-10-25 01:03:35

---

This is Hacker Public Radio Episode 3532 for Tuesday the 15th of February 2022. Today's show is entitled "Self-hosting in Small Scale E0: Disclaimer and General Idea". It is the first show by new host TAC on 751, and is about 9 minutes long, and carries a clean flag. The summary is: this episode is just an explanation of the general idea, and introducing useful communities around the topic.

Hello everyone, TAC of 751 speaking. I would like to apologize beforehand for the quality, as I am trying to wrap my head around recording, and basically giving a talk like this is highly unlikely of me. So with that said, I am by no means a professional at the moment, and am just trying to share what I learned about self-hosting. And today's episode is just a starter of a series, where I am trying to explain how to self-host services on your LAN without exposing too much on the wide and dangerous internet, to keep your attack surface as small as you can. Because I had some really bad times, because I made some poor choices.

So with that said, I am trying to apply the infrastructure as code principles, and an easy way to record what I mean behind it is that as a runtime I am trying to use Docker for everything. And using Docker Compose, which is a neat solution, where you are basically able to define a whole service stack in one file, and how they connect to each other, and which container has an internet connection and which is separated from the network. You can do segmentation in this case, where containers can see only each other, for example, without any internet connection. And that can prevent many, many issues.

The other neat feature is if you own a public domain, and you have a DNS provider which is supported by Let's Encrypt.
You can request a wildcard certificate for that domain without any DNS record involved, just the API keys for the DNS provider, so that the DNS challenge by Let's Encrypt can be done, which sets it above other solutions, I would say. And with that you will have a wildcard certificate, as I said before, and you can serve it up on your LAN. And with the help of a local DNS server, you can resolve that domain to a local LAN IP address. And that way, you don't need to fiddle around with adding a root certificate or a self-signed certificate to every single device every time. And then you have to redo it at least every two years, because some operating systems like iOS, and basically all the Apple operating systems, have a requirement for certificates where the expiry date is less than a year away, and the root certificate's expiry date is less than two years away; otherwise it wouldn't even allow you to add it as a trusted certificate, which is a pain in the bum.

The next thing is, and as I said before, you will need the DNS server on your LAN to do the domain resolution, and you have to set your devices to use that DNS server as the primary DNS, and you can choose any as a secondary, as a fallback in case your DNS server is not responding or has any other issues.

And then we can add to this infrastructure a VPN solution as well. I'm going to speak later about Tailscale and WireGuard. Well, WireGuard is a really neat solution, and Tailscale is based upon WireGuard with enhanced features, like really good security features, but there are some downsides as well, because you will need to use a public, it's called lighthouse, which is basically a service which helps the clients find each other, and you can set your configurations with the command line and on their online interface, which can only be authenticated with GitHub, Facebook or Gmail I believe, but I will speak about that later in more detail, probably in the next episode.
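The two mechanisms described above, Docker Compose network segmentation and a wildcard certificate obtained through the Let's Encrypt DNS challenge, shown together in one Compose file. This is an added example, not a configuration from the episode or from linuxserver.io; it uses the linuxserver.io SWAG reverse-proxy image the episode mentions later, and the domain, the service names and the Cloudflare DNS plugin are assumed placeholders.

```yaml
# Added example (not from the episode). Assumed values: the domain
# home.example.com, the Cloudflare DNS plugin, and the app/db services.
# The DNS provider API token goes in ./swag-config/dns-conf/cloudflare.ini
# after the first start; no public A record for the LAN hosts is needed.
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - URL=home.example.com
      - SUBDOMAINS=wildcard       # request *.home.example.com
      - VALIDATION=dns            # DNS-01 challenge instead of HTTP-01
      - DNSPLUGIN=cloudflare      # provider must be supported by the certbot plugins
      - EMAIL=admin@home.example.com
    volumes:
      - ./swag-config:/config
    ports:
      - "443:443"                 # only the proxy is reachable from the LAN
    networks:
      - proxy
    restart: unless-stopped

  app:
    image: nginx:alpine           # stand-in for any web service behind the proxy
    networks:
      - proxy                     # reachable by swag ...
      - backend                   # ... and able to reach its database
    restart: unless-stopped

  db:
    image: postgres:15
    environment:
      - POSTGRES_PASSWORD=change-me-placeholder   # constructed placeholder
    networks:
      - backend                   # never on the proxy network, never on the internet
    restart: unless-stopped

networks:
  proxy:
    driver: bridge
  backend:
    driver: bridge
    internal: true                # no outbound route: segmented from the internet
```

The local DNS server then points *.home.example.com at the LAN address of the host running swag, so every device gets a publicly trusted certificate without any per-device root certificate.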
And I wanted to talk about a few communities which are helpful at the very least, and they have really good resources and tutorials, and one of them is linuxserver.io. The community builds and hosts their Docker images, which have a few neat ones. They have, for example, Jellyfin, which is a Plex alternative. They have Syncthing, they have their own WireGuard solution, Nextcloud, SWAG, and this is one of them which I'm going to speak about in more detail, because this is one of the neatest ones, because it is a modified nginx server, which applies for certificates and renews them automatically, and you basically just need to edit the Docker Compose file on first start and modify a configuration file afterward, and when you want to put a service behind the reverse proxy, you just have to use their templates and modify them to your needs. I will speak about this one as well later, because this will be one of the pillars of our project.

And the next one is Home Assistant. This one is basically, as it says, a home automation service, which is fully open source. I think it was acquired by Nabu Casa recently, but they are working with an Apache license, and most of their code is written in Python. So it's easy to make integrations and your own plugins and your own automations, and you can run it basically on a Raspberry Pi. They recommend 3 or 4, but I would say Raspberry Pi 4 is more than capable of running this. It mostly depends on what you want to, or to what extent you want to use it, as with many services.

By the end of this series, I would like to end up with a GitHub or GitLab repository with scenarios and example configuration files, which you can then download and replicate yourself. I'll leave a few links in the show notes where you can check out these communities and a few interesting services, which can be useful in a small infrastructure for a family, or a small company I would say.

You've been listening to Hacker Public Radio at HackerPublicRadio.org.
Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR is kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 4.0 International license.