Self-Hosted Alternatives to Popular Services

A place to share, discuss, discover, assist with, gain assistance for, and critique self-hosted alternatives to our favorite web apps, web...

1
 
 
This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/arturcodes on 2025-12-18 09:38:33+00:00.


If not I'd be more than happy to make it.

2
 
 
The original was posted on /r/selfhosted by /u/Aruscha on 2025-12-18 10:17:50+00:00.


Life is short, and you never know when it will end.

Since I’m the admin of my own server, I’ve been thinking about how my wife could access important data if I were suddenly no longer around — regardless of the reason. That leads me to the question:

What is a sensible and realistic way to handle this? Specifically:

Written instructions or a video guide?

USB stick or external hard drive?

Where do you store it safely (fire, water damage, etc.)?

What should actually be included? e.g. Bitwarden master key / password access explanations or walkthroughs

How complex should encryption be without becoming a burden for survivors?

One idea I’m considering: Using an encrypted drive, where the decryption key is derived from a puzzle (e.g. a Sudoku) based entirely on shared life events only we would know.

I’m not fully convinced yet. And to be honest, thinking about this feels pretty strange.

How did you handle this — or how would you approach it?

3
 
 
The original was posted on /r/selfhosted by /u/solumath99 on 2025-12-18 13:32:14+00:00.


In July 2025 Let's Encrypt announced they issued their first IP cert and that they were testing it for general availability. Now it is available to anyone!

This switch will also mark the opt-in general availability of short-lived certificates from Let’s Encrypt, including support for IP Addresses on certificates.

Source: https://community.letsencrypt.org/t/upcoming-changes-to-let-s-encrypt-certificates/243873

There are, however, many cons for this:

As a matter of policy, Let’s Encrypt certificates that cover IP addresses must be short-lived certs, valid for only about six days. As such, your ACME client must support the draft ACME Profiles specification, and you must configure it to request the shortlived profile. And, probably not surprisingly, you can’t use the DNS challenge method to prove your control over an IP address; only the http-01 and tls-alpn-01 methods can be used.

Source: https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate

I will keep my domains as they are handier than IPs but this could be useful to others if they for some reason don't want/can't afford their domain.

4
 
 
The original was posted on /r/selfhosted by /u/xbufu on 2025-12-18 07:38:42+00:00.


Just read this in r/cybersecurity:

Docker released their hardened images catalog under the Apache 2.0 license for anyone to use for free: https://www.docker.com/blog/docker-hardened-images-for-every-developer/

Seems like a drop-in replacement, since you can simply change something like traefik:v3 to dhi.io/traefik:v3

Seems pretty awesome, I think I will be gradually rolling this out in my homelab.

5
 
 
The original was posted on /r/selfhosted by /u/FunnyRice8193 on 2025-12-18 03:05:44+00:00.


Hi,

I hate URL shorteners that share the same domain as others, like bit ly, but I realized that using a custom domain often costs money or is difficult with self-hosting. So I created openshort.link, an all-in-one, open-source, serverless URL shortener. It runs 100% on Cloudflare and offers one-click installation.

It provides a complete set of features:

  • Multi-domain support
  • Custom domains with Cloudflare routing support (it works on the exact same domain you already use for another website, unlike other self-hosted URL shorteners),
  • Geo- and device-based redirects
  • Multi-user support
  • Full analytics powered by Cloudflare Analytics Engine
  • Custom slugs
  • Custom redirect codes
  • QR code generation
  • Export and import of data with flexible columns
  • And more

It also offers one-click installation and can be ready in less than five minutes if you already have a domain on Cloudflare. Let me know what you think or if you have any suggestions for improvement.

Thank you

6
 
 
The original was posted on /r/selfhosted by /u/Open-Coder on 2025-12-18 03:14:20+00:00.


I was recently introduced to Ente by its users who requested Ente's integration with Journiv. It appears to be very similar to Immich (my favorite for photos/videos management) but one major difference is that Ente has E2EE.

E2EE, when implemented correctly, means the server has no idea about the content (when it sees it, even before it is stored at rest) and hence it cannot do any kind of ML/analytics work on the data, which I believe is good for their model compared to Immich given Ente is a cloud-first offering (no ML compute needed on their end). They do have a self-hosted version. From my initial research it seems like they rely on "on device ML" only for face/object detection etc. I am wondering how their ML features compare to Immich given they do ML on device only.

Does anyone here have any experience using both extensively to share some insights?

Thanks.

7
 
 
The original was posted on /r/selfhosted by /u/Antiqueempire on 2025-12-17 20:53:40+00:00.


Hey everyone,

I’ve been working on a project to solve SSH key sprawl and sudo password risk without relying on cloud services or heavyweight enterprise tooling.

The result is Ephemera, a self-hosted, air-gap-friendly SSH Certificate Authority built entirely on native OpenSSH features.

GitHub: https://github.com/Qarait/ephemera

What it does (high level):

  1. Replaces static SSH keys with short-lived certificates (minutes)

  2. Enforces WebAuthn-based physical presence for certificate issuance

  3. Adds Just-in-Time sudo: when you run sudo, the command pauses and waits for an explicit approval (via PAM hook)

  4. Policy-driven RBAC via policy.yaml (OIDC groups, IP ranges, time windows, device IDs)

  5. Tamper-evident audit logging (hash-chained, streamed off-box)

  6. Sovereign disaster recovery using AES-256 encrypted backups + Shamir’s Secret Sharing

  7. Fully Dockerized, no cloud dependencies, air-gap capable

Design goals:

No MITM SSH proxy

No custom SSH protocol

No always-on root access

Use native OpenSSH + PAM wherever possible

I’m not trying to sell anything; this is an open-source project and I’m looking for an architecture review.

8
 
 
The original was posted on /r/selfhosted by /u/w453y on 2025-12-18 01:41:17+00:00.


It's no longer maintained.

https://github.com/containrrr/watchtower/discussions/2135

9
 
 
The original was posted on /r/selfhosted by /u/Kellojoo on 2025-12-17 22:20:37+00:00.

Original Title: I built yet another homelab dashboard, which is configurable via a YAML file. This one has a dedicated backend server, doesn’t expose your credentials to the frontend, and keeps track of data in a history for you to marvel at from time to time.

10
 
 
The original was posted on /r/selfhosted by /u/legendaryflower on 2025-12-17 19:35:24+00:00.


I basically have set up a VPS using RackNerd to host Pangolin to publicly expose some services I run in my home lab. One of them, Jellyfin, is quite difficult to do. Specifically, the iOS, Android and Android TV apps do not pass the authentication natively.

I just want an easy way to access the Jellyfin server without a VPN while still having great security for potential hackers. I would do an IP whitelist but if I or my wife goes to a hotel or even uses mobile data those IPs will always change. I just wish there was a native 2FA functionality to Jellyfin so all my needs would be pretty much met.

My question is: how do you all secure your public-facing Jellyfin instance? In my case I use Pangolin as a secure tunnel. I have scoured the internet and have not found any good options that really check all my boxes. Here are a few of my requirements.

1. Easy to access - (Easy enough for a wife / family member to understand)

2. Access to iOS, Android, Android TV apps

3. No VPN (Kinda goes into ease of access)

4. Secure enough to not allow any intruders access

5. No information to be distributed to any 3rd party apps. (Like Cloudflare would be able to see exactly what we are watching or potentially where we got said content)

EDIT 1: Authentik does not work on mobile applications. Only WebUI. I see a lot of people saying it but not really a solution for my use case or many for that matter.

11
 
 
The original was posted on /r/selfhosted by /u/ArtisticHamster on 2025-12-17 18:48:16+00:00.


It seems that these two tools are related a lot to each other. What are advantages or disadvantages of each of them? Which ones do you run yourself? Which one would you recommend? Are there any pitfalls?

12
 
 
The original was posted on /r/selfhosted by /u/KungFuDazza on 2025-12-17 22:37:27+00:00.


Couldn't see that this was already posted, but it looks like they changed their minds..... for now. Still probably worth researching other options.

https://www.theregister.com/2025/12/17/github_charge_dev_own_hardware/

13
 
 
The original was posted on /r/selfhosted by /u/Jhaspelia on 2025-12-17 20:57:35+00:00.


Edit: messed up the code junction. Will fix it asap

Hey folks

after years of “it works on my LAN” deployments and 3am outages caused by me, I rebuilt my self-hosted setup with one goal:

Make it boring. Boring = predictable routing, consistent auth, sane backups, and a clean way to add new apps without breaking old ones.

This is what I landed on (single node, but structured so I can grow to 2–3 nodes later).

Goals

One reverse proxy config style for everything

SSO/2FA for anything exposed (even “harmless” dashboards)

Automated brute-force mitigation without me babysitting logs

Backups that don’t rely on “I’ll remember next week”

“Add a new service” should be 5–10 mins max

Stack overview

Docker (compose) for services

Traefik for reverse proxy + automatic TLS

Authelia for SSO + 2FA (forwardAuth)

CrowdSec for bouncer-based protection (Traefik bouncer)

Grafana + Prometheus + Loki for basic observability

Restic for backups (to remote storage)

Watchtower only for patch updates on a shortlist (not everything)

Everything lives in a single repo with:

/core (traefik, authelia, crowdsec, monitoring)

/apps (each app gets its own compose file)

/scripts (backup + restore + bootstrap helpers)

What made the biggest difference

  1. A “default deny” pattern for exposure

Anything not explicitly labeled for Traefik is not reachable.

No ports: on app containers unless truly required

Internal networks for service-to-service traffic

Only Traefik binds to 80/443

  2. ForwardAuth everywhere

Even internal-only services get Authelia. It’s less about paranoia and more about consistency. If I later expose something, I’m not retrofitting auth.

  3. Logs/metrics are just enough

I don’t need enterprise APM at home. But I do need:

“What changed?”

“Why is it slow?”

“What’s consuming disk/ram?”

Core compose (trimmed but functional)

core/traefik/docker-compose.yml

    version: "3.9"

    networks:
      proxy:
        external: true

    services:
      traefik:
        image: traefik:v3.1
        container_name: traefik
        restart: unless-stopped
        networks:
          - proxy
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock:ro
          - ./traefik.yml:/etc/traefik/traefik.yml:ro
          - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
          - ./acme:/acme
          - ./logs:/logs
        environment:
          - TZ=Europe/Istanbul

core/traefik/traefik.yml

    api:
      dashboard: true

    entryPoints:
      web:
        address: ":80"
        http:
          redirections:
            entryPoint:
              to: websecure
              scheme: https
      websecure:
        address: ":443"

    providers:
      docker:
        exposedByDefault: false
      file:
        filename: /etc/traefik/dynamic.yml

    certificatesResolvers:
      letsencrypt:
        acme:
          email: you@example.com
          storage: /acme/acme.json
          httpChallenge:
            entryPoint: web

    log:
      level: INFO

    accessLog:
      filePath: "/logs/access.log"

core/traefik/dynamic.yml (Authelia forwardAuth middleware)

    http:
      middlewares:
        authelia:
          forwardAuth:
            address: "http://authelia:9091/api/verify?rd=https://auth.example.com/"
            trustForwardHeader: true
            authResponseHeaders:
              - Remote-User
              - Remote-Groups
              - Remote-Name
              - Remote-Email

Example app (everything looks the same)

apps/whoami/docker-compose.yml

    version: "3.9"

    networks:
      proxy:
        external: true

    services:
      whoami:
        image: traefik/whoami
        restart: unless-stopped
        networks:
          - proxy
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
          - "traefik.http.routers.whoami.entrypoints=websecure"
          - "traefik.http.routers.whoami.tls.certresolver=letsencrypt"
          - "traefik.http.routers.whoami.middlewares=authelia@file"

That label pattern is now copy/paste for any service:

Router rule

TLS resolver

Authelia middleware

CrowdSec + Traefik bouncer (quick notes)

CrowdSec reads Traefik access logs

Bouncer blocks at the proxy level before the app sees traffic

Biggest win: I stopped writing my own half-baked fail2ban rules for container logs

If you’re doing this, the key is making sure Traefik logs include real client IPs (and you’re not behind some weird double NAT / CDN config without setting forwarded headers correctly).

Backups (Restic)

I back up:

Compose files + secrets (encrypted at rest)

App data volumes (for apps that store state)

Traefik ACME json (because reissuing certs on disaster day is annoying)

Daily automated backups + weekly prune. The most important part: I wrote a restore checklist and tested it once. That alone felt like leveling up.

Lessons learned / gotchas

Don’t auto-update everything. Watchtower only touches a “safe list” (Prometheus node exporter, some stateless things). Databases and core auth are manual.

Keep auth/SSO separate from apps. If Authelia is down, I can still SSH and fix things but most apps remain protected by default.

Name your networks intentionally. “proxy” network is the only place where routing happens.

Stop exposing random ports. You almost never need -p 3000:3000 if Traefik exists.

Question for the hive mind

If you’ve done a similar “make it boring” rebuild:

What’s your preferred approach for secrets (sops, docker secrets, vault, …) in a homelab?

Any opinionated alternatives to Authelia that you’ve found simpler (or more robust) for a small setup?
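
One way to check the "default deny" and "ForwardAuth everywhere" rules above mechanically, as an added example that is not part of the original post: a Python audit over the JSON printed by `docker compose config --format json`. The `audit` function, the `SAMPLE` document and its `grafana` service are constructed for illustration; the `authelia@file` middleware and `websecure` entrypoint names are the ones used in the post.

```python
import json

REQUIRED_MIDDLEWARE = "authelia@file"  # middleware name from the post's dynamic.yml
PROXY_SERVICE = "traefik"              # assumption: the only service allowed to publish ports


def _labels(service):
    """Return labels as a dict; compose accepts a list of "k=v" or a mapping."""
    raw = service.get("labels") or {}
    if isinstance(raw, dict):
        return {str(k): str(v) for k, v in raw.items()}
    parsed = {}
    for item in raw:
        key, _, value = str(item).partition("=")
        parsed[key] = value
    return parsed


def audit(compose):
    """Return (service, problem) pairs for one parsed compose document."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        labels = _labels(svc)
        if svc.get("ports") and name != PROXY_SERVICE:
            findings.append((name, "publishes host ports; route through Traefik instead"))
        if svc.get("network_mode") == "host":
            findings.append((name, "uses host networking, bypassing the proxy network"))
        if labels.get("traefik.enable", "").lower() != "true":
            continue  # not routed at all, because exposedByDefault is false
        routers = {k.split(".")[3] for k in labels
                   if k.startswith("traefik.http.routers.") and k.count(".") >= 4}
        if not routers:
            findings.append((name, "traefik.enable=true but no explicit router labels"))
        for router in sorted(routers):
            prefix = f"traefik.http.routers.{router}."
            chain = [m.strip() for m in labels.get(prefix + "middlewares", "").split(",")]
            if REQUIRED_MIDDLEWARE not in chain:
                findings.append((name, f"router '{router}' lacks {REQUIRED_MIDDLEWARE}"))
            if labels.get(prefix + "entrypoints") != "websecure":
                findings.append((name, f"router '{router}' is not limited to websecure"))
    return findings


# Constructed sample: whoami follows the post's label pattern, grafana does not.
SAMPLE = json.loads(r"""
{"services": {
  "traefik": {"image": "traefik:v3.1",
              "ports": [{"target": 80, "published": "80"},
                        {"target": 443, "published": "443"}]},
  "whoami": {"image": "traefik/whoami", "labels": {
      "traefik.enable": "true",
      "traefik.http.routers.whoami.rule": "Host(`whoami.example.com`)",
      "traefik.http.routers.whoami.entrypoints": "websecure",
      "traefik.http.routers.whoami.tls.certresolver": "letsencrypt",
      "traefik.http.routers.whoami.middlewares": "authelia@file"}},
  "grafana": {"image": "grafana/grafana",
              "ports": ["3000:3000"],
              "labels": ["traefik.enable=true",
                         "traefik.http.routers.grafana.rule=Host(`grafana.example.com`)",
                         "traefik.http.routers.grafana.entrypoints=websecure"]}
}}
""")

if __name__ == "__main__":
    for service, problem in audit(SAMPLE):
        print(f"{service}: {problem}")
```

Run per compose file in CI or a pre-commit hook and fail the check when `audit` returns anything.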

14
 
 
The original was posted on /r/selfhosted by /u/HariSeldon11 on 2025-12-17 13:02:03+00:00.


If you're in this sub, probably not, but I'm curious to know if you or someone you know experienced the classic bell curve. What I mean is: started by not caring about self hosting and using google cloud, developed a complex homelab system to self host everything, get tired of maintenance costs and got the feeling that in the end it all looks purposeless, go back to google cloud (you can add a middle stage of moving everything to Hetzner and friends before going back to google cloud).

I'm just curious to know the experience of people about self hosting maintenance on the long term, thank you!

15
 
 
The original was posted on /r/selfhosted by /u/PanSalut on 2025-12-17 16:51:28+00:00.


Hey r/selfhosted!

I built a simple grocery list app for me and my wife. We needed something to sync our shopping list in real-time while at the store. Tried a few apps but they were either too bloated or required accounts/subscriptions.

https://preview.redd.it/nu836bfdos7g1.png?width=1900&format=png&auto=webp&s=dfcf8f271f865455a80f83be009e5a72a67a3e69

I wanted to share it with you - so if you need something like this, feel free to check it out!

Features:

  • Real-time sync via WebSocket
  • Organize items into sections (Dairy, Vegetables, etc.)
  • Mark items as "uncertain" (can't find it in the store)
  • Simple password login (no registration needed)
  • Mobile-first responsive design

Tech:

  • Go + Fiber + SQLite + HTMX
  • ~16 MB on disk, ~2.5 MB RAM
  • Single Docker command to deploy

Links:

⚠️ Note: The app is still in active development and there might be bugs. I appreciate any feedback and encourage you to test it out!

16
 
 
The original was posted on /r/selfhosted by /u/shol-ly on 2025-12-17 13:00:57+00:00.


Hey, r/selfhosted! I've been working on a post for the past several months that I thought would be a fun, appropriate Wednesday topic for this subreddit -- commonly mispronounced self-hosted software names.

The list includes software like Immich, Dawarich, and Forgejo, along with source links or direct quotes from devs when pronunciations aren't published publicly.

Let me know if there are any I've missed!

Self-Hosted Software Names You're Probably Mispronouncing

17
 
 
The original was posted on /r/selfhosted by /u/hedonihilistic on 2025-12-17 09:23:40+00:00.

18
 
 
The original was posted on /r/selfhosted by /u/NFTruth69 on 2025-12-17 08:47:58+00:00.


Hi everyone,

I’ve just finished a Raspberry Pi project where I already host several services to add a first layer of security and privacy at home (Pi-hole, Unbound, CrowdSec with Bouncer Firewall, PiVPN with WireGuard, etc.).

It might not be the best time (hello skyrocketing hardware prices 😅), but I’d like to start building and configuring a NAS from scratch.

I’m a big movie enthusiast. On one hand, this NAS will be used to host my movies and TV shows on media platforms (listed below), and on the other hand, it will also serve as storage for files and photos.

Hardware configuration:

  • Intel Core i3-8100 (I need Quick Sync for H.265 / HEVC content)
  • 8 GB DDR4 RAM
  • M.2 SSD to keep the Ubuntu Server OS separate from data
  • 3× 3.5" CMR HDDs
    • 2 for files/photos in RAID 1
    • 1 dedicated to movies

Software stack I’m planning to run:

  • Jellyfin – media streaming server
  • qBittorrent – download client
  • Arr stack (Sonarr, Radarr, Prowlarr, Bazarr, Homarr)
  • Nextcloud – file storage and collaboration
  • MariaDB – database backend for Nextcloud
  • Redis – cache to speed up Nextcloud (pretty much mandatory with 8 GB RAM)
  • Immich – self-hosted photo/video management
  • Vaultwarden – password manager
  • Portainer – web UI for managing Docker containers
  • Watchtower – automatic container updates
  • Scrutiny – disk health monitoring
  • Duplicati – automated backups to the cloud

The goal of this post is to get advice, both on the hardware choices and on the software stack.

I’d love to hear your feedback and real-world experience!

19
 
 
The original was posted on /r/selfhosted by /u/XanelaOW on 2025-12-17 07:30:14+00:00.

20
 
 
The original was posted on /r/selfhosted by /u/Legendexe07 on 2025-12-17 04:49:51+00:00.


I manage a bunch of Docker containers on my home server and got tired of typing docker ps constantly, so I built a TUI for it.

What it does:

  • Real-time container stats (CPU, memory, network, disk I/O)

  • Interactive logs and shell access

  • Start/stop/restart with single keypress

  • Works over SSH (terminal-based)

Built with Go and Bubble-Tea.

GitHub: https://github.com/shubh-io/dockmate

https://i.redd.it/ahf3gcvl2p7g1.gif

Would love to hear what y'all think, any features you'd want to see?

21
 
 
The original was posted on /r/selfhosted by /u/Guruthien on 2025-12-16 22:57:00+00:00.


Spent weeks researching distroless for our security posture. On paper it's brilliant; smaller attack surface, fewer CVEs to track, compliance teams love it. In reality tho, no package manager means rewriting every Dockerfile from scratch or maintaining dual images like some kind of amateur hour setup.

Did my homework and found countless teams hitting the same brick wall. Pipelines that worked fine suddenly break because you can't install debugging tools, can't troubleshoot in production, can't do basic system tasks.

How are you all actually solving this without turning it into a full-time image babysitting job? What's your go-to for keeping familiar build workflows (apk, curl, etc.) while still shipping lean runtime images? Desperate for battle-tested hacks on multi-stage setups that don't explode CI/CD times or force constant rebuilds.

22
 
 
The original was posted on /r/selfhosted by /u/Th3Appl3 on 2025-12-16 20:52:49+00:00.


I certainly have had my fair share of failures throughout my journey in self-hosting. I figured it might be nice to have people share their embarrassing stories in an attempt to prove we all have our moments.

23
 
 
The original was posted on /r/selfhosted by /u/Servo__ on 2025-12-16 17:39:40+00:00.


I feel like I'm flying by the seat of my pants here, piecing together info from docs and reddit threads found through searches in order to write docker compose and .env files so things will actually run. My brain is filled with half-knowledge on a bunch of different things, but I always feel like I'm missing the big picture. I went down the rabbit hole of asking AI too much stuff, and tbh I have learned a lot, but I've also wasted a lot of time on hallucinations. I want to be a lot more self-reliant.

~~If I were to sit down and study what should I focus on? What would you say are some of the core concepts and skills to have and what are the best ways to learn them?~~

Let me rephrase this a bit. Yes I am looking for direction, but it doesn't quite make sense to ask strangers to just arbitrarily point me in a direction. These questions reflect questions I do have, but they're what I'm trying to answer with the question in the title and I should've been a lot more clear about that. What are the most important things YOU learned? That's what I'm really asking here. To go into more detail than the initial post, I'm asking if people are willing to share their experience in learning, which directions they went and why because I think that might be valuable to me and others. Did you go to school? What were some of your aha moments? What do you feel like that you do well and how did you develop that? I think in aggregate I can gain some information about what I may want to do, and maybe others can too.

24
 
 
The original was posted on /r/selfhosted by /u/Basic-Bobcat3482 on 2025-12-16 18:21:39+00:00.


0.002 EUR x minute

GITHUB? We just got the email today in the company and I am looping.

It is not about the price, but it is self-hosted; it is like paying a license to GitHub for using GitHub. It is the start of paywalled FOSS.

25
 
 
The original was posted on /r/selfhosted by /u/ForbiddenException on 2025-12-16 18:01:26+00:00.


https://preview.redd.it/ag2w5cdkul7g1.png?width=519&format=png&auto=webp&s=cf5ea7559778d6dd4cfbc835da4733ef7003f9b2

Just received this e-mail from GitHub... Beginning March next year, even self-hosting our own runner won't be free anymore.

https://resources.github.com/actions/2026-pricing-changes-for-github-actions/
