Back up your data and configs. Run docker. Run portainer to manage docker compose. Make a stack for each container and deploy. Use Nginx-proxy-manager to manage routing your domains. Open the ports on your router to NPM. If public run strong passwords and 2fa. If private but with local ssl you can use your local ip and it works the same, at least via cloudflare and npm.
Thank you! That’s helpful. How would you go about setting up a password and 2FA for your own site? I would like to make my services “publicly” available (to myself and friends/family)
I highly recommend getting them to access your sites over VPN, not publicly; then you don’t have to worry about this at all. For services that don’t have 2fa you can route the services from NPM to authentik. Then in authentik you have another password and can set up 2fa. Authentik is awesome.
You will be shocked how many times your sites are attacked by bots per day. Think five thousand plus.
You can also use fail2ban to block those IPs.
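An added illustration, not part of the thread, of the failure-counting idea behind blocking bot IPs from a reverse proxy's access log: count 401/403 responses per client inside a sliding time window. The log lines, the function name and the `max_retry`/`find_time` parameters are constructed for this example; fail2ban itself does this through its own filter and jail configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" format (documentation-range IPs,
# not real traffic), in chronological order.
SAMPLE_LOG = """\
192.0.2.44 - - [12/Mar/2025:09:00:00 +0000] "GET /admin HTTP/1.1" 401 179 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:09:30:00 +0000] "GET /admin HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:00:03 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:00:05 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.5.0"
198.51.100.20 - - [12/Mar/2025:10:01:00 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
198.51.100.20 - alice [12/Mar/2025:10:01:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:10:02:00 +0000] "GET /admin HTTP/1.1" 401 179 "-" "Mozilla/5.0"
"""

# client IP, timestamp and HTTP status from one access-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')


def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return IPs with at least max_retry 401/403 responses within find_time.

    Assumes the log is in chronological order, as an access log normally is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent auth failures
    offenders = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, status = m.group(1), m.group(2), int(m.group(3))
        if status not in (401, 403):
            continue              # only failed authentication/authorization counts
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry and ip not in offenders:
            offenders.append(ip)
    return offenders


if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

The single mistyped password from 198.51.100.20 and the three failures from 192.0.2.44 spread over an hour stay below the threshold; only the burst from 203.0.113.7 is flagged.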
I’ll definitely do that! Thanks for the recommendations
I’ve done that before.
Docker is pretty easy to use, don’t get intimidated. Start with a simpler service that you’ve used before so you can understand which string is tied to where.
What’s great with Yunohost is its domain controls. It’s very easy to set up a free domain, or use your own domain with it. So that’s the main reason I’m keeping Yunohost around.
One thing, if you think to use them in conjunction: YH has a firewall and occupies some ports that could conflict with Docker containers.
Thank you!
Are there any simple services you’d recommend starting with to get a feel for things? I’ll probably start with AdGuard, unless there’s a better option
And I don’t plan to use both at the same time, so conflicting ports shouldn’t be an issue.
Is the process for configuring your own domain with Docker enough of a pain that I should consider sticking with YunoHost?
Put Adguard in second spot since it does some non-basic stuff with networking.
Do you use any *arr? Those are easy enough. Or Jellyfin maybe? My top recommendation would be Portainer, which offers a handsome interface for Docker management. That will help you out of the sea.
Docker doesn’t really offer any domain-related functionality at all. You can host an app for that as well, but I found YH is just easier.
I don’t use any *arr, though I’ve been meaning to look more into it. I do use Jellyfin though, so I’ll probably start there.
I’ll take a look at Nginx proxy manager for domain configuration, like another user in this thread suggested
Docker doesn't have anything to do with your own domain, the process is the same either way. Essentially your reverse proxy will handle the domain traffic and SSL, and your local DNS server will resolve the domain to the server IP.
That reverse proxy thing Yunohost has going is a bad habit to get selfhosters into.
Why is that? I’m switching away regardless, so I’m just curious. I started using it because it made everything simple
Every application you expose to the internet, even via a reverse proxy, increases the chances you'll get popped. Set up Tailscale or another VPN for every device that accesses these applications. If you absolutely need real SSL certs because you can't just use private certs, you can turn on forwarding to a proxy like Nginx Proxy Manager for long enough to pull a cert, but otherwise you should just reference the internal address of that proxy from devices over the VPN or locally in the network. Tailscale has very good documents on how to set up a secure network using VPN. You can also use DNS-only certs instead of opening the firewall.
If you have to, set up a local DNS like Technitium or even Pihole with custom entries to give you internal name resolution for your registered domain/host names.
If you absolutely, positively need to expose an application, at least use Basic Auth on that hostname. It drastically reduces the attack surface before it gets to the application.
To add to this, you should practice good security elsewhere as well:
- host everything in containers, and only let them access what they need
- manage TLS behind your firewall, so a vulnerability doesn't expose packets for other services
- run your containers with minimal privileges (look into podman, for example), so they'll be limited if they escape the container
- use a strong root password (or no root), and put passwords on any SSH keys you use there (e.g. for git repos, accessing other servers, etc)
Once you expose something inside your network, you need to ramp up security.
Personally I use Dokploy. It's a dead simple docker web UI that makes domains and ssl easy peasy
Dokploy
This is neat, but not having an install guide and just a "run this script you got off the internet" is a huge no-no.
They need to just provide the docker-compose and .env files.
Sadly it's a bit more complicated than just a docker container, but there is the manual install doc that goes into a bit more detail.
For anything deeper you'd have to read the script.
That script just runs a single docker container at the end. But it also inits swarm so would break an existing setup that doesn't use swarm. I don't like this project so far.
I started learning on Unraid OS and it's pretty easy to get started as a newbie. They have a CA Apps plugin/store (free, though) that has pre-built docker templates for popular software. Makes it easy to get started.
In the same OS you can also host VMs in case you're trying to run something not suited to docker.
Depends how deep down the rabbit hole u wanna go?
I assume ur accessible via ipv4 (no cgnat) otherwise ur in for a far bigger pain in the ass.
Simple u can use portainer and it makes it relatively easy. Otherwise u can use docker compose if u want more fine grained control and are willing to learn a little more.
Dr GPT is usually pretty good at writing docker compose files given the application readme.