# Selfhosting

**Selfhosting** means running useful programs on hardware that you own and control. You pay for the hardware and the electricity, but that's about it.

# Security

Client certificates are a good way to lock down a self-hosted website (when properly set up): with client verification enforced, the web server rejects any TLS connection that does not present a certificate signed by your own CA, so the application behind it never sees unauthenticated traffic. See https://fardog.io/blog/2017/12/30/client-side-certificate-authentication-with-nginx/

# Communication

Self-hosted means of communication.

## Matrix homeserver

* Conduit: https://conduit.rs - config at /etc/matrix-conduit/conduit.toml

## Power saving

Here's some useful knowledge from this [kind person](https://lemmy.world/comment/11182470) when building systems focused on low power usage:

* *Eliminate features you don't really need. E.g. do you really need a RAID 10 configuration with 4 disks? Or can you get by with 2, or maybe even 1 (which might mean you experience downtime while waiting for a new HDD, but you do keep backups right?).*
* *Standard 300-400W ATX power supplies are inefficient under low loads (meaning much AC goes to waste converting it to DC). Use a PicoPSU (or a motherboard that runs on DC). Search for a high-quality power adapter (e.g. Leicke) that's rated for low loads. Just make sure your PSU can handle booting, when your system will draw much more.*
* *Install drivers for motherboard features you don't need (like soundcards or wifi) and then switch them off in the OS, as this usually sets them in a more power-efficient state than disabling them in BIOS.*
* *SSDs use less power than HDDs but get expensive for higher capacities. I use an NVMe SSD as a startup drive and to host my containers, and 2.5" 5400rpm HDDs for storage. Those disks are slow but get the job done, and despite running 24/7 there haven't been any failures.*
* *I installed a passive cooling block on the CPU and optimized the airflow in the case. It has 3 (small, as it's a 1U server case) case fans that are controlled by fancontrol and only kick in when the CPU's temp is > 60°C, which is not very often.
This also means it's very quiet ;-).*
* *Make sure to configure all power settings in the OS of your choice (powertop and tlp for linux).*

Security advice
---------------

Some useful thoughts from this [kind person](https://lemmy.world/comment/11371355):

*"Anything exposed to the internet will be found by the scanners. Moving ssh off of port 22 doesn't do anything except make it less convenient for you to use. The scanners will find it, and when they do, they will try to log in.*

*(It's actually pretty easy to write a little script to listen on port 20 (telnet) and collect the default login creds that the worms so kindly share)*

*The thing that protects you is strong authentication. Turn off password auth entirely, and generate a long keypair. Disable root login entirely.*

*Most self-hosted software is built by hobbyists with some goal, and rock solid authentication is generally not that goal. You should, if you can, put most things behind some reverse-proxy with a strong auth layer, like Teleport.*

*You will get lots of advice to hide things behind a vpn. A vpn provides centralized strong authentication. It's a good idea, but decreases accessibility (which is part of security) - so there's a value judgement here between the strength of a vpn and your accessibility goals.*

*Some of my services (ssh, wg, nginx) are open to the internet. Some are behind a reverse proxy. Some require a vpn connection, even within my own house. It depends on who it's for - just me, technical friends, the world, or my technically-challenged parents trying to type something with a roku remote.*

*After strong auth, you want to think about software vulnerabilities - and you don't have to think much, because there's only one answer: keep your stuff up to date.*

*All of the above covers the P in PICERL (pick-uh-rel) for Prepare. I stands for Identify, and this is tricky.*
*In an ideal world, you get a real-time notification (on your phone if possible) when any of these things happen:*

> * *Any successful ssh login*
> * *Any successful root login*
> * *If a port starts listening that you didn't expect*
> * *If the system watching for these things goes down (have two systems that watch each other)*

*That list could be much longer, but that's a good start.*

*After Identification, there's Contain + Eradicate. In a homelab context, that's probably a fresh re-install of the OS. Attacker persistence mechanisms are insane - once they're in, they're in. Reformat the disk.*

*R is for recover or remediate depending on who you ask. If you reformatted your disks, it stands for "rebuild". Combine this with L (lessons learned) to rebuild differently than before.*

*To close out this essay though, I want to reiterate Strong Auth. If you've got strong auth and keep things up to date, a breach should never happen. A lot of people work very hard every day to keep the strong auth strong ;)"*

See also
--------

* [Awesome-Selfhosted](https://awesome-selfhosted.net/) -> selfhosted programs directory
* https://landchad.net/ -> layman's guide to selfhosting various services (website, email, etc)
* https://cheapskatesguide.org/articles/raspberry-pi-website.html -> website from scratch on a raspberry pi
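The Prepare and Identify steps from the security advice above (strong SSH authentication first, then alerting on successful and root logins and on unexpected listening ports), as an added example that is not part of this page or of either quoted comment. It is a small Python audit script: one function flags weak or missing `sshd_config` directives (a weak sample config sits next to a hardened one), one extracts successful SSH logins from OpenSSH log lines, and one reports listeners that are not in a recorded baseline. The config texts, log lines and `ss -tlnH` output are constructed samples embedded inline, and every function and constant name here is my own choice.

```python
"""Added example (not from the page or the quoted comments): audit helpers for
the Prepare and Identify steps. Every input below is a constructed sample."""
import re
from typing import Dict, List, Set

# ---- Prepare: strong authentication in sshd_config --------------------------
# Directive -> value we insist on. OpenSSH defaults PasswordAuthentication to
# "yes", so an absent directive is treated as weak, not as "probably fine".
REQUIRED_SSHD: Dict[str, str] = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",   # PAM-backed password prompts
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global directives, lower-cased. sshd honours the first occurrence
    of a directive, so later duplicates are ignored; parsing stops at the first
    Match block because everything below it is conditional."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.split()[0].lower() == "match":
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip().lower())
    return effective

def weak_sshd_settings(text: str) -> List[str]:
    """Directives that are unset or differ from the hardened value."""
    cfg = parse_sshd_config(text)
    return [f"{key} is {cfg.get(key, 'unset')}, want {want}"
            for key, want in REQUIRED_SSHD.items() if cfg.get(key) != want]

# ---- Identify: successful SSH logins from sshd log lines ----------------------
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                      r"from (?P<src>\S+) port (?P<port>\d+)")

def successful_ssh_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Every 'Accepted ...' line is a completed login. Failures are ignored on
    purpose: the advice is to alert on success, not on constant scanner noise."""
    return [m.groupdict() for m in map(LOGIN_RE.search, lines) if m]

def root_logins(lines: List[str]) -> List[Dict[str, str]]:
    return [hit for hit in successful_ssh_logins(lines) if hit["user"] == "root"]

# ---- Identify: listening ports that are not in the baseline -------------------
def listening_ports(ss_output: str) -> Dict[int, Set[str]]:
    """Parse `ss -tlnH` output (State Recv-Q Send-Q Local:Port Peer:Port ...)
    into port -> set of local addresses."""
    ports: Dict[int, Set[str]] = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")     # handles "[::]:22" as well
        ports.setdefault(int(port), set()).add(addr)
    return ports

def unexpected_listeners(ss_output: str, baseline: Set[int]) -> Dict[int, Set[str]]:
    """Ports listening now that were not in the baseline you recorded on a clean
    host. Loopback-only listeners are reported too: a new process is still news."""
    return {p: a for p, a in listening_ports(ss_output).items() if p not in baseline}

# ---- Constructed samples ------------------------------------------------------
SAMPLE_SSHD_CONFIG = """\
# weak sample: password auth left at its default ("yes"), root allowed with keys
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""
SAMPLE_LOG = [   # constructed sshd lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "Jun  3 10:12:01 nas sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:k3z...",
    "Jun  3 10:13:44 nas sshd[1240]: Failed password for root from 198.51.100.7 port 41000 ssh2",
    "Jun  3 10:15:02 nas sshd[1250]: Accepted password for root from 198.51.100.7 port 41022 ssh2",
]
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:6379       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
"""
BASELINE_PORTS = {22, 443}

if __name__ == "__main__":
    for finding in weak_sshd_settings(SAMPLE_SSHD_CONFIG):
        print("sshd:", finding)
    for login in successful_ssh_logins(SAMPLE_LOG):
        tag = "ROOT LOGIN" if login["user"] == "root" else "login"
        print(f"{tag}: {login['user']} via {login['method']} from {login['src']}")
    for port, addrs in unexpected_listeners(SAMPLE_SS, BASELINE_PORTS).items():
        print(f"unexpected listener: port {port} on {', '.join(sorted(addrs))}")
```

On a real host, feed `weak_sshd_settings` the output of `sshd -T` (the effective configuration with defaults resolved, which is what actually matters), `successful_ssh_logins` the lines from `journalctl -u ssh` or `/var/log/auth.log`, and `unexpected_listeners` the live `ss -tlnH` output against a baseline you saved right after a clean install; then route the findings to whatever push notification you already use, and run the script from a second machine too, so the two watch each other as the comment suggests.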