ADDENDUM - The marvelous world of self-hosting and shared hosting

2024-08-14 (Updated: 2025-12-03) | 2509 words

Thanks to your awesome feedback~

Since I published the previous blogpost, I have thought about some additions. Furthermore, I got some feedback from @[email protected] and @[email protected], as well as @[email protected] and @[email protected], that I wanted to include too.

Note that this is an addendum to my previous blogpost about self-hosting, which will be directly added to it. I made a separate post for the RSS feed.

The bus factor (more like the Isekai factor)

From Brodokk:

You didn't talk much about the bus factor in the end. While you don't host a mail server, you host a pwd manager, and this can become problematic if you are the only one to admin the servers or they are at home.

With an additional response:

[… If] you or the server have a "hardware" issue, what happens, what to do? Like when the server needs a hard reboot or you're just at the hospital and you need to do something with a server and you can't fix the service you need (like an email to your insurance).

This is something that I didn’t mention, and I think it’s really important to add a section about this.

When you host your own website, your own services, when you take your online presence into your hands, you must also think about what would happen when you’re no longer here.

Murphy’s law corollary: When you get hit by a truck, your server will break.

Behind this morbid joke is a serious topic: what if the servers you administer need some maintenance, but you're no longer here to handle it?

This is less of a problem when you rely on some collectivized hosting, as long as other members have the required information to manage services while you’re away. It is more of a problem when you’re handling everything yourself.

First and foremost, you should have some documentation about your infrastructure. Here is some obvious information you should put in it:

  • What computer/server handles what service?
  • What is the network configuration?
  • How can each service be turned on/off?
  • If you’ve had some issues earlier with a given service, write the solution you’ve used, in case you (or someone else) stumbles across a similar issue.
  • Put passwords in some password manager (in a KeePass database, on a Vaultwarden instance…)
  • Make backups (and document where they are and how to restore them)

This way, if someone who isn’t you has to work on your infrastructure, they’ll have all the required keys!

If you're putting everything behind a VPN, you might want to add some trusted peers inside your network, so that they don't have to physically access your servers if it's not needed.

And obviously, when the hardware is located in your house and software support can’t help you (e.g., a failing drive, a power loss, etc.), either your trusted friend has access to your home or you’ll have no other option than waiting to get out of the hospital to handle it yourself~.

You may want to think about “degraded states” too:

  • Should I have an “emergency” page ready to be displayed if my website goes down? (for example, a custom HTTP 502 error page)
  • Can some services be temporarily hosted on some alternative hardware/server? (for example, putting your static website on a temporary VPS)
  • Can I redirect users to an alternative host providing the same services (other members of your collective, some public instance of the service…)?

Getting Thanos-snapped

This is an example I experienced some months ago when I was in my 88x31 hunt phase. I bookmarked a nice blog so that I could check it later. A few days later, the blog disappeared (the domain name still resolved, but it gave a "bad gateway" error). Using the Wayback Machine, I retrieved the blog as it was before and checked for a way to contact the author. Every single service/social media they were using was self-hosted: Matrix, Gitea, their mail service, their blog, XMPP… There was no way to contact them, as every single service was down.

Another example I've seen is someone whose domain name certificate expired (with HSTS enabled), meaning that no web browser would allow them to connect to their website and services. Once again, thanks to the Wayback Machine, I checked their blog and luckily found a way to contact them. They hadn't even noticed that the certificate had expired before I told them!

What I mean is that if you choose to fully rely on services you have full control over, there will be multiple single points of failure: your domain name expiring, your certificates not renewing, your server crashing, your VPN being down… or even your ISP's infrastructure being down, or a power loss at home (which is much more likely to happen when you host your services at home).
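The expired certificate nobody noticed, and the list of single points of failure above, are exactly what an external check catches. Here is such a check in Python, added here as an example and not code from the original post: it performs the full TLS verification a browser would, so an expired or mis-issued certificate shows up as DOWN, and it warns before expiry. The hostnames, the 14-day threshold and the injectable fetcher are assumptions.

```python
"""External liveness check for self-hosted services.

Run it from a machine that is NOT part of your own infrastructure (a
friend's server, a cheap VPS, a free cron service): a check that goes down
together with your server warns nobody.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # assumed threshold: warn when fewer days than this remain


def fetch_not_after(host, port=443):
    """Handshake with full verification and return the leaf certificate's
    notAfter string. An expired certificate makes the handshake fail, which
    is exactly what a browser sees (and HSTS forbids clicking through)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def classify(host, fetch=fetch_not_after, now=None):
    """Return (status, reason) for one host: OK, WARN or DOWN.
    `fetch` is injectable so the logic can be exercised without a network."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch(host)
    except ssl.SSLCertVerificationError as e:
        # expired, wrong name or untrusted certificate: browsers refuse it
        reason = getattr(e, "reason", None) or e
        return "DOWN", f"{host}: certificate rejected ({reason})"
    except OSError as e:
        # DNS failure, connection refused, tunnel down, ISP cut you off...
        return "DOWN", f"{host}: unreachable ({e})"
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expiry - now).days
    if days_left < 0:
        return "DOWN", f"{host}: certificate expired {-days_left} days ago"
    if days_left < WARN_DAYS:
        return "WARN", f"{host}: certificate expires in {days_left} days, is renewal still running?"
    return "OK", f"{host}: certificate valid for {days_left} more days"


if __name__ == "__main__":
    # assumed hostnames; replace with your own and run this from a cron job
    for host in ["blog.example.com", "matrix.example.com"]:
        print(*classify(host))
```

Send the WARN and DOWN lines somewhere that does not depend on your own mail server, for the reasons given in the mail section below.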

Domain names are not something you can fully rely on either. See my blogpost about Freenom and why I no longer have a .tk domain.

For some people, this is ideal, as it means they can almost entirely erase their online presence in an instant (except for archive services like Google Cache or the Wayback Machine). For others, it can be a huge issue.

Try to have at least one way of getting contacted that doesn’t rely on your own services. It can be an obscure mail address you rarely check, a forgotten Fedi account, an XMPP account, anything!

I can get why some people want to disappear from the Internet without leaving traces, so that they can start anew with a different identity. It makes me sad because I've seen numerous awesome people disappear like this and never heard of them again, except for a comment on their profile where someone says that "they started doing something else and are doing fine". Again, this is my personal opinion, and I fully understand these people. They fully have the right to do this. It's just sad to be left on the side like an old toy…

About mail server

From Brodokk:

I do host my own mail server and I still don't find it complicated with mailcow, since you just need to do the configuration, even though it would have taken me some years to fully understand what I was doing and it's still not perfect. And yes, I am the only user, so I don't really trigger the anti-spam system. But as soon as you have more than 3 users I guess the systems start to get mad for no valid reason. But in the end I do think it's a bad idea for mail and password management, even on a dedicated server at OVH, for example. It can be hard to talk with your bank or the company if you can't pay and they shut down both of them. But this is maybe me being too scared to face the situation… Because phones exist…

Phones are scary. I still get deeply anxious when I hear my phone ringing. A phone call feels like a chess game to me… but I have Social Anxiety Disorder, so yeah…

I quickly mentioned hosting your own mail service in the blogpost, but said that it was hard to configure and often ended up being useless, as big companies tend to block custom mail servers. Let's qualify this opinion.

Installing a mail server, especially using a fully-featured Docker image or some helper tools, can be easier than it used to be. Furthermore, you have fewer risks [citation needed] of getting blacklisted if you're the only user on it, as spam can only come from you.

I have contradictory reports about this, as my flatmates have already had issues with their mail servers being blocked by Google or Outlook.

However, it is true that relying on a custom mail service without any backup plan (a standard Big Tech ™️ address) can be dangerous, especially regarding administration. As in the previous section, if your infrastructure is down, you can't access your emails anymore. It would be pretty problematic to miss important bank information because of this…

So yeah, another argument against hosting your mail server if you’re not ready to handle the consequences~ 😰

About using a VPN rather than exposing your IP

From @[email protected]:

Tbf, I think that exposing our home IP address when hosting web services is not as much of a problem as it seems, at least not to the average people. Honestly, I don't care at all, even if I'm very careful about my personal data on the internet (not showing my face, blurring my fingerprints, not talking about some parts of my life, etc.). Maybe the fact that the city returned by geo IP is totally wrong helps me not to care about it, but tbh most people don't care about sharing where they live anyway. All this to say that the VPN advice should be put into perspective imo.

Now is a great moment to link this website made by PikaDude.

I agree that protecting your IP address isn’t a magical solution, and you must take care of your other personal data. After all, a bad actor doesn’t need your IP address if you post a selfie with geolocation EXIF tags on…

It would be far easier [citation needed] for a bad actor to DDoS your services if they have your home IP address than if they only have your VPS' public IP.

If an ISP detects that your IP is being attacked, it is likely that they'll cut your connection to avoid impacting other customers…

Using an encrypted VPN and a reverse proxy builds a protection layer around your network: the only attack surface bad actors see is the one you chose to expose. This has to be put into perspective, though. Just like opening ports directly on your Internet box, the tunnel is a path into your internal network, and if the security layer in front of it is insufficient, an attacker who gets through it gains an even deeper foothold.

In the end, both solutions involve exposing services from your own network to the outside. Both are a risk; they just have different threat models.

I personally find it less dangerous to use a VPN+reverse proxy rather than opening ports on your box, especially if you don’t know what you’re doing. (That’s a personal opinion)

"What if I disabled my box's firewall so that I could open my Minecraft servers to my friends? 🙂" - A 12-year-old, 5 minutes before disaster

That last part is only half a joke. There is, for example, official Nintendo documentation recommending that you open your box's UDP ports [1024:65535]!

Another interesting point of the VPN+reverse proxy setup is that if you're sharing an Internet access with multiple (non)people, you don't run into the problem of common ports already being taken.

You could have a reverse proxy behind your box, that would redistribute the requests depending on the domain name… but yeah

One last setup you can have is to only use the reverse proxy part and open multiple ports on your box, one per service… but you really don't want to do that, as it would require you to set up the encryption between the reverse proxy and your box yourself, which could mean two sets of HTTPS certificates…

Sometimes you don’t even have a full IPv4 for yourself!

Quick note about IPv4 here (most of the blogpost should apply to both IPv4 and IPv6):

Some ISPs (I know Free does that in France) no longer assign a full, static, dedicated IPv4 address to each of their customers, but give them a "shared" IPv4 instead. Here is a short post explaining the difference if you want, but TL;DR: they "split" an IPv4 address (which is getting costly and rare) between several clients, each of them getting a subset of the ports, and use NAT to make it seamless. See here for how they use NAT to reuse IPv4 addresses between clients.

If you get the port range that includes [0-1024], you won't see the difference. If you get another port range, you can't just use your public address and must use a reverse proxy.

I think most ISPs still provide an option to ask for a static dedicated IPv4 address (Free does), but you may not be able to rely on this in the future.

Again, this is an IPv4-specific problem which doesn't matter anymore with IPv6, but sadly the former is still in use, and we don't know how long we'll still have to support it before it finally gets retired.

Quick remarks about encryption

In one setup (VPN+reverse proxy), you can rely on your VPN's encryption, so you don't have to set up HTTPS between your home services and your reverse proxy. It means that the reverse proxy is the one making the certificate requests.

You can use some DNS black magic to even access your services directly without using the VPN when you’re inside your own network~

In the other setup (ports opened on your internet box), you must use HTTPS encryption, or rely on the encryption provided by the underlying services.

If you've never heard of it, it's a good moment to mention the VNC Resolver bot and its Fedi bot… it speaks for itself.

In all cases, do not ditch encryption.

Other self-hosted solutions

Here are some additional self-hosted solutions I didn’t include in a previous post and wanted to add:

  • Cryptpad, an encrypted collaborative office suite. Think of it as an Etherpad or a Google Doc, but with shared access, encryption, and the ability for multiple clients to edit at the same time
  • PrivateBin, an equivalent to Pastebin, but encrypted and without accounts
    • The idea is to have an encrypted paste of text available only with a given link, and where the host can’t have access to said data
    • To quote their website: “As a server administrator you don’t have to worry if your users post content that is considered illegal in your country. You have plausible deniability of any of the pastes content. If requested or enforced, you can delete any paste from your system.”
  • Syncthing is a decentralized file synchronization solution. Basically, you register your devices together, and it allows you to synchronize a folder between them using direct connections, or relays.
    • If you already have a Nextcloud, it may be useless to use Syncthing at the same time.
    • I personally find it useful to use Syncthing to synchronize non-vital files between my phone and my various computers. I don’t use the relay feature, though.
  • SearxNG is an internet metasearch engine. It aggregates results from multiple search engines privately, without tracking.
    • As with Invidious, I wouldn't recommend allowing public access to your instance
    • You may enable or disable each source search engine at will. For example, you may disable Bing or Google search for your instance or your account.
  • Bookstack is a self-hosted information store in the form of "books". You can create pages and edit them using Markdown or the WYSIWYG editor.
    • This is like having a collection of mdBooks, but which you can edit directly.

Closing words

Again, don’t hesitate to give me some feedback on my blogposts, as you can see it gives some interesting additions!
