I recently got my hands on a lightly used Raspberry Pi 5 and have been playing around with it and breaking things while trying to learn my way around self-hosting. I have a couple of questions now that I’ve hit a bit of a roadblock in learning.
- Is it possible to set up Lemmy for localhost on a local network only? I’m not worried about federated data from other instances. At this point I just want to experiment and break things before I commit to buying a Top Level Domain name.
- How exactly does a TLD work? I’ve tried searching up how to redirect traffic from a TLD to my Raspberry Pi. Since I don’t know much about hosting or networking, I don’t know what to search for to find the answer I’m looking for.
- How do I protect myself while self-hosting? I know the Lemmy documentation suggests using Let’s Encrypt; is that all I need to do in order to protect any private data being used?
My goal in the future is to have a local, text-only instance that may connect with a small number of whitelisted instances.
Lemmy is very database write-heavy once federated, so unless you get the NVMe extension for your RPi 5 it will not work very well. The database is also very RAM-hungry as a result.
Anyways, if it is just about testing, it should not be a problem.
Lemmy by itself should be accessible without a domain name, but federation depends on it. Just give it a try and access it via “localhost” or the local IP of the server hosting it.
A TLD is just a reference to a public IP. Basically you ask a server what IP this name references, and that’s it.
TLS certificates (via Let’s Encrypt) are necessary for participating in the federation and protect data like users’ passwords while they are being sent to the server. It is not, strictly speaking, a security measure for your server.
I do intend to buy appropriate storage when the time comes. It’s convenient to back up and restore an SD card image while I figure things out, as I’m just starting out.
Would the public IP in this situation just be my home IP address? I’m assuming that the TLD provider would have an account settings page to set the IP reference?
Are there any recommendations for additional security for a Lemmy instance, or is it even necessary for a small-scale social media site?
For a domain name:
You go to something like NameCheap.org and buy a name (hackers4life.xyz or something cool like that). Then their web interface has a place for you to enter the IP address that you want associated with that name. Whenever someone then types “hackers4life.xyz” there will be a series of computers asking other computers “do you know the IP address for this?” until they do.
If you have that Pi in your house, there are (at least) two steps for you then: (1) getting your home IP address, (2) forwarding the port.
(1) Your router admin panel may have this, or else if you search the web for “what is my ip” there are sites that will tell you (basically, you connect to their webpage and they just print out the IP they are sending data back to). There are two concerns here, though.
(a) Do you have a unique IP? There aren’t enough IPv4 addresses in the world for all the computers connecting to the internet. To get around this, ISPs will essentially group customers together under the same IP and then they figure out how to get the traffic to the right place. If you don’t have a unique IP, you might be screwed (but I haven’t looked into dealing with that much).
(b) If you have a unique IP, you still probably don’t have a stable IP. Your ISP might reallocate all the addresses in their network every day/week/month/whenever. This is the case for me. Namecheap (or whatever other domain vendor) has a process for you to use a script to send them your IP address, and so you make a script to recheck it and send Namecheap updates every hour or something like that.
(2) Forwarding the port
Some other machine on the web knows your IP (because it is associated with hackers4life.xyz) and so they try to connect. This comes down the wire from the street into the side of your house/apartment, into the modem, and into your router. If your router isn’t expecting it (or prepared to do something with it), it’ll just ignore it. You want the router to instead send it to your Pi. To do this, you go to your router’s admin settings and forward the messages based on the port they are coming in on. The standard ports for HTTP and HTTPS are 80 and 443, and so you can forward those ports to the Pi. Making sure that the Pi then does the right things with those is outside the scope of me writing right now.
You can use DuckDNS.
You need to make sure you get a unique public IP from your home ISP. Some utilize a so-called CGNAT, which allows them to share one IP with multiple customers, but this makes self-hosting from home much more difficult. Less bad is a so-called dynamic IP, which is unique but can change randomly. For that you need some system to automatically update your DNS records when an IP change is detected.
And yes, the domain registrar and DNS server operator have a web interface to associate your public IP with the domain name. The better and larger ones also provide an API to automate it should your public IP change.
There are many things you can do to improve security, but mostly you should run a firewall to not expose any internal services to the public internet.
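The “script that rechecks your IP and updates the registrar” mentioned in the two replies above, written out as an added example (this is not code from the thread or from any registrar). It first classifies the address the lookup returns, so a CGNAT address (the 100.64.0.0/10 shared range ISPs use) or a private LAN address is reported instead of being pushed into DNS, and it only contacts the registrar when the address has actually changed. Both URLs are placeholders: `IP_LOOKUP_URL` is assumed to return the caller’s public IPv4 as plain text, and `DDNS_UPDATE_URL` stands in for whatever update endpoint your registrar or DuckDNS documents.

```shell
#!/bin/sh
# Added example: dynamic-DNS updater for a home-hosted Pi.
# Assumptions (placeholders, not real endpoints):
#   IP_LOOKUP_URL   returns the caller's public IPv4 as plain text
#   DDNS_UPDATE_URL is your registrar's update endpoint
IP_LOOKUP_URL="${IP_LOOKUP_URL:-https://example.invalid/ip}"
DDNS_UPDATE_URL="${DDNS_UPDATE_URL:-https://example.invalid/update}"
CACHE_FILE="${CACHE_FILE:-/tmp/ddns-last-ip}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to really call the registrar

# Split a dotted quad into o1..o4; fail if the input is not a valid IPv4 address.
split_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    rest="$1"
    o1=${rest%%.*}; rest=${rest#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print one of: public, cgnat, private, invalid.
classify_ip() {
    split_ip "$1" || { echo invalid; return 0; }
    # 100.64.0.0/10 is the shared address space ISPs use for CGNAT (RFC 6598):
    # a DNS record pointing here will never reach your house.
    if [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then
        echo cgnat; return 0
    fi
    # RFC 1918 ranges, loopback and link-local: a LAN-side address, not your public one.
    if [ "$o1" -eq 10 ] || [ "$o1" -eq 127 ] \
       || { [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; } \
       || { [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; } \
       || { [ "$o1" -eq 169 ] && [ "$o2" -eq 254 ]; }; then
        echo private; return 0
    fi
    echo public
}

# Succeed (exit 0) when the address differs from the last one we pushed.
ip_changed() {
    old=""
    if [ -f "$CACHE_FILE" ]; then old=$(cat "$CACHE_FILE"); fi
    [ "$1" != "$old" ]
}

# Push the address to the registrar (placeholder endpoint) and remember it.
update_dns() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "dry-run: would send $1 to $DDNS_UPDATE_URL"
    else
        curl -fsS "${DDNS_UPDATE_URL}?ip=$1" >/dev/null
    fi
    printf '%s\n' "$1" > "$CACHE_FILE"
}

main() {
    ip=$(curl -fsS "$IP_LOOKUP_URL") || { echo "IP lookup failed" >&2; return 1; }
    case "$(classify_ip "$ip")" in
        public) ;;
        cgnat)  echo "$ip is CGNAT shared space; DNS alone cannot reach this host" >&2; return 2 ;;
        *)      echo "$ip is not a public address" >&2; return 2 ;;
    esac
    if ip_changed "$ip"; then update_dns "$ip"; else echo "unchanged: $ip"; fi
}

# Run hourly from cron, e.g.:  0 * * * *  DRY_RUN=0 /home/pi/ddns.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it once with `DRY_RUN=1` to see what it would send; if it reports `cgnat`, the port-forwarding steps above will not help until the ISP gives you a real public address, which is the situation the replies describe as “much more difficult”.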
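For the firewall point in the reply above, here is an added example (not from the thread) that renders a minimal nftables ruleset for the Pi: default-drop on input, only the two ports the router forwards (80 and 443) open to everyone, SSH reachable from the home subnet only, and everything else the Pi listens on, such as the database, left unreachable. `LAN_CIDR` and the `192.168.1.0/24` value are assumptions; adjust them to your own network.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that exposes only the forwarded ports.
# Usage: render_ruleset <lan-cidr> <public-port>...   (apply with: nft -f file, as root)
render_ruleset() {
    lan="$1"; shift
    ports=$(printf '%s, ' "$@"); ports=${ports%, }
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Public services: only what the router forwards from the internet.
        tcp dport { $ports } accept
        # Admin access (SSH) stays on the home network.
        ip saddr $lan tcp dport 22 accept
        # Minimal ICMP so path MTU discovery and pings keep working.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Anything else the Pi listens on (database, internal backend ports) is dropped.
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Example invocation with an assumed home subnet (placeholder value).
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
if [ "${1:-}" = "--print" ]; then render_ruleset "$LAN_CIDR" 80 443; fi
```

Write the output to a file, check it with `nft -c -f file` before loading it, and make the distro’s nftables service load it at boot, otherwise the rules are gone after the next reboot. The point of `policy drop` is that a new service you start while experimenting is closed by default until you add a rule for it.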