• 4 Posts
  • 48 Comments
Joined 2 years ago
Cake day: June 13th, 2023






  • Cool guide, I’ll keep it in mind when setting up my own Lemmy, even though I won’t go through cloudflare. Some things I noticed:

    • Since I didn’t see you mentioning it, ufw (idk about gufw) doesn’t actually block the ports opened by docker. Make sure to only forward your docker ports to localhost and only make the actual webservice available (e.g. 127.0.0.1:8888:8080 for piefed adminer), otherwise the ports will be accessible from your LAN
    • In your update process, you can docker compose pull before docker compose down, makes a little difference especially on a slow connection/big images. I think you don’t even need the down command since docker does that automatically if something changes (e.g. new build)
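
An added example, not part of the comment above: a small Python audit for the point about Docker-published ports bypassing ufw, listing every short-syntax `ports:` entry in a compose file that is not bound to a loopback address. The compose text is constructed, and the line-based parser assumes two-space service indentation, short-syntax entries and Docker's default of binding published ports to all interfaces.

```python
import ipaddress
import re

# Constructed sample compose file (not taken from the original comment).
SAMPLE_COMPOSE = """\
services:
  adminer:
    ports:
      - "127.0.0.1:8888:8080"
  web:
    ports:
      - "8080:80"
      - "0.0.0.0:8443:443/tcp"
      - "[::1]:9000:9000"
    expose:
      - "5432"
"""

def host_bind(spec):
    """Return the host address a short-syntax port mapping binds to."""
    spec = spec.split("/")[0]                            # drop /tcp or /udp
    m = re.match(r"^\[([0-9a-fA-F:]+)\]:(.+)$", spec)    # bracketed IPv6 host
    if m:
        return m.group(1)
    parts = spec.split(":")
    # No explicit IP: assumed Docker default, published on all interfaces.
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def exposed_ports(compose_text):
    """List (service, spec) for ports: entries not bound to loopback."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        svc = re.match(r"^ {2}([\w.-]+):\s*$", line)     # service name line
        item = re.match(r"^\s*-\s*[\"']?([^\"'#\s]+)", line)
        if svc:
            service, in_ports = svc.group(1), False
        elif re.match(r"^\s+ports:\s*$", line):
            in_ports = True
        elif in_ports and item:
            try:
                local = ipaddress.ip_address(host_bind(item.group(1))).is_loopback
            except ValueError:                           # e.g. ${VAR}: treat as exposed
                local = False
            if not local:
                findings.append((service, item.group(1)))
        elif line.strip():
            in_ports = False                             # any other key ends the list
    return findings

if __name__ == "__main__":
    print(exposed_ports(SAMPLE_COMPOSE))
```
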




  • I’ll just start! Personally, I’m tinkering with my local network to create a subnet for my homelab.

    I want to set up Lemmy and Audiobookshelf next, but I want to tweak the infrastructure a bit before hosting more stuff.

    Before the firewall thing, I set up authentik and am integrating it in more services. Migration was mostly straightforward so far in Bookstack and Paperless. Also the proxy authentication is pretty cool, finally being able to ditch basic auth in Prometheus was cool.













  • you will have a much easier time setting up database and networking, running backups, porting your infrastructure to other providers, and maintaining everything, than with legacy control panels or docker compose.

    I really don’t see this. Database? Same but needs a service. Networking? Services and namespaces instead of docker networks. Backups? Basically same as Docker but k8s has cronjobs so you can have it at the same place as your other stuff which is a good point. Porting infrastructure? Copy compose file, env files and volumes vs. copying all resources and pv.

    I am absolutely not against self hosting in k8s and if OP already had k8s running, I’d recommend it too. But I don’t see the benefits for the scenario op described.

    You might be right with the better/more accessible docker docs everywhere being the main reason it’s so popular, but it’s also usually just one file that describes everything AND is usually the supported install method of many projects where helm charts are often third party and lack configurability.

    CNPG is cool, but then OP also needs to learn about operators and custom resources :) More efficient? Yes. More complex? Also yes.

    The biggest challenge for kubernetes is probably that the smaller applications don’t come with example configs for Kubernetes. I only see mastodon having one officially. Still, I’ve provided my config for Lemmy, and there are docker containers available for Friendica and mbin (though docker isn’t officially supported for these two). I’m happy to help give yaml examples for the installation of the applications.

    As said above, I agree it’s one challenge, but added complexity is not to be underestimated.

    Completely off topic: Your post did make me think about running my own cluster again though. I also work on k8s at my devops day job but with a cloud provider it’s not the same as running your own ofc. I’ve also been thinking about tinkering with old smartphones in that potential cluster…