I’m still a newcomer to self hosting, and I could use some guidance on how to best accomplish what I’m trying to do.

Right now, I’ve got AdGuard, Jellyfin, and Nextcloud running on a Raspberry Pi 4 with a 500 GB external hard drive, using YunoHost. Those services are all available at my free domain name provided by YunoHost.

I’d like to run all of those services on the same Pi they’re on now, but using Docker, so I have more control and access to more applications. I would also like to configure a reverse proxy so I can access them at, for example, nextcloud.mydomain.com. (YunoHost doesn’t support custom domains from Porkbun, which is the registrar I’m using.)

What would be the least painful way to go about this? I understand how Docker works conceptually, but I admittedly don’t really know how to use it in practice. Are there any resources available that would get me up to speed quickly?

Appreciate the help - thanks!

  • ikidd@lemmy.world · ↑2 · 1 day ago

    That reverse proxy thing Yunohost has going is a bad habit to get selfhosters into.

    • compostgoblin@slrpnk.net (OP) · ↑1 · 24 hours ago

      Why is that? I’m switching away regardless, so I’m just curious. I started using it because it made everything simple

      • ikidd@lemmy.world · ↑5 · 21 hours ago

        Every application you expose to the internet, even via a reverse proxy, increases the chances you’ll get popped. Set up Tailscale or another VPN for every device that accesses these applications. If you absolutely need real SSL certs because you can’t just use private certs, you can turn on forwarding to a proxy like Nginx Proxy Manager for long enough to pull a cert, but otherwise you should just reference the internal address of that proxy from devices over the VPN or locally in the network. Tailscale has very good documents on how to set up a secure network using VPN. You can also use DNS-only certs instead of opening the firewall.

        If you have to, set up a local DNS like Technitium or even Pihole with custom entries to give you internal name resolution for your registered domain/host names.

        If you absolutely, positively need to expose an application, at least use Basic Auth on that hostname. It drastically reduces the attack surface before it gets to the application.

        • sugar_in_your_tea@sh.itjust.works · ↑3 · 9 hours ago

          To add to this, you should practice good security elsewhere as well:

          • host everything in containers, and only let them access what they need
          • manage TLS behind your firewall, so a vulnerability doesn’t expose packets for other services
          • run your containers with minimal privileges (look into podman, for example), so they’ll be limited if they escape the container
          • use a strong root password (or no root), and put passwords on any SSH keys you use there (e.g. for git repos, accessing other servers, etc)

          Once you expose something inside your network, you need to ramp up security.
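The two comments above (ikidd's "reach it over a VPN instead of exposing it" and sugar_in_your_tea's container-hardening list) combined into one worked Docker Compose stack. This is an added example, not code posted by either commenter and not the Jellyfin or Tailscale projects' own files. It follows the sidecar layout Tailscale documents for Docker: a second container joins the tailnet and Jellyfin shares its network namespace, so Jellyfin publishes no ports on the Pi at all. Assumed rather than taken from the thread: the image tags, the `./` and `/mnt/media` host paths, uid/gid 1000 as the owner of those paths, and a Tailscale auth key supplied as `TS_AUTHKEY` in a `.env` file next to the compose file.

```yaml
# Added example, not code from the thread or from the Jellyfin/Tailscale projects.
# Jellyfin reachable only over the tailnet (no ports published on the Pi) and
# run with the minimum privileges the container needs.
# Assumptions: image tags, the ./ and /mnt/media host paths, uid/gid 1000 owning
# those paths, and a Tailscale auth key supplied as TS_AUTHKEY in a .env file.
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: ts-jellyfin
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}       # assumption: set in .env; keep it out of git
      - TS_HOSTNAME=jellyfin           # MagicDNS name on the tailnet
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=true              # userspace networking: no NET_ADMIN, no /dev/net/tun
    volumes:
      - ./tailscale-state:/var/lib/tailscale
    # deliberately no "ports:" - nothing is bound on the LAN or WAN side,
    # so the only way to reach Jellyfin is from a device logged into the tailnet
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    container_name: jellyfin
    network_mode: service:tailscale    # share the sidecar's netns; Jellyfin's :8096 appears at the tailnet IP
    depends_on:
      - tailscale
    user: "1000:1000"                  # unprivileged; assumption: this uid/gid owns the volumes below
    read_only: true                    # immutable root filesystem
    tmpfs:
      - /tmp                           # scratch space the app needs at runtime
    cap_drop:
      - ALL                            # start from zero Linux capabilities
    security_opt:
      - no-new-privileges:true         # setuid/setcap binaries cannot escalate
    volumes:
      - ./jellyfin/config:/config
      - ./jellyfin/cache:/cache
      - /mnt/media:/media:ro           # the library is read-only to the app
    restart: unless-stopped
```

Bring it up with `docker compose up -d`, then open `http://jellyfin.<your-tailnet>.ts.net:8096` from any device on the tailnet; from the LAN or the internet the port simply does not exist. If Jellyfin logs a permission error on some path, add that path as a volume or tmpfs rather than dropping `read_only`, and add a single capability with `cap_add` rather than removing `cap_drop: ALL`; the point is to grant only what a logged failure proves necessary. For the "real certificate without opening the firewall" case ikidd mentions, enabling HTTPS on the tailnet and fronting the app with `tailscale serve` gets a Let's Encrypt certificate with no inbound port on the router.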

  • ocean@lemmy.selfhostcat.com · ↑7 · 1 day ago

    Back up your data and configs. Run Docker. Run Portainer to manage Docker Compose. Make a stack for each container and deploy. Use Nginx Proxy Manager to manage routing your domains. Open the ports on your router to NPM. If public, run strong passwords and 2FA. If private but with local SSL, you can use your local IP and it works the same, at least via Cloudflare and NPM.

    • compostgoblin@slrpnk.net (OP) · ↑1 · 1 day ago

      Thank you! That’s helpful. How would you go about setting up a password and 2FA for your own site? I would like to make my services “publicly” available (to myself and friends/family)

      • ocean@lemmy.selfhostcat.com · ↑3 · 1 day ago

        I highly recommend getting them to access your sites over VPN, not publicly; then you don’t have to worry about this at all. For services that don’t have 2FA you can route the services from NPM to Authentik. Then in Authentik you have another password and can set up 2FA. Authentik is awesome.

        You will be shocked how many times your sites are attacked by bots per day. Think five thousand plus.

        You can also use fail2ban to block those IPs.
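The layout ocean describes above (one stack per app, Nginx Proxy Manager doing the routing, only NPM's ports opened on the router) as a worked Docker Compose file. This is an added example, not code posted by ocean and not the NPM or Nextcloud projects' own files. The security-relevant choices are that only NPM publishes anything on the host, the NPM admin UI is bound to loopback so it is never reachable from the internet, app containers are reachable solely over a shared `proxy` network, and the database sits on an `internal` network that NPM has no route to. Assumed rather than taken from the thread: the image tags, the `./` host paths and the external-drive path, the domain `nextcloud.mydomain.com`, the `172.30.0.0/24` subnet, and the passwords, which live in a `.env` file.

```yaml
# Added example, not code from the thread or from the NPM/Nextcloud projects.
# Two apps behind Nginx Proxy Manager on a Pi, laid out so that:
#   - only NPM publishes ports on the host (80/443 public, admin UI loopback-only)
#   - app containers are reachable solely through the "proxy" network
#   - the database sits on an internal network NPM cannot reach
# Assumptions: image tags, the ./ host paths, the domain nextcloud.mydomain.com,
# the 172.30.0.0/24 subnet, and the passwords, which come from a .env file.
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    ports:
      - "80:80"               # HTTP: ACME http-01 challenge and redirect to HTTPS
      - "443:443"             # HTTPS: the only public entry point on the Pi
      - "127.0.0.1:81:81"     # admin UI on loopback only; reach it via ssh -L 81:127.0.0.1:81 pi@<pi>
    volumes:
      - ./npm/data:/data
      - ./npm/letsencrypt:/etc/letsencrypt
    networks:
      - proxy
    restart: unless-stopped

  nextcloud:
    image: nextcloud:apache
    container_name: nextcloud
    # no "ports:" here - NPM proxies to http://nextcloud:80 over the proxy network
    environment:
      - MYSQL_HOST=nextcloud-db
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=${NC_DB_PASSWORD}       # assumption: set in .env, never committed
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.mydomain.com
      - OVERWRITEPROTOCOL=https                # generate https:// URLs behind the TLS-terminating proxy
      - TRUSTED_PROXIES=172.30.0.0/24          # so Nextcloud sees real client IPs for its brute-force throttling
    volumes:
      - ./nextcloud/html:/var/www/html
      - /mnt/external/nextcloud-data:/var/www/html/data   # assumption: on the 500 GB drive, owned by uid 33 (www-data)
    networks:
      - proxy
      - nextcloud-db
    depends_on:
      - nextcloud-db
    restart: unless-stopped

  nextcloud-db:
    image: mariadb:11
    container_name: nextcloud-db
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    environment:
      - MARIADB_ROOT_PASSWORD=${NC_DB_ROOT_PASSWORD}   # assumption: set in .env
      - MARIADB_DATABASE=nextcloud
      - MARIADB_USER=nextcloud
      - MARIADB_PASSWORD=${NC_DB_PASSWORD}
    volumes:
      - ./nextcloud/db:/var/lib/mysql
    networks:
      - nextcloud-db                           # not on "proxy": NPM has no path to port 3306
    restart: unless-stopped

networks:
  proxy:
    ipam:
      config:
        - subnet: 172.30.0.0/24                # assumption: any unused private range works
  nextcloud-db:
    internal: true                             # no route to the internet or the host network
```

After `docker compose up -d`, open the admin UI through the SSH tunnel, add a proxy host for `nextcloud.mydomain.com` forwarding to `nextcloud` on port 80, request a Let's Encrypt certificate (choose the DNS challenge if you would rather not expose port 80 at all), and turn on "Force SSL" and "Block Common Exploits". Jellyfin or any further app joins the same way: put it on the `proxy` network, give it no `ports:`, and add a proxy host. Two caveats a practitioner should know: Docker inserts its published ports into iptables ahead of ufw's rules, so a host firewall alone will not close a port you listed under `ports:`, which is why the admin port is bound to `127.0.0.1` explicitly; and the 2FA ocean mentions lives inside the app (Nextcloud's Two-Factor TOTP app) or in a forward-auth layer such as Authentik, not in NPM itself.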

  • Ugurcan@lemmy.world · ↑4 · 1 day ago

    I’ve done that before.

    Docker is pretty easy to use, don’t get intimidated. Start with a simpler service that you’ve used before so you can understand which string is tied to where.

    What’s great with Yunohost is its domain controls. It’s very easy to set up a free domain, or use your own domain with it. So that’s the main reason I’m keeping Yunohost around.

    One thing, if you think of using them in conjunction: YH has a firewall and occupies some ports that could conflict with Docker containers.

    • compostgoblin@slrpnk.net (OP) · ↑2 · 1 day ago

      Thank you!

      Are there any simple services you’d recommend starting with to get a feel for things? I’ll probably start with AdGuard, unless there’s a better option

      And I don’t plan to use both at the same time, so conflicting ports shouldn’t be an issue.

      Is the process for configuring your own domain with Docker enough of a pain that I should consider sticking with YunoHost?

      • Ugurcan@lemmy.world · ↑2 · edited · 1 day ago

        Put Adguard in second spot since it does some non-basic stuff with networking.

        Do you use any *arr? Those are easy enough. Or Jellyfin maybe? My top recommendation would be Portainer, which offers a handsome interface for Docker management. That will help you out of the sea.

        Docker doesn’t really offer any domain-related functionality at all. You can host an app for that as well, but I found YH is just easier.

        • compostgoblin@slrpnk.net (OP) · ↑1 · 1 day ago

          I don’t use any *arr, though I’ve been meaning to look more into it. I do use Jellyfin though, so I’ll probably start there.

          I’ll take a look at Nginx proxy manager for domain configuration, like another user in this thread suggested

      • MangoPenguin@lemmy.blahaj.zone · ↑1 · 1 day ago

        Docker doesn’t have anything to do with your own domain, the process is the same either way. Essentially your reverse proxy will handle the domain traffic and SSL, and your local DNS server will resolve the domain to the server IP.

  • Deckweiss@lemmy.world · ↑2 · 1 day ago

    Personally I use Dokploy. It’s a dead simple docker web UI that makes domains and ssl easy peasy

    • MangoPenguin@lemmy.blahaj.zone · ↑2 · edited · 1 day ago

      Dokploy

      This is neat, but not having an install guide and just a “run this script you got off the internet” is a huge no-no.

      They need to just provide the docker-compose and .env files.

  • couch1potato@lemmy.dbzer0.com · ↑1 · 1 day ago

    I started learning on Unraid OS and it’s pretty easy to get started as a newbie. They have a CA Apps plugin/store (free, though) that has pre-built Docker templates for popular software. Makes it easy to get started.

    In the same OS you can also host VMs in case you’re trying to run something not suited to docker.

  • Depends how deep down the rabbit hole you wanna go?

    I assume you’re accessible via IPv4 (no CGNAT), otherwise you’re in for a far bigger pain in the ass.

    Simple: you can use Portainer and it makes it relatively easy. Otherwise you can use Docker Compose if you want more fine-grained control and are willing to learn a little more.

    Dr GPT is usually pretty good at writing Docker Compose files given the application readme.