I’m still a newcomer to self hosting, and I could use some guidance on how to best accomplish what I’m trying to do.

Right now, I’ve got AdGuard, Jellyfin, and Nextcloud running on a Raspberry Pi 4 with a 500 GB external hard drive, using YunoHost. Those services are all available at my free domain name provided by YunoHost.

I’d like to run all of those services on the same Pi they’re on now, but using Docker, so I have more control and access to more applications. I would also like to configure a reverse proxy so I can access them at, for example, nextcloud.mydomain.com. (YunoHost doesn’t support custom domains from Porkbun, which is the registrar I’m using.)

What would be the least painful way to go about this? I understand how Docker works conceptually, but I admittedly don’t really know how to use it in practice. Are there any resources available that would get me up to speed quickly?

Appreciate the help - thanks!

  • ikidd@lemmy.world · 2 upvotes · 2 days ago

    That reverse proxy thing YunoHost has going is a bad habit to get selfhosters into.

    • compostgoblin@slrpnk.net (OP) · 1 upvote · 2 days ago

      Why is that? I’m switching away regardless, so I’m just curious. I started using it because it made everything simple.

      • ikidd@lemmy.world · 5 upvotes · 2 days ago

        Every application you expose to the internet, even via a reverse proxy, increases the chances you’ll get popped. Set up Tailscale or another VPN for every device that accesses these applications. If you absolutely need real SSL certs because you can’t just use private certs, you can turn on forwarding to a proxy like Nginx Proxy Manager for long enough to pull a cert, but otherwise you should just reference the internal address of that proxy from devices over the VPN or locally in the network. Tailscale has very good documents on how to set up a secure network using VPN. You can also use DNS-only certs instead of opening the firewall.

        If you have to, set up a local DNS like Technitium or even Pihole with custom entries to give you internal name resolution for your registered domain/host names.

        If you absolutely, positively need to expose an application, at least use Basic Auth on that hostname. It drastically reduces the attack surface before it gets to the application.

        • sugar_in_your_tea@sh.itjust.works · 3 upvotes · 2 days ago

          To add to this, you should practice good security elsewhere as well:

          • host everything in containers, and only let them access what they need
          • manage TLS behind your firewall, so a vulnerability doesn’t expose packets for other services
          • run your containers with minimal privileges (look into podman, for example), so they’ll be limited if they escape the container
          • use a strong root password (or no root), and put passwords on any SSH keys you use there (e.g. for git repos, accessing other servers, etc.)

          Once you expose something inside your network, you need to ramp up security.
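Putting the advice from the two replies above into one Compose file, as an added example that is not from the thread or from any of the projects mentioned: the proxy publishes its port only on the Pi's Tailscale address (100.64.0.10 is an assumed value), Nextcloud gets no host port at all, the nextcloud.mydomain.com hostname is guarded by Basic Auth, and both containers run with `no-new-privileges` and dropped capabilities. The certificate paths, the `./htpasswd` file, the data path on the external drive and the capability lists are all assumptions.

```yaml
# docker-compose.yml (added example, not from the thread)
# Assumptions: 100.64.0.10 is the Pi's Tailscale address; ./certs holds a cert obtained
# with a DNS-01 challenge (no port forward needed); ./htpasswd was created with
# `htpasswd -B -c htpasswd alice`. Inline `configs.content` needs Compose v2.23.1+.
services:
  proxy:
    image: nginx:stable
    ports:
      - "100.64.0.10:443:443"   # bound to the VPN address only; nothing listens on 0.0.0.0
    configs:
      - source: nextcloud_vhost
        target: /etc/nginx/conf.d/nextcloud.conf
    volumes:
      - ./certs:/etc/nginx/certs:ro
      - ./htpasswd:/etc/nginx/htpasswd:ro   # must be readable by uid 101: nginx workers open it
    cap_drop: [ALL]
    cap_add: [NET_BIND_SERVICE, CHOWN, SETUID, SETGID]   # assumed minimum for the official image
    security_opt: ["no-new-privileges:true"]
    restart: unless-stopped
  nextcloud:
    image: nextcloud:stable
    expose: ["80"]   # reachable only from the Compose network; no host port published
    volumes:
      - /mnt/external/nextcloud:/var/www/html   # the 500 GB drive; mount path assumed
    cap_drop: [ALL]
    # assumed minimum for the apache image (chown of data, apache binding :80, signalling workers);
    # if `docker logs nextcloud` shows "Operation not permitted", add back the missing capability
    cap_add: [CHOWN, FOWNER, DAC_OVERRIDE, SETUID, SETGID, NET_BIND_SERVICE, KILL]
    security_opt: ["no-new-privileges:true"]
    restart: unless-stopped
configs:
  nextcloud_vhost:
    content: |
      server {
        listen 443 ssl;
        server_name nextcloud.mydomain.com;
        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        auth_basic           "private";             # a second login before anything reaches the app
        auth_basic_user_file /etc/nginx/htpasswd;
        client_max_body_size 10G;                   # large file uploads through the proxy
        location / {
          proxy_pass http://nextcloud:80;
          # $$ escapes Compose variable interpolation so nginx sees $host / $remote_addr
          proxy_set_header Host $$host;
          proxy_set_header X-Forwarded-For $$remote_addr;
          proxy_set_header X-Forwarded-Proto https;
        }
      }
```

Proxy-level Basic Auth only suits hostnames used from a browser: the Nextcloud desktop and mobile clients send their own `Authorization` header for WebDAV, which the proxy would reject, so for a VPN-only hostname drop the two `auth_basic` lines and rely on the VPN-bound port instead.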