Hi,
The last google product that is use is gmail, and while searching for a solid alternative, many threads mentionned self hosting, which has been on my mind for a little while but here is what’s stopping me so far: 1/ it sounds like a single point vulnerability 2/ I lack the skills.
As for #2, I’ve been down the privacy rabbithole for a couple years now, I know there are a lot of resources out there and I’m not afraid to learn, I just don’t know where to start.
But I don’t see the point in learning if in the end, I just build a server that could die in a domestic accident, resulting in me loosing a lot of important data.
Any help or advice is greatly appreciated,
Self-hosting works great for everything but email. Email these days requires a commercial IP for the MX unless you want to get blocked, so the closest you can get is hosting on a VPS.
Thank you for your reply, you are seconded by many others, if I get started on this self hosting journey, I’ll start with simple stuff I don’t care too much about, and test it out before leveling up on skills/security, and we’ll see if I eventually end up self hosting emails, but I don’t see it coming in a near future.
I have used my ISP’s email relay to avoid the IP address prejudice. A good ISP should have one.
I self-host mail from home. I don’t have reverse DNS, but I’ve set up the rest of it (SPF and stuff). It works about as well as email usually does. I needed to register my IP in Spamhaus.
Or proxying through a VPS.
-
Yes it is. As of now, this is why I don’t use it for anything I can’t have a redundancy for, or anything I care about very much. Meaning no email (self hosted email gets blocked anyway), password manager, etc. Maybe could get away with cloud sync for an authenticator app, since the data will still be on device in most cases. But also think about it: how often has your house been flooded or destroyed by a tornado? Also it can be more a hobby to build a skill set if you work in IT or want to.
-
Self hosting takes some doing, but I wouldn’t underestimate yourself either. If you want to figure it out you will probably be able to. Learn on something you don’t care about. I’m still using a 10 year old laptop as my server because hardware prices are stupid. You start by doing one thing at a time. Learn to do one thing specifically. Example: learn how to set up Jellyfin on Linux. Test accessing some files from your real computer or phone. Yay it works. Now learn how to SSH into the old laptop. Cool, got it. Then install a headless server in the laptop which you can SSH into. Nice. Deploy Jellyfin with docker this time and have fun with a home media server for a while. Then learn how to reverse proxy so you can access from vacation or whatever. Then learn the -arrr suite to have stuff auto download totally legal “Linux isos”. Then if this works for you have fun upgrading thr hardware maybe. Oh but then maybe you want all those huge hard drives in a RAID format. OK now I want to self host other stuff besides media. You’ll find plenty of stuff you’ll like doing, just start small.
Another smaller starting point is hosting your own Matrix or Mastodon instance, which is universal so you’d essentially be hosting your own account profile and nothing else, with no risk of server admits being nosey.
Thank you for taking the time to write such a long reply, I appreciate the advice and encouragement very much!
-
It’s as safe as you make it. Read up and use configurations documented for “production environments” and you have to monitor things yourself. Try to avoid exposing anything to the internet that you don’t have to and use a secure VPN if you can. That limits the exposed attack surface quite a bit.
Otherwise, use things like crowdsec and/or fail2ban along with ensuring your firewalls are configured to drop all ports not needed. A reverse proxy like Traefik or Caddy in front of all of your web services along with valid TLS/SSL certificates from Let’s Encrypt can help to only need port 443 open most of the time. Crowdsec or fail2ban can then be integrated into the reverse proxy as well to simplify things. It can be difficult to set up the first service, but then things start to fall into place over time.
Also, be sure to document everything you do, so that you can reproduce it if you need to recover from a disaster as well as to make setting up new services easier.
Thank you for the advice, I always prepare backups before my fuckups and i assume there will be some fuckups whike i learn haha
You’re right, and there’s two reasons I don’t host email or password vault.
I don’t host email because it’s out of scope and a ton of work for no real gain. Email is incredibly insecure by design. You can’t make it secure. Internalize that. Once you need to talk to someone else’s email server (to, you know, exchange mail) you throw all your security work on your server out the fucking window.
There used to be a bsd that advertised no exploits in the default install since <some year in the 90s>. They changed that recently I think, but it was a funny joke to everyone in the know because the default install had no services enabled. It’s pretty goddamned easy to have a secure default install when you don’t turn anything on!
The point of that digression is to show that for the security component of privacy, the best way to rest easy is to just not do certain things. You can’t cultivate a secure child left alone at home. The state of being is insecure.
Well, what if you’re willing to accept insecurity to be away from the prying eyes of Google! Okay, from a technical perspective setting up and configuring an email server in a way that will not immediately get flagged as spam and trigger blacklisting is a much higher bar than just downloading some docker image and pushing the go button. The stakes are higher too because failure to recognize and investigate failures results in mail simply being silently undelivered by other mailers.
So it’s more complex, heavily scrutinized and when you screw it up you silently lose the function of the server from a side you have no control over.
What should you do for email, then? Just use some other service. Let them handle dmarc etc. how will you know they aren’t scanning your emails? You won’t. You can’t. You can’t even know that the other party has a secure and private setup. When that starts to bug you, look into pgp.
I don’t host a password manager because of the same reason you brought up, it’s a single point of failure, what happens in a disaster?
Well just recently I was in a disaster. There wasn’t any power to run my home server, my offsite was unpowered and swept out the door into a ditch by flooding and there wasn’t any internet to reach my cloud backups.
Because I use a service for password management I was able to securely use all kinds of communication from public access and disaster response computers and store the credentials and secrets given to me in the process of beginning recovery (and oh boy were there a lot of em).
From my perspective a trustworthy service is miles better than hosting for credential management.
That is good advice, and I do trust reliable services over my poor skills. I understand self hosting emails is out of reach, but I think I’ll still give self hosting a try for smaller things.
It’s only as safe as you make it, and improving your sysadmin/security/devops skills is a requirement that never goes away imo.
It’s perfectly fine to try it with something you don’t care that much about for starters, a baikal calendar is a nice and easy start. Expose only the ports you need for your reverse proxy (and also ssh if you don’t plan having the machine in your local network), and the rest should be secure enough for just small services for your own and your family’s usage.
Eventually you will start learning how to backup your data with cronjobs, strengthening security a bit more, and as you go you can keep adding increasingly important services for yourself as the system becomes more reliable.
Edit: Hardware is very expensive now, but if you have an old laptop that is just sitting collecting dust, it’s the perfect starting point for a server. It’s not ideal long term, but it’s a free way to get your feet wet and learn.
Thank you for taking the time to write such a long reply, I appreciate the advice very much!
Search around for cheap VPS deals and start from there. That’s what I ended up doing. Yes, if you have the hardware available and lying around, absolutely. However, whatever I ender up hosting I wanted it to be accessible when I’m on the go. There’s always the ability to roll out tailscale or another VPN back to my home network but I rather keep the home network fully inaccessible from the outside. Just personal preference.
I do:
- Proxmox VE
- Traefik
- Zitadel
- Wireguard on non standard port
- Firewall
- Dynamic DNS resolver
And just host all the things and stick with what I use, which currently is:
- Home Assistant
- Trek
- Airtrail
- Jellyfin
- RomM
- Frigate
- Immich
- Linkwarden
- File Browser Quantum
- Homarr
- Dawarich & Reitti (though only one will survive)
- Stalwart & Bulwark (for internal homelab-related emails)
Start here -> https://yunohost.org/
Or alternatively -> https://alternativeto.net/software/yunohost/Then install nextcloud on the server OS.
And find a registrar to pay for a domain name.I’ll be sure to check these resources, thank you very much
Well, as everything, it is safe is you do it right. If you are just starting, you could try running some services in LAN, or if you don’t have the hardware, a cheap VPS with VPN or some other tunneling. That way, you’re not exposing your data to the wider internet.
Of course, you should keep backups of everything you deem important, and once you start feeling more comfortable, you may try opening up your services with a reverse proxy (caddy, nginx) and some authentication (authelia, authentik). You can try hosting simple things, things that expect to be open to the internet, like a game server.
If you’re limited by your hardware, you can start planning to buy something bigger. But I don’t recommend it to just get started; you can do a lot of learning with basic hardware (and the prices are crazy right now too).
Edit: seconded what ghost_laptop said, an e-mail server is kind of the hardest there is for self-hosting. There are solutions like mailcow, but even that is very hard to set up.
Most of the other reply go the same way, so I really appreciate all of you taking the time to write detailed messages, I have many resources/services I can check to take my first steps into self hosting now.
you can do a lot of learning with basic hardware
So so much.
I’m running video calls (Livekit) for ~50 users (dunno how active) through an ancient laptop that doesn’t even have USB3. Among other things - the same lappy is also doing email and TLS termination for a HLS stream.
I’m using an old phone, a Google Pixel 3a (that’s 4 GB of RAM) as a monitoring solution (Prometheus, Grafana, AlertManager, ntfy).
Self-hosting can be incredibly rewarding.
As others have said, email can be a tough one but there are other alternatives to Gmail that could work for you.
Start small, an unused pc or I’ve even seen some people use an old phone for some projects. Just running a service or two and see how it goes. I started with Jellyfin on a Linux mint PC. But you might setup Adguard Home to help stop adds at network level. Then progressing to bigger systems, more services, etc.
As far as security, if you don’t expose ports through your firewall on your home network then your services are only available if you’re connected to it. So if someone’s not connected to your WiFi they have no access. You technically don’t ever have to open ports thanks to services like Tailscale or Pangolin. They’ll act like a vpn and you can turn it on/off when you need to access stuff remotetly. For the sake of privacy, Tailscale runs all their own servers but you can run Headscale or Pangolin on your own VPS to completely control your network. If you jump for a VPS or remote server with enough storage you could probably store some of your more important/would dread losing stuff on there. Alternatively, setup a second server in a family members/friends house and keep a secondary storage there.
I have really enjoyed Pangolin. It has a really simple installer and there are a lot of security permissions controls in lock down services you might want to expose to the public internet. It’s an almost corporate level VPN solution.
Oh and Docker Compose. So many projects run in Docker and in my opinion Compose is the easiest way to run them.
Thank you for this detailed answer, I know most of what you mention only by name so I’ll look into it!
The last? What do you use for photo backup?




