zlacker

[return to "CLI agents make self-hosting on a home server easier and fun"]
1. simonw+g6[view] [source] 2026-01-11 22:01:25
>>websku+(OP)
This posts lists inexpensive home servers, Tailscale and Claude Code as the big unlocks.

I actually think Tailscale may be an even bigger deal here than sysadmin help from Claude Code at al.

The biggest reason I had not to run a home server was security: I'm worried that I might fall behind on updates and end up compromised.

Tailscale dramatically reduces this risk, because I can so easily configure it so my own devices can talk to my home server from anywhere in the world without the risk of exposing any ports on it directly to the internet.

Being able to hit my home server directly from my iPhone via a tailnet no matter where in the world my iPhone might be is really cool.

◧◩
2. drnick+ab[view] [source] 2026-01-11 22:25:31
>>simonw+g6
I'd rather expose a Wireguard port and control my keys than introduce a third party like Tailscale.

I am not sure why people are so afraid of exposing ports. I have dozens of ports open on my server including SMTP, IMAP(S), HTTP(S), various game servers and don't see a problem with that. I can't rule out a vulnerability somewhere but services are containerized and/or run as separate UNIX users. It's the way the Internet is meant to work.

◧◩◪
3. Schema+Em[view] [source] 2026-01-11 23:37:21
>>drnick+ab
If you expose ports, literally everything you are hosting and every plugin is an attack surface. Most of this stuff is built by single hobbiest devs on the weekend. You are also exposed to any security issues you make in your configuration. My first attempt self hosting I had redis compromised because I didn't realise I had exposed it to the internet with no password.

Behind a VPN your only attack surface is the VPN which is generally very well secured.

◧◩◪◨
4. sva_+Qn[view] [source] 2026-01-11 23:45:48
>>Schema+Em
You exposed your redis publicly? Why?

Edit: This is the kind of service that you should only expose to your intranet, i.e. a network that is protected through wireguard. NEVER expose this publicly, even if you don't have admin:admin credtials.

◧◩◪◨⬒
5. Schema+jp[view] [source] 2026-01-11 23:57:14
>>sva_+Qn
I actually didn't know I had. At the time I didn't properly know how docker networking worked and I exposed redis to the host so my other containers could access it. And then since this was on a VPS with a dedicated IP, this made it exposed to the whole internet.

I now know better, but there are still a million other pitfalls to fall in to if you are not a full time system admin. So I prefer to just put it all behind a VPN and know that it's safe.

◧◩◪◨⬒⬓
6. drnick+Kt[view] [source] 2026-01-12 00:33:04
>>Schema+jp
> but there are still a million other pitfalls to fall in to if you are not a full time system admin.

Pro tip: After you configure a new service, review the output of ss -tulpn. This will tell you what ports are open. You should know exactly what each line represents, especially those that bind on 0.0.0.0 or [::] or other public addresses.

The pitfall that you mentioned (Docker automatically punching a hole in the firewall for the services that it manages when an interface isn't specified) is discoverable this way.

◧◩◪◨⬒⬓⬔
7. jsrcou+Nw[view] [source] 2026-01-12 00:55:47
>>drnick+Kt
Thanks, didn't know about this one.
[go to top]