Comments on "CLI agents make self-hosting on a home server easier and fun"
1. chasd0+Nn 2026-01-11 23:45:39
>>websku+(OP)
What I do at home is Ubuntu on a cheap small computer I found on eBay. ufw blocks everything except 80, 443, and 22. Set up ssh to not use passwords and ensure nginx+letsencrypt doesn't run as root. Then, forward 80 and 443 from my home router to the server so it's reachable from the internet. That's about it; now I have an internet-accessible reverse proxy to surface anything running on that server. The computers on the same LAN (just my laptop, basically) have hosts file entries for the server. My registrar handles DNS for the external side (the router's public IP). Ssh'ing to the server requires a LAN IP, but that's no big deal; I'm at home whenever I'm working on it anyway.
2. dizhn+oo 2026-01-11 23:49:56
>>chasd0+Nn
Put WireGuard on that thing and don't expose anything on your public IP. Better yet, don't have a public IP. Just port forward the WireGuard port from your router. That's it. No firewall, no nothing. Not even accidental exposure.
3. drnick+Fw 2026-01-12 00:54:56
>>dizhn+oo
> Put WireGuard on that thing and don't expose anything on your public IP. Better yet, don't have a public IP.

This is nonsense. You can't self-host services meant to interact with the public (such as email, websites, Matrix servers, etc.) without a public IP, preferably one that is fixed.

4. tstrim+KF 2026-01-12 01:55:44
>>drnick+Fw
Sure you can. It’s what cloudflared and services like it are designed for.
5. drnick+MI 2026-01-12 02:15:32
>>tstrim+KF
Is it still self-hosting though?
6. dizhn+Ug2 2026-01-12 14:34:30
>>drnick+MI
Of course it is. You get to maintain all the server architecture yourself.

I don't have a need to give people public access, but if I did I would set up Authentik and proxy everything through it and hand out usernames to the people I want, for the whole thing (or per app). You would open only :443 and not worry about a thing.

As a bonus, use Caddy as forward auth, create a wildcard subdomain (Cloudflare DNS supports it), configure Caddy for wildcard domains for sub-subdomains and DNS cert verification via a Cloudflare token. This way nobody even knows your real domain names. Nothing they can see in DNS or certificate transparency logs. (This is my working theory. I haven't actually researched it too deeply, but I am doing it.) You add a new app/site in Caddy's config and everything else is completely automatic. You can even use dynamic DNS with a client or a script that uses the same Cloudflare token to update your IP.

As I said above, you don't even need to have a public IP on this machine. Better if you don't, in case something like Docker or an AI agent accidentally opens a port. (Your router already protects you, but I am talking about the case where this was on a cloud host or an ISP that gives you real IPs for each of your machines.)
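The layout dizhn describes (one wildcard certificate issued through Cloudflare's DNS challenge, Caddy forward auth in front of Authentik, one entry per app) as an added example Caddyfile; this is not configuration from the thread, nor from the Caddy or Authentik projects, though the forward-auth paths follow Authentik's documented Caddy integration. Everything named is an assumption: the zone `home.example.com`, an Authentik outpost reachable at `authentik:9000`, two apps on `localhost:8080` and `localhost:8096`, and a Cloudflare API token in the `CF_API_TOKEN` environment variable.

```caddyfile
# Added example (hypothetical names throughout). Requires Caddy built with the
# github.com/caddy-dns/cloudflare module for the `dns cloudflare` line.

# Snippet: gate an upstream behind Authentik's outpost. The outpost's own
# paths stay reachable so the login flow works; every other request is
# checked with forward_auth first and only then proxied to the app.
(protected) {
	route {
		reverse_proxy /outpost.goauthentik.io/* http://authentik:9000
		forward_auth http://authentik:9000 {
			uri /outpost.goauthentik.io/auth/caddy
			# header names are case-sensitive here; these carry the identity
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
		}
		reverse_proxy {args[0]}
	}
}

# One site block for the whole wildcard. Individual app hostnames are never
# sent to the ACME CA, so they never reach a certificate transparency log;
# only the wildcard name below does.
*.home.example.com {
	tls {
		# DNS-01 challenge via Cloudflare; the token needs DNS edit rights on
		# the zone and nothing else. No port 80 is required for issuance.
		dns cloudflare {env.CF_API_TOKEN}
	}

	@wiki host wiki.home.example.com
	handle @wiki {
		import protected localhost:8080
	}

	@media host media.home.example.com
	handle @media {
		import protected localhost:8096
	}

	# Any other name under the wildcard (typos, scanners guessing hostnames)
	# is dropped without a response, so the app list is not enumerable by
	# probing the proxy with candidate Host headers.
	handle {
		abort
	}
}
```

The wildcard entry `*.home.example.com` itself still appears in certificate transparency logs and the zone is visible in DNS; what stays hidden is the set of app names underneath it. Build the binary with `xcaddy build --with github.com/caddy-dns/cloudflare`, or the `dns cloudflare` directive will fail to load.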
