Hi,

The last google product that is use is gmail, and while searching for a solid alternative, many threads mentionned self hosting, which has been on my mind for a little while but here is what’s stopping me so far: 1/ it sounds like a single point vulnerability 2/ I lack the skills.

As for #2, I’ve been down the privacy rabbithole for a couple years now, I know there are a lot of resources out there and I’m not afraid to learn, I just don’t know where to start.

But I don’t see the point in learning if in the end, I just build a server that could die in a domestic accident, resulting in me loosing a lot of important data.

Any help or advice is greatly appreciated,

  • Em Adespoton@lemmy.ca
    link
    fedilink
    arrow-up
    31
    ·
    1 day ago

    Self-hosting works great for everything but email. Email these days requires a commercial IP for the MX unless you want to get blocked, so the closest you can get is hosting on a VPS.

    • pHr34kY@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      19 hours ago

      I have used my ISP’s email relay to avoid the IP address prejudice. A good ISP should have one.

    • dihutenosa@piefed.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 day ago

      I self-host mail from home. I don’t have reverse DNS, but I’ve set up the rest of it (SPF and stuff). It works about as well as email usually does. I needed to register my IP in Spamhaus.

  • BladeFederation@piefed.social
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    8 hours ago
    1. Yes it is. As of now, this is why I don’t use it for anything I can’t have a redundancy for, or anything I care about very much. Meaning no email (self hosted email gets blocked anyway), password manager, etc. Maybe could get away with cloud sync for an authenticator app, since the data will still be on device in most cases. But also think about it: how often has your house been flooded or destroyed by a tornado? Also it can be more a hobby to build a skill set if you work in IT or want to.

    2. Self hosting takes some doing, but I wouldn’t underestimate yourself either. If you want to figure it out you will probably be able to. Learn on something you don’t care about. I’m still using a 10 year old laptop as my server because hardware prices are stupid. You start by doing one thing at a time. Learn to do one thing specifically. Example: learn how to set up Jellyfin on Linux. Test accessing some files from your real computer or phone. Yay it works. Now learn how to SSH into the old laptop. Cool, got it. Then install a headless server in the laptop which you can SSH into. Nice. Deploy Jellyfin with docker this time and have fun with a home media server for a while. Then learn how to reverse proxy so you can access from vacation or whatever. Then learn the -arrr suite to have stuff auto download totally legal “Linux isos”. Then if this works for you have fun upgrading thr hardware maybe. Oh but then maybe you want all those huge hard drives in a RAID format. OK now I want to self host other stuff besides media. You’ll find plenty of stuff you’ll like doing, just start small.

    Another smaller starting point is hosting your own Matrix or Mastodon instance, which is universal so you’d essentially be hosting your own account profile and nothing else, with no risk of server admits being nosey.

  • ghost_laptop@lemmy.ml
    link
    fedilink
    arrow-up
    17
    ·
    1 day ago

    for e-mail specifically i’d recommend not self hosting, specially if you have never self hosted before. one thing is to self host a server that only you have access and that it doesn’t need to do calls to other servers, or only minimal ones, with email is just more complicated. self host everything else, use protonmail/tutanota or something else for email.

    • dihutenosa@piefed.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 day ago

      Oh cmon. It’s not for the faint of heart, I agree, but it’s a learnable skill and totally can be done.

      • ghost_laptop@lemmy.ml
        link
        fedilink
        arrow-up
        7
        ·
        1 day ago

        sure, but i wouldn’t tell someone who has never touched docker to start their self hosted journey with email. my personal opinion, maybe i’m a noob.

        • Em Adespoton@lemmy.ca
          link
          fedilink
          arrow-up
          5
          ·
          23 hours ago

          I started my self hosting journey with email, but I did it in 1993 when things were much simpler. IMO, email self-hosting isn’t worth it today (and if you do it, definitely set up a VPS as a relay and don’t try to MX directly from a consumer IP).

  • iByteABit@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    1 day ago

    It’s only as safe as you make it, and improving your sysadmin/security/devops skills is a requirement that never goes away imo.

    It’s perfectly fine to try it with something you don’t care that much about for starters, a baikal calendar is a nice and easy start. Expose only the ports you need for your reverse proxy (and also ssh if you don’t plan having the machine in your local network), and the rest should be secure enough for just small services for your own and your family’s usage.

    Eventually you will start learning how to backup your data with cronjobs, strengthening security a bit more, and as you go you can keep adding increasingly important services for yourself as the system becomes more reliable.

    Edit: Hardware is very expensive now, but if you have an old laptop that is just sitting collecting dust, it’s the perfect starting point for a server. It’s not ideal long term, but it’s a free way to get your feet wet and learn.

  • whatiswrongwithyou@lemmy.ml
    link
    fedilink
    arrow-up
    4
    ·
    edit-2
    22 hours ago

    You’re right, and there’s two reasons I don’t host email or password vault.

    I don’t host email because it’s out of scope and a ton of work for no real gain. Email is incredibly insecure by design. You can’t make it secure. Internalize that. Once you need to talk to someone else’s email server (to, you know, exchange mail) you throw all your security work on your server out the fucking window.

    There used to be a bsd that advertised no exploits in the default install since <some year in the 90s>. They changed that recently I think, but it was a funny joke to everyone in the know because the default install had no services enabled. It’s pretty goddamned easy to have a secure default install when you don’t turn anything on!

    The point of that digression is to show that for the security component of privacy, the best way to rest easy is to just not do certain things. You can’t cultivate a secure child left alone at home. The state of being is insecure.

    Well, what if you’re willing to accept insecurity to be away from the prying eyes of Google! Okay, from a technical perspective setting up and configuring an email server in a way that will not immediately get flagged as spam and trigger blacklisting is a much higher bar than just downloading some docker image and pushing the go button. The stakes are higher too because failure to recognize and investigate failures results in mail simply being silently undelivered by other mailers.

    So it’s more complex, heavily scrutinized and when you screw it up you silently lose the function of the server from a side you have no control over.

    What should you do for email, then? Just use some other service. Let them handle dmarc etc. how will you know they aren’t scanning your emails? You won’t. You can’t. You can’t even know that the other party has a secure and private setup. When that starts to bug you, look into pgp.

    I don’t host a password manager because of the same reason you brought up, it’s a single point of failure, what happens in a disaster?

    Well just recently I was in a disaster. There wasn’t any power to run my home server, my offsite was unpowered and swept out the door into a ditch by flooding and there wasn’t any internet to reach my cloud backups.

    Because I use a service for password management I was able to securely use all kinds of communication from public access and disaster response computers and store the credentials and secrets given to me in the process of beginning recovery (and oh boy were there a lot of em).

    From my perspective a trustworthy service is miles better than hosting for credential management.

  • Jul (they/she)@piefed.blahaj.zone
    link
    fedilink
    English
    arrow-up
    2
    ·
    22 hours ago

    It’s as safe as you make it. Read up and use configurations documented for “production environments” and you have to monitor things yourself. Try to avoid exposing anything to the internet that you don’t have to and use a secure VPN if you can. That limits the exposed attack surface quite a bit.

    Otherwise, use things like crowdsec and/or fail2ban along with ensuring your firewalls are configured to drop all ports not needed. A reverse proxy like Traefik or Caddy in front of all of your web services along with valid TLS/SSL certificates from Let’s Encrypt can help to only need port 443 open most of the time. Crowdsec or fail2ban can then be integrated into the reverse proxy as well to simplify things. It can be difficult to set up the first service, but then things start to fall into place over time.

    Also, be sure to document everything you do, so that you can reproduce it if you need to recover from a disaster as well as to make setting up new services easier.

  • warmaster@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    1 day ago

    I do:

    • Proxmox VE
    • Traefik
    • Zitadel
    • Wireguard on non standard port
    • Firewall
    • Dynamic DNS resolver

    And just host all the things and stick with what I use, which currently is:

    • Home Assistant
    • Trek
    • Airtrail
    • Jellyfin
    • RomM
    • Frigate
    • Immich
    • Linkwarden
    • File Browser Quantum
    • Homarr
    • Dawarich & Reitti (though only one will survive)
    • Stalwart & Bulwark (for internal homelab-related emails)
  • root@aussie.zone
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 day ago

    Search around for cheap VPS deals and start from there. That’s what I ended up doing. Yes, if you have the hardware available and lying around, absolutely. However, whatever I ender up hosting I wanted it to be accessible when I’m on the go. There’s always the ability to roll out tailscale or another VPN back to my home network but I rather keep the home network fully inaccessible from the outside. Just personal preference.

  • Sneezycat@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 day ago

    Well, as everything, it is safe is you do it right. If you are just starting, you could try running some services in LAN, or if you don’t have the hardware, a cheap VPS with VPN or some other tunneling. That way, you’re not exposing your data to the wider internet.

    Of course, you should keep backups of everything you deem important, and once you start feeling more comfortable, you may try opening up your services with a reverse proxy (caddy, nginx) and some authentication (authelia, authentik). You can try hosting simple things, things that expect to be open to the internet, like a game server.

    If you’re limited by your hardware, you can start planning to buy something bigger. But I don’t recommend it to just get started; you can do a lot of learning with basic hardware (and the prices are crazy right now too).

    Edit: seconded what ghost_laptop said, an e-mail server is kind of the hardest there is for self-hosting. There are solutions like mailcow, but even that is very hard to set up.

    • dihutenosa@piefed.social
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 day ago

      you can do a lot of learning with basic hardware

      So so much.

      I’m running video calls (Livekit) for ~50 users (dunno how active) through an ancient laptop that doesn’t even have USB3. Among other things - the same lappy is also doing email and TLS termination for a HLS stream.

      I’m using an old phone, a Google Pixel 3a (that’s 4 GB of RAM) as a monitoring solution (Prometheus, Grafana, AlertManager, ntfy).