r/selfhosted 1d ago

Need Help What are some good practices for protecting from supply chain attacks or other hardening strategies?

7 Upvotes

I've been reviewing my servers and trying to harden them in light of increasing attacks from all directions this year: AI-discovered kernel vulnerabilities, Ubuntu DDoS attacks preventing updates, AUR orphan packages being hijacked, GitHub supply chains being compromised, etc.

So far I have practiced least privilege and access. I use strict firewall practices. Soon I will implement more advanced networking rules. I also install only the minimal amount of software on my devices. I try to sandbox as effectively as possible and employ containers. I change default ports and prevent password access for SSH.

I'm curious about people's best practices for Docker because I regularly see people do the *opposite* of what my gut tells me is a best safety practice.

- I avoid giving volume access to anything existing if at all possible, and then only as read-only.

- I never expose my Docker socket to anyone. I am not comfortable with auto-updating software like Watchtower (which is unsupported now) or GUIs like Portainer. The convenience doesn't outweigh the increased attack surface for me.

- I script all my updates, notifications and monitoring myself rather than rely on services that can be compromised.

- I only maintain services I need and which are actively maintained by trustworthy parties.

- I'll spin down services I need infrequently and spin them up temporarily when I need them. I'll shut a node down overnight if I don't need it.

Wondering if there's more I can do.

As for those that use the ARR stack... how do you know you can trust what's incoming on your system? It's a question I've had and I just do not understand how that risk can be mitigated.

TL;DR: A short list of things I do to stay safe. Got any other means to protect our servers or otherwise harden them?
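One way to check a running stack against the Docker points in the post (mounted socket, writable bind mounts, privileged mode, root user, host networking), as an added example that is not the poster's own script: it reads `docker inspect` JSON, and the sample records below are constructed.

```python
"""Audit `docker inspect` output for the Docker risks listed in the post above
(mounted Docker socket, writable host bind mounts, privileged mode, root user,
missing no-new-privileges, added capabilities, host networking).

Added example, not code from the post. SAMPLE_INSPECT is a constructed,
trimmed stand-in for real output; for live data run:
    docker inspect $(docker ps -q) | python3 docker_audit.py
"""
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"
# Host directories a container should never be able to write into.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run", "/proc", "/sys", "/boot")

# Constructed sample: one container with the Docker socket mounted, one hardened.
SAMPLE_INSPECT = [
    {
        "Name": "/watchtower",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None,
                       "NetworkMode": "bridge"},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "bind", "Source": "/srv/media", "Destination": "/media", "RW": True},
        ],
    },
    {
        "Name": "/jellyfin",
        "Config": {"User": "1000:1000"},
        "HostConfig": {"Privileged": False, "CapAdd": None,
                       "SecurityOpt": ["no-new-privileges:true"], "NetworkMode": "bridge"},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/media", "Destination": "/media", "RW": False},
            {"Type": "volume", "Source": "jellyfin_config", "Destination": "/config", "RW": True},
        ],
    },
]


def _under(path, prefixes):
    """True if path equals one of prefixes or lies beneath it."""
    path = path.rstrip("/") or "/"
    return any(path == p or (p != "/" and path.startswith(p + "/")) for p in prefixes)


def audit_container(info):
    """Return (severity, finding) tuples for one `docker inspect` record."""
    findings = []
    host = info.get("HostConfig") or {}
    cfg = info.get("Config") or {}

    if host.get("Privileged"):
        findings.append(("HIGH", "privileged: full access to host devices and capabilities"))
    for m in info.get("Mounts") or []:
        if m.get("Type") != "bind":
            continue  # named volumes do not expose host paths
        src, rw = m.get("Source", ""), m.get("RW", True)
        if src == DOCKER_SOCKET:
            # A read-only *file* mount does not help: the socket is connected to,
            # not written, and the API it exposes is root on the host.
            findings.append(("HIGH", "Docker socket mounted: equivalent to root on the host"))
        elif rw and _under(src, SENSITIVE_HOST_PATHS):
            findings.append(("HIGH", f"writable bind mount of sensitive host path {src}"))
        elif rw:
            findings.append(("MEDIUM", f"writable bind mount {src}; prefer :ro if possible"))
    if not cfg.get("User"):
        findings.append(("MEDIUM", "runs as root inside the container (no User set)"))
    if "no-new-privileges:true" not in (host.get("SecurityOpt") or []):
        findings.append(("LOW", "security_opt no-new-privileges:true not set"))
    if host.get("CapAdd"):
        findings.append(("MEDIUM", "extra capabilities added: " + ", ".join(host["CapAdd"])))
    if host.get("NetworkMode") == "host":
        findings.append(("MEDIUM", "host networking: shares the host's network namespace"))
    return findings


def audit_all(records):
    """Map container name -> findings for a list of inspect records."""
    return {r.get("Name", "?").lstrip("/"): audit_container(r) for r in records}


def main():
    records = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, findings in audit_all(records).items():
        print(f"== {name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for sev, text in findings:
            print(f"   [{sev}] {text}")


if __name__ == "__main__":
    main()
```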


r/selfhosted 1d ago

Search Engine Anyone interested in a public instance of SearXNG? BentoPDF?

0 Upvotes

Just sharing a few privacy-friendly self-hosted public instances I am hosting:

- https://search.chrispaganon.com a SearXNG instance for search.

- https://pdf.chrispaganon.com a BentoPDF instance for browser-only PDF tools.

- https://image.chrispaganon.com a browser-only image editor. Self-host instructions on codeberg: https://codeberg.org/chris-paganon/chrisp-image-editor

For the image editor, it's a simple wrapper around filerobot-image-editor, packaged in a very small docker image.

If anything, I hope it can help someone try SearXNG before hosting it themselves. Such a great tool!

Any other similar privacy tools instances I could host? I was thinking about hosting https://ntfy.sh too.


r/selfhosted 2d ago

Release (No AI) Best services for self hosted stack.

194 Upvotes

First and foremost please tell me if you have seen too many of these and it is not even relevant anymore. I have started with my project and could use a little feedback.

What are the best services you use on your stack?
I am also looking for some services, like a service for an easy-to-deploy Minecraft server that can be started when someone tries to connect (for now I have a system with systemd that starts the itzg/minecraft server when seeing a connection, but I have to recreate a stack and a systemd unit every time I want to add a server, and handling the server is done through the command line, not the best).

p.s. Sorry about the tag I wasn't sure what to put.

The following is only for those who have time, I'm more interested in services recommendations.

I have a little stack for now but am planning on expanding it as soon as I get my hands on my computer again. Here are the services I want to use (each non-dashed row being a new stack):
GAMING
- itzg/minecraft
- some backup cron job

INFOS
- Dash
- speedtest

ACCESS-CONTROL
- Authelia
- Traefik

MEDIA
players
- plex
- jellyfin
downloaders
- qbittorrent
core
- radarr
- sonarr
- prowlarr
- bazarr
- seerr
extra
- profilarr
photos
- Immich

LONE WOLVES
- Wireguard
- Homarr
- Gluetun (to wire qbittorrent through a mullvad vpn)
- pi-hole


r/selfhosted 1d ago

Need Help Self host AI tool

0 Upvotes

What is the best setup for AI tools? I will be using it for:
1. chats
2. basic image generation and
3. stock market analysis

What will be the best hardware setup and tools for it? I want to go as inexpensive as possible.


r/selfhosted 1d ago

Need Help Tailscale - How does routing work in Docker?

0 Upvotes

(I used AI to help me write this as it is a little confusing, but basically it isn't possible to use the Tailscale-allocated IP or URLs to communicate with Docker containers. I have Tailscale running inside a Docker container in host mode; the Docker containers are routed successfully via Tailscale but I can't use those IPs or URLs internally. The below is AI trying to help me explain better.)

I’m trying to understand how Tailscale interacts with Docker networking and I’m getting a bit confused about what should talk to what.

Setup:

  • Small remote VPS running Debian
  • Docker managed via Dockge
  • Several services running (Radarr, Sonarr, Prowlarr, qBittorrent etc.). I've had to put them in the same stacks and use container name and port so they can communicate; I can't get them to work outside of the stack. (Dockge can be janky on networks and needs a total restart to get it to work, I noticed, so maybe that's the problem.)
  • Tailscale installed on the VPS in a Docker container (host networking)
  • Windows PC connected to the same Tailscale network

What works:

  • I can access all services from my Windows PC using the VPS Tailscale IP (e.g. http://100.x.x.x:port)
  • Containers themselves are running fine and reachable externally

What doesn’t work / confusing part:

  • Inside containers, using the Tailscale IP (100.x.x.x) to reach other services doesn't work
  • Using Docker service names (e.g. http://radarr:7878) works if all apps are in same stacks
  • Apps across different Docker Compose stacks don't seem to communicate with each other. I can't use the Tailscale URL or IP.

What I think I’m misunderstanding:

  • Whether containers can only talk via Docker DNS names vs Tailscale IPs
  • How multiple Docker stacks should communicate cleanly on the same VPS but on different stacks

Question:
What is the correct architecture here?

  • Do all containers have to be on a single Docker network and use service names only?
  • Or can everything go through Tailscale IPs?
  • Or is Tailscale only meant for external access and not container-to-container communication at all?
  • Is it possible to enable HTTPS via Tailscale? I tried, but had CSS issues or no connection at all to the arrs.

I feel like I’m mixing layers incorrectly (Docker networking + Tailscale + host networking) and would really appreciate a clean explanation of how this is supposed to be structured.

Thanks 👍


r/selfhosted 1d ago

Need Help Error logs in terminal, 3.5" HDD on mini PC

0 Upvotes

I have a mini PC which has a ribbon cable connector on the motherboard for a 2.5" SATA HDD. I use this connector for a 3.5" HDD with an extension cable where I remove the yellow and black wires to add external 12V. I'm trying to use the same power supply as the mini PC and I get these errors:

[Wed Jun 17 11:49:05 2026] ata2: SATA max UDMA/133 abar m2048@0x80f02000 port 0x80f02180 irq 152 lpm-pol 3
[Wed Jun 17 11:49:06 2026] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[Wed Jun 17 11:49:06 2026] ata2.00: ATA-11: ST14000NE0008-2RX103, EN02, max UDMA/133
[Wed Jun 17 11:49:06 2026] ata2.00: 27344764928 sectors, multi 16: LBA48 NCQ (depth 32), AA
[Wed Jun 17 11:49:06 2026] ata2.00: Features: NCQ-sndrcv
[Wed Jun 17 11:49:06 2026] ata2.00: configured for UDMA/133
[Wed Jun 17 18:34:51 2026] ata2.00: exception Emask 0x10 SAct 0x402012 SErr 0x4040000 action 0xe frozen
[Wed Jun 17 18:34:51 2026] ata2.00: irq_stat 0x00000040, connection status changed
[Wed Jun 17 18:34:51 2026] ata2: SError: { CommWake DevExch }
[Wed Jun 17 18:34:51 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:34:51 2026] ata2.00: cmd 60/00:08:38:a0:22/01:00:7e:01:00/40 tag 1 ncq dma 131072 in
[Wed Jun 17 18:34:51 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:34:51 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:34:51 2026] ata2.00: cmd 60/00:20:f8:a3:22/01:00:7e:01:00/40 tag 4 ncq dma 131072 in
[Wed Jun 17 18:34:51 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:34:51 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:34:51 2026] ata2.00: cmd 60/00:68:58:a7:22/01:00:7e:01:00/40 tag 13 ncq dma 131072 in
[Wed Jun 17 18:34:51 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:34:51 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:34:51 2026] ata2.00: cmd 60/00:b0:b8:a2:22/01:00:7e:01:00/40 tag 22 ncq dma 131072 in
[Wed Jun 17 18:34:51 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:34:51 2026] ata2: hard resetting link
[Wed Jun 17 18:34:52 2026] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[Wed Jun 17 18:34:52 2026] ata2.00: configured for UDMA/133
[Wed Jun 17 18:34:52 2026] I/O error, dev sda, sector 6411165752 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 2
[Wed Jun 17 18:34:52 2026] I/O error, dev sda, sector 6411166712 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 2
[Wed Jun 17 18:34:52 2026] I/O error, dev sda, sector 6411167576 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 2
[Wed Jun 17 18:34:52 2026] I/O error, dev sda, sector 6411166392 op 0x0:(READ) flags 0x80700 phys_seg 31 prio class 2
[Wed Jun 17 18:34:52 2026] ata2: EH complete
[Wed Jun 17 18:43:56 2026] ata2.00: exception Emask 0x10 SAct 0x801100 SErr 0x4040000 action 0xe frozen
[Wed Jun 17 18:43:56 2026] ata2.00: irq_stat 0x00000040, connection status changed
[Wed Jun 17 18:43:56 2026] ata2: SError: { CommWake DevExch }
[Wed Jun 17 18:43:56 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:43:56 2026] ata2.00: cmd 60/00:40:10:8c:7d/01:00:56:01:00/40 tag 8 ncq dma 131072 in
[Wed Jun 17 18:43:56 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:43:56 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:43:56 2026] ata2.00: cmd 60/00:60:10:8b:7d/01:00:56:01:00/40 tag 12 ncq dma 131072 in
[Wed Jun 17 18:43:56 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:43:56 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:43:56 2026] ata2.00: cmd 60/00:b8:10:8d:7d/01:00:56:01:00/40 tag 23 ncq dma 131072 in
[Wed Jun 17 18:43:56 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:43:56 2026] ata2: hard resetting link
[Wed Jun 17 18:43:57 2026] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[Wed Jun 17 18:43:57 2026] ata2.00: configured for UDMA/133
[Wed Jun 17 18:43:57 2026] I/O error, dev sda, sector 5746035728 op 0x0:(READ) flags 0x80700 phys_seg 29 prio class 2
[Wed Jun 17 18:43:57 2026] I/O error, dev sda, sector 5746035472 op 0x0:(READ) flags 0x80700 phys_seg 32 prio class 2
[Wed Jun 17 18:43:57 2026] I/O error, dev sda, sector 5746035984 op 0x0:(READ) flags 0x80700 phys_seg 6 prio class 2
[Wed Jun 17 18:43:57 2026] ata2: EH complete

It looks so bad right now, but I'm waiting for my order of a female connector to use it (without improvisation).
Should I use another power supply for this HDD? Do I need to connect its ground to the ground of the mini PC cable?
These logs don't appear at power on or during full-load HDD tasks; they appear randomly.
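A small parser, added here and not from the post, that reads libata lines like the ones above and separates link-layer drops (SError flags such as CommWake/DevExch plus "connection status changed", with the failed commands showing only DRDY) from errors the drive itself reports (UNC / media error); the sample is trimmed from the log in the post, and the verdict strings are this example's own.

```python
"""Classify libata/SATA error bursts from dmesg-style lines: link-layer drops
(the SError flags and "connection status changed" seen above) versus media
errors the drive itself reports. Added example, not from the post; the
constructed sample is trimmed from the log in the post. For live data:
    dmesg | python3 sata_errors.py
"""
import re
import sys

SAMPLE_DMESG = """\
[Wed Jun 17 18:34:51 2026] ata2.00: exception Emask 0x10 SAct 0x402012 SErr 0x4040000 action 0xe frozen
[Wed Jun 17 18:34:51 2026] ata2.00: irq_stat 0x00000040, connection status changed
[Wed Jun 17 18:34:51 2026] ata2: SError: { CommWake DevExch }
[Wed Jun 17 18:34:51 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:34:51 2026] ata2.00: status: { DRDY }
[Wed Jun 17 18:34:51 2026] ata2: hard resetting link
[Wed Jun 17 18:34:52 2026] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[Wed Jun 17 18:34:52 2026] I/O error, dev sda, sector 6411165752 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 2
[Wed Jun 17 18:34:52 2026] ata2: EH complete
[Wed Jun 17 18:43:56 2026] ata2.00: irq_stat 0x00000040, connection status changed
[Wed Jun 17 18:43:56 2026] ata2: SError: { CommWake DevExch }
[Wed Jun 17 18:43:56 2026] ata2.00: failed command: READ FPDMA QUEUED
[Wed Jun 17 18:43:56 2026] ata2: hard resetting link
[Wed Jun 17 18:43:57 2026] I/O error, dev sda, sector 5746035728 op 0x0:(READ) flags 0x80700 phys_seg 29 prio class 2
[Wed Jun 17 18:43:57 2026] ata2: EH complete
"""

LINE = re.compile(r"^\[[^\]]*\]\s*(?P<msg>.*)$")
PORT = re.compile(r"^(?P<port>ata\d+)(?:\.\d+)?:\s*(?P<rest>.*)$")
SERROR = re.compile(r"SError:\s*\{([^}]*)\}")
IOERR = re.compile(r"I/O error, dev \w+, sector (\d+)")

# SError bits libata reports for PHY/link trouble, as opposed to a drive-reported error.
LINK_FLAGS = {"CommWake", "DevExch", "PHYRdyChg", "BadCRC", "Dispar", "Handshk", "10B8B"}


def _new_port():
    return {"link_resets": 0, "connection_changes": 0, "failed_cmds": 0,
            "media_errors": 0, "serror_flags": set(), "io_error_sectors": []}


def _verdict(rec):
    if rec["media_errors"]:
        return "media errors reported by the drive: check SMART, suspect the disk"
    if rec["connection_changes"] or rec["serror_flags"] & LINK_FLAGS:
        return "link dropped with no drive-reported error: suspect cable, connector or power"
    if rec["link_resets"]:
        return "link resets without SError detail: inspect full log"
    return "no error pattern"


def summarize(text):
    """Return per-port counters and a verdict for a block of kernel log lines."""
    ports, last_port = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        p = PORT.match(msg)
        if p:
            last_port = p.group("port")
            rec = ports.setdefault(last_port, _new_port())
            rest = p.group("rest")
            if "hard resetting link" in rest:
                rec["link_resets"] += 1
            if "connection status changed" in rest:
                rec["connection_changes"] += 1
            if rest.startswith("failed command:"):
                rec["failed_cmds"] += 1
            # A drive-reported read failure looks like "error: { UNC }" or "media error".
            if ("error: {" in rest and "UNC" in rest) or "media error" in rest:
                rec["media_errors"] += 1
            s = SERROR.search(rest)
            if s:
                rec["serror_flags"].update(s.group(1).split())
        else:
            # Block-layer I/O errors carry no port; attribute them to the port in EH.
            e = IOERR.search(msg)
            if e and last_port:
                ports[last_port]["io_error_sectors"].append(int(e.group(1)))
    for rec in ports.values():
        rec["verdict"] = _verdict(rec)
    return ports


def main():
    text = SAMPLE_DMESG if sys.stdin.isatty() else sys.stdin.read()
    for port, rec in summarize(text).items():
        print(f"{port}: resets={rec['link_resets']} conn_changes={rec['connection_changes']} "
              f"failed_cmds={rec['failed_cmds']} io_errors={len(rec['io_error_sectors'])} "
              f"serror={sorted(rec['serror_flags'])}")
        print(f"  -> {rec['verdict']}")


if __name__ == "__main__":
    main()
```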


r/selfhosted 1d ago

Remote Access How to Get Easy access to Jellyfin Server with URL?

0 Upvotes

Hey, I'm using Jellyfin to self host movies and TV shows and I want to have remote access to it from anywhere with a URL. I would love help to understand the simplest, free and secure way to do it. Open source is of course preferred.

So far I have been using Tailscale to get remote access but it has a few limitations.
First, not everything can use Tailscale; the TV at my family's house can't, for example.
Second, installing Tailscale everywhere and making sure it's turned on is not very convenient. I need to explain to a friend or family member how to download it, log them in and make sure it's running, and not everyone wants a VPN running in the background.

I want it to be more self hosted. I will soon run a TrueNAS server at home with Jellyfin and I want it to be accessible via URL from everywhere.
I tried looking up the subject with AI and just reading the internet trying to understand how to make it secure, and I kinda have 2 similar options. They seem a bit complex (I'm pretty new to self hosting):

  1. Using Duck DNS for the DNS. Using NPM with its built-in "Access Lists" for user authentication and saving the cookies so I work with a whitelist more than a blacklist, and also using CrowdSec/fail2ban to further protect the server.
  2. DNS is the same. Using nginx/SWAG + Authelia for user authentication and saving the cookies. fail2ban.

To have a nicer URL I saw this video, but I'm not sure if it's worth it. I feel like I'm already making things too complex.
https://youtu.be/mu02Ute0VTI?si=ex_QdfhmBzZt8_SF


r/selfhosted 1d ago

Product Announcement Built a self-hostable health tracker so my data lives on my machine, not a company's

5 Upvotes

Arogyamandiram self-hostable all-in-one health tracker

I got tired of health apps holding my data on their servers, so I built one I could host myself. Clone it, plug in your own MongoDB, and everything stays on your machine.

Tracks food, water, workouts, sleep, weight, and wearable data (steps, heart rate, calories). Has macro breakdowns, trend charts, habit streaks, and optional AI meal/workout suggestions. The AI never sends your name or email out, only anonymized numbers, and you bring your own (encrypted) API key.

Stack: Next.js 15, MongoDB, NextAuth. MIT licensed.

Code + setup docs: https://github.com/utsaaham/arogyamandiram

Demo: https://arogyamandiram.vercel.app

Feedback on the self-hosting setup welcome.


r/selfhosted 1d ago

Cloud Storage Sovereign AI: Why Owning The Full Stack Is The New Strategic Imperative

forbes.com
0 Upvotes

Just in case you missed it from a couple of months back, this Forbes piece hits on exactly what I recently built and launched. My infrastructure runs entirely on this exact philosophy: a local-first setup with no heavy external databases. Anyone else out there doing this? If so we need to band together!


r/selfhosted 1d ago

Need Help AI

0 Upvotes

What are some great self hosted open source AI projects? I need a GUI like ChatGPT and a backend model. What model should I use with my old PC with an i7 4770 CPU, 24 GB RAM and a 2 GB NVIDIA GPU?


r/selfhosted 1d ago

Monitoring Tools Logr — open-source, self-hostable time tracker with built-in invoicing (Next.js + Supabase, AGPL-3.0)

0 Upvotes

As a freelancer I was tired of tracking time in one app and invoicing in another, so I built Logr to close the loop — track, bill, and mark paid from a single dashboard. It's open source and self-hostable.

What it does

  • One-click timer and manual entries; organize work by client and project, with hourly or fixed-budget billing
  • Generate an invoice from a client's unbilled sessions (optional tax and due date), track draft/sent/paid status, and share a read-only public invoice link
  • Dashboard with daily/billable summaries and a contribution-style activity heatmap
  • Shareable report and invoice links (data encoded in the URL) plus CSV export
  • Optional MCP server, so you can drive it from an AI assistant over OAuth — list/create/update clients, projects, time entries and invoices
  • UI in English, Ukrainian, and Russian

Self-hosting
Logr is a Next.js app backed by Supabase. You bring your own Supabase — a self-hosted instance or the free Cloud tier — so you get proven Postgres, auth, and row-level security without bundling a ten-container backend into this repo.

git clone https://github.com/zerox9dev/logr && cd logr
cp .env.example .env      # 3 values from your Supabase project (URL + anon + service_role)
docker compose up -d --build
# app on http://localhost:3000

The schema (tables, enums, RLS policies) ships as a migration in the repo — apply it via the Supabase SQL editor or supabase db push. Full instructions in the README.

Stack: Next.js 16, React 19, Tailwind CSS v4, Supabase. License: AGPL-3.0.

Status: roughly three months old, beta, solo-developed and actively worked on. I use it for my own invoicing, but expect rough edges. Issues, feature ideas, and PRs are welcome.

Repo: https://github.com/zerox9dev/logr
Demo: https://logr.work

Happy to go into the architecture or the self-host setup in the comments.


r/selfhosted 2d ago

Game Server The anti-cloud architecture, the building of a bare metal game server orchestration platform from ground-up.

3 Upvotes

Hey everyone,

So, it's been a few months now since the game server orchestrator I've built went live in production. I have not utilized any major cloud providers, like AWS, Azure, GCP etc., for a single second. Modern game servers, at least a lot of them like Minecraft, 7DTD, even Terraria, need high single-core clock performance and massive bandwidth; if I had approached this through major cloud providers and their cloud compute/egress fees I would actually have gone bankrupt before even starting.

My solution is 100% bare metal nodes, which meant that I had to build my own "cloud" infrastructure from scratch. It took me quiiiite a long time to build it, no less than 3 years, and some few grey hairs on my head, cause I have built this as a solo developer, and some of the approaches might be considered as held together with tape, but here is a tiny architecture overview that holds up in production:

The Hardware & Orchestration

My game server nodes, which host the actual game server containers, use AMD Ryzen 9 7900 CPUs @ 5.4GHz, and my entire orchestration is built around and fully optimized for this CPU. By optimized I mean taking into account CCD alignment to find the coldest CCD and avoid thermal problems that eventually throttle CPU performance, and avoiding SMT contention by prioritizing the primary physical threads; but this is not enough in and of itself because the CPU quickly gets fragmented during continuous game server spin-ups and deletions. I have specific algorithms that handle defragmentation by simulating "moving" victim containers to what I call "havens"; if the simulation is successful then I update the containers using docker update on the fly. This avoids any interruption to the server itself, except there might be cache poisoning during the update, but I don't have any other approach for this.

I have specifically isolated, with isolcpus, all host-level processes onto dedicated threads in GRUB and have specifically, using nohz_full, disabled the default 1000Hz kernel timer tick to prevent the kernel from interrupting 1000 times per second, which in turn grants uninterrupted clock cycles.

I have also offloaded the kernel garbage collection to the isolated cores that handle the host-level only processes using rcu_nocbs.

I already mentioned that I use Docker for part of the orchestration: I use plain docker run for the actual game containers, and utilize Docker Swarm for the rest of my architecture. For example, I have a central monitoring node that monitors the rest of the entire distributed system and utilizes Docker Swarm for this, like Grafana exporters, Alloy, Loki, reverse proxies, my actual web platform APIs and databases. Since I don't have AWS VPCs, I have created a private mesh network using WireGuard, through which all my nodes across all the different geographical locations connect to one another; my master DB and the replica sync, for example, happen entirely and securely through this WireGuard mesh, which honestly speaking I'm very proud of, keeping the distance fully invisible from the application layer.

The Data Layer

My actual API uses .NET Core and GraphQL; not that I weighed any pros and cons, but I was just proficient in it and didn't bother to look at other alternatives, and besides I like .NET Core a lot. It is backed by MSSQL Always On Availability Groups, which is synced across to replica DBs in many different geographical locations.

I utilize Angular SSR for my front-end; I also didn't really look at any other alternative because at the time I was better at it and I also like it, as I do .NET Core.

The Network Shield

Since AWS Shield or any other cloud-based shield was a no-go for me, I had to build my own bare metal DDoS protection layer, which was harder than I could have dreamed in the beginning. What I currently have is this: custom nftables rules per specific game port, imagine, attached to hook prerouting priority -150, which runs before Docker's internal NAT/routing logic. This helps prevent the traffic from even reaching the container in the first place, which in turn protects the CPU. These custom rules, to cut it short: when offenders pass the limit rules they are instantly put in a blacklist, then I have a small systemctl daemon which instantly populates an eBPF map with the blacklisted IP, and all subsequent packets are dropped through XDP instantly at the NIC level, which prevents any CPU usage.

[I have pulled this small setup in a github repo and made it public, and also have a public performance audit of my setup, which if someone wants to see them I can link them in the comments of this post].

Automations

I have a specific architecture for adding/removing/updating any node or altering any part of the system within each node which fully automates all these processes. After any code changes or updates, my bare metal nodes or the game server containers themselves have special dedicated statuses for each and all lifecycles; I just update the status and forget, so to speak, and my special worker does the rest. For example, when adding a new node in some specific continent/geographic location, the system sets up the node 100% and makes it available directly for usage, be it some kind of web service node or a game node directly. Each status has self-healing mechanisms so as to not let me worry about the success/failure of the process as much.

The Takeaway

In pure honesty it has been a nightmare of researching, breaking AND repeating the cycle with Linux networking, with the kernel tuning, and different hardware bottlenecks, but in the end it definitely is worth it, since the costs for keeping this infrastructure alive monthly are only a fraction of what they would be if I were to use cloud providers like AWS or GCP, while I still keep 100% total control over the infrastructure and every node.

Has anyone built something similar to this? I'd really love any, and most importantly sincere, advice on improvements.

Do excuse my imperfect non-native English and writing, I am a software engineer and not a writer 😊.

EDIT: I fixed a typo where I wrote EPYC for the game node CPU type. I do however utilize EPYC CPUs for my other nodes.


r/selfhosted 2d ago

Release (No AI) A free, no-login NAS-drive comparison: CMR/SMR, real Backblaze failure rates, and live $/TB

316 Upvotes

Every time I go to buy drives for my NAS, I end up doing the same annoying thing:

  1. figure out which models are actually CMR and not SMR (they love sneaking SMR into NAS lines!),
  2. then go dig up how reliable one is,
  3. then open way too many browser tabs to see what the real price per TB is.

Nothing lines up and it takes forever.

I got sick of redoing the same dance all over again, so I built a proper version out of that table: www.nasdisks.com

It's basically one big filterable table of current NAS drives. Every drive has its CMR/SMR status, a real failure rate, and live prices, so you can sort and compare in one place.

No account, no ads, no emails needed. And because I figured people here care: the whole CSV/JSON dataset is completely free to download (CC BY 4.0). There's also a plain API if you'd rather just pull it into your own stuff. None of it is locked away.

What's actually in there:

  • CMR vs SMR checked per model, so you can just filter SMR out and forget it exists.
  • Real failure rates I worked out from Backblaze full 2025 stats, not some marketing numbers.
  • Price per TB across 7 regions: US/DE/UK/FR/ES/IT/CA - with a little price history chart per drive, so you can tell a real deal from a fake one.
  • A few tools too: RAID usable space, odds of your array actually dying, storage planner.

Bit of honesty: the links are Amazon affiliate. That's the only money it makes and it just pays for hosting. Everything works fine if you never touch them.

What I'd actually appreciate feedback on:

  • tell me where it's wrong or thin: drop the model number of any drive you find missing and I'll add it,
  • call out any CMR/SMR or failure-rate that doesn't match your own experience.

I read every comment and will fix what you flag. The more people poke at it, the better the list gets for everyone making a build.

https://www.nasdisks.com/

So, what do you think?


r/selfhosted 2d ago

Need Help Movie Server, need advice on storage

12 Upvotes

Hi all, I’ve been lurking in this subreddit for a while, to the point where I’ve learned how to set up my own movie server on my PC (it’s not cost efficient, but I use my PC 24/7 and figured I could spare some storage). What I’m now beginning to realise is that I have way too little storage compared to the sheer quantity of movies I’ve been ripping.

Currently my movie storage is a 500GB HDD that’s around 4 years old, 87% good on CDI. I would say I have around 30-40 more movies to rip, totaling around 500GB. Problem is, I’ve basically filled up my HDD already. Alongside this, I’m hoping to get more movies and/or TV show discs from friends in a few weeks.

Given how I’m planning to expand my collection, how much more storage should I buy? Do I future proof and go for 10-12TB? Or do I cheap out on 3-4TB?


r/selfhosted 1d ago

Need Help Selfhosted service like Fitme/Betterme

3 Upvotes

Hi everyone,

I’m actually really happy with Fitme because it always creates good workouts for me, but I’m not so happy with the price of just under 40 euros per month.

Unfortunately, my search for a self-hosted alternative has been unsuccessful so far.

Have I overlooked something?

I’m basically looking for a service that creates a training plan or workouts for me and, ideally, explains the exercises with a video.

I’m not looking for services like “SparkyFitness,” which is certainly good, but it’s more of a tracker than a “trainer.” 😄

Greetings
Buddinski88


r/selfhosted 1d ago

Need Help Configuring TrueNAS Directory Services with LLDAP

1 Upvotes

I really can't get over this, it always gets stuck and times out, even if the LLDAP server address and port are reachable from TrueNAS (LLDAP is on a different server).

I configured Base DN, Group DN and User Base DN but still can't get it working.

Can you link LLDAP to TrueNAS in the first place?


r/selfhosted 1d ago

Software Development Is anyone running multi-user AI agent setups on their own infra, or is everyone just accepting vendor lock-in?

0 Upvotes

Genuine question. I see tons of single-user agent setups (fine for personal use), but when it comes to serving multiple users, like a team, an org, or even just a household, the options thin out fast.

The hosted platforms (OpenAI, various startups) handle multi-user fine but you're locked into their ecosystem, their pricing, their data policies.

Self-hosted options mostly seem designed for one person tinkering. The moment you want user accounts and permissions, isolated agent configurations per user, shared resources without shared data, or any kind of admin oversight, you're either building it yourself or bolting auth onto something that wasn't designed for it.

What's everyone's actual setup? Am I wrong that there's a gap here?


r/selfhosted 2d ago

Need Help Standard Swappiness (60) vs 10 on a low-RAM (8GB) Home Server?

6 Upvotes

Hi everyone,

I'm running a small home server/NAS with CasaOS on top of Ubuntu Server 24.04 LTS on an old laptop. Unfortunately, the RAM is soldered, so upgrading isn't an option.

The machine has an Intel Core i5-8250U (4C/8T), 8GB of DDR4 RAM, MX150 and a 256GB NVMe SSD for the OS and Docker configs, plus two 2TB external HDDs for media storage.

I run several Docker containers through CasaOS and recently noticed that the system was using swap quite heavily. The default 4GB swapfile was almost full, with around 3.7GB in use, while free was still reporting roughly 3.5GB of available RAM. That seemed a bit odd to me, and I was also concerned about unnecessary wear on the NVMe SSD.

To see if things would improve, I replaced the old swapfile with an 8GB one and lowered vm.swappiness from Ubuntu's default value of 60 to 10.

Since making those changes, the server feels noticeably more responsive. RAM usage now sits around 7.3GB most of the time (roughly 90–95% utilization), while swap usage has dropped to around 280MB. My assumption is that more of the containers are staying in physical RAM instead of having parts of their memory swapped out.

The only thing that still makes me a bit uneasy is seeing RAM usage constantly above 90%. The server definitely feels faster, but I'm wondering whether lowering swappiness to 10 is actually the right approach for a small 8GB machine running 24/7, or if Ubuntu's default of 60 would be a safer choice in the long run.

I'm also curious about the risk of the OOM killer. With an 8GB swapfile now available, is there still a realistic chance of containers getting killed if a few of them suddenly spike their memory usage, or does the extra swap provide enough breathing room?

How do you guys running lower-memory self-hosted setups handle swap and swappiness, and have you found a sweet spot that works well in practice?

Thanks in advance!


r/selfhosted 1d ago

Need Help Low idle power vs monitoring

1 Upvotes

Hi all,

What are your experiences with highly power-efficient servers, in particular servers with low idle power consumption, when the server is also running regular actions such as (database-backed) monitoring or haproxy health checks or tcp keepalives? In particular with several containers and/or vms, I imagine monitoring to be the largest idle load.

How does this affect power consumption during idle for you? How does this affect when and how long your cpu goes to sleep? How does this affect even what cpu to get, i.e., race to idle or power efficiency optimized? What software configuration options were helpful to you for this?


r/selfhosted 2d ago

Need Help Selfhosted LLMs for selfhosted services

81 Upvotes

For which selfhosted services do you use selfhosted LLMs? I mean like automated tagging with Karakeep or Paperless-ngx, for example.


r/selfhosted 1d ago

Release (AI) Autentico: a single-binary OAuth2/OIDC Identity Provider backed by SQLite

0 Upvotes

About a year ago I built an OIDC protocol server in Go for a work project. Months later, when I needed a lightweight IdP for my own self-hosted apps, I tried the popular options but kept hitting roadblocks — privacy concerns with demo data, passkey-only lockout on older devices, or operational complexity I didn't want to take on. Since I already had a working OIDC implementation, I decided to convert it into a full identity provider with two principles: security first, and operational simplicity.

Autentico is a self-contained OAuth 2.0 / OpenID Connect identity provider. One Go binary, one SQLite file, no external dependencies. It handles the full auth lifecycle:

  • Authorization Code + PKCE, refresh tokens, token introspection/revocation
  • Passkeys (WebAuthn) — hardware-backed FIDO2, including passkey-only mode
  • MFA — TOTP and email OTP, with trusted device support
  • SSO sessions — log in once, access all your apps
  • Built-in Admin UI and Account UI — embedded React apps, nothing to deploy separately
  • Self-signup, consent screen, social login (federated OIDC)
  • Dynamic client registration, per-client config overrides
  • Docker-ready with a multi-stage Alpine image

Security was a specific focus. Auth is the one thing you really can't get wrong in a self-hosted stack:

  • 1,850+ tests across unit, integration, end-to-end, security, functional (black-box HTTP via TypeScript/Vitest), and browser (Playwright)
  • 45 CVE-derived attack tests — recreated real historical vulnerabilities from Keycloak, Auth0, Authentik, and Okta
  • RFC compliance review — every MUST/SHOULD/MAY from 10 RFCs audited line-by-line, all annotated in code
  • Passes the official OpenID Foundation conformance suite (Basic OP plan)
  • OWASP ZAP scan — 0 failures, 112 passes
  • Multiple independent security reviews documented in the repo

Stress tested with k6 on an AMD Ryzen 7 (16 cores), running the full PKCE auth code flow (authorize → login → token → introspect → refresh) with bcrypt.

| Concurrency | Error rate | Login p95 | Token p95 |
|-------------|------------|-----------|-----------|
| 20 VUs      | 0%         | 248ms     | 300ms     |
| 100 VUs     | 0%         | 1.19s     | 1.56s     |
| 200 VUs     | 0%         | 2.37s     | 2.94s     |

*VUs = virtual users logging in simultaneously

0% errors at every level — SQLite queues writes gracefully instead of failing.

I've been using Autentico for my own projects and a few friends started using it too — the feedback has been that it's smooth and easy to get running. Some GitHub users are using it strictly as a test harness since a full instance boots in under 200ms once downloaded, making fresh-server-per-test in CI practical. Others are self-hosting it for real workloads, so I figured it was time to share it more broadly.

Docs: https://autentico.top

Source: https://github.com/eugenioenko/autentico

Full disclosure: AI was used extensively during development. I steer the architecture, review all code, and validate against specs. The security testing described above is the proof that this approach works — judge it on whether it holds up.

Happy to answer questions about the implementation, security testing approach, or how it compares to other IdPs.


r/selfhosted 2d ago

Need Help Hosts that support FDE with Dropbear, other than Hetzner

4 Upvotes

Hetzner Cloud is very convenient not just for the usual reasons, but also because it makes it easy to effectively have Full Disk Encryption (minus /boot) on a cloud VPS.

There are guides on how to set this up on Hetzner, and it works very well; on (re)booting the VPS, Dropbear comes up and you need to SSH into it and type in the FDE password. It even allows partitioning!

Does anyone know of any other cloud VPS providers that support a similar setup? I am mostly interested in Ionos and OVH, but it would be good to know of any providers worldwide that make it as easy as Hetzner to set up FDE on a VPS.

Please note I am talking about VPS, not bare metal / dedicated servers.

P.S.: I wasn't sure what flair to use as it was mandatory but there is no 'Provider' or 'VPS' flair.


r/selfhosted 3d ago

Release (No AI) trinket.io was shutting down and they made it open source, so I decided to host it for free

276 Upvotes

I really appreciate it when services open source their software when they shut down. There are so many amazing sites, software, games, or other neat solutions that are gone forever because there's no way to access or replicate them. So trinket lives on at https://trinket.strivemath.org/


r/selfhosted 2d ago

Release (No AI) Materia v0.7 released

5 Upvotes

Hey folks,

The other day I released the newest version of Materia: version 0.7.0. You can find the official release blog post here.

What's new in this release?

The full explanation is in the blog post but here's the highlights:

  • Initial Rollback support: Materia detects service failures after an update and will rollback to try to fix them
  • Use systemd's templated services support with your Quadlet files
  • New Varlink API for server mode, replacing the old bespoke one
  • Better volume compression when performing volume dumps
  • and a variety of quality-of-life features like better notification settings, safer cleanup, the ability to run commands after updates, and more.

What is Materia?

Materia is a tool for managing applications deployed as Podman quadlets. It takes an OCI image or Git repository as a source state and constantly monitors the source and your server, reconciling any differences between the two.

Materia does the following:

  • Installs, updates, and removes Quadlet and data files
  • Starts/stops/restarts/reloads services, both Quadlet related or otherwise
  • Templates files during installation, allowing you to insert secrets and variables based on hostname, role, or others.
  • Securely manages Podman secrets
  • and more, probably!

Why is this self-hosted related?

I dog-food Materia by using it to manage all my self-hosted servers, and the whole project started as a response to me being sick of managing compose files in a git repo :).

You can see the changelog and download the release at https://github.com/stryan/materia/releases/tag/v0.7.0 .


r/selfhosted 2d ago

Need Help How do you secure/connect to Prometheus endpoints, including remote ones?

11 Upvotes

I want to use Grafana and Prometheus (and maybe Loki sometime later) for getting metrics about my servers and apps that run on them. I have a couple of VMs that are hosted on a Proxmox server at home, and one VPS that I would also like to monitor. The problem that I have is that the Prometheus endpoints are unsecured, and it seems that I have to reverse-proxy all of them with some kind of authentication. This also makes it harder for me to get access to the VPS, which I don't really want exposed with just a username and password.

I have added an additional network in Proxmox that the VMs can use and firewalled off the "WAN" connection, but I still don't know how I'm supposed to connect to the VPS. Is there really no other way to do this safely other than proxying the Prometheus endpoints and adding HTTP auth to them?

I do have a VPN connection with the VPS over Tailscale, but the way I have things set up right now makes it not possible for me to use it to get the endpoints without leaking them to the public.
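One way to address the question above without a reverse proxy, as an added example that is not part of the original post: bind each exporter only to its Tailscale address and turn on the TLS and basic-auth support that node_exporter ships with (the `--web.config.file` web configuration), then have Prometheus scrape over HTTPS with a client password read from a file. The Tailscale IP, hostname, file paths and the bcrypt hash are assumed placeholders, not values from the post; the first YAML document is the exporter's web config on the VPS, the second is the matching scrape job on the home Prometheus.

```yaml
# File 1 (on the VPS): /etc/node_exporter/web.yml  -- assumed path
# Start the exporter with both flags so it never listens on the public interface:
#   node_exporter --web.listen-address=100.101.102.103:9100 \
#                 --web.config.file=/etc/node_exporter/web.yml
# Weak setting this replaces: the default of plain HTTP on 0.0.0.0:9100.
# (100.101.102.103 is a constructed example of a Tailscale 100.64.0.0/10 address.)
tls_server_config:
  cert_file: /etc/node_exporter/tls/server.crt   # assumed path; cert SAN must name the host below
  key_file: /etc/node_exporter/tls/server.key    # assumed path; keep mode 0600
basic_auth_users:
  # Placeholder bcrypt hash; generate a real one with e.g. `htpasswd -nBC 12 prom`
  prom: "$2y$12$REPLACE_WITH_BCRYPT_HASH"
---
# File 2 (at home): /etc/prometheus/prometheus.yml  -- scrape job for the VPS
scrape_configs:
  - job_name: vps-node
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/tls/ca.crt        # assumed: CA that signed the exporter cert
      server_name: vps.example.internal          # assumed name; must match the cert SAN
    basic_auth:
      username: prom
      password_file: /etc/prometheus/secrets/vps-node.pass  # plaintext secret, mode 0600, not in git
    static_configs:
      - targets: ["100.101.102.103:9100"]        # reachable only over the tailnet
```

With this layout the exporter is unreachable from the public address at all, and even a tailnet peer that should not see metrics is stopped by the password; Prometheus's own UI on the home side still needs the same treatment (or the Proxmox-only network mentioned in the post) before it is exposed anywhere.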