• 0 Posts
  • 7 Comments
Joined 1Y ago
cake
Cake day: Jul 07, 2023

help-circle
rss

You are correct. The provider owns the IP and also VPS. They theoretically have the ability to do anything within those confines. Same thing with your nameserver provider with your DNS records and the domain itself with the registrar. There’s a certain level of trust that needs to be accepted for anything that goes outside the confines of your house. The good thing is those companies have more to lose than you by breaking that level of trust.


  • Turn off password login for SSH and only allow SSH keys
  • Cloudflare tunnel
  • Configure nginx to resolve the real IPs since it will now show a bunch of Cloudflare IPs. See discussion.
  • Use Fail2ban or Crowdsec for additional security for anything that gets past Cloudflare and also monitor SSH logs.
  • Only incoming port that needs to be open now is SSH. If your provider has a web UI console for your VPS you can also close the SSH port, but that’s a bit overkill.

Ah, I know what you mean. I managed to get them both setup in docker containers on the same server, but I’ll admit getting Lemmy up was a pain. The documentation is vague on some steps, but it’s FOSS so I can’t complain.

  • Here is my pastebin with notes for my Lemmy docker compose which is modified from their example. You’ll notice it has an nginx web service. You can technically forego that and put it in your final reverse proxy. I chose not to so that it stays similar to their example.
  • For Mastodon, I am using the Linuxserver container. Their documentation is straightforward IMO, but then again I’m used to their setup.
  • With the two ports exposed for both services, you can then put it behind a reverse proxy.

Hope this helps!


Curious, what’s the reason for one in docker and one not?


You can obfuscate your location with a reverse proxy. The biggest problem with self-hosting is what can get compromised if they get access inside your network as opposed to a VPS. Keeping up to date on what is publically facing for vulnerabilities starts to become a chore.


+1 on MXRoute and lifetime plan. It has been solid for me. The unlimited domains is also icing on the cake. I haven’t even gotten close to 10 gigs but once I do I’ll just transfer all the emails with attachments locally and keep chugging along.


Setup for high availability. I have a hard time taking things down now since other people rely on my setup being on.