[ocius]

I can recommend the Rasperry Pi for self-hosting, if you pick one of the more recent models with more RAM (3 or 4 with 4GB of RAM at least). You just need to keep in mind that the availability of your website is not quite as good as if you were hosting in a datacenter.

Regarding security: you might want to have a look at cloudflared. This is a (free for small projects) service by Cloudflare where your server (Raspberry Pi) connects to cloudflare, and all HTTP traffic is proxied through Cloudflare. This has multiple advantages:

- you don't need to open a port on your router that forwards to your Pi, which is good for security and simplicity (some routers don't even have this option)

- you get all the cloudflare protection with the click of a button, including HTTPS with automatic Cloudflare certificates, DDoS protection, etc

- you don't need DynDNS to point to your dynamically changing IP

[spansoa]

> You might want to have a look at cloudflared

I think people self-host with their ISP to get away from centralized choke-points such as Cloudflare. Unless you're fine with having Cloudflare have yet-another-datapoint.

[treesknees]

Another option is to use a VPS + nginx + a wireguard VPN.

Your home web server can establish a VPN connection to the public IP of your VPS, meaning you still don't need to worry about dynamic addresses changing or opening ports on your router. This is essentially what a Cloudflare tunnel is.

Granted a VPS isn't usually free. But some places like Oracle Cloud do offer free-tier compute, as well as fly.io.

[dusted]

That's what I do, but without a real VPN (I don't want secrets on the VPS)

http://dusted.dk/pages/aWayOut/

[treesknees]

Oh interesting, so you only drop a public key onto the VPS, and you forward TLS to the VM at home instead of terminating on the VPS. That's a neat idea.

So with your statement, "I still don't want to trust a VPS provider", is this more about having your secrets or file contents leaked? Because even in your design, if the VM is compromised, then so are your users. At some level you still have to trust that the provider isn't malicious or vulnerable.

[dusted]

Yes you are right.

If my VPS is broken, I don't lose any secrets, and it does not permit any additional access into my LAN or VPN.

For plain HTTP, of course all traffic would be easily intercepted and readable. For HTTPS, I guess an attacker might compromise the software and IP tables configuration on the VPS and run a MITM attack to decrypt it.

So yes, I am putting a bit of trust on the VPS, for my specific use-case, the most sensitive information they'd be able to access if they went through the trouble of decrypting HTTPS, was getting access to my music-player :)

I am thinking though, that at that point.. well, even if I hosted at home on my own ISP directly, I still need to put that same amount of trust on my ISP, since they could MITM me as well I think.

[feet]

This is a great option IMO, I use it myself to host multiple services. A VPS can be had for $5 per month or less

[Hamuko]

I'd rather have someone DDoS Cloudflare than my home IP. Or just host somewhere that is not my home without Cloudflare.

[seanw444]

Yeah for small services like game servers for my friends and I, I'll host on my home IP. But for large websites and services... no thanks.

[ocius]

Good point. You are not dependent on Cloudflare, though, you can use other similar services or open the port on your router if it supports it. And if you pay for it, you can get an SLA so that they can't mess with you by terminating your project.

I would still consider it very nice of them to offer this free service that let's you break free from your dynamic IP, crappy router and at the same time giving you protection that you couldn't set up yourself.

I think many people just want to be able to make their device available from the internet - this type of liberty is not really important for many people.

[abdullahkhalids]

If you self-host with your ISP, then isn't your ISP also a choke-point? If your ISP decides to block you for some reason, you have to change ISPs or possibly your location if there is only one good ISP at your location.

[ocius]

Depending on your write load, the SD card could become a problem, but you could mount a USB SSD. You can even boot from a USB SSD now (https://www.makeuseof.com/how-to-boot-raspberry-pi-ssd-perma...)

[revicon]

Anyone know what the best practice is to guard against corruption on your SD card or your SSD if your home power goes out and your Raspberry Pi power-cycles unexpectedly (outside of just getting a UPS?)

I've had a previous RPI SD card get corrupted this way and I've been hesitant to do anything useful with home-hosting on one since I had that problem.

[snapetom]

Get an SD card specifically labeled "high endurance." They're a tad bit more expensive, but do work.

Corruption has always been an issue with using standard SD cards as a boot system. It's just something these cards were never meant to do. I run multiple Pis at home, one of them as a scraper/site hosting/MariaDB/Wireguard. Power outages would almost always corrupt the file system, and a few times, damage the SD card. Once I switched to high endurance cards, I haven't had a problem.

[mharig]

I have a datalogger based on RaPi running since around 2 years. It writes every 5 minutes more or less 25 bytes to a file on a standard SD card. I have frequent black outs (and maybe brown outs, too, but never investigated this), and I never had problems with FS corruption.

[dicriseg]

The only things I can think of do involve a ups. There are battery banks that support pass through charging but I’m not sure if you’re supposed to use that constantly. A low capacity power strip style ups seems like the next best. Or don’t use a pi at all - if you have an old laptop that you don’t use, that could be the server and it has its own built in ups.

Sorry I don’t know that I’m being helpful here. I had the same issue and just ended up with an ups - but I also ended up plugging my networking rack into it (router, cable modem, switch, nas) as well. We’ve only had one real outage since I set this up, but it kept my network alive for 90 minutes or so and then the power came back up.

[ghoul2]

Enable read-only overlay for your rootfs and make your /boot readonly. Just use raspi-config, and go into performance options.

There are some gotchas - everything you write after that goes to a tmpfs. Meaning it starts cutting into your available RAM. So this overlay is only really useful if you are using the high-memory variants like the 4GB/8GB RPI4. With the 1GB Pi variants, this gets painful.

Alternatively, You could setup a cron job to reboot every night thus clearing the tmpfs.

Do remember to disable the overlay (and make /boot rw) every few weeks to apply updates.

[yuvadam]

A good alternative is to use a similar SBC with eMMC module support, such as one of the ODROIDs

[joezydeco]

I have a Toradex Colibri with 4GB of eMMC formatted with ext4. As part of a system test I've been cutting power on it every 12 hours for two years now and haven't lost a byte.

[birdman3131]

Backup, backup, backup.

Also test your backups.

[ls15]

Or use tmpfs for things that get written, but actually don't need to be persisted.

[blacksmith_tb]

These days 'overlayfs' I think[1], though if you're running nginx on there to serve a site/app you might want logs?

1: https://forums.raspberrypi.com/viewtopic.php?f=63&t=253104&p...

[digitallyfree]

I run much heavier networking equipment (enterprise routing/switching + rack server) but I also host at home using cloudflared on a slow DSL connection. It works very well and the CDN's caching helps with my low upstream bandwidth.

You aren't tied to Cloudflare in the sense that there are other CDN services to choose from, each with their own pros and cons. With the servers on your own infrastructure you can choose the provider you like and easily switch between them. I also have ports forwarded for services that I don't want to proxy.

[tomekw]

Thanks. Fortunately I've a static IP.

[BlueTemplar]

Using a different IP than your home network might be a good idea ?

( Your ISP should give you at least a /56 : https://www.ripe.net/publications/docs/ripe-690 )

[ilyt]

Funny man thinking ISPs everywhere just give IPv6 willy-nilly.

Even funnier that you think you'd even be accessible if you put your website on IPv6 only

[vel0city]

I have a few personal things hosted on IPv6-only just for giggles. A few years ago those things would almost never be reachable. Now I can reach them at most places. I at least have IPv6 on cellular connectivity all the time.

[BlueTemplar]

Before long, not supporting IPv6 will make your website more unreachable than not supporting IPv4. (Already the case in Asia ?)

[aliqot]

It'd be helpful for others if you clarified whether you're asking a question or making a statement.

[BlueTemplar]

Let's say that I am considering this too, have looked a bit into it, but I am not a network engineer, and haven't done it yet, so I am not sure how good that advice is ?

I guess this depends a LOT your ISP, and especially the router they gave you, how much IPv6-only friendly are they ?

Yes, you can buy your own router, but this come with even more complications and potentially negotiations with the ISP.

[aliqot]

I'm starting to notice you end statements with question marks, which solves my previous question.

[officialjunk]

i concur it is unclear and hard to understand the intention.

[WhiteBlueSkies]

Aren't there obvious dangers for example if I use my Macbook and host it a server?

[rzzzt]

Constantly keeping the battery at 100% can be an issue, but modern versions of macOS allow you to limit charging. There are also utilities that work on older OS versions (they just issue an SMC command to achieve the same thing), like this one: https://github.com/zackelia/bclm

[RossM]

I did this for a bit. The main issue was that air intake on my older model was through the keyboard, so clamshell mode was inadvisable - not sure if that’s true of the newer models and M1 should run cooler.

If you’re wiping it and installing Linux it’s like any other server, but if you’re running macOS you’re open to a wider spectrum of vulnerabilities that wouldn’t normally apply (desktop software). Your apps could also have vulnerabilities that expose access to personal credentials, etc (e.g. filesystems, apple id) depending on your setup.

You can insulate yourself a bit with tunnels/proxies to expose specific services (e.g. cloudflare, ngrok).

I had a lot more peace of mind buying an old, cheap computer, raspberry pis, and eventually NUCs.