Ask HN: What's on your home server?

Hi Andrè! I just wanted to thank you for mailcow! We used it a few years ago at my previous job to getting a new domain up & running and got a porfessional, best-practices-configured email server in no time. Great experience also for day 2 operations! Nothing like the other mail solutions available at that time.

Wishing you the best in your next endeavors!

To the new owners: I googled mailcow, got to the web site and found nothing to explain what it is, not even in the docs. Eventually I noticed the "People also ask" section in the Google results page:

> What is Mailcow?

> fully managed by Elestio. Mailcow is a Docker-based email server, based on Dovecot, Postfix and other open-source software, that provides a modern web UI for administration.

Hopefully this is correct but who knows.

Hi André.

First of all, thanks. I used hosted my own email 20 years ago, and when I saw how easy it was with mailcow, I decided to try again.

Looking forward to the mailcow successor. Is there anything up already?

Cheers.

I absolutely _loved_ mailcow. Worked out of the box way better than my hand rolled solution, and ended up using it for some small orgs too.

Thanks for all your work on it!

Wait, what? Was mailcow sold? What does it mean for future development and features? Should we start to look for an alternative?

There are alternatives. I chose paperless because was the most mature opensource solution.

Be aware that there is paperless, paperless-ng and paperless-ngx.

When I did the setup last year paperless-ngx look like the most maintained.

I used paperless for a while but ended up just saving pdfs to directories instead. I can find what I need without fancy OCR features by organizing and naming files sensibly. And I am fairly certain this will still work in 40 years, while paperless, or even Linux, might no longer exist.

I can recommend paperless. I am running it locally in a Docker container and sync database/files with iCloud (so they are backed up). I've been thinking about putting them on the actual web to access them anywhere, but so far having paperless "just" on my computer was enough.

I just don't assign public Ip addresses to private VM.

Public (with different public ips) I have:

  * Mailcow
  * Postal
  * Code server (just a dev machine with public ip)
  * Wireguard
  * NginxProxyManager

  * PiHole
  * containers (where i run most of the staff)
  * Monitoring

One option is to use Tailscale or plain Wireguard.

You could also use https://nextdns.io. It’s basically pi-hole in the cloud.

Why wouldn’t you be able to? Pihole is just dnsmasq with a frontend.

You should not open its port to the internet at large (look up: open resolvers) but yes you can run it anywhere and access over VPN, etc.

Seems like a smart way to do it, but that relies on having another always-on system standing as the server. OP's solution only requires the one device, the rPi unless something needs to be changed.

Can you netboot from a desktop computer that's not always on? If the desktop is running when the pi is booting, does the pi then need the "server" (desktop pc) again until it needs to reboot?

This one: https://github.com/philippe44/AirConnect

And here's a containerized version that works with the Pi: https://github.com/1activegeek/docker-airconnect

If you want a Pi (or alike) for specific reasons, go for it!

But, if you are looking for cheap and relatively low-power compute, I strongly recommend looking at used ultra small form factor PCs. You can get much more computational power and expansion, often for cheaper than a Pi. And eBay is riddled with these things, unlike recent Pi availability.

https://www.ebay.com/sch/171957/i.html?_from=R40&_nkw=%28len...

The pricing gets even better if you want to buy them in a lot.

I'm using a Model 4 with 4GB of RAM, but 2GB would probably also be ok. (I haven't measured peak memory usage, but I imagine that having some spare memory for file caching reduces read contention for the SD.)

Home Assistant can take a minute or two to start up, keeping all four cores quite busy, so I wouldn't recommend trying this on an older model myself.

If you want to use the Pi's internal Bluetooth module, obviously you'll also need one that has one and supports Bluetooth LE. Again, I can only speak for the Model 4 here, which works great for that.

In terms of minimum requirements, you could even run that on a 0 or older.

In practice, you probably want at least 3b+ for reasonable performance. If you're buying new anyway and can get them for MSRP I don't see why you wouldn't get a 4.

Maybe DevPi would work?

https://devpi.net/docs/devpi/devpi/stable/%2Bd/index.html https://blog.jcharistech.com/2022/08/13/how-to-run-a-pypi-mi...

another option is https://pypi.org/project/python-pypi-mirror/

I don't know of any particular solution for the python ecosystem, I don't use it often enough to justify dealing with that can of worms.

But for npm, there is Verdaccio which does exactly what you want, and is what I'm using.

Basically just a bunch of shellscripts for most part, that is run with systemd timers on a PC-like server (consumer components), served via Caddy.

Npm registry is using verdaccio, arch packages is using https://gitlab.archlinux.org/archlinux/infrastructure/-/blob... + what is outlined at https://wiki.archlinux.org/title/DeveloperWiki:NewMirrors, clojars is just reading the list of packages and downloading them one by one each day.

Not a unified or nicely done setup by any means, just thrown together to solve the problem at hand.

I setup apache archiva [0] to cache maven binaries at work. It was okay.

[0] https://archiva.apache.org/

Gitea works really well for this - just choose "new migration" and set the remote up as a mirror - super easy.

I used to do that for my servers. It works quite well but packages update so frequently you don’t see a major benefit

I've done it some year ago last time, in order to dig out some statistics, it was around 1.8TB then, just counting the latest available version of each package (not every version of every package).

But as another commentator said, I'm only caching packages that already been fetched now, as I have no need for everything in the registry (most of it is junk to be honest).

It sounded like they're essentially caching npm, not mirroring the whole thing

> Some of them are mirroring dynamically (basically a cache at that point, do this for npm for example)

I've run into this too, and there's been an open issue on this for some time now:

https://github.com/tailscale/tailscale/issues/3363

Yah it really does destroy my battery on iOS.

Since it's all a yaml file I just use vscode's remote-ssh to check (files opens in vscode, one click opens a shell at the bottom (ie for docker-compose ps), nice thing is that remote-ssh also allows dragging and dropping files to the server without needing anything else, rarely need that though). If you add the `restart: unless-stopped` line, all containers just come up again after crashes/reboots.

On Arch I just `sudo systemctl enable docker` (after `sudo pacman docker docker-compose`), I wrote a bit about it here: [0]. This starts docker automatically, and docker automatically starts any containers with the above mentioned line in their service entry.

[0]" https://blog.hmrt.nl/posts/wordpress_using_swag/

Look into portainer

I religiously keep everything up to date, for anything exposed to the public I use https (Traefik does let's encrypt, caddy as well) and set 2FA for Nextcloud for example, there is also a brute-force protection app for NC.

Some services, like HA, my minecraft servers, Paperless, in fact most of them, I would indeed feel less comfortable exposing, and I don't, but for NextCloud I also use it to share large files with friends so it needs to be internet facing, as do the blogs, but Hugo generates static sites, so that is quite secure (like earlier mentioned blog).

One extra layer I put on my externally facing sites is a simple auth prompt (after redirect to https!) as an unlikely-to-have-a-compromise gate before any logon for a self-hosted service. You can make it a fairly easy to remember username/password for anyone you want to share your self-hosted apps with, since its a mostly irrelevant extra step just to guard against exploits in more complicated software stacks

In addition to the other comment, look into fail2ban: it's a bruteforce protection that isn't application-specific, it can be configured to protect form bruteforce any service that logs login attempts somewhere.

I use Borg (https://borgbackup.readthedocs.io/en/stable/) with some Python and Bash scripts.

All my containers write to the same volume mount (e.g., /mnt/docker_share/$service_name), the scripts shutdown the LVM, run the backups from Borg, sync the files to rsync.net and turn the LVM back on when the backups finish.

My choice with their new house was pretty simple. They wanted a smart home, and being the tech son I would inevitably have to help them at some point. So either I debug a system that is open and familiar, with remote access and reliable software/hardware. Or I deal with some closed proprietary trash which will end-up with me on the phone with some incompetent cash grab company. As mentioned in my post, the latter would have cost 3 to 4 times the price of all the hardware we bought (see the link) and we would just get some SBC or cheap tower instead.

With the current setup, I can easily connect via VPN to configure network devices. Ubiquiti also makes it very simple to apply network changes or upgrade it remotely (as long as it's from the same brand). I set up extensive monitoring and alerting to proactively resolve issues. I also gave my parents some training and docs on how to plug things to the Ethernet sockets (if they want to setup a new printer for example) or what to do to bypass the router (rewiring) in case the main router fails.

As a side note to helping my parents. They are both 70, not the most tech literate people but they manage to do all basic things without much trouble. I put them both on Ubuntu 8 years ago, never had any issues whatsoever. I get maybe one message or call in 6 months for a question, but it's usually web related. Once in a while when I get home I update the distro, but that's pretty much all the maintenance I do. I have Teamviewer on all their devices, just in case but never really had to use it so far.

In my experience signing up to do it or not is irrelevant because I'll end up doing it anyway since they're my parents, so i'd rather have full easy remote teamviewer/ssh access to the stuff I know works and how it works because I set it up instead of going there to debug some crap they downloaded or bought in the app store/mall that claimed to do x and now it doesn't work and now nothing is working etc etc.

Still can't avoid having at times to go and fix the god damn printer however. Printer driver programmers/designers really make me question if politicians should be the most hated profession in the world.

My colleagues and I call this the "Ever since you..." and it's one of our longest-running chuckles.

"Ever since you installed that ad-blocker, the Wi-Fi signal in the den is really weak"— uh, that's not how that works.

It's why I make every effort to never touch or even give advice on technical matters to friends and family anymore. Almost zero upside and unlimited downside—getting angry texts and phone calls at all hours of the day and night, and offering free support for life (and almost always accompanied by zero thank you's).

I thought the same. Having run HA at my own home for a couple years now, theres no way I would take ownership of someone elses install. I love the setup, its just not a "non-tech savvy friendly" ecosystem. Thats what I assume you pay for on the COTS ones.

The setup your inlaws have probably doesn't rely on the cloud, and report everything they watch to advertising companies, unlike your setup.

The second you want multiple streams of higher quality then 1080p 10mbs you will want a dedicated card. I got a <200$ old Quattro card (can't remember which) and it can handle pretty much everything I've thrown at it now.

4k TVs are common, planning for 1080p use is a mistake at this point imo.

The place you specification is a thread posted in 2019 talking about a Dell prebuolg. Do you mind posting the link for the nucs? Or is it in that thread somewhere? Or is that dell actually a nuc.

I just do this. Update the ubuntu line every 2 years or so. This runs as a cronjob on my synology with the working directory set to a directory that the Synology "Download Station" is watching. It picks up the torrents and does its thing. I come in every now and then and clean out the dot releases. It's not the best but it's not the worst either.

  #!/bin/bash
  wget -nH --cut-dirs=4 -r -l1 --no-parent -R "*.tmp" -A "*.torrent" https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/
  wget -nH --cut-dirs=4 -r -l1 --no-parent -R "*.tmp" -A "*.torrent" https://cdimage.debian.org/debian-cd/current/amd64/bt-cd/
  wget -nH --cut-dirs=4 -r -l1 --no-parent -R "*.tmp" -A "*.torrent" https://releases.ubuntu.com/22.04/
  rm *-DVD-{2,3}.iso.torrent debian-mac-*.torrent *.tmp *.loaded

I pretty much update things manually when I think of it (usually every ~2 months or so) or when I am downloading a new version for whatever reason (like to flash yet another computer I picked up). I've been looking for something to do in my downtime , so I might see if I can whip something up to automate updates, could be a fun project.

Maybe you do, but some of us are actually, unironically, torrenting Linux distros.

A very shitty Tapo camera made by tplink. It was cheap and exposes its RTSP stream on the network with some URL.

Define cheap. I'm running an Intel NUC d54250wyk (launched 2013) which takes up to 16GB DDR3L. You can't definitely find that class of hardware got cheap on eBay these days. Update SSD and memory and it's still great.

Not sure which those are, but all the J/N 4000 series CPUs are only rated for 8 GB, yet I never heard of anyone having issues with 16, though not always at the maximum supported frequencies.

I have a 6th generation with 32GB:

    hw.model=Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz
    hw.physmem=34227793920

Yeah it's a i10 NUC (not exactly super cheap), which takes 2x16 gb without problems. I'm running debian...

cdk8s works really nicely with gitops.

> Where do you store volumes?

Back when it was a single node cluster, I just used hostFolder mounts with restic backups. I added Longhorn once the cluster grew, but there's still some local hostFolder mounts left around. For example, zigbee2mqtt needs to be on the node that has the zigbee controller plugged into it, so the node is tagged and zigbee2mqtt has a nodeSelector. This means the hostPath still works and I haven't needed to migrate it to Longhorn.

Longhorn initially scared me off with its relatively high listed resource requirements, but after configuring it to not run on the RPis it turned out to work quite well, most of the time just using a few percent CPU.

Interesting, I have a CX and a G1 and it works flawlessly. I didn't do anything special so might have just gotten lucky.

I'll answer in his place, he said he's using ArgoCD and running everything on k3s. ArgoCD watches the files in a repo (kubernetes yaml manifests for example) and applies them in the cluster, so that the state of the running cluster (applications) is synchronized with the git repo.

Seconded. Just get a Synology NAS. I'm incredibly happy with mine, they really seem to make a great product on both the hardware and software side.

I think it's like most home devices, it comes down to ownership. We've gotten into the habit of streaming everything from someone else e.g we're in cloud rental economy, but there's opportunity to restore ownership. Maybe there's a generation that just wants to rent but it wasn't really by choice, it's because ownership cost too much, ownership of homes, servers, storage, etc. We can reduce these costs and we can make ownership of services a thing once more. Sure, you might need someone else to fix things when they break, but it's not like I'm doing my own plumbing or electrical work in my house either.

So it's really this idea of pulling all your services back into your home server. Something you own, something that then becomes private by proxy of that. Something primarily for you and your family, no one else.

I know of an avid ham, and one of his favorite jokes is "Why use the radio when I can just call them on my cellphone?".

At some point, stuff like home servers really are more about the tinkering rather than any practical desire or need.

If someone's only interested in getting from Point A to Point B, he's just not going to care how fancy or interesting the mode of transport is.

I love tinkering but not with my data. For my data storage I want a stable and tested solution. I have done enough "shit I destroyed my RAID array" for my taste.

I wrote up a larger reply to this, but simplified it a bunch:

1. Hardware needs to be good enough. Raspberry Pi proved that. Ubiquity of common parts solves a bunch of issues. The main limiting factors here are likely transcode speed, ethernet speed, encryption speed.

2. Software needs a good modularization story. Linux in general suffers from the idea that everything is configurable and to configure everything you have to learn about how it interacts with everything. There's a lot of focus on how to do things rather than matching common use cases to profiles that just work. As a concrete example rather than selecting the "I'm at a coffee shop or airport" profile, I need to select that I'm on an insecure network that I don't trust with a specific password and a configuration for my VPN that forces traffic ... Addressing componentization via use case design seems lacking (and a good place to introduce standardization). A lot of the "tinkering" level software seems to start with "How" rather than "Why" as the impetus.

3. Security. We have security principles that are evolving to solve these sorts of problems (OAuth2 RAR, Passkeys). Invest in them.

4. Support. Common solutions for common problems breed easier conversations. There are consultants that do NAS support for small businesses because those NAS companies have gained enough market share. Secondly we need to spend more time to start with the why rather than the what. Software developers (myself included) obsess over the latter and build systems at that level that can answer (how fast is my connection) rather than systems that inherently answer the real need (why is my connection slow or intermittent).

5. Perhaps the answer is just build a better NAS company where the focus is on home server software rather than purely around adding server software to a bunch of disks in a box. Perhaps the answer is really embracing the idea of U in NUC?

Perhaps this has been done elsewhere? Perhaps it's been done too many times to really work?

Thanks for taking the time to provide such a detailed response. All your points make sense and it's those things that have to be resolved one by one to make anything like this not just a viable product but an actual sustainable business. I do keep coming back to this idea mostly because unlike a lot of people here, I don't want to tinker anymore, I don't want to hand build something from scratch, those days are long gone. I'm happy and willing to pay for something that works and maybe even a subscription for a period of time (think mobile phone contract).

Ultimately as you say privacy is the clear selling point. So much of what's in the cloud is now being exploited or hacked. Obviously the cloud is here to stay and we'll continue to rely on it for a ton of high compute, high bandwidth and high storage needs, but there's so much of what we do on a day to day basis that just doesn't require it e.g let's just say I need to talk to my family, leave notes between us, share sensitive documents, etc. All of that can very much be local in my house. All the things that we do in our physical houses we deem private, the digital should be the same. But we've shifted from the personal computer to public cloud services. There was big benefits but equally there will be huge benefits to going private once more.

I can't say this problem will be solved anytime soon. Someone has to really want to solve the problem for themselves first. I'm hacking on a little toy that might manage DNS, email, web serving, file storage, etc as one binary but I'm not sure it will go anywhere, it's just an experiment.

Maybe hosting this service behind a firewall / on a private network would make the most sense. I notice many people here are running Tailscale at home — perhaps this is why?

About 15 meters of one USB 2.0, one displayport and one HDMI cable. Of course a 5V power supply for USB at the client end, soldered to the cheapest USB hub I could find.

I never need more than the speed USB 2.0 provides anyway, and those USB 3.0 optical extensions are way too expensive.

Joplin is old but gold in terms of open source not taking. However, I always found the experience to be a bit too clunky even after writing 100s of notes.

Obsidian is much nicer but you gotta set up your own sync or pay. Same basic premise of markdown files on your local file system. I've been enjoying it a lot and written more since switching.

You do not even need to run a dedicated server if for example you already have an owncloud/nextcloud setup, since all clients (desktop and mobile) can sync from a WebDAV folder (among other backends).

Have been getting $20-50/mo for sharing 15TB. Probably won't be worth it for the average developer with insane salary here, but I'm not complaining!

If I replace it one day, it might be for a "miniITX" (whatever MB size corresponds to ~1 liter PCs) but I fear the cost of the case + specific MB + low-power processor with many threads + good NVME SSD will be through the roof, compared to this cheap used T320, and they're hard to find in used form, at least for now.