• 0 Posts
  • 7 Comments
Joined 1 year ago
cake
Cake day: June 6th, 2023

help-circle



  • You should do application level backups and put those in backblaze b2:

    • for postgres look here.
    • look at all the software you’re running and what they say about making backups.
    • for files that don’t change often, making a an archive (with tar) is probably good enough. But if it changes during making the archive, the backup will be inconsistent.
    • think about your RPO: how much data are you willing to loose in case of a crash? 1 day? 2 hours? 15min? Schedule your backups to be at least as frequent.
    • Don’t forget to test your backups! Otherwise you’ll only find out that the backup is unusable when you need it most…

  • Those are very good things to think about; I agree with all of that.

    None of the suggestions I made cover what actual information you (or your users) share ont the platforms (lemmy, mastodon etc).

    As long as you federate with other servers (I.e. allow content to be shared with other servers, like how my account on my own server can comment on a post from the server you’re using), all the information posted on the platform should be considered 100% public.

    If you want a place for just your friends, without talking with other instances, you should keep federation off.


  • I want to spin up my own services so that I own my data and have greater control over my connections, and possibly have a hub that friends and family can use.

    That’s a noble goal; but you’ll have to think about what kind of adversaries you want to protect yourself (and your users) from.

    E.g. if you don’t want to link your lemmy account to your government name you of course won’t use your real name, but you’ll also need to anonymize the WHOIS data of the domain, since that’s public information.
    Not all domain registrars allow this.

    And depending on how far you want to take this, you might also want to buy the server anonymously.

    All of that doesn’t even touch the security of the actual server, lol. Some pointers for that:

    SSH

    • use keys for to login, not passwords
    • use a different port than 22 (it’s not more secure, but will reduce noise in the logs)
    • install fail2ban (temporary blocks ips after a few failed attempts)
    • make SSH only reachable from your home IP with a firewall

    HTTP/S:

    • use a caddy or nginx proxy in front of anything that talks http.
    • use letsencrypt certificates (and check renewal is working)
    • use proper SSL settings: https://ssl-config.mozilla.org/

    VPS hosting:

    • setup 2FA for your login

    Monitoring: You can get very detailed, but try to cover at least the following:

    • uptime (request your lemmy homepage)
    • disk usage over 80%
    • SSL certificate expiration

  • If I spin up my own instance, won’t that expose my domain, since my username will be @username@example.com ?

    Yes (click on my username for example).

    What are your reasons for not exposing your domain? And why do you want to set up your own instance?

    If you don’t want that, just make an account at another instance. There’s a few big ones to choose from, I think.

    (I have no idea if this is true for xmpp too)

    If you do setup your own server. Please make sure you automate regular backups and put them somewhere safe. Otherwise you might loose all your stuff.