I recently got my hands on a lightly used Raspberry Pi 5 and have been playing around with it and breaking things while trying to learn my way around self-hosting. I have a couple of questions now that I’ve hit a bit of a roadblock in learning.
- Is it possible to set up Lemmy on localhost for a local network only? I’m not worried about federated data from other instances. At this point I just want to experiment and break things before I commit to buying a Top Level Domain name.
- How exactly does a TLD work? I’ve tried searching for how to redirect traffic from a TLD to my Raspberry Pi. Since I don’t know much about hosting or networking, I don’t know what to search for to find the answer I’m looking for.
- How do I protect myself while self-hosting? I know the Lemmy documentation suggests using Let’s Encrypt; is that all I need to do in order to protect any private data being used?
My goal in the future is to have a local, text-only instance that may connect with a small number of whitelisted instances.
Lemmy is very database write-heavy once federated, so unless you get the NVMe extension for your RPi5 it will not work very well. The database is also very RAM hungry as a result.
Anyways, if it is just about testing, it should not be a problem.
Lemmy by itself should be accessible without a domain name, but federation depends on it. Just give it a try and access it via “localhost” or the local IP of the server hosting it.
A TLD is just a reference to a public IP. Basically you ask a server “what IP does this name reference?” and that’s it.
TLS certificates (via Let’s Encrypt) are necessary for participating in the federation and protect data like users’ passwords while being sent to the server. It is not, strictly speaking, a security measure for your server.
I do intend to buy appropriate storage when the time comes. It’s convenient to back up and restore an SD card image while I figure things out, as I’m just starting out.
Would the public IP in this situation just be my home IP address? I’m assuming that the TLD provider would have an account settings page to set the IP reference?
Are there any recommendations for additional security for a Lemmy instance, or is it even necessary for a small-scale social media site?
For a domain name:
You go to something like NameCheap.org and buy a name (hackers4life.xyz or something cool like that). Then their web interface has a place for you to enter the IP address that you want associated with that name. Whenever someone then types “hackers4life.xyz” there will be a series of computers asking other computers “do you know the IP address for this?” until they do.
If you have that Pi in your house, there are (at least) two steps for you then: (1) getting your home IP address, (2) forwarding the port.
(1) Your router admin panel may have this, or else if you search the web for “what is my ip” there are sites that will tell you (basically, you connect to their webpage and they just print out the IP they are sending data back to). There are two concerns here, though.
(a) Do you have a unique IP? There aren’t enough IPv4 addresses in the world for all the computers connecting to the internet. To get around this, ISPs will essentially group customers together under the same IP and then they figure out how to get the traffic to the right place. If you don’t have a unique IP, you might be screwed (but I haven’t looked into dealing with that much).
(b) If you have a unique IP, you still probably don’t have a stable IP. Your ISP might reallocate all the addresses in their network every day/week/month/whenever. This is the case for me. Namecheap (or whatever other domain vendor) has a process for you to use a script to send them your IP address, and so you make a script to recheck it and send Namecheap updates every hour or something like that.
(2) Forwarding the port
Some other machine on the web knows your IP (because it is associated with hackers4life.xyz) and so they try to connect. This comes down the wire from the street into the side of your house/apartment, into the modem, and into your router. If your router isn’t expecting it (or prepared to do something with it), it’ll just ignore it. You want the router to instead send it to your Pi. To do this, you go to your router’s admin settings and forward the messages based on the port they are coming in on. The standard ports for HTTP and HTTPS are 80 and 443, and so you can forward those ports to the Pi. Making sure that the Pi then does the right things with those is outside the scope of what I’m writing right now.
Can use duckdns
You need to make sure you get a unique public IP from your home ISP. Some utilize a so-called CGNAT, which allows them to share one IP with multiple customers, but this makes self-hosting from home much more difficult. Less bad is a so-called dynamic IP, which is unique but can change randomly. For that you need some system to automatically update your DNS records when an IP change is detected.
And yes, the domain registrar and DNS server operator has a web interface to associate your public IP with the domain name. The better and larger ones also provide an API to automate it should your public IP change.
There are many things you can do to improve security, but mostly you should run a firewall to not expose any internal services to the public internet.
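The “script that rechecks your IP and pushes updates” from the port-forwarding post above and the CGNAT/dynamic-IP caveats in this one, as an added example that is not code from anyone in this thread. It assumes DuckDNS as the provider (its update endpoint answers plain text “OK”/“KO”), api.ipify.org for the outside view of your address, and placeholder values for the subdomain and token.

```shell
#!/bin/sh
# Added example, not from this thread: a minimal dynamic-DNS updater for a Pi
# behind a home router. Assumes DuckDNS as provider (its update endpoint answers
# plain text "OK"/"KO") and api.ipify.org for the outside view of the address.
DDNS_SUBDOMAIN="${DDNS_SUBDOMAIN:-your-subdomain}"   # placeholder, fill in
DDNS_TOKEN="${DDNS_TOKEN:-your-duckdns-token}"       # placeholder, fill in
STATE_FILE="${STATE_FILE:-$HOME/.ddns-last-ip}"      # last IP we pushed

# 0 if $1 is a routable public IPv4; 1 for private (RFC 1918), loopback,
# link-local or carrier-grade NAT (100.64.0.0/10) addresses.
is_public_ipv4() {
  case "$1" in
    ""|*[!0-9.]*) return 1 ;;
    10.*|127.*|192.168.*|169.254.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
    *) return 0 ;;
  esac
}

# CGNAT check: $1 = WAN address your router shows, $2 = address the internet
# sees. A shared-range WAN address or a mismatch means a port forward at home
# will never reach the Pi, and a tunnel is needed instead.
behind_cgnat() {
  is_public_ipv4 "$1" || return 0
  [ "$1" = "$2" ] && return 1
  return 0
}

# 0 if $1 differs from the IP cached in state file $2, i.e. an update is due.
ip_changed() {
  [ -f "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
  return 0
}

# Push $1 to DuckDNS; cache it only once the provider has acknowledged it.
update_dns() {
  resp=$(curl -fsS "https://www.duckdns.org/update?domains=${DDNS_SUBDOMAIN}&token=${DDNS_TOKEN}&ip=$1") || return 1
  [ "$resp" = "OK" ] || return 1
  printf '%s\n' "$1" > "$STATE_FILE"
}

# One pass; schedule it from cron, e.g. "*/5 * * * * /home/pi/ddns.sh run".
run_once() {
  ip=$(curl -fsS https://api.ipify.org) || { echo "cannot determine public IP" >&2; return 1; }
  if ip_changed "$ip" "$STATE_FILE"; then
    update_dns "$ip" && echo "DNS record now points at $ip"
  fi
}
case "${1:-}" in run) run_once ;; esac
```

Compare the WAN address in your router’s status page with what api.ipify.org reports: if `behind_cgnat` says yes, no amount of port forwarding will help and you are in the tunnel-provider situation described below.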
Sure, you’d need a domain name, a certificate, an IP address that’s reachable from the outside, and the RasPi or some other computer.
If it’s some residential internet connection, you might be able to open up a port and forward that to your RasPi. You’d need to do that in the internet router. Port 80 and 443 are for HTTP(S). (protocol: TCP). Some internet providers don’t allow any of that.
Your IP address will change with most regular internet providers, so you’d want to buy your domain name somewhere you can change it automatically with a script. Or use DynDNS. duckdns.org would be one of those DynDNS providers.
If your internet service provider doesn’t allow incoming connections and port forwards, you need to work around that. Use Cloudflare, or better, some better tunnel provider.
Free certificates for HTTPS are available from letsencrypt.
And if it turns out Lemmy is too heavy on the Raspberry Pi, try PieFed instead.
I checked the router settings and there seems to be a setting specifically for Dynamic DNS Client. There are three options included: DynDNS, NoIP and DtDNS. NoIP says it’s free so I will probably use that service.
I’m going to assume having that setting there is a good sign for me and what I want to do. Possibly reduce some potential headaches.
I’ll consider PieFed in the future as well. It does have some features and ideas overall that seem appealing to me. One thing at a time though.
Nice. Hope it does the port forward as well, because in my experience that’s the part where you could face some issues. DynDNS is relatively easy; in case your router didn’t support this, it’d be possible to let the Pi handle that.
The modem/router also handles port forwarding which has been pretty common on all the modem/routers I’ve used in the past. Didn’t even register that as a concern haha.
That’s good to know the Pi can handle DynDNS as well. Would be nice to keep all that information contained to one device, simply for my sanity.
I think the package “ddclient” is the most common DynDNS client. It should be available on almost any Linux distribution and handle most providers. Take one of the ones you found, or afraid.org, desec.io, duckdns.org.
I’m not really up to date any more, so I’m not 100% sure. I’m paying like 6€ a year for a regular domain I properly own.
Your instance has to be accessible from the outside world for it to federate (remote instances push new posts to your instance; it’s not your instance polling remotes for new posts).
As said in another comment, federation requires HTTPS, which itself requires a domain name. You can probably do it for cheap with a Dynamic DNS service (for the domain name) and Let’s Encrypt (for the SSL certificate required for HTTPS).
A “TLD” is a Top-level Domain, examples of which are .com and .org. They sell names within their domains. You’d just be buying a “domain name” within some TLD and redirecting traffic from that domain name, not from the TLD.