When it finally came to the firewall, after realizing I was working with docker containers and my brain said “no more rabbit holes, friend.” Thanks for the information.

Also gufw is just a simple graphical user window that that’s built on top of ufw. I was using VNC when I began learning all this and planned on using gfuw. By the time I finished the guide, I had become comfortable handling everything from the terminal alone. It’s was just kinda there in the guide at that point.

That’s good to know about docker. I ran into issues modifying docker-compose.yml files while a container was up so I just made it a habit to shut containers down before making changes. I can see using pull while a container is up being more important for places concerned about unnecessary downtime though.

I’ll be using whitelists to manage federation in order to keep things small. Also I am only interested in allowing people in my local community to join since that’s the goal I am working towards.

I am also interested in seeing how it does hold up in the future but it’s not a permanent solution. It’s why I went through the process of learning RSync so I can hopefully have a simpler data migration process and setup whenever that time comes.

I wanted to share the process for everyone since a lot of what’s in the guide could be useful for anyone with more appropriate server solutions, especially regarding Cloudflare’s services.

The Pi itself was convenient for learning since wiping everything to start over is simple and quick.

I haven’t had a chance to really test how Lemmy and PieFed work long term on the Pi 5 yet. So far it’s been quick and responsive and I’m still using wifi instead of a direct ethernet connection to the main modem. Ethernet is for the future. I still have more work to finish on the Pi 5.

The Pi 5 is also running Kiwix, Dufs for file sharing and a static page. All run through their own docker containers. With only me using it, everything seems to run just quite smoothly.

My goals with the Pi 5 aren’t long term. I’m using it more as a working example until I can get better equipment for hosting but that involves other plans for a local project I want to put my energy into now.

You’ll definitely want to use a reliable type of USB media storage with good read and write speeds. An SD card won’t do well considering these webapps are database heavy and will be constantly writing stuff.

Lemmy easy deploy seems interesting, if you can get caddy in that script to handle TLS encryption certificates, It should do nicely. I struggled with Let’s Encrypt and went a different route for now.

When I get the motivation again I will give this a try. A while ago I was wondering if a tool like this existed so it’s nice to see it pop up now. Thank you for this.

For verification I used the built in certificate manager in Nginx Proxy Manager. I generate an API key from Cloudflare for a DNS zone:zone:edit key with the domain I am using. Then I chose DNS verification in Proxy Manager and put the API key in the edit box. This has been successful every time.

Do you use Cloudflare Tunnel or are you using Cloudflare as a Dynamic DNS? I’ve had issues with certbot but I think I just wasn’t using it properly, what process did you use for DNS verification?

I’ll give your suggestions a try when I get the motivation to try again. Sort of burnt myself out at the moment and would like to continue with other stuff.

I am actually using the Cloudflare Tunnel with SSL enabled which is how I was able to achieve that in the first place.

For the curious here are the steps I took to get that to work:

This is on a Raspberry Pi 5 (arm64, Raspberry Pi OS/Debian 12)

# Cloudflared -> Install & Create Tunnel & Run Tunnel
                 -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/
                    -> Select option -> Linux
                    -> Step 4: Change -> credentials-file: /root/.cloudflared/<Tunnel-UUID>.json -> credentials-file: /home/USERNAME/.cloudflared/<Tunnel-UUID>.json
              -> Run as a service
                 -> Open new terminal
                 -> sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml
                 -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/
              -> Configuration (Optional) -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/
                 -> sudo systemctl restart cloudflared
              -> Enable SSL connections on Cloudflare site
                 -> Main Page -> Websites -> DOMAINNAME.COM -> SSL/TLS -> Configure -> Full -> Save
                    -> SSL/TLS -> Edge Certificates -> Always Use HTTPS: On -> Opportunistic Encryption: On -> Automatic HTTPS Rewrites: On -> Universal SSL: Enabled

Cloudflared complains about ~/.cloudflared/config.yml and /etc/cloudflared/config.yml not matching. I just edit ~/.cloudflared/config.yml and run sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml again followed by sudo systemctl restart cloudflared whenever I make any changes.

The configuration step is just there as reference for myself, it’s not necessary for a simple setup.

The tunnel is nice and convenient. It does the job well. I just have a strong personal preference to not depend on large organizations. I’ve installed Timeshift as a backup management for myself so I can easily revisit this topic later when my brain is ready.

Nginx Proxy Manager has been handling certs for me, I’m not sure how it handles certs since it’s packaged in a docker container. I can only assume it does something similar to Caddy which also automatically handles certificate registration and renewals. So probably certbot.

All I know is that NPM has an option for DNS challenges which is how I got my certs in the first place.

That’s what I thought. NPM is handling the certs just fine.

Could it be that I’m setting up the reverse proxy wrong? Whenever I enable SSL on that reverse proxy, the connection just hangs and drops after a minute. I’m not understanding why it’s doing that.

My ISP blocks incoming data on ports 80 and 443. I also require a Dynanic DNS to handle my changing IP address. The only way I found to obtain a Let’s Encrypt certificate is through a DNS challenge in this situation.

I can definitely run without Cloudflare but I won’t have SSL which will affect federation.

The modem/router also handles port forwarding which has been pretty common on all the modem/routers I’ve used in the past. Didn’t even register that as a concern haha.

That’s good to know the Pi can handle DynDNS as well. Would be nice to keep all that information contained to one device, simply for my sanity.

I checked the router settings and there seems to be a setting specifically for Dynamic DNS Client. There’s three options included with DynDNS, NoIP and DtDNS. NoIP says it’s free so I will probably use that service.

I’m going to assume having that setting there is a good sign for me and what I want to do. Possibly reduce some potential headaches.

I’ll consider PieFed in the future as well. It does have some features and ideas overall that seem appealing to me. One thing at a time though.

I do intend to buy appropriate storage when the time comes. It’s convenient to backup and restore an sd card image while I figure things out as I’m just starting out.

Would the public IP in this situation just be my home IP address? I’m assuming that the TLD provider would have an account settings page to set the IP reference?

Is there any recommendations for any additional security for a lemmy instance, or is it even necessary for a small scaled, social media site?

I’ve personally never really bothered with respect after learning how authority figures and elders use respect as a tool to maintain what little authority, position or perceived power they have over others, such as myself.

Instead of giving them respect that they demand, I treat them with dignity. They aren’t special because I treat everyone I meet with dignity. This gives people a chance to earn my respect through their actions and treatment to both themselves and other people.

I do not feel comfortable allowing respect to be abused in a way that makes me feel submissive to anyone else. Also from my perspective, those who demand respect, do not deserve any respect because they fail to treat anyone else with dignity.

I generally lurk more than I post content or comment because I naturally tire from the vast majority of online and offline interactions with people. The exception being those people who share the same autism/adhd based experiences and perspectives that I do.

When I interact with fascists online, I already know it’s a dead end to the conversation before it starts. That’s why I begin an interaction with a fascist with the mindset of it being a chance for me to learn and understand their mindset instead of trying to change a person. I also have a 3 comment limit with a rough plan on how my comments will be used during this interaction.

The first comment generally asks to clarify a specific point that they are making. The second comment depends on the response I get but usually ends up with me pointing out a flaw or contradiction from the fascist. The third is a closing thought and a reminder of how they failed to have a clear and understandable argument to continue the conversation.

I have a very broad and hard to explain understanding of how hate and emotions work. This comes from experiences and observations from my life. So this comment format sort of plays out predictably when the fascist inevitably responds after my final comment. That’s where I find the most insight into their thoughts. That’s where I find that missing bit of information that makes it click for me.

I rarely engage them unless they spark a morbid curiosity in me. It’s better that way since it’s much easier and mentally healthier to just let them pass by my screen than to weigh down my thoughts with pure negativity.