Recently set up cwa, mostly to have an easier way to get my books on my e-reader since koreader supports opds. It’s been super easy so far and has a great interface, like it way better than calibre desktop.
Same, always checking if I missed something on my own stuff :)
If you’re using Prometheus, Blackbox exporter checks cert expiration as well
Have you tried to automate it?
Probably because of the Circle A in the thumbnail
Don’t you think recommending k8s to someone who just wants to run some services, which partly don’t even have k8s support/helmcharts on the same machine is a bit too much? Compared to docker compose or whatever op is using, it’s way more complex if you’re not already familiar with kubernetes resources.
I don’t know much about k3s in particular admittedly, but I wouldn’t recommend k8s for this unless op just wants to use it as a lab.
You need different Subdomains as you suggested in your first paragraph. And add a reverse proxy like nginx or caddy to the machine which then proxies the different subdomains to the respective services (e.g. lemmy.your.site to localhost:2222, mbin.your.site to localhost:3333).
Theoretically, you could put a landing page behind some SSO/iam like authentik, and then link to the subdomains from the landing page, but eventually users will need to be on the subdomain to use a specific site.
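The subdomain-per-service layout described in the comment above, sketched as an nginx configuration. This is an added example, not the commenter's own config: the hostnames and ports are the ones from the comment, the certificate paths are placeholders, and the catch-all block is an assumption about how one would want unknown hostnames handled.

```nginx
# Added example. Hostnames/ports are from the comment; certificate paths are placeholders.

# Catch-all: anything that does not ask for a configured subdomain
# (bare-IP scans, stale DNS names) gets no content and no certificate.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # requires nginx 1.19.4 or newer
    return 444;                # close the connection without a response
}

# Plain HTTP for the known subdomains only redirects to HTTPS.
server {
    listen 80;
    server_name lemmy.your.site mbin.your.site;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name lemmy.your.site;
    ssl_certificate     /path/to/certs/lemmy.your.site/fullchain.pem;
    ssl_certificate_key /path/to/certs/lemmy.your.site/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:2222;          # service bound to loopback only
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name mbin.your.site;
    ssl_certificate     /path/to/certs/mbin.your.site/fullchain.pem;
    ssl_certificate_key /path/to/certs/mbin.your.site/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3333;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Binding the backends to 127.0.0.1 rather than all interfaces keeps ports 2222 and 3333 reachable only through the proxy.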
Yeah, I feel like exposing ports 80 and 443 towards an up to date nginx/whatever is referred to as a super dangerous thing in this community and also the selfhosted subreddit. Recommending cloudflare is almost the default, which I find a bit sad given many people selfhost to escape the reliance on big monopolist companies.
One can add different layers of security of course, but having nginx with monitoring in its own VM without keys to jump to another VM is enough of risk mitigation for me.
Op mentioned pixelfed for several people though, is it possible to reverse proxy through tailscale from a VPS or similar? It’s probably not suitable to have a service for several people behind a vpn
Yes! Mostly having a plan on how to make your service reachable in the internet while keeping the rest of your local stuff shut down.
Many people recommend cloudflare, but I don’t think it’s necessary. If you get a public IP from your ISP, it’s relatively easy with dyndns. Personally, I have a virtual machine running nginx as a reverse proxy and configured the router to forward port 80 and 443 to that machine.
You got quite good answers already, here and in the other thread.
My suggestion is to not start with pixelfed but something else (simple stuff like dokuwiki, you can use it to document your stuff while you’re at it) to get an understanding of the whole process (running the service itself, making it available to the internet after hardening your infrastructure a bit etc).
Also, if you’re not settled for how to do it exactly, give Docker a try. There’s a reason it’s popular among selfhosters!
I choose depending on whether I’ll ever have to touch the files in the volume (e.g. for configuration), except for debugging where I spawn a shell. If I don’t need to touch them, I don’t want to see them in my config folder where the compose file is in. I usually check my compose folders into git, and this way I don’t have to put the volumes into gitignore.