A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
If you want to set-up disk encryption you should probably understand that while the server is booted up as far as I know there will be no disk encryption leaving it completely available for anyone to take data from
Although most people entering your house would probably unplug the laptop and open it at there own home the data could still be valuable if it stays powered up with battery power.
Good point, thanks for clarifying that. I suppose the theft scenario is iffy, but it'll still help in case I ever sell (or junk) the disk.
Since you’re not using proxmox as an OS install, why not check out Incus? It accomplishes the same goals as proxmox but is easier to use (for me at least). Make sure you install incus’ web ui, makes it ez pz. Incus does the VMs and containers just like proxmox but isn’t focused on clustering 1st but rather machine 1st. It does do clustering, but the default UI is set for your machine to start so it makes more sense to me. The forums are very useful and questions get answered quickly, and there’s an Ubuntu-only fork called LXD which expands the available pool of answers. (For now, almost all commands are the same between Incus and LXD). I run the incus stable release from the Zabbly package repo, I think the long term release doesn’t have the web ui yet (I could be wrong). Never have had a problem. When Debian 13 hits I’ll switch to whatever is included there and should be set.
https://linuxcontainers.org/incus/docs/main/installing/#installing-from-package
I use incus for VMs and LXC containers. I also have Docker on the Debian system. Many types of containers for every purpose!
I installed incus on a Debian system that I encrypted with LUKS. It unlocks after reboots with a USB drive, basically I use it like a yubikey but you could leave it in so the system always reboots no problem. There’s also a network unlock too but I didn’t try to figure that out. Without USB drive or network, you’ll have to enter the encryption key on every reboot.
I was wondering if anyone would bring up Incus. I'm still pretty new to all this. From what I can tell, there seems to be a larger community around Proxmox, but I've seen enough mentions of Incus to pique my curiosity. I'll have to explore this some more. Thanks for mentioning it.
There is a larger community. I have proxmox and incus on two devices and for the basics (LXC container/VM) Incus is way more straight forward. Ditchin proxmox next reinstall on the other device (that proxmox install is the OS version). If you’re doing regular stuff it’s easy enough even with the reduced community! They’ve covered the basics well.
But again, proxmox community is larger. I started with it for that reason too.
This looks interesting, how do you handle automated backups of all the VMs/Containers? Their docs kind of seem to say "stop everything and figure it out", but with Proxmox I'm used to it handling everything automatically to my PBS server every night.
https://linuxcontainers.org/incus/docs/main/howto/instances_backup/#instances-snapshots
This describes the jist, it’s all about snapshots! Incus loves BTRFS/ZFS.
There’s no true need for stop everything as far as I can tell.
Stop everything is applicable for databases for any backup system (snapshot avoids backing up a database mid write (guaranteed failure) but the snapshot could be during a live database multi-step operation and while intact is left in a cursed state). For databases I make sure to stop and backup (SQLite losers) or backup live (Gods’ chosen Postgres) specially so no very niche database failures occur even though it was done with instant/write-safe snapshots!!
Recovery plan is restore snapshot and if 0.1% chance of database bad bc was mid big multiple step operation then I have the .gz to restore from.
That's what proxmox has too, but snapshots aren't backups and aren't being sent to a remote backup server.. You're also not supposed to keep snapshots around for very long, whereas I have backups going back several months.
Or are you sending snapshots to a remote server? I think ZFS can do that, so maybe that's an option I can look at.
https://linuxcontainers.org/incus/docs/main/howto/instances_backup/#instances-backup-export
A bit down from the snapshots section is the export section, what I do is I export to a place then back it up with Restic. I do not compress on export and instead do it myself with the —rsyncable flag added to zstd. (Flag applies to gzip too) With the rsyncable flag incremental backups work on the zip file so it’s space efficient despite being compressed. I don’t worry about collating individual zip files, instead I rely on Restic’s built-in versioning to get a specific version of the VM/container if I needed it.
Also a few of my containers I linked the real file system (big ole data drive) into the container and just snapshot the big ole data drive/send said snapshot using the BTRFS/ZFS methods cause that seemed easier, those containers are easy enough to stand up on a whim and then just need said data hooked up.
I also restic the sent snapshot since snapshots are write-static and restic can read from it at its leisure. Restic is the final backup orchestrator for all of my data. One restic call == one “restic snapshot” so I call it monolithically with one call covering several data sources.
Hope that helps!
I have a luks encrypted proxmox machine.
And the easiest way i found to do it was to install debian with full disk encryption and then doing some magic to swap the kernel from debian to proxmox.
Or that's what i think i did at least. I'm no linux magician, i just use it.
On another server i use dropbear to unlock LUKS over ssh. Those two things should be easy to combine.
I took meticulous notes, so i should be able to give you some direction to go if you need some help and can't find a decent guide out there.
You swapped the kernel? I guess I'll find out soon enough when I attempt my setup, but as I gather up the motivation to dive in, I'm assuming it will be as simple as installing a proxmox package or something. I guess I should re-read the guides. 🤣
That would be dope if you wouldn't mind sharing your notes. There's a decent amount of documentation out there already, but I often find it extremely valuable to read different people's perspectives from real life experience in addition to the official guides. No pressure. Either way, thanks for chiming in!
It took some time as i had to find a moment to translate my notes.
I did my best with formatting but for some reason new paragraphs aren't a thing i can get working in an untiered list in a lemmy comment 🤷
I presume some basic knowledge of linux and how to install an OS on a machine, but i've tried to add every single step with commands.
If anybody knows an easier way or have any comments regarding this, feel free to educate me.
Here is the way i installed it:
Switching the kernel:
hostname --ip-address, it should return the ip-addressecho "deb [arch=amd64] http://download.proxmox.com/debian/pve bookworm pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.listwget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpgapt update && apt full-upgradeapt install proxmox-default-kernelsystemctl rebootInstalling the packages
apt install proxmox-ve postfix open-iscsi chrony
apt remove linux-image-amd64 'linux-image-6.1update-grub
apt remove os-prober
systemctl rebootAdding SSH access for root user
It's easier to copy/paste commands, this requires SSH access to the server
This can be done at any point. I did it as soon as i installed debian, and then removed it as i booted into proxmox
nano /etc/ssh/sshd_configPermitRootLogin yes.
/etc/init.d/ssh restartRemoving debian user
This removes the user that was made as part of installing debian. It can probably be used, but i found it better to add all needed users once i got in to proxmox instead the [username] of course needs to be changed out for the username you used when you installed debian.
grep ‘users’ /etc/groupdeluser [username] to remove the userThese notes are gold—thank you so much for sharing!
I'm happy to help.
Good luck with proxmox and selfhosting.
Another idea for you: if you use ZFS for the install, check Debian directions on OpenZFS or zfsbootmenu and you’ll get directions for an encrypted installation. You’ll be able to specify the path to a key file, which you can keep on a thumb drive. When the machine boots up, it’ll see the thumb drive and decrypt the zpool automatically; yank the thumb drive and it won’t (backup the key of course).
Thanks for the tip. I have no experience w/ ZFS, but I'll keep this in mind in case I go that route. Thank you!
Here is a more or less automated install for root on zfs. Need at least three hdds preferably in an hba and can withstand the loss of at least one drive.
https://github.com/Reddimes/ubuntu-zfsraid10/tree/debian-raidz1
There is also an Ubuntu ZFS RAID 10 branch.
I think you can do the same with LUKS (https://www.cyberciti.biz/hardware/cryptsetup-add-enable-luks-disk-encryption-keyfile-linux/) if that’s your preferred route.
Good to know. Thanks!
I used to do this. Didn't know the tutorial but used this part of the documentation: https://pve.proxmox.com/wiki/Installation
I switched to have an unencrypted proxmox partition and have all VM disks on an encrypted partition, mostly to have reboot working.
I think when people want to remotely decrypt fde the usual advice is installing dropbear SSH to remotely enter the password. Sorry for not providing links but it should be easy to find.
Thanks, I'll look into dropbear. I've seen it mentioned in other posts, and with a quick search I found what appears to be a nice, solid guide: Full Disk Encryption Reboot with DropbearSSH. Thank you!
If you have more than one server, running a tang server is super easy. Clevis can then be used to unlock a LUKS partition automatically on boot.
Any reason you need to encrypt the host OS information? I would assume anything interesting would be in the VM and you could probably have the VM encrypt it's own storage.
Peace of mind.
You can use one of a few ways to use the TPM to auto decrypt on boot without passphrase. Systemd cryptenroll is my favorite.
I don't understand why you'd install Debian before the hypervisor.
Edit: TiL thx for the replies. I legit didn't know of these scenarios.
Proxmox is based on Debian, but its installer does not offer you as many options as the base Debian installer. People figured out you can just install debian with your prefered settings and then just slap the proxmox packages on top.
Because it says to do so?
Proxmox uses Debian as the OS and for several scenarios it says do Debian to get that done and just add the proxmox software. It's managing qemu kvm on a deb managed kernel
I had to do it for my atom d2550s because of the odd hybrid x86/x86-64 systems they are. I had to install what ended up being linux mint debian edition 5 because that was the best way to get an OS on the odd bootloader system for various reasons, then upgraded to 6 to get to the latest debian, then I installed proxmox and removed all the debian stuff.
What do I do with something as weak as a pair of D2550s? Don't you worry about that. I've found uses for both. :P
It's an unusual use case, but it's one reason you might need to install debian before proxmox.