from versionc@lemmy.world to selfhosted@lemmy.world on 05 Mar 13:11
https://lemmy.world/post/43896259
Hello!
I’ve been playing around with self-hosting for a while now and I’ve started moving over to a VPS. At home I have a PC that’s on more or less 24/7 with an *arr stack, jellyfin and some other services. They can only be accessed through Netbird. The services aren’t that important, the data doesn’t really need to be backed up since it’s not very important. On the VPS, however, I would like to host some more critical services, such as:
- Vaultwarden
- Immich
- Gitea
- Overleaf
I want them available 24/7, even if I decide to distrohop and wipe my PC at home. The problem is how to structure all this. My current idea is to run Gitea and Overleaf out in the open behind some reverse proxy without authentication (Nginx or Nginx Proxy Manager). I’d like Vaultwarden and Immich to be on the same VPS, but I don’t want those services to be accessible to anyone but me, so I’d need some form of ACL or authentication system. I’m thinking of using Netbird for this, since I already use it on all of my devices.
So I would set up DNS records from within Netbird that would point immich.domain.tld and vaultwarden.domain.tld to the internal Netbird IP of the VPS. In the reverse proxy, I’d set up access control such that it only redirects the Netbird IP range to those services. On Cloudflare, I’d point git.domain.tld to the external IP of the VPS with proxy enabled.
Everything would receive HTTPS certificates, and I’d block incoming traffic on every port except for 80 and 443.
Is this a good setup? Any tips or recommendations? Any pitfalls?
Thanks!
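One way to lay out the reverse proxy side of the plan above as plain nginx config. This is an added example, not the poster's configuration or anything from the Netbird or nginx projects; the Netbird interface address `100.64.0.10`, the peer range `100.64.0.0/10`, the certificate paths and the upstream container names are placeholders you would replace with your own values. The security-relevant points it shows are that the private vhosts are bound to the Netbird address only (so nothing about them listens on the public interface), are additionally allow-listed to the Netbird range as a second layer, and that a `default_server` catch-all drops requests that reach the public IP with an unexpected `Host` header.

```nginx
# Added example (not from the thread). Placeholders:
#   100.64.0.10   - this VPS's own Netbird address
#   100.64.0.0/10 - the Netbird peer range
#   gitea:3000, vaultwarden:80, immich-server:2283 - upstream containers

# Catch-all on the public address: any request whose Host header does not
# match a configured public vhost (e.g. someone sending vaultwarden.domain.tld
# to the public IP) gets the connection closed with no response.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/private/fallback.crt;   # self-signed is fine here
    ssl_certificate_key /etc/ssl/private/fallback.key;
    return 444;
}

# Public service, reached through Cloudflare's proxy on the public address.
server {
    listen 443 ssl;
    server_name git.domain.tld;
    ssl_certificate     /etc/letsencrypt/live/git.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.domain.tld/privkey.pem;

    location / {
        proxy_pass http://gitea:3000;
        proxy_set_header Host $host;
        # Behind Cloudflare, $remote_addr is a Cloudflare edge, not the visitor;
        # pass the forwarded chain so the forge logs the real client.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Private services: listen only on the Netbird address, never on the public
# interface, and allow-list the Netbird range as defence in depth.
server {
    listen 100.64.0.10:443 ssl;
    server_name vaultwarden.domain.tld;
    ssl_certificate     /etc/letsencrypt/live/vaultwarden.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vaultwarden.domain.tld/privkey.pem;

    allow 100.64.0.0/10;
    deny  all;

    location / {
        proxy_pass http://vaultwarden:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Vaultwarden clients use WebSocket notifications.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 100.64.0.10:443 ssl;
    server_name immich.domain.tld;
    ssl_certificate     /etc/letsencrypt/live/immich.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/immich.domain.tld/privkey.pem;

    allow 100.64.0.0/10;
    deny  all;

    client_max_body_size 0;   # photo and video uploads are large

    location / {
        proxy_pass http://immich-server:2283;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Two caveats that follow from this layout. Because `vaultwarden.domain.tld` and `immich.domain.tld` have no public DNS record, Let's Encrypt cannot validate them with the HTTP-01 challenge; issue those certificates with DNS-01 (the Cloudflare API works for this) so that nothing about them has to be reachable from the internet. And binding to a specific address means nginx fails to start if the Netbird interface is not up yet, so either order the nginx service after Netbird or enable `net.ipv4.ip_nonlocal_bind`.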
I recommend Forgejo over Gitea, and you definitely need an AI scraper blocker like Anubis in front of it as otherwise they will kill your VPS rather quickly, as these AI scrapers absolutely love to scrape code forges.
Many thanks for mentioning Anubis!
I recommend managing it through Dokploy.
And put crowdsec in front of it to block attacks.
I also recommend forgejo over gitea. I’m running forgejo and I love it.
For your reverse proxy, look into pangolin. It combines proxy with wireguard tunneling and auth. So you can set up access controls on a service by service level. It’s great. I use it and love it. No affiliation. Just really happy with how it works.
If it were me, I’d get another machine as a dedicated homeserver and distro-hop on your pc.
The homeserver doesn’t have to be fancy. We’re running all our stuff off a Dell Vostro from 2012 we got for like $30 on Craigslist. (It did need another $30 replacement PSU though. And it has 8GB RAM and a 500GB SSD which is nothing to sneeze at for a machine that cheap and that old.)
this sounds like a good setup
i do everything from home using vlan/proxmox/nixos/podman
yours sounds better i reckon
For a reverse proxy I can recommend pangolin. Single sign-on, PIN password and also private services that you can access via a Tailscale/Netbird-like app.
@versionc
Nice setup, pretty close to what I run. Few thoughts:
Reverse proxy + auth: I'd look at Traefik over Nginx Proxy Manager - it plays really well with Docker (auto-discovers containers, handles Let's Encrypt certs). For the auth layer on Vaultwarden/Immich, consider Authentik instead of tying it to Netbird. Gives you SSO across everything and you're not locked into one VPN mesh for access control. I run Authentik in front of most of my services and it's been solid (minus the time I accidentally deleted its secrets and locked myself out of everything - back up your auth server config).
Netbird approach: Using Netbird IP ranges for access control on the reverse proxy can work, but it's a bit fragile. You're coupling your network topology to your auth policy. If Netbird changes IPs or you add a device, you're editing nginx configs. A proper auth proxy in front gives you more flexibility.
Gitea / Forgejo: I'd also recommend checking out Forgejo if you haven't - it's a community fork of Gitea that's been moving faster and stays fully open. I ran Gitea for years before switching. Either way, I'd push back on running it without auth entirely. Even for public repos, you want auth on the admin/write side. Forgejo (and Gitea) support public repos with anonymous read access - you don't need to skip auth, just configure repo visibility. The built-in controls are solid enough.
General structure: Your instinct to keep critical services (Vaultwarden especially) off the public internet is right. Password manager should have the smallest attack surface possible. The VPS-as-entry-point pattern is good. I do the same thing with a cheap VPS running a reverse tunnel so my home IP is never exposed.
One thing to think about: if you wipe your home PC, make sure your VPS services can stand alone. Docker volumes + a backup strategy (even just weekly to cheap cloud storage) will save you when something goes sideways.
@deepjoy @versionc name dropping Traefik AND Authentik in one comment? Ok, you’re talking my language. Followed.
Your split setup makes sense, but juggling Netbird DNS + reverse proxy ACLs + Cloudflare can get complex fast.
You might want to check out Syncloud — it’s a fully open source self-hosting platform that handles HTTPS, auth, and app installs (Nextcloud, Gogs, etc.) out of the box. Runs on any hardware and you don’t have to babysit configs. Could simplify the VPS side of things at least.