• 5 Posts
  • 11 Comments
Joined 1 year ago
Cake day: December 12th, 2023

  • When it finally came to the firewall, after realizing I was working with docker containers and my brain said “no more rabbit holes, friend.” Thanks for the information.

    Also gufw is just a simple graphical user window that’s built on top of ufw. I was using VNC when I began learning all this and planned on using gufw. By the time I finished the guide, I had become comfortable handling everything from the terminal alone. It was just kinda there in the guide at that point.

    That’s good to know about docker. I ran into issues modifying docker-compose.yml files while a container was up so I just made it a habit to shut containers down before making changes. I can see using pull while a container is up being more important for places concerned about unnecessary downtime though.


  • I’ll be using whitelists to manage federation in order to keep things small. Also I am only interested in allowing people in my local community to join since that’s the goal I am working towards.

    I am also interested in seeing how it does hold up in the future but it’s not a permanent solution. It’s why I went through the process of learning RSync so I can hopefully have a simpler data migration process and setup whenever that time comes.

    I wanted to share the process for everyone since a lot of what’s in the guide could be useful for anyone with more appropriate server solutions, especially regarding Cloudflare’s services.

    The Pi itself was convenient for learning since wiping everything to start over is simple and quick.





  • I’ll give your suggestions a try when I get the motivation to try again. Sort of burnt myself out at the moment and would like to continue with other stuff.

    I am actually using the Cloudflare Tunnel with SSL enabled which is how I was able to achieve that in the first place.

    For the curious here are the steps I took to get that to work:

    This is on a Raspberry Pi 5 (arm64, Raspberry Pi OS/Debian 12)

    # Cloudflared -> Install & Create Tunnel & Run Tunnel
                     -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/
                        -> Select option -> Linux
                        -> Step 4: Change -> credentials-file: /root/.cloudflared/<Tunnel-UUID>.json -> credentials-file: /home/USERNAME/.cloudflared/<Tunnel-UUID>.json
                  -> Run as a service
                     -> Open new terminal
                     -> sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml
                     -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/
                  -> Configuration (Optional) -> https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/configuration-file/
                     -> sudo systemctl restart cloudflared
                  -> Enable SSL connections on Cloudflare site
                     -> Main Page -> Websites -> DOMAINNAME.COM -> SSL/TLS -> Configure -> Full -> Save
                        -> SSL/TLS -> Edge Certificates -> Always Use HTTPS: On -> Opportunistic Encryption: On -> Automatic HTTPS Rewrites: On -> Universal SSL: Enabled
    

    Cloudflared complains about ~/.cloudflared/config.yml and /etc/cloudflared/config.yml not matching. I just edit ~/.cloudflared/config.yml and run sudo cp ~/.cloudflared/config.yml /etc/cloudflared/config.yml again followed by sudo systemctl restart cloudflared whenever I make any changes.

    The configuration step is just there as reference for myself, it’s not necessary for a simple setup.

    The tunnel is nice and convenient. It does the job well. I just have a strong personal preference to not depend on large organizations. I’ve installed Timeshift as a backup management for myself so I can easily revisit this topic later when my brain is ready.
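The copy-and-restart routine from the Cloudflare Tunnel comment above, as an added shell example (not part of the original comment and not Cloudflare's own tooling): it copies the config only when the two files differ, and refuses when the tunnel credentials file named in it is readable by group or other. The function names and return codes are made up for this example, and GNU `stat` (as on Raspberry Pi OS/Debian) is assumed.

```shell
#!/bin/sh
# Added example: keep /etc/cloudflared/config.yml in step with the user-edited copy.

# cred_path FILE: print the credentials-file value from a cloudflared config.yml.
cred_path() {
    sed -n 's/^credentials-file:[[:space:]]*//p' "$1" | head -n 1
}

# perms_ok FILE: succeed only if FILE grants nothing to group or other.
perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *) return 1 ;;
    esac
}

# sync_config SRC DST
#   returns 0: DST updated, service restart needed
#           1: already identical, nothing to do
#           2: SRC missing or unreadable
#           3: credentials file is group/other accessible, nothing copied
sync_config() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    creds=$(cred_path "$src")
    if [ -n "$creds" ] && [ -e "$creds" ] && ! perms_ok "$creds"; then
        echo "refusing: $creds is accessible by group/other (chmod 600 it)" >&2
        return 3
    fi
    if cmp -s "$src" "$dst" 2>/dev/null; then
        return 1
    fi
    cp "$src" "$dst"
    return 0
}

# Usage: sudo sh sync-cloudflared.sh --apply ~/.cloudflared/config.yml
# (the script file name is a placeholder; the path is passed in because
# sudo may reset HOME)
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    if sync_config "$2" /etc/cloudflared/config.yml; then
        systemctl restart cloudflared
    fi
fi
```

The service is restarted only when the copy actually changed, so repeated runs are harmless.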








  • I checked the router settings and there seems to be a setting specifically for Dynamic DNS Client. There are three options included with DynDNS, NoIP and DtDNS. NoIP says it’s free so I will probably use that service.

    I’m going to assume having that setting there is a good sign for me and what I want to do. Possibly reduce some potential headaches.

    I’ll consider PieFed in the future as well. It does have some features and ideas overall that seem appealing to me. One thing at a time though.


  • I do intend to buy appropriate storage when the time comes. It’s convenient to backup and restore an sd card image while I figure things out as I’m just starting out.

    Would the public IP in this situation just be my home IP address? I’m assuming that the TLD provider would have an account settings page to set the IP reference?

    Are there any recommendations for any additional security for a lemmy instance, or is it even necessary for a small-scale social media site?



  • I had a very different reaction to my duct tape wallet. I saw a slim, front pocket design online that was exactly what I was looking for in a wallet but I was unable to find one to buy. This was around the time that front pocket wallets just started to become a fad with the minimalism community so they were still quite uncommon.

    Used an old thin plastic board as a frame and duct taped the outside. One pocket for cards, one for money and a stretchy band to slip over to prevent things from accidentally falling out.

    Everyone loved it because it was so unique I guess. Kept adding more tape to repair it as it aged but eventually I retired it because the old glue was smearing all over my cards and money.

    I made many great memories with that wallet since it travelled with me around the world for a good number of years.