222
I've written a series of blog posts about a "hands-off" self-hosting setup intended for relative beginners.
(cyclicircuit.prose.sh)
this post was submitted on 01 Jul 2025
222 points (99.1% liked)
Selfhosted
46672 readers
1306 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This is very cool, but also very dangerous. Many projects release versions that need some sort of manual intervention to be updated, and automatically updating to new versions on docker can lead to data loss in those situations.
Here’s a recent example from Immich:
https://github.com/immich-app/immich/releases/tag/v1.133.0
It is my humble opinion that teaching newbies to do automatic updates will cause them to lose data and break things, which will probably sour them from ever self hosting again.
Automatic OS updates are fine, and docker update notifications are fine, but automatic docker updates are just too dangerous.
That's reasonable, however, my personal bias is towards security and I feel like if I don't push people towards automated updates, they will leave vulnerable, un-updated containers exposed to the web. I think a better approach would be to push for backups with versioning. I forgot to add that I am planning a "backups with Syncthing" article as well, I will take this into consideration, add it to the article, and use it as a way to demonstrate recovery in the event of such an issue.
You say this as though security is naturally a consideration for most docker images.
Been in it since the web was a thing. I agree wholeheartedly. If people don't run auto updates and newbies will not run manual updates, You're just teaching them how to make vulnerabilities.
Let them learn how to fix an automatic update failure rather than how to recover from ransomware. No contest here.
I’m with you on this. It has to feel at least somewhat low-fuss/turnkey or people aren’t going to stick with it. The people who don’t get this are the same people who can’t see why Plex is more popular than Jellyfin despite the latter’s overall superiority
My experience after 35 years in IT: I've had 10x more outages caused by automatic updates than everything else combined.
Also after 35 years of running my own stuff at home, and practically never updating anything, I've never had an outage caused by a lack of updates.
Let's not act like auto updates is without risk. Just look at how often Microsoft has to roll out a fix for something an update broke. Inexperienced users are going to be clueless when an update breaks something.
We should be teaching new people how to manage systems, this includes proper update checks on a cycle, with appropriate validation that everything works afterwards, and the ability to roll back if there's an issue.
This isn't an Enterprise where you simply can't manually manage updates across hundreds or thousands of servers, and tens of thousands of workstations - this is a single admin, small environment.
I do monthly update checks, update where I feel it's warranted, and verify systems afterwards.
Well, you just saved me a bunch of time trying to figure out how to auto-update my humble little server. Granted, I only have Plex and Samba Share right now, but I like the principle. Hell, an update once blanked my smb config file for whatever reason
Now auto-backups are another thing; because I would like to use a .tar file, but then it leads me down a rabbit hole because I don't know how to repair Grub if needed for a restore, or what Grub really even is vs Bios... I've just been learning as I go
I'm a few weeks away from getting a couple parts for an upgrade, and then it'll be some fun. I want to redo it from scratch and maybe set up proxmox and change my file system to zfs, then start looking at docker, figure out Jellyfin and look at some ARR stuff... maybe tailscale or headscale. Idk, it's just fun cause it's a hobby. I just haven't had the storage or ram really, but soon
I don't disagree with any of that, I'm merely making a different value judgement - namely that a breach that could've been prevented by automatic updates is worse than an outage caused by the same.
I will however make this choice more explicit in the articles and outline the risks.
Don't expose anything outside of the tailnet and 99% of the potential problems are gone. Noobs should not expose services across a firewall. Period.
with properly limited access the breach is much, much less likely, and an update bringing down an important service at the bad moment does not need to be a thing
This is really the truth. Auto-updating is really bad form when you are getting into server management. The first admin position I had back in the day had the rule that no automatic updates are to run, a manual update can only be run after 1 month of that update being released, and it had to accompanying documentation confirmed before it could be approved. The one time we did not follow that we ended up having to re-image the server in question from backup (as that was the quickest solution to getting it back online).
it'll still cause downtime, and they'll probably have a hard time restoring from backup for the first few times it happens, if not for other reason then stress. especially when it updates the wrong moment, or wrong day.
that's the point. Services shouldn't be exposed to the web, unless the person really knows what they are doing, took the precautions, and applies updates soon after release.
exposing it to the VPN and to tge LAN should be plenty for most. there's still a risk, but much lower
Consider warning the reader that it will not be obvious if backups have stopped, or if a sync folder on the backup pc is in an inconsistent state because of it, as errors are only shown on the web interface or third party tools
Yeah I agree with the warnings. One of the things I'm trying to ensure I get across accurately (which will be discussed later in the series) is how to do monitoring. Making sure backups are functioning properly would need to be a part of that.
Immich is still unstable. This shouldn't happen to a stable project.
What it tells me is that you need a regular backup
This absolutely can happen to stable projects. This has happened with Mastodon many times, and Mastodon has been stable for years.
It also has happened with Nextcloud many times, and again, Nextcloud has been stable for years.
It’s not a stability thing, it’s an automation thing. We as devs can only automate so much. At a certain point, it becomes up to you, as the administrator, to manually change things. Things like infrastructure changes, and database migrations, where the potential downtime if we automate it is something we need to consider.
Your probably right, you can't catch each bug I guess
I use diun for update notifications. I wish there was something that could send me a notification, and if I gave it an okay or whatever it would apply the update. Maybe with release notes for the latest version so I could quickly judge if I need to do anything besides update.