You could self-host Lemmy and use RSS to Lemmy services to post to your personal communities.

The opposite of VPS is more like “home lab”.

Managing a VPS yourself still counts as self-hosting.

The requirements asked for a web UI. You are right though, except for that, other kind of shared folder solutions might work.

Wordpress has become an all-purpose CMS known security vulnerabilities via unsafe plugins.

Ghost has APIs instead of plugins for nearly everything, so it eliminated a lot of security and maintenance headache that way.

Ghost focuses on just a few features centered around independent content creators: blogging, email newsletters and subscriptions.

So features for sending bulk emails and accepting payments are built in, but you won’t find native support for other things like podcasts or recipe markup.

Ghost meets my need, and I love not dealing with 30 plugins at risk of being exploited if I don’t upgrade them promptly.

Exactly. It’s not just downtime to worry about, either. It’s disks filling up. It’s hardware failure. It’s DNS outages. It’s random DDoS attacks. It’s automated scans of the internet targeting WordPress. It’s OS, php and database upgrades. It’s setting up graphing, monitoring, alerting and being on-call 24/7 to deal with the issues that come up.

If these businesses are at all serious, pay for professional hosting and spend your time running the business.

Until it gets a security audit, I’ll stick with Signal.

I think there is a catch-22.

pg_dump needs to connect to a running PostgreSQL instance.

But if you upgrade the binaries and try to start up, you can’t because the old data format doesn’t work. Because you can’t start up, pg_dump can’t connect.

I’ve spend more than a decade supporting both Postgres and MongoDB in production.

While they each have quirks, I prefer the quirks of Postgres.

I just spent a massive amount of time retooling code to deal with a MongoDB upgrade. The code upgrade is so complex because that’s where the schema is defined. No wonder MongoDB upgrades are easier— the database has externalized a lot of complexity that now becomes some coders problem to deal with.

For minor version upgrades, the database remains binary compatible. Nothing to do.

The dump/restore required during major upgrades allows format changes which enable new features and performance improvements without dragging around cruft forever to stay backwards compatible.

For professionals running PostgreSQL clusters in production there is a way to cycle in the new server version with zero user-visible downtime.

Discussions about hosting on your hardware is more likely to be discussed as “homelab”.

It doesn’t improve security much to host your reverse proxy outside your network, but it does hide your home IP if you care.

If your app can exploited over the web and through a proxy it doesn’t matter if that proxy is on the same machine or over the network.

I would recommend automating only daily security updates, not all updates.

Ubuntu and Debian have “unattended-upgrades” for this. RPM-based distros have an equivalent.

What do you check two hours later?

https://www.cloudns.net/ Makes dynamic DNS very easy.

It’s so old it’s not called self-hosted.

Moneydance https://moneydance.com/

Started using it close to twenty years ago and keep using it because it seems fine.

At one time there were browser extensions that allowed you to comment on any web page and allowed other extension users to see your comments.

The comments were hosted through the extension and not on the pages themselves.

Something like that would be possible but I don’t know anyone offering it now. I presume no one wants to moderate that.

Good example. It’s true that an even a GET request not designed to mutate data might still fail to validate input, allowing a SQL injection attack or other attack that escalates to the privileges that the running app has.

Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they went to be private:

https://github.com/immich-app/immich/tree/main/e2e/src/api/specs

As a popular open source project, that would be e glaring security hole.

Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s Github account is hacked or there’s vulnerability in he supply chain of this docker container.

It’s also not true that you “never need to touch it again” . It’s based on Node whose security update expire every two years. New image should be built at least every two years to keep to update with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.

Yes, there are broken uses of the HTTP protocol verbs where filtering to GET won’t work.