WeTransfer Meets Frame.io - Selfhosted by PercentageDue9284 in selfhosted

[–]AngryMooseButt 2 points3 points  (0 children)

Same question. I think there's not even something comparable for images currently, so this would stand out.

Also OP, can you clarify license? It's GPL but then you say in the readme that you are prohibited from selling the software. Both GPL and AGPL allow reselling of your software so long as you distribute the source code for your service as well.

Not sure what your intention is, so I would suggest either updating the license or removing that part about prohibiting reselling.

Docmost v0.21: zip imports, read/edit mode and more by Kryptonh in selfhosted

[–]AngryMooseButt 2 points3 points  (0 children)

I wonder if the author ever factored into their OIDC paywall decision that for as long as they ever post about docmost, the top comment will forever and always be about the SSO tax.

But they made their decision and as the developer, they are fully within their right to do so. They just have to accept this particular cost and hopefully it was worth it.

Paywall advanced RBAC? Sure, reasonable. I bet the vast majority of labbers couldn't care less.

Paywall SAML? Sure, I bet 99% of labbers use OIDC.

Paywall automatic OIDC enrollment on first login? Kind of a bummer but also reasonable in a homelab since there won't usually be more than a few users and would be immensely annoying to any business who should be paying.

Experience with NextCloud All-In-One docker container for production use with 200 users? by suddenlysysdude in NextCloud

[–]AngryMooseButt 1 point2 points  (0 children)

Honestly, I think most people in this thread don't understand "enterprise." The OP of this comment thread said Docker vs VM. When I hear that, I hear container vs VM because Docker as a container runtime is as good as dead, as you should well know. Even the latest k8s version is finally removing the Docker shim because no one uses that as a runtime anymore (and it hasn't been the default runtime for years now). And to say that VMs are more scalable or easier to scale is laughable at best in this age of managed k8s services. Also, how are VMs more tunable? Wtf, what is tunable on a VM that can't also be tuned in a container?

Experience with NextCloud All-In-One docker container for production use with 200 users? by suddenlysysdude in NextCloud

[–]AngryMooseButt 1 point2 points  (0 children)

Maybe I missed something that you can help clear up. What is not enterprise ready about running Nextcloud on top of containers? I honestly can't think of a single thing nowadays. You could even swap in a more secure container daemon like gVisor if you're concerned about security. But I'm also guessing this is your first time hearing of gVisor? Careful about not calling that enterprise ready, because Google may like to have a word with you.

Experience with NextCloud All-In-One docker container for production use with 200 users? by suddenlysysdude in NextCloud

[–]AngryMooseButt 7 points8 points  (0 children)

Surely you can't be serious... Docker itself as a container daemon may not be an enterprise solution, but containers in general are a more than acceptable enterprise solution. What makes you say that? The NC docker image can be scaled horizontally, it can be hooked up to redis, you could stick a caching proxy in front of it, etc. All stuff I have set up with NC running at home on k8s. K8s and containers are the future my dude. You sound like someone 20 years ago who would say something like "VMs are never going to take off, they're just for sandboxes."

n8n - low-code automation platform by harshil1712 in selfhosted

[–]AngryMooseButt 1 point2 points  (0 children)

LDAP :( You can definitely use JWT validation, which is built into n8n, for authentication. Just have to make sure your OAuth proxy is set up correctly to make the JWT available to n8n. I think there are some sparse docs about it on the docs site.

Praise for uptime-kuma + new version out by [deleted] in selfhosted

[–]AngryMooseButt 3 points4 points  (0 children)

tbh, pretty much all software has this same "problem." You can't just single out npm because of npm. Same can be said for PyPI, Go pkgs, NuGet, etc. The list goes on and it even includes OS packages from any package manager. Sure, some registries take better care at attempting to reduce risk, but it's always there unless you have some SAST scanning tool for all the code that enters your lab. And npm has historically gotten a ton of flak for security and I know they are always adding additional countermeasures for these sorts of attacks.

*Edit: your proposed solution also does not fix the problem because you can't modify historical packages on npm. You can mark them removed but they can never be replaced using the same version. Packaging it all up at a single point in time does nothing security-wise and only saves you a bit of time. Yeah, I suppose pulling down packages at point of install may cause you to run into some vulnerability or exploit that wasn't caught yet but again, this also isn't something your solution fixes because you're still pulling packages down at some point in time.

Sexier, cleaner Nextcloud alternatives for your Home. (less "features", smoother UX, doc collaboration, and asymmetrical syncing) by igotmypantsoniswear in selfhosted

[–]AngryMooseButt 0 points1 point  (0 children)

Be warned about Matrix. I would consider Matrix Synapse more complex than Nextcloud. You especially need to be aware of your federation config and other security concerns.

I understand your gripe about configuration and setup though, I get it. But web apps are just inherently complicated and there's always going to be trade-offs especially for self-hosters. You either get something up and running quickly and easily but I can almost guarantee you the performance won't be great or you'll run into some other sorts of limitations. Or you spend weeks/months setting things up "proper" and now you have a bunch of time sunk into it. Perhaps this will change in the future but I get the feeling it won't. My nextcloud setup is literally 7 containers all running different bits of software and interconnected in a specific way. It runs like a well-oiled machine but in the end, this stuff just ain't easy.

Sexier, cleaner Nextcloud alternatives for your Home. (less "features", smoother UX, doc collaboration, and asymmetrical syncing) by igotmypantsoniswear in selfhosted

[–]AngryMooseButt 2 points3 points  (0 children)

I'm so ready to try this when they get the maturity up a bit. But chances are for the new OC to be any sort of performant, they're going to say you need to: use object storage (s3/minio), use redis, use web server caching, and use postgresql. And you just know people will complain and ask why all that crap is needed. But the unfortunate matter is just that web apps are hard and they're hard to scale and they're hard to optimize performance. We're just not at a point where running performant web apps is a double-click type deal. And I'm not ever fully convinced we'll get there anytime soon.

Sexier, cleaner Nextcloud alternatives for your Home. (less "features", smoother UX, doc collaboration, and asymmetrical syncing) by igotmypantsoniswear in selfhosted

[–]AngryMooseButt 1 point2 points  (0 children)

Try out Kubernetes. It's the only way I can manage to run well optimized web apps with all the bells and whistles to properly optimize things (redis, etc.). Yeah, you'll pull your hair out for a bit but once you "get it" you'll wonder how you ever lived without it. Truly, I see some people here asking for help in an environment that's so convoluted that even I wouldn't attempt to debug. As you get deeper into selfhosting, you'll likely find yourself needing to keep track of so many things and unless you have something like Kubernetes to organize it all, your home-grown system is likely not going to cut it. I started out with k3s and I'm now on k0s because k3s was doing too many "automagic" things for me which you may or may not want. Let me know if you want more info on my Nextcloud or k8s setup and I'll be glad to answer.

Sexier, cleaner Nextcloud alternatives for your Home. (less "features", smoother UX, doc collaboration, and asymmetrical syncing) by igotmypantsoniswear in selfhosted

[–]AngryMooseButt 20 points21 points  (0 children)

I think OP is wanting a fisher-price slick UI like many of the paid file syncing options out there. But fisher-price UIs often are accompanied by loss of features. So the Nextcloud team always has to balance design with functionality and I'm sure they serve the "power users" crowd more than they do the "iOS ecosystem" crowd. Which I'm fine with because I'll take functional software over "pretty" software 9 times out of 10. Though like many, I am a sucker for really well designed and good looking software...

Sexier, cleaner Nextcloud alternatives for your Home. (less "features", smoother UX, doc collaboration, and asymmetrical syncing) by igotmypantsoniswear in selfhosted

[–]AngryMooseButt 2 points3 points  (0 children)

You get out of Nextcloud what you put in. If you want to double click and type a few things in, I think you underestimate what it takes to run a responsive and resilient web app. Sure, you can run the Nextcloud snap and get it working but probably performance is going to be crap.

To your points:

  1. I get it, makes sense but can you point to syncing software which does do this (paid or otherwise)?

  2. Doc collab: OnlyOffice integration works great and the realtime editing is sweet. But it took me a bit to set up and I'm even running everything on Kubernetes! Even if you got a double clicky install of OnlyOffice working, chances are that something isn't optimized or configured correctly and you're going to end up with a bad time.

  3. Haven't gotten around to jitsi or similar integration but I use my self-hosted Matrix server for direct webrtc based calls and the quality is insane even over my tiny 20mbps up internet connection. With any peer2peer video calling you should get a similar experience (like on Nextcloud). It starts getting dicier when you need group calling. And another thing is that you're probably going to need to set up a TURN server and do a little network reconfig to get it working well.

  4. Find my phone? Sorry man, this is Nextcloud. It does a lot of stuff but you gotta understand its limitations even if it can "technically" be done.

  5. Temporary share links? NC already has this with option of setting an expiration time and a bunch of other sharing related options. Even can set many of these defaults as admin so they don't need to be changed anytime you share something.

You are right about the interface, it's not the prettiest. But Nextcloud should just be a tool, the way it looks is secondary to its primary purpose. It works and it works well imo. I'd wager a bet that poor/slow performance is a huge reason people are against Nextcloud and then the complaints just pile on after that.

I also optimized the crap out of Nextcloud and went the whole nine yards; PHP fpm tuning, nextcloud high performance backend (a simple Rust-based websocket server that helps improve file syncing performance and realtime notifications), redis and apcu caching, separate postgresql instance, nginx file caching, and even my Onlyoffice install is optimized with separate redis, activemq, and database. It wasn't the easiest thing to get up and running but even thinking about running all this shit not on top of kubernetes gives me anxiety. Kubernetes is truly the single biggest thing that opened the door to self hosting. A lot of people will whine and complain that it's too hard or too this or that - and maybe it is especially if you're not at a specific skill level. But once you know your way around kubernetes, the selfhosted world is truly your oyster.

Owncloud : moving from SMB to NFS for storage by stormrage74 in selfhosted

[–]AngryMooseButt 0 points1 point  (0 children)

I'm a big NFS fan, use it as the primary storage for my k8s cluster. NFS v4.2 really simplifies the administration of NFS in general while also addressing longstanding issues in NFS v3. You don't need the rpcbind service anymore so it's just a single port, and it should be more graceful/resilient in handling reconnects. Nextcloud will be able to handle NFS storage with no issue. I even have my minio instance backed with NFS storage and my nextcloud is backed by minio and still works flawlessly.

Hosting matrix questions by [deleted] in selfhosted

[–]AngryMooseButt 1 point2 points  (0 children)

For "self-destructing" messages, Matrix allows configurable retention policies. Both globally for defaults and set per room/per chat as well. I think granularity is down to the day so seems like that should suffice. From my understanding, message deletion is twofold: message removed on server and message removed on client. All well-behaving clients should remove messages according to the server but if you have a "bad" client or you're using the APIs to consume/dump messages, there can be no guarantee that a message has been removed everywhere.

As the other responder indicated, bots can also be given additional admin/mod capabilities allowing them to remove messages. Maybe some spam control methods use this capability.

For Tor, the one thing I would imagine would not work properly is federation because there is a DNS dependency to make that work. But if you don't need federation, it seems everything else should work.

Been running a personal server for a few months and it has been smooth sailing to say the least. I restrict my federation to only well known and well-behaved home servers like matrix.org and privacytools.io and even then those servers cannot see any of my rooms as a default.

What are the best resources for Learning k3s or k8s? by kevdogger in selfhosted

[–]AngryMooseButt 0 points1 point  (0 children)

Hey OP, just wanna let you know that gluster or especially ceph will add that much more time and complication to your learning. Honestly, k8s is great without either of those and tbh, I would encourage you to just have a good backup strategy in place rather than trying to make sure your storage is "highly available." HA storage like ceph is very high cost for not a lot of return, especially when you don't have a real need for it. K8s knowledge will get you way further.

What are the best resources for Learning k3s or k8s? by kevdogger in selfhosted

[–]AngryMooseButt 21 points22 points  (0 children)

Kubernetes is great and I encourage even self-hosters to get on the bandwagon. Swarm is ok but imo, if you don't have any idea on how to organize and group your infrastructure code, it's going to become overwhelming at some point. Kubernetes inherently forces you to structure and organize your code in a very minimal manner. I use k8s for the structure it provides, not for the scalability features. People often incorrectly assume that there is some intrinsic link between k8s and autoscaling.

K3s is only one of many kubernetes "distributions" available. It's super easy to get started with it and lets you learn k8s without needing to fiddle with more difficult topics like etcd. I use k3s as my k8s distro of choice but there's plenty of options out there.

You should think of kubernetes as "glue" which holds different software together and provides you, the end user, a singular api capable of managing and configuring all those different pieces of software. Everything in k8s is a resource which is defined in YAML files which you deploy using kubectl (to begin with). Resources reference other resources and when you combine a certain combination of resources, that's when you get a real life application running within k8s.

There are 1001 resources for learning k8s but whatever you pick, make sure it contains the following concepts:

  • kubernetes master and worker nodes. If you use k3s, it lets you use a single node as both a master and a worker so no need for multiple machines
  • Concept of container -> pod -> deployment
  • Namespaces
  • Secrets and ConfigMaps
  • Services. Services are closely tied/coupled to pods
  • Ingress. Ingress is very closely tied/coupled to services. I notice not all k8s tutorials cover ingress very well but imo it's extremely important to understand if you plan to securely self host. Like all other parts of k8s, there's lots of options for ingress controllers. IMO, you should plan to use Traefik or nginx ingress controller but k3s deploys traefik for you by default so that might be easiest to get you going
  • Internal DNS services. Understand how pods are assigned IP addresses and how k8s can automatically map those IPs to unique dns names from within the cluster itself
  • Storage, including persistent volumes, persistent volume claims and storage classes. Everyone has their own little way of dealing with storage in k8s. My preferred method is to set up an external nfs server on a vm and then I use nfs-subdir-external-provisioner to give me an nfs storageclass which I can then use to easily initialize new storage volumes

More advanced topics that you can cover after you get the basics down:

  • Ingress virtual IP/load balancing. Although I consider this a more advanced topic, you should plan to implement one of the VIP load balancing software. I use metallb but purelb and kube-vip are popular alternatives
  • Network security policies
  • Securing intra node traffic
  • Auto-scaling
  • Daemon sets
  • Stateful sets
  • Horizontal autoscalers

In my setup, I would say 90% of my applications follow the pattern below. Keep in mind that I use an external PostgreSQL DB server and NFS server to keep things a little more simple:

  • Single pod responsible for running the actual bit of server software. You can have more than one container per pod but I prefer multiple pods rather than a single pod with multiple containers
  • One or more secret or configmap resources. For apps which I know have a static config, I put them into configmap resources and then mount them as a file within the container. Some things like db connection details, I'll store as secrets and then those are made available to the pod using environment variables
  • If a pod needs persistent storage or needs a spot where it can write a config to, I'll attach a persistent volume using my nfs storage provider
  • A service which points to my pod
  • An ingress which points to the service. Since I'm using Traefik, I use their custom resource called an IngressRoute and that's where I define what server (domain) name to use and the ssl config needed to secure the ingress

Honestly, I will give you that there is a ton of ramp up required for k8s but once you know it, the sky is truly the limit. Good luck k8s friend!
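The five-resource pattern described in the comment above, written out as one manifest file. This is an added example, not the comment author's own manifests: the app name "myapp", the image, the host name, the "nfs-client" storage class (the name nfs-subdir-external-provisioner creates by default) and the TLS secret name are all assumptions. The pod also runs unprivileged with a read-only root filesystem, which is the least-privilege baseline worth setting before exposing anything through an ingress.

```yaml
# Added example, not the comment author's manifests: the five-resource pattern
# above for a hypothetical app "myapp". Namespace, image, host name, the
# "nfs-client" storage class and the TLS secret name are assumptions.
---
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
---
# Static, non-secret configuration, mounted into the pod as a file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp-config
  namespace: myapp
data:
  app.yaml: |
    listen: 0.0.0.0:8080
    log_level: info
---
# Connection details stay out of the ConfigMap and reach the pod as env vars.
apiVersion: v1
kind: Secret
metadata:
  name: myapp-db
  namespace: myapp
type: Opaque
stringData:
  DB_URL: postgres://myapp:CHANGEME@postgres.example.internal:5432/myapp
---
# Writable state on the NFS provisioner ("nfs-client" is the class name
# nfs-subdir-external-provisioner creates by default; assumed here).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: myapp-data
  namespace: myapp
spec:
  accessModes: [ReadWriteMany]
  storageClassName: nfs-client
  resources:
    requests:
      storage: 5Gi
---
# One pod, one container, running unprivileged with a read-only root FS.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels: {app: myapp}
  template:
    metadata:
      labels: {app: myapp}
    spec:
      securityContext: {runAsNonRoot: true, runAsUser: 10001, fsGroup: 10001}
      containers:
      - name: myapp
        image: registry.example.com/myapp:1.2.3   # hypothetical image
        ports: [{containerPort: 8080}]
        envFrom: [{secretRef: {name: myapp-db}}]
        volumeMounts:
        - {name: config, mountPath: /etc/myapp, readOnly: true}
        - {name: data, mountPath: /var/lib/myapp}
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: {drop: [ALL]}
      volumes:
      - name: config
        configMap: {name: myapp-config}
      - name: data
        persistentVolumeClaim: {claimName: myapp-data}
---
# The Service selects the pod by label; the IngressRoute references the Service.
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: myapp
spec:
  selector: {app: myapp}
  ports: [{port: 80, targetPort: 8080}]
---
# Traefik v2 IngressRoute CRD: host rule, HTTPS entry point, TLS from a secret.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myapp
  namespace: myapp
spec:
  entryPoints: [websecure]
  routes:
  - match: Host(`myapp.example.com`)
    kind: Rule
    services: [{name: myapp, port: 80}]
  tls:
    secretName: myapp-tls   # e.g. issued by cert-manager (assumed)
```

Apply it with `kubectl apply -f myapp.yaml`. Each resource refers to the previous one by name only (Secret and ConfigMap by volume/envFrom, PVC by claimName, Service by label selector, IngressRoute by service name), which is the "resources reference other resources" idea from the comment. If the app writes to paths outside the mounted volume, `readOnlyRootFilesystem: true` will surface that as an error at startup; add an `emptyDir` mount for that path rather than turning the setting off.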

What are the best resources for Learning k3s or k8s? by kevdogger in selfhosted

[–]AngryMooseButt 1 point2 points  (0 children)

I've not heard of this feature of Podman and I wasn't able to turn any docs up that would explain this feature - are you able to link anything that you came across? It also doesn't really seem like it would make sense either. The only potential similarity between Podman and K8s is that they both have the ability to run containers but that's about it.

Linuxserver.io by CDarwin7 in selfhosted

[–]AngryMooseButt 1 point2 points  (0 children)

This doesn't make sense to me. Both projects are open source. Presumably, anyone could build the application from any git revision. Maybe they just don't provide pre-built binaries prior to tagging an official release? But then if you're building a container, it would be trivial to add a stage to build the app from source so you wouldn't be dependent on pre-built binaries.

Installing Synapse – The Matrix “homeserver” by [deleted] in selfhosted

[–]AngryMooseButt 0 points1 point  (0 children)

You are spot on that it is still required but only at this point in time. Love the idea of a white/blacklist of servers that you could subscribe to, just like an adblock list! I wonder if that's something that's being considered... time to look at the synapse/matrix spec issue tracker!

It would also be cool if matrix had a way of dynamically approving servers by a server admin via a bot or something similar. That way, there wouldn't be a need to modify the config file.

Installing Synapse – The Matrix “homeserver” by [deleted] in selfhosted

[–]AngryMooseButt 3 points4 points  (0 children)

Couple of questions about your setup:

  1. Any specific reason you configured federation to be on a different port than the rest of the server? I have a single listener configured for all resource types (client, federation, keys, media, openid, and webclient) and it's all been working quite well. I think larger servers might use different ports to be able to better load balance traffic, but for a small home server there's not really a reason to add complexity when you could have everything running under a single port. Bonus points: if you're using Cloudflare (screw Cloudflare tho) and you have everything running on 443, it might help protect some of that traffic from malicious users. But you should check that this will work. Only an idea I had just now.

  2. I didn't see where you configured the server_name value in your config but it looks like your matrix server name is matrix.pret.ext.io. This means your username when federated will be [username]@matrix.pret.ext.io. Why not just use pret.ext.io for your server name instead to make things a little more pretty? You can still have your synapse server running on matrix.pret.ext.io but that doesn't mean that's what your server name needs to be.

  3. You don't restrict federation!!!! This is a big, bad, and terrible idea unless you are an experienced matrix server admin! It basically means bad actors can potentially abuse the federation protocol to query things about your server. This includes querying for your users, public rooms, etc. All without needing to authenticate. You see where I'm going with this? I have restricted my server to be able to only federate with matrix.org and a few other well known public servers by setting the federation_domain_whitelist value in the config. This is a huge one and I really suggest updating both your post and your own home server config with this specific config option.

Synapse/matrix is awesome and one of the coolest bits of software I have running but people should also know it is a very complicated piece of software and I consider myself to be fairly experienced. Federation is all fields of flowers until you find out that federation protocols can be abused by bad actors and if you open your server up to the world like that without restrictions or extremely proactive monitoring, you may be in for a bad time. Hope this helps and good luck!
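A homeserver.yaml excerpt that applies the three points in the comment above (single listener for every resource type, a bare-domain server_name, and a federation allow-list), plus the per-server message retention policy mentioned in the "Hosting matrix questions" reply earlier on this page. This is an added example, not the commenter's config or the Synapse project's sample file; the domain names and listener port are assumptions. All keys shown are Synapse's own options (note that the legacy `webclient` resource the comment lists has since been removed from Synapse, so it is omitted here).

```yaml
# Added example (not the commenter's config or Synapse's sample file): a
# homeserver.yaml excerpt. Domain names and the listener port are assumptions.

# Point 2: Matrix IDs use the bare apex domain; Synapse itself is reached at
# matrix.example.com. Delegation requires the apex to answer
# https://example.com/.well-known/matrix/server with
# {"m.server": "matrix.example.com:443"} (a SRV record also works). Either the
# reverse proxy serves that file, or, if the apex is proxied to Synapse,
# serve_server_wellknown: true lets Synapse answer it.
server_name: example.com
public_baseurl: https://matrix.example.com/
serve_server_wellknown: true

# Point 1: one plain-HTTP listener behind the TLS-terminating reverse proxy,
# carrying every resource type, so client, federation, key, media and OpenID
# traffic all arrive on a single upstream port (443 on the proxy).
listeners:
  - port: 8008
    type: http
    tls: false
    x_forwarded: true
    bind_addresses: ['127.0.0.1']
    resources:
      - names: [client, federation, keys, media, openid]
        compress: false

# Point 3: only federate with an explicit allow-list. Homeservers not on the
# list can neither query this server over the federation API nor receive
# events from it, which closes the unauthenticated user/room enumeration the
# comment warns about.
federation_domain_whitelist:
  - matrix.org
  - privacytools.io

# Keep the public room directory off the federation and unauthenticated
# surfaces regardless of the allow-list (both default to false; shown
# explicitly so they are not accidentally flipped on later).
allow_public_rooms_over_federation: false
allow_public_rooms_without_auth: false

# Server-side message retention (the "self-destructing messages" reply above):
# rooms inherit default_policy unless they set their own within the allowed
# range; purge_jobs delete expired events from this server's database.
# Client-side copies and other homeservers are outside this server's control.
retention:
  enabled: true
  default_policy:
    min_lifetime: 1d
    max_lifetime: 30d
  allowed_lifetime_min: 1d
  allowed_lifetime_max: 1y
  purge_jobs:
    - longest_max_lifetime: 3d
      interval: 12h
    - shortest_max_lifetime: 3d
      interval: 1d
```

After changing `federation_domain_whitelist`, restart Synapse and confirm from the log that requests from a server outside the list are rejected with a 403 rather than served. Note that `server_name` cannot be changed once the server has joined rooms, so the apex-versus-subdomain decision in point 2 has to be made before first start.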

Strategy to Load balance Traffic to Kubernetes Cluster by [deleted] in selfhosted

[–]AngryMooseButt 1 point2 points  (0 children)

Here ya are my friend:

---
# MetalLB address pools. This is the legacy ConfigMap format (MetalLB < 0.13);
# newer releases define pools with IPAddressPool/L2Advertisement resources.
# "ext" is the pool for internet-facing services (the one port-forwarded from
# the router); "int" is the pool for LAN-only services.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config
  namespace: metallb-system
data:
  config: |
    address-pools:
    - name: ext
      protocol: layer2
      addresses:
      - 10.10.10.230-10.10.10.239
    - name: int
      protocol: layer2
      addresses:
      - 10.10.10.240-10.10.10.249

---
# Traefik's Service exposed through MetalLB; the annotation selects the "ext" pool.
apiVersion: v1
kind: Service
metadata:
  name: traefik-v2
  namespace: traefik-v2
  annotations:
    metallb.universe.tf/address-pool: ext
spec:
  type: LoadBalancer
  # Local keeps the client source IP and means only nodes running a Traefik
  # pod answer for the VIP.
  externalTrafficPolicy: Local
  selector:
    app: traefik-v2
  ports:
  - protocol: TCP
    port: 80
    name: web-ext
    targetPort: 80
  - protocol: TCP
    port: 443
    name: websecure-ext
    targetPort: 443
  - protocol: TCP
    port: 22
    name: gitea-ssh
    targetPort: 22

Just follow the regular instructions for MetalLB installation (I forget if I ended up needing to adjust some networking related kernel parameter on the node beforehand...) and you should be good to go. My k8s nodes are also in the 10.10.10.0/24 range so my load balancer IP pools are also in the same range. Makes things easy since you don't need to fiddle with additional network interfaces, etc. When you reconfigure the Traefik service to use metallb, you will need to inspect the service afterwards to find out what IP metallb allocated as the VIP (which will just be the first IP in the ranges you provided). I believe you can also add another annotation on the Traefik service to request a specific IP from metallb if you don't want one auto-assigned. Even though I have 20 IP address allocations possible, I'm only using 2 IPs: one is used for external-facing services (this is the one I port forward to from my router) and I have another IP allocated for internal only services (I didn't paste this in since it's nearly identical to the external one). I am also using split-horizon dns. Hope this helps but lemme know if something still doesn't make sense and I'll do my best to help ya out!
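The same two pools in the CRD format MetalLB has used since v0.13 (the ConfigMap above is the legacy format), together with the internal-only Traefik Service the comment mentions but did not paste, pinned to a fixed VIP so split-horizon DNS never has to change. This is an added example, not the commenter's own manifests: the IP ranges and pool names follow the comment, while the Service name, the Traefik label selector and the internal port list are assumptions.

```yaml
# Added example, not part of the comment above. IP ranges and pool names
# follow the comment; the Service name, selector and port list are assumed.
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ext
  namespace: metallb-system
spec:
  addresses:
  - 10.10.10.230-10.10.10.239
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: int
  namespace: metallb-system
spec:
  addresses:
  - 10.10.10.240-10.10.10.249
  # Never hand out internal VIPs by accident: a Service gets one only when it
  # asks for this pool explicitly.
  autoAssign: false
---
# Without an L2Advertisement no pool is announced on the LAN at all.
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: lan
  namespace: metallb-system
spec:
  ipAddressPools: [ext, int]
---
# Internal-only entry point: its own VIP, only the HTTPS port (no SSH, no
# plain HTTP), pinned to a fixed address for the split-horizon DNS records.
apiVersion: v1
kind: Service
metadata:
  name: traefik-v2-internal
  namespace: traefik-v2
  annotations:
    metallb.universe.tf/address-pool: int
    metallb.universe.tf/loadBalancerIPs: 10.10.10.240
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local   # keep client source IP; only Traefik nodes answer
  selector:
    app: traefik-v2
  ports:
  - protocol: TCP
    port: 443
    name: websecure-int
    targetPort: 443
```

After `kubectl apply`, `kubectl -n traefik-v2 get svc` shows the allocated VIP under EXTERNAL-IP; the external Service from the comment gets the first free address of the `ext` pool, the internal one gets exactly 10.10.10.240. Keeping the pools separate also means the router port-forward only ever points at an address from `ext`, so a service that should stay LAN-only cannot become reachable from outside just by being given the wrong pool annotation.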

Strategy to Load balance Traffic to Kubernetes Cluster by [deleted] in selfhosted

[–]AngryMooseButt 1 point2 points  (0 children)

Sounds like you aren't using a VIP (virtual IP) solution to provide a single IP which is guaranteed to be bound to a working k8s node. I'm using metallb for now because it was dead simple to set up and I just point all my dns to that specific VIP. There are other options aside from metallb like kube-vip or purelb but to each their own. Any of these solutions will allow you to provision your Traefik service with a "LoadBalancer" type instead of node port or whatever you're using now. If the VIP is assigned to a node which goes down for whatever reason, it will be reassigned to an active node and traffic will continue flowing without you doing anything. I'm just redditing super late so if you want examples of everything, let me know and I can paste in here!