"Self-host it" is not the answer

I'm going out on a limb a bit here.

I love self-hosting my own systems. I self-host almost but not quite everything for personal and work use.

But I think that, typically, "host it yourself" is a sub-optimal answer, especially when the reason for the recommendation is to deal with increasingly draconian or out of touch legal requirements, or lack of enforcement of privacy laws.

And here's why:

Self-hosting requires a heck of a lot of privilege. You need to bring a lot to the table, and continue to bring it to the table for as long as you want your stuff to run well and securely.

Of course, I'm not saying "you shouldn't self-host stuff". I'm not saying that at all. I'm saying that you shouldn't have to do it, and you shouldn't feel bad or inferior (not that it really matters what others think) if you don't self-host your own stuff.

What do I mean by "self-hosting"?

It appears that "self-hosting" might mean different things to different people.

To me, it means running software atop your own hardware, connected to your own Internet connection. That's the prism through which you should view this blogpost.

If you are running stuff on someone else's hardware / platform, or using your hosting provider's installer to get your service up and running on their infrastructure, great - you might have a perfectly good solution for your needs, so no criticism at all on that front - but that's not what I mean here by "self-hosting". I’d probably call it “self-managed”.

Cost

You need a surprising amount of stuff to self-host your own services.

Connectivity and IP addresses

Assuming you want it to be accessible outside your home LAN, you need an Internet connection.

I ran our systems off a VDSL line for years. Now I am fortunate I can justify spending money on a leased line.

But if your only Internet-connected device is a mobile phone, your options are greatly reduced.

You can get by without IPv6 and with a dynamic IPv4 address, especially if it doesn't change much, but it's sub-optimal; going with an ISP which offers IPv6 and fixed IPv4 is likely to make more sense if you want to host your own stuff for external access.

From ££/month to £££+/month.

A domain name

This is not absolutely essential - you could use a dynamic DNS server, or an IP address, or just host your service within .onionspace (all of which are valid options in different situations) - but, if you want your service to be readily available to others, on a domain over which you have slightly more control (which I guess is most of the point of self-hosting: control), you'll need a domain name.

(I say "slightly more" control, because your registry could take the domain name away from you, or alter the NS record so that it points to someone else's (e.g. their own) DNS.)

About £10/year?

DNS services

Probably, but not necessarily, part of what you buy when you buy your domain name.

(Yes, of course you can host your own authoritative DNS too.)

Hardware

You'll need some kind of computing device. That might be an old computer (warning: might not be as power efficient) or a small, low power computer (such as a Raspberry Pi), but a cheap computer is still a computer.

(I mostly use Raspberry Pi units, but second hand Mac Minis running Debian make for nice, low power, low noise, hypervisors.)

You'll need some storage (e.g. a hard drive/SSD, or an SD card), and a power supply.

And unless you're going to learn about SSH (fine, but another thing to learn, and secure), you'll also need a keyboard and monitor.

You'll probably also want a robust hardware firewall (in addition to the firewall on the machine itself).

Power

You'll need to power your infrastructure.

Hopefully, you've picked a low power system, but low power is not no power, and so you've got a cost there too.

Is it terrible that I don't know what the power bill is for the rack full of kit running here? I should probably get on top of that.

And if you don't want your devices crashing when there's a momentary power glitch (and potentially corrupting databases when it happens), you'll want a UPS. Don't forget to factor in the cost of new batteries every few years.

I guess you might live somewhere where you could rely on solar power, but then you've the cost of your PV units, storage, and so on.

Service-specific stuff

If you want to run your own PBX (telephony server) and want to connect to the PSTN, you'll need a SIP trunk. Or, if you really are going to go the whole way yourself, you'll need a number range, and you'll need to get that range hosted and interconnected with the PSTN, so that you can terminate calls made to numbers in your range.

If you're running a media server (e.g. jellyfin), you'll probably need a hard drive or SSD on which to store your videos.

Backups and resiliency

How are you going to be backing up your systems? To where?

Is the service you are running important enough that it needs to be resilient - that you need a second set-up, configured, synced, and ready to go?

Perhaps it's just a hard drive, but it could be rather more than that.

Knowledge and time

Buying the kit is only one of the costs.

The other cost is your time. And, if you are working three jobs, you probably don't have the luxury of time to learn things.

I am lucky, in that I both enjoy this and have the time to do it. But let's not beat around the bush, that's both unusual and fortunate.

Self-hosting stuff is not that hard, IMHO, but I say that having done it for years. I say that as someone who uses Linux for their desktop computing.

Frankly, I say that as someone who knows what an IP address is, how DNS works, how to configure a firewall, how to lock down SSH, and so on.

For someone starting from scratch, sure, there are guides available (hope they are correct, still accurate for the latest operating system revision / software version, and so on), but the sheer amount of knowledge you need to know whether what you are reading makes sense is considerable.

And when you've got it working, how confident are you in its security? Getting a TLS certificate is, thanks to the amazing Let's Encrypt, much easier these days, and free (as long as you have a domain name). And certbot makes using it a breeze. As long as you know about certbot. But what about the local firewall? Locking down ssh to a cert-only configuration? Malware scanning? fail2ban?

You could simplify it, by buying hardware with server components built in. For example, buy a Synology server, where you can flip a software switch and turn on services. Fine, if they do what you want, and you can afford to pay the price of entry.

You can also simplify it with Linux distributions aimed at self-hosting, such as Yunohost. I want to explore this more when I get a chance, as it looks like a great piece of software. However, by default, I don't think it encrypts the storage on which it is installed, and that's sub-optimal in my view.

Some applications have entire environments available, ready to be flashed onto an SD card (another thing you'd need to learn about, if you are starting from scratch!). For example, Home Assistant has an image for hosting it on a Raspberry Pi (although it didn't work for me when I tried it).

It's not just the time and knowledge to get the thing running. There's an ongoing burden too - don't forget the time for regular updates, for pen testing, for more significant upgrades, and so on.

You self-host the risk too

If you are self-hosting, the risk is yours.

You are the CISO.

You are the devops team.

You are the technical support team.

If you use Gmail for email, you know that the people running it and securing it are some of the best in the world.

If you want an end-to-end encrypted chat service run by world-class engineers and operations teams, you look to WhatsApp or Signal.

Sure, you can run your own matrix server (e.g. synapse), but how confident are you that you've secured it correctly? How quickly are you patching it?

You can run your own email - some people have more success with this than others; it can be finickety - but that's quite a lot of responsibility, especially if you are letting family and friends use it. How much of a pain would it be if it stopped working? How are you monitoring it for unauthorised access attempts? What happens when Microsoft or Google one day decide to (incorrectly?) flag your traffic as spam?

Dropbox is convenient and easy to use. Nextcloud is amazing - I love it - but unless your server is connected to a reasonably fast Internet connection, using it when you are away is going to be a pain. And if someone cracks that server, they get all your documents and photos.

Do you want to take on this in your spare time?

"Self-host it" is exclusionary

How many people want to spend their time doing this, let alone have the time? How many have the knowledge, or want to spend the time getting it? It's not necessarily expensive, but nor is it free.

IMHO, pushing self-hosting is, now at least, an exclusionary approach.

It's also - again, IMHO - looking down the wrong end of the telescope. Self-hosting shouldn't be the answer to bad laws or repressive regulations, or lack of effective enforcement. One shouldn't have to run Pi-Hole to prevent online tracking and surveillance. One shouldn't have to run one's own mailserver (not terrible, but not for the faint of heart) to stop a company scanning your email.

The better answer, in my view, is to address the problem at source, not push people towards self-hosting.

Am I a hypocrite?

Probably, because I do self-host. Almost everything. And I write about it on this blog - I've written about email, jitsi, WireGuard (algo), bitwarden, Pi-Hole, mastodon, VoIP systems, matrix, web hosting (including in .onionspace), and probably others which don't spring to mind.

I put the time into it. Hours and hours and hours (and I have enjoyed it).

I have a fantastic Internet connection (thanks, RevK, Bloor, and everyone else at A&A, and my job for enabling me to pay for it).

I have the hardware. And spare hardware. And numerous backups. And scripts for automating deploying and securing new machines.

And so on.

There are a couple of bits I don't self-host, and I'd like to rectify that. Authoritative DNS is on my list. I'd love to move our accountancy system onto a spare Raspberry Pi.

I actively prefer self-hosted solutions over something running on someone else's computer. If an IoT device relies on a manufacturer's server running, I'm likely to approach it very nervously, if at all.

So I'm definitely not suggesting that anyone shouldn't give it a try if they want to. But I am suggesting that (a) "self-host it" is not the answer to dumb laws or lack of enforcement, and that (b) having someone else host the service is far more realistic for the vast majority of people.

(Does it have to be a massive company? No! You could pay someone to run a nextcloud instance for you, for example. But this is about self-hosting, not alternatives to it.)


Author: neil

I'm Neil. By day, I run a law firm, decoded.legal, giving advice on Internet, telecoms, and tech law. This is my personal blog, so will be mostly about tech stuff, cycling, and other hobbies.

You can find me (and follow me) on Mastodon and Twitter.