Goofed Home

Notes on full disk encryption on a Hetzner cloud VPS

$$9139
https://lemmy.world/u/versionc posted on Mar 9, 2026 01:46

Hello!

I’ve spent a lot of time struggling with Hetzner’s KVM console; there are a lot of problems causing severe issues with setting up passwords and passphrases. I just thought I’d create this “guide” to get things rolling, for everyone who faces the same issues I’ve faced.

Step 1 - Firewall

Set up a firewall and only open port 22 with your IP (you can look it up using ip.me).

Step 2 - Installation

Perform the installation procedure as normal, setting very simple passwords and passphrases for the user accounts and the disk encryption. Set them to something like 123. These will be changed later!

I’m using Debian 13, the steps may or may not be the same for your choice of distribution.

Step 3 - SSH access

Unmount the ISO and reboot. Enter the console again, log in as root with your simple password. Now, if you have the same problem as me, keys like /, CTRL etc. won’t work, so I used tab completion and vi to modify the config file.

# cd ../etc/ssh/
# vi sshd<TAB>

Inside vi, press o to create a new line and enter insert mode. Add:

PermitRootLogin yes
PasswordAuthentication yes

Press ESC and then <SHIFT>-yy (so holding shift and pressing y twice). This will save the file and exit vi.

Step 4 - Dropbear

ssh into your VPS. Now you have full keyboard access like usual. Install dropbear-initramfs, which is an SSH server that’s placed in the initial RAM filesystem so that you can ssh into your VPS during startup and easily enter your encryption passphrase.

Generate a new key pair and add the public key to /etc/dropbear/initramfs/authorized_keys

Run update-initramfs -u and reboot. You should now be able to ssh into your VPS using the key you just generated. The following command lets you unlock the encrypted disk:

cryptroot-unlock

This will probably disconnect you from the tunnel, simply re-establish the SSH tunnel again.

Step 5 - Changing passwords and passphrases

To change the encryption passphrase:

# cryptsetup luksAddKey /dev/sdXY
# cryptsetup luksRemoveKey /dev/sdXY

Lock the root user and change the password of your user (don’t forget to add the user to the sudo group!):

# passwd -l root
# passwd user

Done!

At this point you might want to use some other means to access the server, such as Netbird or Tailscale or Wireguard. Regardless of how you decide to access the server, you should revert the changes to sshd_config.

P.S.

I have no idea if this is a secure or good way to do this. Use at your own risk!

https://lemmy.world/post/44019524
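As an added example (not part of the post above), a small POSIX shell helper for the cleanup the guide asks for in Steps 4 and 5: it builds a restricted Dropbear authorized_keys line for the unlock key, and it checks for and reverts the temporary PermitRootLogin/PasswordAuthentication settings from Step 3. The authorized_keys options and the /bin/cryptroot-unlock path are assumptions taken from Debian's dropbear-initramfs packaging, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Paths follow the guide above;
# the Dropbear key options and /bin/cryptroot-unlock are assumptions.
set -eu

# Build the /etc/dropbear/initramfs/authorized_keys line for the unlock key.
# Dropbear honours OpenSSH-style key options, so the key is pinned to running
# cryptroot-unlock and cannot open a shell or forward ports if it ever leaks.
dropbear_authorized_line() {
    pubkey="$1"   # contents of the .pub file generated in Step 4
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" %s\n' "$pubkey"
}

# Return 0 (true) if a sshd_config still carries the Step 3 convenience
# settings, i.e. root login or password authentication switched on.
sshd_tmp_settings_present() {
    cfg="$1"
    grep -Eiq '^[[:space:]]*(PermitRootLogin[[:space:]]+yes|PasswordAuthentication[[:space:]]+yes)' "$cfg"
}

# Revert the Step 3 changes in place. Existing (even commented-out) lines for
# either directive are rewritten rather than a new line appended, because sshd
# uses the first value it reads and a later "no" would not override an earlier
# "yes". Caveat: Debian also reads /etc/ssh/sshd_config.d/*.conf first, so
# check those drop-ins as well before restarting sshd.
revert_sshd_tmp_settings() {
    cfg="$1"
    sed -Ei \
        -e 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]+.*/PermitRootLogin no/' \
        -e 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]+.*/PasswordAuthentication no/' \
        "$cfg"
    # Make sure both directives are present at least once.
    grep -Eq '^PermitRootLogin ' "$cfg" || echo 'PermitRootLogin no' >> "$cfg"
    grep -Eq '^PasswordAuthentication ' "$cfg" || echo 'PasswordAuthentication no' >> "$cfg"
}
```

Run `sshd -t` after reverting and keep the current SSH session open until a second session with the key succeeds, since a typo here locks you back into the KVM console.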

$$9852
https://lemmy.world/u/ralakus posted on Mar 10, 2026 03:53
In reply to: https://lemmy.ml/comment/24426015

They might care if it’s 69420 since the max port number is 2^16 = 65536

https://lemmy.world/comment/22574178
$$9869
https://lemmy.zip/u/frongt posted on Mar 10, 2026 04:36
In reply to: https://lemmy.ml/comment/24434877

You can fire packets as fast as you like, but if my end can’t process them that fast, either they’ll get dropped or you’ll knock me offline. Neither makes a valid scan.

https://lemmy.zip/comment/25149886

Audiobookshelf disconnects randomly (websocket issue) through cloudflare

$$9137
https://lemmy.world/u/DonutsRMeh posted on Mar 9, 2026 01:40

Hi all, I’m desperate. This has been draining my brain cells one at a time. I know for a fact that it is not an ABS issue, because it runs flawlessly locally and it has never even hitched once. The shit starts when I connect through my cloudflare “.com” domain that I just bought last week thinking it’ll solve all my problems (nope).

Every now and then, the frontend client I use (it doesn’t matter which one I use) just disconnects from my ABS server and things just start spinning for a very long time. Just out of nowhere, and half of my books are just ghosts because it can’t reach the server.

Sometimes it comes back, and others I have to go into my Debian server and restart the cloudflared service I have for it, in order for the service to resume. I often go to the web interface and either get a red error message complaining about websocket something something. Then I’d refresh the page and either get thrown into the login screen and get stuck there or get the “oops couldn’t find library……..”.

I’ve literally disabled everything I can on the cloudflare dashboard, to the point that now probably a child can hack me. lol. I even put my audiobooks server in its own tunnel.

I’m at a point that I’m just gonna give up and deactivate all of this cloudflare shit and go back to tailscale and switching servers between home and out of home.

I’m asking for any suggestions if you’ve ever been through something similar. Searching the internet led me to doing many things that didn’t even fix it. Don’t even get me started on AI.

Thank you in advance. Let me know if you want any details: Debian Trixie and the latest ABS server. Your average .com cloudflare domain are the things I have.

https://lemmy.world/post/44019211

$$9252
https://piefed.zeromedia.vip/u/fleem posted on Mar 9, 2026 09:58
In reply to: https://fosstodon.org/users/LordChaos82/statuses/116196970590088943

damn i do be loving how easy and robust pangolin is getting to be

https://piefed.zeromedia.vip/comment/1768838
$$9280
https://lemmy.world/u/DonutsRMeh posted on Mar 9, 2026 11:38
In reply to: https://lemmy.zip/comment/25128248

Please tell me more about this forwarder thing. Right now I have a local server that is your usual regular 192.168…..:13378, then I have my books.mydomain.com and this goes through a cloudflare tunnel on its own, and is the one giving me trouble. Any more details on the forwarder would be great.

https://lemmy.world/comment/22559881

SelfHosting Guilty Pleasure(s)

$$9050
https://lemmy.world/u/irmadlad posted on Mar 8, 2026 22:18

I’m not sure anyone shares the same glee I feel when I view all the blocked IPs scrolling by in my pFsense firewall. Suricata does a lot of heavy lifting for sure.

What’s your selfhosting guilty pleasure or pleasures?

https://lemmy.world/post/44012666

$$10296
https://lemmy.dbzer0.com/u/portnull posted on Mar 10, 2026 21:55
In reply to: https://lemmy.world/comment/22586356

Iocaine? I followed the instructions on the website which were fairly easy to follow. Depending on your skill level it might suffice.

https://lemmy.dbzer0.com/comment/24878313
$$10314
https://lemmy.dbzer0.com/u/Appoxo posted on Mar 10, 2026 22:47
In reply to: https://lemmy.world/comment/22580390

Good luck on achieving that.
You’ll be more successful in whitelisting every possible connection instead ;)

Spent some time (IMO too much) myself researching ASNs and publicly accessible blocklists of datacenters/crawlers.
Not an easy task.

https://lemmy.dbzer0.com/comment/24879252

Sablier: make your docker containers on demand

$$9001
https://lemmy.ca/u/bradbeattie posted on Mar 8, 2026 20:49

Found this utility barely mentioned given how useful it is in the context of limited selfhosting resources.

https://lemmy.ca/post/61500047

$$9761
https://aussie.zone/u/smegger posted on Mar 10, 2026 00:16
In reply to: https://lemmy.ca/post/61500047

This could be handy for low powered devices with tools that you only use on occasion, particularly automated stuff

https://aussie.zone/comment/21839247
$$10093
https://lemmy.ca/u/bradbeattie posted on Mar 10, 2026 13:42
In reply to: https://aussie.zone/comment/21839247

I use it with Grafana. No need to run it all the time especially when it uses CPU while idle.

https://lemmy.ca/comment/22129980

Fetcharr - a human-developed Huntarr replacement

$$8948
https://lemmy.world/u/egg82 posted on Mar 8, 2026 19:01

Disclaimer: I am the developer

Long story short, after Huntarr exploded I still wanted an app that did the core of Huntarr’s job: find and fetch missing or upgradable media. I looked around for some solutions but didn’t like them for various reasons. So, I made my own.

No web UI, configured via environment variables in a similar manner to Unpackerr. It does one job and it does it (a little too) well. Even when trying a few different solutions for a few days each, Fetcharr caught a bunch of stuff they all missed almost immediately. This is likely due to the way it weights media for search.

Since you made it this far, a few notes: 1) I did still use ChatGPT on a couple of occasions. They’re documented and entirely web UI - no agents. Anything it gave me was vetted and noted in the code before publishing. 2) The current icon is temporary and LLM-generated. I’ve put out some feelers to pay an artist to create an icon. Waiting to hear back. 3) It’s written in Java because that’s the language I’m most familiar with. SSL certs in Java containers can be painful but I added some code to make it as easy as Python requests or Node. 4) While it still has a skip-if-tagged-with-X feature, it doesn’t create or apply any tags. I didn’t find that portion necessary, despite other popular *arrs using it. Not sure why they do, even after developing this. 5) Caution is advised when first using it on a large media collection. It’ll very likely pick up quite a number of things initially if you weren’t on top of things beforehand. Just make sure your pipeline is set up well, or you limit the number of searches or lengthen the amount of time between searches using the environment variables.

https://lemmy.world/post/44006156

$$9768
https://lemmy.world/u/egg82 posted on Mar 10, 2026 00:27
In reply to: https://lemmy.blahaj.zone/comment/19547539

Not sure what you mean by that. I occasionally use the web UI as the tool that it is and I’ve played around with opencode, cursor, etc previously on other home projects to get a sense for where things are and what the limits of these things are. That said, I take pride in my own work and this project is no exception. Is there something in this project that makes you think I threw a prompt into cursor and am passing that off as my own? Or are you against the idea of using an LLM and consider any person or project using them at all to be vibecoded?

https://lemmy.world/comment/22571892
$$9771
https://lemmy.world/u/egg82 posted on Mar 10, 2026 00:29
In reply to: https://lemmy.zip/comment/25142654

That’s great! A cronjob can be effective if your indexer doesn’t mind the extra strain or you have a small library.

https://lemmy.world/comment/22571915

Alternatives to unmanic & tdarr?

$$8824
https://lemmy.zip/u/jobbies posted on Mar 8, 2026 14:10

What’s everyone using to auto-transcode their media library?

Tdarr and unmanic are both freemium/proprietary. I don’t mind paying for software but I prefer to support open source projects.

Is there anything similar worth looking at?

https://lemmy.zip/post/60388412

$$9441
https://lemmy.ml/u/DetachablePianist posted on Mar 9, 2026 16:33
In reply to: https://lemmy.zip/comment/25130700

As far as I could tell: yes, and yes.

https://lemmy.ml/comment/24428714
$$9525
https://lemmy.zip/u/jobbies posted on Mar 9, 2026 17:46
In reply to: https://lemmy.zip/post/60388412

That looks pretty neat. Not what I’m looking for but would be handy for other projects.

https://lemmy.zip/comment/25138879

Will Be Done - modern offline-first self-hosted TickTick/Todoist alternative

$$8817
https://lemmy.world/u/quolpr posted on Mar 8, 2026 14:02

I’ve been building a self-hosted task manager focused on something I couldn’t find in one package: true offline support and fast sync across devices.

Most open source task apps I tried leaned toward either:
- good offline support but weak multi-device sync with no API support
- or good sync but limited offline functionality

Will Be Done is my attempt to solve both.

Demo: https://demo.will-be-done.app/

GitHub: https://github.com/will-be-done/will-be-done

Home page: https://will-be-done.app/

What is supported right now:
- True offline mode — reads and writes happen in the local browser DB and sync to the server when it becomes available again (so you can still use it even if your homelab is down!)
- Fast sync across devices
- Tasks and projects with drag-and-drop support
- Kanban inside projects
- Weekly planner
- Recurring tasks
- Vim keybindings

Planned in the near future:
- CalDAV integration
- Import from Todoist / TickTick / Microsoft To Do
- API support
- MCP support
- Desktop app with global quick-add shortcut

Why I built it:

This is my third attempt over the last 3 years to build my ideal task manager, and I now use it daily.

I’ve worked on local-first and sync-heavy systems professionally, so offline-first architecture is something I care a lot about getting right.

Installation:

Single Docker command, no docker-compose, no external dependencies, SQLite included.

docker run -d \
  -p 3000:3000 \
  -v will_be_done_storage:/var/lib/will-be-done \
  --restart unless-stopped \
  ghcr.io/will-be-done/will-be-done:latest

Then open http://localhost:3000/.

Would love feedback from people here, especially if you care about self-hosting, offline-first apps, or replacing proprietary task managers.

https://lemmy.world/post/43994429

$$9571
https://lemmy.zip/u/baner posted on Mar 9, 2026 19:07
In reply to: https://lemmy.world/post/43994429

Not gonna lie, this looks promising. Keep the good job.

https://lemmy.zip/comment/25140533
$$10180
https://lemmy.world/u/quolpr posted on Mar 10, 2026 16:38
In reply to: https://lemmy.zip/comment/25140533

Thanks! I have already been building this iteration for one year, and I enjoy it! Both development and daily usage.

https://lemmy.world/comment/22583760

Navidrome & demo.navidrome.org

$$8809
https://lemmy.world/u/irmadlad posted on Mar 8, 2026 13:42

I posted this over at https://discuss.tchncs.de/c/navidrome, but I thought I’d post it here, maybe someone has had experience with this.

I’ve been noticing demo.navidrome.org showing up in my firewall:

pFsense: https://discuss.tchncs.de/pictrs/image/3829f59a-fe76-4fd0-b988-c8b8896f2dd3.png

abuseipdb.com: https://discuss.tchncs.de/pictrs/image/fd0b1738-8a21-4cfc-a996-36b109268c28.png

As with anything entering or exiting my network, I am cautious and curious why my instance of Navidrome has the need to contact demo.navidrome.org.

I am running Navidrome as a Docker Instance. I have combed my compose file and can find nothing in that itself that would trigger Navidrome to ‘call home’.

Is this for stats, or other? As of right now, I have demo.navidrome.org blocked until I’ve gathered some information.

BTW, sweet piece of opensource software. I tip my hat to the dev team(s).

https://lemmy.world/post/43994051

$$8895
https://lemmy.decronym.xyz/u/Decronym posted on Mar 8, 2026 16:20
In reply to: https://lemmy.world/post/43994051

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer letters   More letters
FTS             Flight Termination System
IP              Internet Protocol
UDP             User Datagram Protocol, for real-time communications
WDR             Wet Dress Rehearsal (with fuel onboard)

[Thread #147 for this comm, first seen 8th Mar 2026, 16:20] [FAQ] [Full list] [Contact] [Source code]

https://lemmy.decronym.xyz/comment/16123
$$8909
https://lemmy.world/u/irmadlad posted on Mar 8, 2026 16:57
In reply to: https://feddit.it/comment/18709783

Ahah! Ok that makes sense. Thank you so much for clearing that up. I guess I can now unblock demo.navidrome.org.

https://lemmy.world/comment/22547979

New ntfy.sh v2.18.0 was written by AI

$$8713
https://lemmy.world/u/ueiqkkwhuwjw posted on Mar 8, 2026 09:45

According to the release:

Adds experimental PostgreSQL support

The code was written by Cursor and Claude

14,997 added lines of code, and 10,202 lines removed

reviewed and heavily tested over 2-3 weeks

This makes me a bit uneasy, especially as ntfy is an internet facing service.

Am I overreacting or do you all share the same concern?

https://lemmy.world/post/43988094

$$10141
https://lemmy.ca/u/phoenixz posted on Mar 10, 2026 15:20
In reply to: https://lemmy.world/comment/22578918

It’s not virtue signalling, I know very well what I’m doing is hypocritical at best, but it’s also unavoidable for me. For one, I’m using it like this at work where they’d love nothing better than for me to start vibe coding. This is the compromise I’ve been able to make so far.

https://lemmy.ca/comment/22131692
$$10336
https://lemmy.world/u/DonutsRMeh posted on Mar 10, 2026 23:40
In reply to: https://lemmy.ca/comment/22131692

No judgement. I just thought it was funny.

https://lemmy.world/comment/22591056

Popular self-hosting services worth running

$$8471
https://lemmy.world/u/monica_b1998 posted on Mar 7, 2026 22:54
https://lemmy.world/post/43974833

$$10224
https://lemmy.world/u/moontorchy posted on Mar 10, 2026 18:37
In reply to: https://lemmy.ca/comment/22110567

I do run it in docker. It used to work great until a few months ago. Maybe my provider (Hetzner) IP triggers captcha. Tried a tor proxy and it didn’t make much difference. Brave, Startpage, DDG - all periodically throw captcha / too many requests errors.

https://lemmy.world/comment/22585817
$$10238
https://lemmy.ca/u/kalpol posted on Mar 10, 2026 19:25
In reply to: https://lemmy.world/comment/22585817

Yeah, might be the IP range of the provider. Also sometimes it stops working till you update. But I expect the hetzner IP range has more than one self hosted instance on it, so it probably gets tagged for the whole range.

https://lemmy.ca/comment/22136013