I have some doubts about self-hosting for my business

This is not a post about me having some current troubles, it’s about getting to know if YunoHost could be a good tool for me. I’m new to this, I bought a Raspberry Pi 3b+ as a personal home server but I had no time to begin to use it yet.

I want to create a debate academia for my community as a business model and people would have to create an account (we would have to give them permissions for that). I thought of using Yunohost for this task (since I can use it with Nextcloud, Moodle, a business email account for us, and a website). Although I have lots of questions, some of them are:

  1. I’d like to know if I could easily migrate all the data and config from one server to another in case I want to upgrade it in the future.
  2. What is the minimum hardware required that could work properly? (From a Raspberry Pi to a very good brand new server with e.g. 8Gb of RAM and Intel i7)
  3. Should I have to keep in mind anything regarding GDPR policies? (I live in Spain); for example: I imagine that YunoHost by default doesn’t allow the host to see any data from the guests, right? so everything would be truly private and safe.
  4. Any tip/recommendations?

Yes, you can “migrate to another machine” by backing up all the system/apps (or just those that matter) and restoring this backup on another server.

It really depends on which apps you want to run, the load (how many users / visitors at the same time), and what margin you want for “future stuff you may want to install”. Naively from what you mention, I guess 2GB or 4GB RAM would be okay, why not on a RPi.

Not sure what you mean, but no: there is no mechanism such that you can’t see the data hosted by your users. Being a root user implies great power (and great responsibilities) because you can basically control quite a lot of things in your users’ digital life (or at least the service they use on your server). For example, you can read their emails … Which is conversely the issue with GAFAM: if you have your emails on GMail, then you trust Google not to read your emails … Though the context of self-hosting or hosting-for-your-team may be different because you are likely to know the person you are hosting and may have (probably bad) “reasons” to want to spy on them at some point … But yeah, “there is no cloud, it’s just somebody else’s computer”.

Hosting your own stuff has ethical, practical, economical, or other advantages - but it’s a responsibility. Don’t install random stuff you won’t need. Upgrade at least every 2~3 months. Set up a backup policy. Don’t panic if some stuff breaks.


Thank you so much for your complete response!

I’m still seeing what stuff we would want but it’s probably something similar to what I noted above. In this case: if it’s not too much to ask, would you have any specific server in mind that could help me see how much it could cost?

I’m sorry if I’m not understanding you correctly but if there is no such mechanism, so I can’t see the data hosted by my users, why “trusting” Google not to read the emails? Is it because of the software used? (meaning YunoHost doesn’t allow it but we don’t know if Gmail may or may not because of Google using private software). If so, why could this be a possibility:

you are likely to know the person you are hosting and may have (probably bad) “reasons” to want to spy on them at some point

This implies that I technically can spy on their data, which contradicts the first part of the paragraph :sweat_smile:

Thank you so much! :blush:

If you have the admin or root password on the server you can spy on your users.

The law forbids you to spy, but you can spy… In YunoHost there is no technical stuff to prevent an admin from being able to read users’ data.

Note: some apps like lufi allow your users to store their data in an end-to-end encrypted format that the administrator can’t read. But if you have technical skills and root access, it could be possible to change the source code of the lufi setup…

I see, thank you for your response. Could it be a legal problem, then?

The best way to learn about all this stuff is to try it out. (not the spying, I mean YunoHost in general :smiley: )

You should give it a go on your Raspberry Pi. If it ultimately doesn’t work out for your business, you will have learned a lot more about self hosting.

If you’re worried about buying the hardware and stuff, you could also test out running YunoHost on a VPS like DigitalOcean or Hetzner for example.

Yes and no, it’s both a technical and a legal issue.

The fact that it’s forbidden to do something doesn’t mean you can’t do it anyway.

Technically, it’s quite complex to create what’s called “zero-knowledge” storage or computing. There are examples like zerobin or lufi which allow hosting encrypted files where the server has no way of knowing what it stores (but as ljf suggests, the admin could still theoretically send malicious JavaScript code to the user to intercept the key). But for example for email or many other applications, the server does need to be able to read the files, which means the server administrator can read all the stuff.

I mean in everyday life, when you use an online service and store any kind of data on that service, it’s pretty much like storing some book at somebody else’s house. The house owner can at any point just grab that book and start reading it (or even edit it). Or if you work at some company, your boss can go to your desk while you’re not there and dig in your drawers.

There’s no magical solution to this, it’s “just” a matter of “trusting the admin of the service” - or conversely not putting important stuff on the service if you don’t trust the admin enough for it. Like maybe at your company’s office, you won’t keep secret love letters because you wouldn’t want your boss finding it if for some reason they happen to dig in your drawers…
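The storage model described in the post above, as an added sketch that is not part of the thread and is not lufi or zerobin code: the client encrypts before upload and keeps the key, so the server and its admin hold only ciphertext, while a record the server must process (a mailbox, say) stays readable. Function names and the in-memory `serverStore` are hypothetical, and the sketch does not address the post's caveat that whoever serves the client code could change it.

```javascript
const nodeCrypto = require('crypto');

// Client side (runs on the user's machine): encrypt before upload.
function clientEncrypt(plaintext) {
  const key = nodeCrypto.randomBytes(32); // never sent to the server
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const upload = {
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
  return { upload, key }; // key stays with the user (e.g. shared out of band)
}

// Server side (hypothetical in-memory store): keeps exactly what it receives.
const serverStore = new Map();
function serverPut(id, upload) { serverStore.set(id, JSON.stringify(upload)); }
// Everything root can read for this id.
function adminRead(id) { return serverStore.get(id); }

// Client side again: only a holder of the key can recover the text.
// Throws if the key is wrong or the stored blob was modified (GCM tag check).
function clientDecrypt(stored, key) {
  const { iv, tag, ct } = JSON.parse(stored);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'));
  d.setAuthTag(Buffer.from(tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(ct, 'base64')), d.final()]).toString('utf8');
}

// Constructed sample: one encrypted upload next to one plain server-side record.
function demo() {
  const note = 'constructed sample note';
  const { upload, key } = clientEncrypt(note);
  serverPut('enc', upload);
  serverStore.set('plain', note); // e.g. a mailbox: server needs the plaintext
  let wrongKeyRejected = false;
  try { clientDecrypt(adminRead('enc'), nodeCrypto.randomBytes(32)); }
  catch (e) { wrongKeyRejected = true; }
  return {
    adminSeesEncrypted: adminRead('enc').includes(note),
    adminSeesPlain: adminRead('plain').includes(note),
    ownerRecovers: clientDecrypt(adminRead('enc'), key) === note,
    wrongKeyRejected,
  };
}
```
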

This is a great idea! But regarding the learning process, I can’t afford to say “my platform doesn’t work” when it comes to opening an academy :sweat_smile:, I need to know all the answers before doing it but I’ll definitely try it with my Raspi first :hatching_chick:

LMAO I love it!! But I guess I need to make sure that everything is fine and I’m not breaking any law by using this.

I understand what you say below, it’s basically what you said before: there’s no cloud. I think I’ll use Zerobin or Lufi too as a protection anyway.

N.B.: zerobin and lufi are specific applications. They allow users to store content on the server in such a way that the server doesn’t know what it is hosting. But that only applies to the files sent with zerobin/lufi … Everything else on the server remains unencrypted, for example if you’re using nextcloud or email or whatever, it doesn’t matter that there’s zerobin/lufi installed on the server …

Hmm, I guess the main issue would be stuff done on the platform we choose for the courses since it’s the only place we host somebody’s data, which could be Moodle or even Wordpress. So I’ll check it out if I can find something.

In which country are you?

Law could be quite different, in general using YunoHost is not a problem, but you can be in a situation where your specific use is illegal. For example if you use transmission to download copyrighted movies it’s illegal. Other example, if you are in France and you deploy moodle without legal info at the bottom of the website, if someone publishes copyrighted content and nobody is able to warn you about this content you are in an illegal situation.

Other example, if you are in Europe GDPR could be difficult to follow at 100%.

Thanks to bureaucracy laws are more and more complex, patched and repatched. So as in every situation of the day you are probably close to doing something illegal.

In real life, my doctor still sends medical data on onedrive to get it on its personal computer… (probably illegal to do that in EU)

Spain, but I think the biggest limitation is the GDPR (by EU)

Hmm didn’t think about this, this is actually a good point, but I guess they can in this case since they would have my email.

Yes, this sounds very illegal to me.
