I’ve recently been able to set up Lemmy and PieFed instances on a Raspberry Pi 5 and wanted to share the process for anyone else interested in self hosting an instance.

The following instructions are based off using a used Raspberry Pi 5 (ARM64) plus a USB external hard drive for the hardware. I used the Raspberry Pi 5 image which is based off Debian 12. The following instructions should be similar enough for other Debian 12 distributions and should hopefully get the same results.

The only other purchase I’ve made was a domain name which was super cheap ($15 a year which includes hiding WHOIS information). Everything else is free.

My residential ISP service blocks incoming data on “business” ports such as Port 80 and 443. Users won’t be able to access your site securely if these ports block incoming data. To work around this I used Cloudflare Tunnels. This allows users to access your site normally. Cloudflare Tunnel will send incoming data to a port of your choosing (between 1024-65,535) and users can access your self-hosted instance.

Cloudflare also has Top Layer Security (TLS) which encrypts traffic and protects connections. This also means your website goes from HTTP:// to HTTPS:// in the address bar. Federation will require TLS so this will be useful. Cloudflare Tunnel also introduces some complications which I’ll address later.

Edited Feb 1/2025
Changed PieFed cron jobs to match recent changes
Adjusted RSync sections

  • taters@piefed.socialOPEnglish
    3·
    5 days ago

    …Continued from PieFed Instructions…

    Cloudflare Website Settings

    These settings are suggested to help manage traffic. See here for more detailed information.

    1. Exclude Settings
      1. From the main page -> Your DOMAINNAME.COM -> Security -> WAF -> Custom Rules -> Click Create Rule -> Change the following settings and values on Cloudflare to match what’s listed below:
        • Rule Name: Allow Inbox
        • Field: URI Path
        • Operator: contains
        • Value: /inbox
        • Log matching requests: On
        • Then take action…: Skip
        • WAF components to skip: All remaining custom rules
      2. Click `Deploy’ to complete
    2. Caching Settings
      1. From the main page -> Your DOMAINNAME.COM -> Caching -> Cache Rules -> Click Create rule -> Change the following settings on Cloudflare to match what’s listed below:
        • Rule name: ActivityPub
        1. Custom filter expressions: On
          1. Field: URI Path
          2. Operator: Starts with
          3. Value: /activities/
        2. Click Or
        3. Repeat until you have values for 4 rules total containing the values:
          • /activities/
          • /api/
          • /nodeinfo/
          • /.well-known/webfinger
        • Cache Eligibility: On
        • Edge TTL -> Click + add setting
          • Click Ignore cache-control header and use this TTL
          • Input time-to-live (TTL): 2 hours
        • Click Deploy to complete
      2. Click Create rule again
        • Rule name: ActivityPub2
        1. Custom filter expressions: On
          1. Field: Request Header
          2. Name: accept
          3. Operator: contains
          4. Value: application/activity+json
        2. Click Or
        3. Repeat until you have 2 rules total containing the values:
          • application/activity+json
          • application/ld+json
        • Cache Eligibility: On
        • Edge TTL -> Click + add setting
          • Click Ignore cache-control header and use this TTL
          • Input time-to-live (TTL): Type 10 seconds
        • Click Deploy to complete
    3. Optimization Settings
      1. Speed -> Optimization -> Content Optimization -> Change the following settings on Cloudflare to match what’s listed below:
        • Speed Brain: Off
        • Cloudflare Fonts: Off
        • Early Hints: Off
        • Rocket Loader: Off
    4. Cloudflare Tokens for .env.docker File
      1. Create an API “Zone.Cache Purge” token
        1. After logging in to Cloudflare, go to this page
        2. Click Create Token -> Click Get Started under Create Custom Token
        3. Token Name -> PieFed
        4. Under Permissions -> Change the following drop down menu’s to match what’s listed below
          • First drop down menu: Zone
          • Second drop down menu: Cache Purge
          • Third drop down menu: Purge
        5. Click Continue to summary -> Click Create Token
        6. Copy the generated API Token. This will be used for CLOUDFLARE_API_TOKEN in the .env.docker file. Note, once you leave this screen, the API token will remain but the generated code that can be copied will disappear forever.
      2. Copy API Zone ID
        1. From the main page -> Your DOMAINNAME.COM -> Scroll down and look for API Zone ID in the far right column
        2. Copy API Zone ID Token. This will be used for CLOUDFLARE_ZONE_ID in the .env.docker File.
      3. The following step must be completed on the Raspberry Pi (LOCAL HOST) where PieFed is running:
        1. nano ~/pyfedi/.env.docker
          1. Add the following lines with your copied API Tokens & Save
            • CLOUDFLARE_API_TOKEN = 'ZONE.CACHE_PURGE_TOKEN'
            • CLOUDFLARE_ZONE_ID = 'API_ZONE_ID_TOKEN'
        2. Restart PieFed Docker container
          • docker compose down && docker compose up -d

    Troubleshooting

    • If you receive an error while posting images, the folder permissions will need to change. Change USERNAME with your username.
      1. cd ~/pyfedi
      2. sudo chown -R USERNAME:USERNAME ./media
    • taters@piefed.socialOPEnglish
      4·
      4 days ago

      Backup/Restore Setup

      I decided to keep it simple and use the rsync command which comes already installed on Raspberry Pi OS. The guide linked below does a good job of explaining rsync in a step by step process.

      Below the linked guide I’ll provide an example of the commands I use to Backup and Restore my raspberry Pi. This creates a copy of the /rootfs folders that make up your Raspberry Pi Operating System and User folders. The commands will exclude some folders that may cause issues when restoring a backup. The guide linked below has more details.

      Since I am going to power down the Pi and physically connect it’s hard drive to my computer, I don’t have to worry about making backups on a live and running storage.

      The below commands assume I also have an additional EXTERNAL_STORAGE hard drive connected to my computer. This means the backup command will copy the contents from the Raspberry Pi drive (/rootfs folder) to the EXTERNAL_STORAGE drive (/EXTERNAL_STORAGE/backup folder). The restore command will copy the contents from the EXTERNAL_STORAGE drive (/EXTERNAL_STORAGE/backup/rootfs folder) to the Raspberry Pi drive (/rootfs folder)

      rsync WILL delete data on the target location to sync all files and folders from the source location. Be mindful of which direction you are going to avoid any losses. I suggest testing it out on some other folders before commiting to backing up and restoring the entire Raspberry Pi. The guide linked below also covers exclusions to minimize backup sizes.

      The backup storage MUST be formatted in EXT4 to make sure file permissions and attributes remain the same.

      1. nano ~/.bash_aliases
        1. Add comments & Save
          • alias rsyncBACKUP="sudo rsync -avxhP --delete --exclude={'proc/','sys/','dev/','tmp/','run/','mnt/','media/','home/USERNAME/.cache','lost+found'} /media/USERNAME/rootfs /media/USERNAME/EXTERNAL_STORAGE/backup/"
          • rsyncRESTORE="sudo rsync -avxhP --delete --exclude={'proc/','sys/','dev/','tmp/','run/','mnt/','media/','home/USERNAME/.cache','lost+found'} /media/USERNAME/EXTERNAL_STORAGE/backup/rootfs/ /media/USERNAME/rootfs"
      2. Reset bash in terminal
        • . ~/.bashrc
      3. Backup system TO EXTERNAL_STORAGE
        • !!EXT4 file system only!!
        • rsBACKUP
      4. Restore system FROM EXTERNAL_STORAGE
        • rsRESTORE

      Firewall (LOCAL HOST)

      1. Install: Choose ONE
        • Command line only
          • sudo apt install -y ufw
        • Graphical Interface with command line access
          • sudo apt install -y gufw

      I haven’t figured out how to properly set this up for myself yet, but I figure it’s probably worth having for an additional layer of protection.