Do not go gentle into that good night.

If you point Traefik’s forwardAuth at the internal service (e.g. http://<tinyauth-ip>:3000/api/auth/traefik), TinyAuth doesn’t see the correct X-Forwarded-* headers or original host, so it won’t return the auth headers properly.

if you switch to using the public URL instead, the headers should start working — but only once using the full endpoint:

https://tinyauth.domain.tld/api/auth/traefik

Not just the root URL.

That way:

• the request goes through Traefik
• forwarded headers are correct
• TinyAuth trusts the proxy
• and it returns the expected headers

Also worth double-checking that your header names match exactly (e.g. Remote-Groups vs Remote-Group).

So in short: don’t call TinyAuth directly by IP, go through the domain + correct path.

I run a modest Lemmy instance (lemmy.blehiscool.com). It’s not on the scale of lemmy.world or anything, but it’s been around long enough that I’ve had to deal with some real growth and scaling issues. I’ll try to focus on what actually matters in practice rather than theory.

Infrastructure

I’m running everything via Docker Compose on a single VPS (22GB RAM, 8 vCPU). That includes Postgres, Pictrs, and the Lemmy services.

This setup is great right up until it suddenly isn’t.

The main scaling issue I hit was federation backlog. At one point, the queue started piling up badly, and the fix was increasing federation worker threads (I’m currently at 128).

If you run into this, check your lemmy_federate logs—if you see:

“Waiting for X workers”

that’s your early warning sign.

What Actually Takes Time

Once your infrastructure is stable, the technical side becomes pretty low-effort.

The real time sink is moderation and community management. Easily 90% of the work.

On the technical side, my setup is pretty straightforward:

• Auto updates: Watchtower (with major versions pinned)
• Monitoring: Uptime Kuma
• Backups: Weekly pg_dump + VPS-level backups

Backups are boring right up until they aren’t. Test your restores. Seriously.

Where the Gaps Are

The main gaps I’ve run into:

• Pictrs storage growth Images from federated content add up fast. Keep an eye on disk usage.

• Postgres tuning As tables grow, default configs start to fall behind.

• Federation queue visibility There’s no great built-in “at a glance” view—you end up relying on logs.

My Actual Workflow

Nothing fancy, just consistent habits:

Daily (quick check):

• Check Uptime Kuma
• Skim logs for obvious errors

Weekly:

• Check disk usage (especially Pictrs)

Monthly:

• Update containers (after reading changelogs)
• Verify backups can actually be restored

As needed:

• Moderation decisions

What I’d Do Differently

If I were starting over:

• Set up proper log aggregation much earlier (still a weak spot for me)

TL;DR

• Infra is the easy part once stable
• Moderation is the real workload
• Backups matter more than you think (and need testing)
• Logs are your best friend—but painful without centralization

Happy to answer specifics if you’re planning a setup—there’s a lot of small gotchas that only show up once you’ve been running things for a while.

Not to mention the owner of simplex is a horrible person.

Something I’ve been thinking about: independent security projects often face pressure once corporate partnerships or funding enter the picture.

Does GrapheneOS have any structural safeguards to ensure development priorities remain community-driven if hardware vendors become more involved?

I’m not assuming there’s a problem — just interested in how projects like this avoid the “venture capital influence” problem that has affected other open source initiatives.

Librewolf potentially? You don’t need to use multiple browsers if you can contain them to profiles, this could be a good set up for you potentially.

CounterSocial blocks entire IP ranges and most VPN/datacenter networks as part of its anti-abuse policy. It’s not really decentralised, so if you’re blocked at the network level there’s usually no workaround unless they manually allow you.