Bubblewrapped services

Simpler self-hosting with tmux and bubblewrap

A simpler way to self-host on Linux: each user service runs in its own tmux window, is confined by a bubblewrap sandbox, and is started on boot by cron. For the motivation and rationale behind this repo, please see the blog post Simpler self-hosting with tmux and bubblewrap.



# Pick the prebuilt binary for this machine's architecture, e.g. bin/linux-x86_64/molly-brown
BIN="linux-$(uname -m)"
bin/$BIN/molly-brown -c ./molly.conf

Configuring the sandbox: sandbox.args

You can configure the sandbox for each service by adding a text file called sandbox.args containing additional parameters to pass to the bubblewrap sandbox, e.g.

--unshare-net
--bind-try /media/usb $HOME/usb
--ro-bind /etc/pki /etc/pki

The above will remove network access from the sandbox for the service, try to mount the /media/usb folder into the sandbox at ~/usb (writable, and silently skipped if /media/usb does not exist), and read-only mount /etc/pki into the sandbox so that applications inside it can verify SSL/TLS certificates. See the bubblewrap man page (bwrap(1)) for the full list of options.
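As an added example (not the repo's own launcher script), the following shell function shows how a per-service sandbox.args file ends up on the bubblewrap command line: it starts from a least-privilege baseline and appends the file's lines after it, so the service's extra mounts and namespace flags build on, rather than replace, the defaults. The baseline flags, the comment-line handling and the $HOME expansion are assumptions about how such a launcher might work, not documented behaviour of this repo.

```shell
#!/bin/sh
# Added example, not this repo's launcher. Print the bwrap command line for
# the service directory given as $1, one argument per line. Baseline flags and
# the $HOME handling are assumptions; see bwrap(1) for each option.
build_bwrap_args() {
    svc="$1"
    # Assumed least-privilege baseline: fresh user/pid/ipc/uts namespaces
    # (network stays shared so that sandbox.args can opt out with
    # --unshare-net), read-only /usr with the usual symlinks, private /proc,
    # /dev and /tmp, and only the service directory mounted writable.
    set -- --unshare-user --unshare-pid --unshare-ipc --unshare-uts \
           --unshare-cgroup-try --new-session --die-with-parent \
           --ro-bind /usr /usr --symlink usr/bin /bin \
           --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
           --ro-bind /etc/resolv.conf /etc/resolv.conf \
           --proc /proc --dev /dev --tmpfs /tmp \
           --bind "$svc" "$svc" --chdir "$svc"
    # Append every non-blank, non-comment line of sandbox.args, expanding a
    # literal $HOME and splitting each line on whitespace (paths containing
    # spaces are not supported by this simple scheme).
    if [ -f "$svc/sandbox.args" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            line=$(printf '%s' "$line" | sed "s|\\\$HOME|$HOME|g")
            set -f                      # no globbing while word-splitting
            set -- "$@" $line
            set +f
        done < "$svc/sandbox.args"
    fi
    printf '%s\n' bwrap "$@"
}

# Usage: sh this_script.sh /path/to/service_dir
if [ $# -gt 0 ]; then
    build_bwrap_args "$1"
fi
```

Pipe the output into `xargs -d '\n'` (or splice it into a tmux new-window command) to actually launch the service; printing it first makes it easy to review exactly what a service is granted before it runs.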

Using Nix package manager: packages.nix

Once you have installed the Nix package manager, you can configure the packages to be installed into the sandbox using a packages.nix file, which should contain the names of packages available in the nixpkgs channel; e.g. to install nixpkgs.haproxy and nixpkgs.thttpd, the file will contain:


You can find the package names by searching on https://search.nixos.org/packages.

Notes about Fossil

Fossil is a lot like git, so it is familiar to use if you know git - see the docs here. Why not just use git? I switched from using GitHub for my projects to self-hosting my repos after GitHub was bought by Microsoft. Fossil is much easier to self-host: it is a single binary file, stores its repository in a single SQLite database, and provides functionality similar to the GitHub service (issue tracking, a wiki, and additionally a forum, etc.). All the data (including issues, etc.) is stored within the repo's SQLite database file, making backups really simple. Type fossil ui in the checked-out repo and you get the full web interface, all served from one database file by a single binary executable! See Fossil vs Git for more.