Hey all,

Just wondering what the consensus is on hosting directly on a computer versus virtualization? Right now I’m hosting my Lemmy instance on a Hetzner VPS, but I would like to eventually migrate to my Linux box at home. It currently runs as a media PC (Ubuntu) in the living room, but I always intended to self-host other software on the side since it should be more than capable of doing both (Ryzen 5600G, 16gb DDR4).

I’m just torn though - should I host a virtual machine on it for Lemmy, or run it directly on Ubuntu as-is? I plan to do some further self-hosting projects as well later down the line.

  • beigegull@lemmy.world · ↑ 2 · 1 year ago

    User accounts are a reasonable isolation mechanism for reasonably trustworthy server software.

  • richneptune@lemmy.fmhy.ml · ↑ 1 · 1 year ago

    Until you’ve given it a go it’s hard to recognise just how much a containerised solution simplifies things. There is a bit of a learning curve to get your first few deployments done, but once you have it all set up it’s like magic, you can test other software out quickly and tear it down easily if you don’t like it, and you can update most software on your host without worrying about breaking compatibility or stopping any users from using your services. Then when you chain in an autoupdate system like watchtower it’s even more magical!

  • Cobrachicken@lemmy.world · ↑ 1 · 1 year ago

    Imho any form of containerization/virtualization is better than a dedicated machine, for server duties - if only for (in my case) easy backup and rollback in case of human error.

    Going with Proxmox VMs atm, and slowly wrapping my head around LXC on a separate “playground” Proxmox machine.

  • acqrs@acqrs.co.uk · ↑ 1 · 1 year ago

    I honestly don’t think it matters much. I run my instance on a 2 cpu vm on hetzner, and I’ve noticed no negative impacts - it’s plenty snappy and has plenty of database space and all that. It’s pretty lightweight for a one person instance.

    If you’re going for a bigger instance, it still doesn’t matter much as long as your instance is capable of handling the load.

  • skilltheamps@feddit.de · ↑ 1 · edited · 1 year ago

    You want to isolate the things you host from one another (security, making updates easier etc). So if you host just one thing you can do so on the host directly. If you host multiple services you may seek some separation method.

    VMs are one method, but they waste a lot of resources, especially RAM. A more elegant way is containers. Both the docker/podman route as well as the LXC way are quite popular.

  • PriorProject@lemmy.world · ↑ 1 · 1 year ago

    I run everything in docker compose and the two wins I feel like I get out of doing so are:

    • State in well-identified volumes. I’ve run multiple services on shared bare metal, and multiple services in isolated VMs. In both cases, I was equally terrified of upgrades and migrations because I frequently had no idea where in the filesystem critical data was stored. I would often have some main data dir I knew about, but little confidence that other important data wasn’t stored elsewhere. With docker volumes, if I can restart a container without losing data I can migrate to a new host without losing data just by copying my volume dirs. And I restart containers frequently so I always have high confidence in my ability to backup, upgrade, and migrate.
    • Library and os-userspace isolation. This is the thing docker is known for, I never worry that upgrading a lib for app-a is going to break app-b. This is really a secondary benefit for me, though. I rarely had this problem even on shared metal with many apps, and never experienced it in isolated VMs. For me it’s a secondary benefit to the nice volume management tools.

    Docker is in no way unique in its ability to provide state management, but ephemeral containers enforce good state management, and the docker tools for doing it provide a very nice experience, so it is my preference.

  • BrianTheeBiscuiteer@lemmy.world · ↑ 1 · 1 year ago

    In any case I wouldn’t host on a machine I use daily (i.e. a personal computer). Worst case is an attacker wiping your machine or encrypting everything and holding your data hostage. If that happened to one of my servers I’d just shrug and reimage.

    If performance is paramount or you have a low resource device like a rPi then containers are fine. If you have something with decent processing power I say go the extra mile and set up a simple VM using Qemu. A few distros offer cloud images so you don’t have to install from an ISO.

  • sv1sjp@lemmy.world · ↑ 1 ↓ 1 · 1 year ago

    Personally, I would prefer docker containers as I can move them to a new server or even create backups very easily.

    • Onion6068@feddit.de · ↑ 1 · 1 year ago

      Backups are easily done with virtual machines as well. Taking, moving and restoring such backups is in fact much easier than moving docker containers between hosts as you don’t have to differentiate between volumes and locally mounted directories for example. That being said, depending on the use case, containers can be a nice and lightweight solution to separate applications on a userspace level.
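
Added example, not part of any comment in this thread: PriorProject's point about keeping state in well-identified volumes and Onion6068's point about telling volumes apart from locally mounted directories both come down to knowing what each container mounts, so this sketch turns `docker inspect` output into a per-container list of what to copy before a migration. The container names, paths and the `SAMPLE` data are constructed for illustration, and treating a 64-character hex name as an anonymous volume is a heuristic.

```python
import re

# Heuristic: Docker gives anonymous volumes a random 64-hex-character name.
ANON_NAME = re.compile(r"[0-9a-f]{64}")

# Constructed sample shaped like `docker inspect <container> ...` output,
# trimmed to the fields used below. All names and paths are hypothetical.
SAMPLE = [
    {"Name": "/lemmy-postgres", "Mounts": [
        {"Type": "volume", "Name": "lemmy_pgdata",
         "Source": "/var/lib/docker/volumes/lemmy_pgdata/_data",
         "Destination": "/var/lib/postgresql/data", "RW": True}]},
    {"Name": "/lemmy-pictrs", "Mounts": [
        {"Type": "bind", "Source": "/srv/lemmy/pictrs",
         "Destination": "/mnt", "RW": True},
        {"Type": "volume", "Name": "ab" * 32,
         "Source": "/var/lib/docker/volumes/" + "ab" * 32 + "/_data",
         "Destination": "/cache", "RW": True}]},
    {"Name": "/lemmy-ui", "Mounts": [
        {"Type": "tmpfs", "Source": "", "Destination": "/tmp", "RW": True}]},
]

def classify(mount):
    """Return 'named-volume', 'anonymous-volume', 'bind' or 'ephemeral'."""
    if mount.get("Type") == "volume":
        anon = ANON_NAME.fullmatch(mount.get("Name", ""))
        return "anonymous-volume" if anon else "named-volume"
    return "bind" if mount.get("Type") == "bind" else "ephemeral"

def backup_plan(containers):
    """Map container name -> [(kind, host_source, container_path)] to copy."""
    plan = {}
    for c in containers:
        items = [(classify(m), m["Source"], m["Destination"])
                 for m in c.get("Mounts", []) if classify(m) != "ephemeral"]
        plan[c["Name"].lstrip("/")] = items
    return plan

def findings(plan):
    """Point out state that a copy of the volume directories would miss."""
    notes = []
    for name, items in sorted(plan.items()):
        if not items:
            notes.append(f"{name}: no persistent mounts; writes are lost on recreate")
        for kind, _src, dest in items:
            if kind == "anonymous-volume":
                notes.append(f"{name}: anonymous volume at {dest}; name it before migrating")
    return notes

if __name__ == "__main__":
    plan = backup_plan(SAMPLE)
    for name, items in plan.items():
        for kind, src, dest in items:
            print(f"{name:16} {kind:17} {src} -> {dest}")
    print(*findings(plan), sep="\n")
```

On a real host the input would come from something like `json.loads` over the output of `docker inspect $(docker ps -aq)`.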

  • Thief@lemmy.ca · ↑ 1 ↓ 1 · edited · 1 year ago

    Only time you don’t use virtualisation or containers would be if real time performance is critical. Eg: a firewall inspecting packets in/out or some other service or appliance where small delays can impact performance. Same kind of reasons why gaming on a vm is never quite as good as a bare metal machine.

  • BrainTheBest5@lemm.ee · ↑ 1 ↓ 1 · 1 year ago

    If you use a full VM you’ll lose plenty of performance and I don’t think it’ll cope really well with domain names. If you really want to go the “keep everything separated” route use container software, like Docker. It’ll use the same kernel as the host, so no weird networking rerouting/bridging etc… I don’t have any experience with containers, since I run all of my “homelab” bare metal on a Pi, and with this approach I never faced any issues. Containers could be useful if you were running something unorthodox like Gentoo and you need to run software that won’t work on it, even if compiled to run, but it exists as a package on another distro. Then you can just spin up a container for that distro, install the software et voilà, you’re ready to go. AFAIK there shouldn’t be a package for lemmy on any distro, so just clone the source code and compile it, it should be fairly distro-agnostic. Maybe you could compile it in a container to keep your host clean of compile dependencies, but other than that, there’s no real gain. I like to compile stuff, so having a shitload of dependencies already there is pretty handy for me, but for a production system, it’s better to keep it clean.

  • Oliver Lowe@lemmy.sdf.org · ↑ 0 ↓ 1 · 1 year ago

    One thing I think about is isolation. Do you want/need to strongly isolate the software and its data from the host operating system?