If I have several backends that more or less depend on each other anyway (for example: Lemmy + pict-rs), then I will create separate databases for them within a single postgres - reason being, if something bad happens to the database for one of them, then it affects the other one as well anyway, so there isn’t much to gain from isolating the databases.

Conversely, for completely unrelated services, I will always set up separate postgres instances, for full isolation.

As a test, I ran this on a very early backup of lemm.ee images from when we had very little federation and very little uploads, and unfortunately it is finding a whole bunch of false positives. Just some examples it flagged as CSAM:

• Calvin and Hobbes comic
• The default Lemmy logo
• Some random user’s avatar, which is just a digital drawing of a person’s face
• a Pikachu image

Do you think the parameters of the script should be tuned? I’m happy to test it further on my backup, as I am reasonably certain that it doesn’t contain any actual CSAM

Any thoughts about using this as a middleware between nginx and Lemmy for all image uploads?

Edit: I guess that wouldn’t work for external images - unless it also ran for all outgoing requests from pict-rs… I think the easiest way to integrate this with pict-rs would be through some upstream changes that would allow pict-rs itself to call this code on every image.

This is already implemented in lemmy 0.18.1 for comments and posts!

I just want to point out that you don’t need to use neither Docker nor nginx to run Lemmy.

At the end of the day, the really required pieces are:

1. lemmy_server binary
2. Lemmy-ui
3. pict-rs binary
4. PostgreSQL database

How you get those things to talk to each other is totally up to you. There’s nothing stopping you from just using Apache as a reverse proxy, for example.

One possible Dockerless setup is described here: https://join-lemmy.org/docs/en/administration/from_scratch.html. This should give you some idea of how it could be done.