Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Is it just you that uses it, or do friends and family use it too?
The best way to secure it is to use a VPN like Tailscale, which avoids having to expose it to the public internet.
This is what I do for our security cameras. My wife installed Tailscale on her laptop and phone, created an account, and I added her to my Tailnet. I created a home screen icon for the Blue Iris web UI on her phone and mentioned to her, "if the cameras don't load, open Tailscale and make sure it's connected". Works great - she hasn't complained about anything at all.
If you use Tailscale for everything, there's no need to have a reverse proxy. If you use Unraid, version 7 added the ability to add individual Docker containers to the Tailnet, so each one can have a separate Tailscale IP and subdomain, and thus all of them can run on port 80.
if the cameras don’t load, open Tailscale and make sure it’s connected
I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.
It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.
I use plain wireguard on me phone, always on essentially with no issues. I wonder why tailscale app can't stay open.
Same, wireguard with the 'WG Tunnel" app, which adds conditional Auto-Connect. If not on home wifi, connect to the tunnel.
I suspect that it goes down and stays down whenever there is an app update, but I haven't confirmed it yet.
Does the plain wireguard app stay up during updates?
Android wireguard all hasn't been updated in 18mo. Its extremely simple with a small code base. There basically isn't anything to update. It uses wireguard kernel module which is itself is only like 700 lines of code. It so simple that it basically became stable very quickly and there is nothing left of update right now.
https://git.zx2c4.com/wireguard-android/about/
I personally get the from obtainium to bypass play store
Look up your phone on dontkillmyapp.com and make sure tailscale is excluded from battery and network "optimization".
If you make Tailscale your VPN in Android it will never be killed. Mileage may vary depending on flavor of Android. I've used this on stock Pixel and GrapheneOS.
Under Settings > Network and internet > VPN
Tap the Cog icon next to Tailscale and select Always-on VPN.
Have you tried disabling battery optimization for tailscale?
I did this and it still seems to randomly disconnect.
My setup: Locally (all in docker):
- JF for managing and local access
- JF with read only mounted volumes that uses the network of my Wireguard client container
- Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn't manage it otherwise)
VPS (Oracle Cloud free tier, also everything in docker):
- Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
- fail2ban to block IPs that try to bruteforce credentials
- Wireguard server
Usernames are not shown in the frontend and have to be entered. Passwords are generated by a password manager and can't be changed by the user.
So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn't have to open any ports on my side. If someone is interested I can share the docker compose files later.
Edit: Here the link to the setup description. Please tell me if something is not clear or you find an error. https://codeberg.org/skjalli/jellyfin-vps-setup
I am interested in your docker compose
Will share this evening after work.
For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice to secure it.
For full access including native clients, set up a VPN.
I use Tailscale right now. Which, in fairness, I didn't state in the post. However, I was hoping to share it more similarly to how I used to with Plex. But, it would appear, I would have to share it through Tailscale only at this point.
I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy
also have jellyfin disable the account after a number of failed logins.
Tailscale is awesome. Alternatively if you're more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.
Love tailscale. The only issue I had with it is making it play nice with my local, daily driver VPN. Got it worked out tho. So, now everything is jippity jippity.
I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.
So first I have to auth into that site with basic auth, then I load jellyfin on the other port.
I use Pangolin (https://github.com/fosrl/pangolin)
I was thinking of setting this up recntly after seeing it on Jim's garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?
I use it for all of my external services. It's just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.
You could put authentik in front of it too