this post was submitted on 24 Feb 2025
155 points (99.4% liked)

Selfhosted

52504 readers
1111 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi fellow self-hoster.

Almost one year ago i did experiment with Immich and found, at the time, that it was not up to pair to what i was expecting from it. Basically my use case was slightly different from the Immich user experience.

After all this time i decided to give it another go and i am amazed! It has grown a lot, it now has all the features i need and where lacking at the time.

So, in just a few hours i set it up and configured my external libraries, backup, storage template and OIDC authentication with authelia. All works.

Great kudos to the devs which are doing an amazing work.

I have documented all the steps of the process with the link on top of this post, hope it can be useful for someone.

you are viewing a single comment's thread
view the rest of the comments
[–] ReallyActuallyFrankenstein@lemmynsfw.com 5 points 8 months ago (2 children)

Thank you for this. I plan to look at the authentication part more closely, but that's the part I can't quite figure out (being an amateur at this stuff but still trying), since I'm nervous with just a password accessing it remotely or from the phone.

Authelia, NGINX, there is so much that's confusing to me, but this might help.

[–] enumerator4829@sh.itjust.works 12 points 8 months ago (2 children)

I’d recommend setting up a VPN, like tailscale. The internet is an evil place where everyone hates you and a single tiny mistake will mess you up. Remove risk and enjoy the hobby more.

Some people will argue that serving stuff on open ports to the public internet is fine. They are not wrong, but don’t do it until you know, understand and accept the risks.(’normal_distribution_meme.pbm’)

Remember, risk is ’probability’ times ’shitshow’, and other people can, in general, only help you determine the probability.

[–] gray@pawb.social 3 points 8 months ago (2 children)

good general advice until you have to try to explain to your SO the VPN is required on their smart TV to access Jellyfin.

[–] enumerator4829@sh.itjust.works 4 points 8 months ago (1 children)

Then you expose your service on your local network as well. You can even do fancy stuff to get DNS and certs working if you want to bother. If the SO lives elsewhere, you get to deploy a raspberry to project services into their local network.

[–] pirat@lemmy.world 2 points 8 months ago (1 children)

deploy a raspberry to project services into their local network

This piqued my interest!

What's a good way of doing it? What services, besides the VPN, would run on that RPi (or some other SBC or other tiny device...) to make Jellyfin accessible on the local network?

[–] enumerator4829@sh.itjust.works 1 points 8 months ago

Well, I’d just go for a reverse proxy I guess. If you are lazy, just expose it as an ip without any dns. For working DNS, you can just add a public A-record for the local IP of the Pi. For certs, you can’t rely on the default http-method that letsencrypt use, you’ll need to do it via DNS or wildcards or something.

But the thing is, as your traffic is on a VPN, you can fuck up DNS and TLS and Auth all you want without getting pwnd.

[–] AtariDump@lemmy.world 1 points 8 months ago (1 children)

It’s one thing to expose a single port that’s designed to be exposed to the Internet to allow external access to items you don’t care if the entire internet sees (Jellyfin).

Ots other thing when you expose a single port to allow access to items you absolutely do care if the entire internet sees (Immich).

[–] enumerator4829@sh.itjust.works 1 points 8 months ago

If you’ve taken care to properly isolate that service, sure. You know, on a dedicated VM in a DMZ, without access to the rest of your network. Personally, I’d avoid using containers as the only barrier, but your risk acceptance is yours to manage.

[–] Shimitar@downonthestreet.eu 1 points 8 months ago (1 children)
[–] enumerator4829@sh.itjust.works 1 points 8 months ago (1 children)

You mean ”hardcore WAF challenge”?

[–] Shimitar@downonthestreet.eu 1 points 8 months ago

More like hardcoded WAF challenge.

[–] Shimitar@downonthestreet.eu 2 points 8 months ago

Feel free to ask, even in pm, if I can help. Not a guru myself, but getting a bit more experience overtime.