We aim to introduce additional paid services (not paywalled features, as we will never implement paywalled features), which will help support the project and that enhance self-hosting, making it easier and more reliable. First among the many services already planned is an end-to-end encrypted, off-site backup and restore feature, built directly into Immich. This will enable a buddy backup feature as well.

I love this.

Free features, but offering actual useful services for self-hosters (encrypted cloud backup). Great business model for a project like this.

Dropbear. You can run a small SSH server in initd that allows you to SSH in and type the encryption password. It doesn’t run a shell, just cryptsetup.

No it’s not. Tell them to learn to switch or lose access. It’s your server, do what you want.

Linode has good, cheap VMs, and are a better deal than the AWSs of the world.

Also, when you set up Nextcloud, also set up something like samba-domain with LDAP for users. That way you have central user management as you add new services.

I made an 8 outlet box with relays connected to each outlet (might post a how to). That’s connected to a Pi via GPIO.

The Pi runs PiKVM, but also has a service that:

• Checks if the router can be pinged
• Checks if the internet can be pinged
• Checks if the router webUI is up

If any of those fail, it toggles the plugs for modem and router.

I run OpnSense on a 5V miniPC. I have a second one and will be setting up CARP, too.

Note: Cellular backup is more involved, but a separate Cellular inbound might not be. I’ve considered putting one on the Pi above.

Not that I think you need it for this, but a DynDNS implementation would give you a hostname you can dynamically change to your VPN ip, thus solving the SSL host issue.

It you want to try something new that gives you more freedom than the print bed, consider 2020 alluminum extrusion. I’ll be doing a custom enclosed rack with it soon, using the printer to make shelves/containers between beams.

My one change: I do SSHFS over LAN, because of guest machines and sniffing potential.

I do NFS on direct wire or on a confidently set up VLAN (maybe).

Samba-Domain is extremely lightweight, surfaces LDAP and AD, and can manage Linux and mac laptops, not just Windows. I wouldnt call it overkill.

Also, restoring single files from a snapshot is simple, I don’t get this? Lastly, of your whole data drive is one dataset in ZFS, you are ZFSing wrong.

Before you get too far, consider setting up users with a domain like Samba-Domain. This way you get centralized user management for anything you decide to host alongside it.

Also, ZFS is great for backups.

Are you using/going to use LibreOffice or OnlyOffice? Libre is more popular, but Only was built for web and has better MS compatibility.

I bet this could be used to load balance regional servers with a bit of tweaking. (I made Plex-sync a long time ago for a similar purpose)

All fair. For me, their SSL direction is a good one. Most self-hosters use a central proxy, so why maintain one users just ask to disable.

I do run mine behind a VPN, always will and recommend others do the same.

Well, I wouldn’t say the media issues are worse than a full domain access issue, but despite my comment above, I agree with you.

The security split-issue feels reminiscent of when Plex didn’t use SSL and wouldn’t implement it until a white-hat POC token exploit was produced and provided to them (of which I was the author). If JF was my project, these would be top of my list.

I’ve tested the worst of these endpoints and they were already secured, just the issues haven’t been updated.

For instance, from the security split-out issue list: https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825369811

I took the only one that could lead to admin/system infiltration (LDAP config escalation, others are about media access), and found it to have already been secured: https://github.com/jellyfin/jellyfin/issues/13989

Kavita. It started for comics and moved on to books. It supports OPDS, the standard by which readers like KOReader and Mihon connect to fetch books.

I have tried so many, Calibre (not good for graphic novels), Komga (very dated in comparison to Kavita), and more, but for both graphic novels and books, it won’t be beat.

@4dpancake92@lemmy.world if you like Komga, take a look at Kavita. I was happy with my switch.

Ahhh. I put the wireguard client on the router, so it’s more of a site to site setup for TVs.

Yea the catch was we were asking for TLS for a long time, and this was pre- Let’s Encrypt, so those patching on their own didn’t have a free (minus work) way to handle it. It took a releasable POC to get action.

All out devices just have a permanent Wireguard client since it uses basically no battery, and then a allow rules for households. If you don’t want to run the client, and don’t want to take the time to learn, you don’t get access. But I totally get how that’s not for everyone.

I posted a while back, tested the biggest open endpoints and they were properly secured, the issues just weren’t updated.

Note: Plex didn’t have SSL, and refused to implement it, until ~6 weeks after I created a POC token exploit. Here’s the GitHub repo I posted as a patch before they got their system in order: https://github.com/Fmstrat/plex-ssl. In other words, don’t give them too much credit.

Cloudflare is a good choice. I used DNSExit for a while, and also NS1, but settled on Cloudflare. You don’t have to use their proxying, just DNS.

Here’s a Docker Compose for you that will set myhost.mydomain.com to point to your public IP of wherever it is run:

dyndns-cloudflare:
    image: oznu/cloudflare-ddns
    container_name: dyndns-cloudflare
    environment:
      - API_KEY=<key>
      - ZONE=mydomain.com
      - SUBDOMAIN=myhost
      - PROXIED=false
    restart: unless-stopped

How are you hosting? And do you have a domain? Lot’s of good advice here, but knowing if you’re running on a Pi, in Docker, etc, would help others give you the easiest/best method.

In short, you do not need a static IP.