Feel free to ask, even in pm, if I can help. Not a guru myself, but getting a bit more experience overtime.
Comment on Immich: opinion revised
ReallyActuallyFrankenstein@lemmynsfw.com 1 month ago
Thank you for this. I plan to look at the authentication part more closely, but that’s the part I can’t quite figure out (being an amateur at this stuff but still trying), since I’m nervous with just a password accessing it remotely or from the phone.
Authelia, NGINX, there is so much that’s confusing to me, but this might help.
Shimitar@downonthestreet.eu 1 month ago
enumerator4829@sh.itjust.works 1 month ago
I’d recommend setting up a VPN, like tailscale. The internet is an evil place where everyone hates you and a single tiny mistake will mess you up. Remove risk and enjoy the hobby more.
Some people will argue that serving stuff on open ports to the public internet is fine. They are not wrong, but don’t do it until you know, understand and accept the risks.(’normal_distribution_meme.pbm’)
Remember, risk is ’probability’ times ’shitshow’, and other people can, in general, only help you determine the probability.
gray@pawb.social 1 month ago
good general advice until you have to try to explain to your SO the VPN is required on their smart TV to access Jellyfin.
enumerator4829@sh.itjust.works 1 month ago
Then you expose your service on your local network as well. You can even do fancy stuff to get DNS and certs working if you want to bother. If the SO lives elsewhere, you get to deploy a raspberry to project services into their local network.
pirat@lemmy.world 1 month ago
This piqued my interest!
What’s a good way of doing it? What services, besides the VPN, would run on that RPi (or some other SBC or other tiny device…) to make Jellyfin accessible on the local network?
AtariDump@lemmy.world 1 month ago
It’s one thing to expose a single port that’s designed to be exposed to the Internet to allow external access to items you don’t care if the entire internet sees (Jellyfin).
Ots other thing when you expose a single port to allow access to items you absolutely do care if the entire internet sees (Immich).
enumerator4829@sh.itjust.works 1 month ago
If you’ve taken care to properly isolate that service, sure. You know, on a dedicated VM in a DMZ, without access to the rest of your network. Personally, I’d avoid using containers as the only barrier, but your risk acceptance is yours to manage.
Shimitar@downonthestreet.eu 1 month ago
Very low WAF score tough.
enumerator4829@sh.itjust.works 1 month ago
You mean ”hardcore WAF challenge”?
Shimitar@downonthestreet.eu 1 month ago
More like hardcoded WAF challenge.