Comment on Immich: opinion revised
gray@pawb.social 6 days agogood general advice until you have to try to explain to your SO the VPN is required on their smart TV to access Jellyfin.
It’s one thing to expose a single port that’s designed to be exposed to the Internet to allow external access to items you don’t care if the entire internet sees (Jellyfin).
Ots other thing when you expose a single port to allow access to items you absolutely do care if the entire internet sees (Immich).
If you’ve taken care to properly isolate that service, sure. You know, on a dedicated VM in a DMZ, without access to the rest of your network. Personally, I’d avoid using containers as the only barrier, but your risk acceptance is yours to manage.
enumerator4829@sh.itjust.works 6 days ago
Then you expose your service on your local network as well. You can even do fancy stuff to get DNS and certs working if you want to bother. If the SO lives elsewhere, you get to deploy a raspberry to project services into their local network.
pirat@lemmy.world 6 days ago
This piqued my interest!
What’s a good way of doing it? What services, besides the VPN, would run on that RPi (or some other SBC or other tiny device…) to make Jellyfin accessible on the local network?
enumerator4829@sh.itjust.works 6 days ago
Well, I’d just go for a reverse proxy I guess. If you are lazy, just expose it as an ip without any dns. For working DNS, you can just add a public A-record for the local IP of the Pi. For certs, you can’t rely on the default http-method that letsencrypt use, you’ll need to do it via DNS or wildcards or something.
But the thing is, as your traffic is on a VPN, you can fuck up DNS and TLS and Auth all you want without getting pwnd.