WxFisch

Eh, it can be a lot of work but doesn’t have to be. I’ve automated backups, and if you follow current best practice guidance from industry, you should use long pass phrases and not worry about regularly rotating them. For things like SSH keys, you can rotate them if you think you’ve had a breach but in normal usage there isn’t a huge benefit security-wise since they functionally can’t be guessed and would need to be stolen. If an adversary steals your SSH keys then you’re already pretty hosed as the next step is for them to establish another backdoor to access your server without needing your key.

Honestly it’s not a ton of time. A few minutes to run patches every few weeks, and the initial investment to plan, install, and configure your services (but then that’s the fun part no?). Self hosting IMO isn’t a great way to save time and money, or even to get out of the pocket of big tech. If those are your goals you’re better off looking at hosted solutions that are Open, and likely paying for it since running IT stacks isn’t free. Self hosting is a hobby, something you do to learn and because you enjoy it. It is hard sometimes, takes time, and comes with risks, but so do most other hobbies.

It doesn’t usually matter what the service is, the basic concepts are the same. If you want to access a service you host on your internal network from another external network you either need to use a VPN to securely connect into your network, or expose the service directly. If you are exposing it directly you should put it (or a proxy like NPM) in your DMZ. The specifics of how to do this though will vary from service to service and with your specific network config.

You can run a port scan against your public IP from another network to see what is open. But if you haven’t specifically set something up for external access through port forwarding you are probably fine.

Only expose services internally then use a secure VPN to access your services, this makes your network no more vulnerable in practice than not self hosting. If you need/want to expose something to the internet, make sure you setup your network right. Use a DMZ to separate that service and leverage something like CrowdSec along with good passwords, antivirus, and keep things patched.

This was posted here yesterday by the dev. Overall the reaction seems positive.

A quick look through the repo it looks pretty legit, it’s a lot of effort to create something that works, with all the documentation (including a lot of planning docs) just to collect data on you. Traffic to various IPs, foreign or otherwise, wouldn’t really be odd for an app like this either. You could try and run it through something like virustotal though to look for malicious code (there are more than a few docker scanning tools on GitHub that use virustotal).

I use cloudflare mostly because I buy my domains through them as they offer at cost domain names for many TLDs. Internally I use PiHole and then just point what I need externally to cloudflare trough a reverse proxy and a DMZ box.

I’m curious how everyone documents their core/critical configs to allow the non-technical in our homes work with it if needed. For instance if I’m on work travel and the Pi-hole goes down for whatever reason my wife wouldn’t be able to use pretty much anything online. I can remote in and fix it but that could be hours/a day or two later. Same then for the proxmox stack that everything runs on.

Along the same lines, how are folks documenting for EOL? It may not be a happy thought but we are all going to go someday, so what is your plan and how have you ensured loved ones can access/save important data?

Agree 100%. Most of the former Plex users turned Jellyfin users I have come across did so better Plex was broken in some way for them. For me it was the general lack of care in creating/maintaining a good Apple TV app. Over the past few years it’s just gotten buggier and buggier with a lot of complaints on the Plex forums where devs would essentially stop by to say they weren’t working on any fixes.

Jellyfin doesn’t fix 100% of the issues, but at least there is active development on Swiftfin that showed a desire to fully support all devices.

So paperless works as a service that ties into your storage. I point mine at an NFS share on my Synology and just backup that share. The documents are all stored as PDFs still so worst case I still have “dumb” copies without all the tagging available if my paperless instance goes offline for some reason.