Having multiple interfaces in each vm can lead to issues with routing if you screw something up.
Like you said I’d expose the services via reverse proxy in the public vlan, and enable ssh access on the firewall only from a jumpbox or the ip of your pc (or maybe the vlan you are in).
I’ve been told that zerotier is even better. Haven’t tried it myself (it looks more complicated to selfhost) but the guy suggesting it knows waaaaay more than me on these things. Just if you want to look into another option.
For what it’s worth (from a random guy on the internet) self-hosting tailscale is quite easy! 🙂
I’m self hosting headscale (foss implementation of tailscale control server) for this scenario. Works great!
Sorry for the late reply. So far it’s great. I can feed it custom paths on my NAS and it doesn’t touch the pictures/import them/etc. (which was the main requirement for me). It just works with what you feed it. Face recognition is good. Search is good. The 3rd party app (uhuru photos) is not great, but still under development. But the mobile interface works well enough anyway.
I have been using opnsense on a very cheap Celeron NUC for a few years, very happy with it.
As everyone said, debian. I use it for my mail server, the docker server, podman server, matrix, headscale. On docker I also have nvidia drivers for hardware video decoding in jellyfin.
I tried immich, photoprism and piwigo. I settled with librephotos. Iirc it was because of the face recognition capabilities and reading the photos from my NAS.
I host mine (for two users + WhatsApp bridge) on a 4 GB, 1 vCPU VM. When I was using a smaller VM with only 2 GB of RAM it would hang frequently due to memory exhaustion and swapping. I’m using a debian image, and the different components of matrix are containers.
one a VM, the other a container, with different upstream targets. I have to schedule maintenance when everyone is asleep or out of the house. I’ll swear one day I’ll have a proper (raspberry pi) cluster with KVM, I just need to finish implementing the other million things I find when I research it.
And it’s really easy to set up
If you want a gui to manage your containers, I use portainer (with debian as OS).
Joke’s on you, I login as root (no I don’t, but I do sudo -i instead of each command)
TECHNICALLY (yes, I’m fun at parties) you need 3 commands, as you also need to do an “apt update” after adding the repo. But we can chain commands of course. Do chained commands count as one? We could debate that for hours. Like why I prefer vi.
My point? None really, just having fun.
You have to set up proper routing, so the two vlans (your mobile/pc wifi vlan and the tv vlan for example) can communicate. But you don’t give Internet access to the tv/thermostat vlan, so they can’t “call home” and send all kinds of tracking back home.
The ultimate boss fight is hosting your email server AND making your family use it
I know it’s linux and you never reboot it and yadda yadda, but have you tried rebooting both machines?
For what it’s worth, that’s my fstab entry (it’s mounted with a normal user, which is the same which the containers use). I seem to remember I had to change ownership of the /mnt/nasdownload folder (before the mount) to the user used to mount it.
//192.168.1.10/Download /mnt/nasdownload cifs auto,user,uid=1000,gid=1000,rw,iocharset=utf8,suid,credentials=/root/.smbgringo,file_mode=0770,dir_mode=0770,_netdev,vers=3.0 0 0
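As an added example (not code from the thread's author), here is a small Python reviewer that parses fstab lines like the one above and reports the CIFS settings a defender would check: a plaintext `password=` in the world-readable fstab, permissions on the `credentials=` file, the SMB protocol version, setuid handling (an explicit `suid` overrides the `nosuid` that `user` implies), and world-writable `file_mode`/`dir_mode`. The sample fstab, host, share name and credentials path are constructed placeholders; the stat function is injectable so the permission check can run without the file existing.

```python
"""Static review of CIFS entries in an fstab (added example, not from the thread)."""
import os
import stat

# Constructed sample: the second line mirrors the entry posted above, the third is a
# deliberately weak entry to exercise the checks. Host, share and paths are placeholders.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=0000-0000 / ext4 errors=remount-ro 0 1
//192.168.1.10/Download /mnt/nasdownload cifs auto,user,uid=1000,gid=1000,rw,iocharset=utf8,suid,credentials=/root/.smbgringo,file_mode=0770,dir_mode=0770,_netdev,vers=3.0 0 0
//192.168.1.10/Public /mnt/public cifs username=bob,password=hunter2,vers=1.0,file_mode=0777,dir_mode=0777 0 0
"""


def parse_fstab(text):
    """Parse fstab text into dicts; mount options become a {key: value-or-True} map."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue
        source, mountpoint, fstype, optstr = fields[:4]
        options = {}
        for opt in optstr.split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True
        entries.append({"source": source, "mountpoint": mountpoint,
                        "type": fstype, "options": options})
    return entries


def review_cifs_entry(entry, stat_func=os.stat):
    """Return a list of finding strings for one parsed fstab entry (empty if clean)."""
    findings = []
    if entry["type"] != "cifs":
        return findings
    o = entry["options"]

    # Secrets: /etc/fstab is world-readable, so password= leaks the share password.
    has_inline_pw = "password" in o or "pass" in o
    if has_inline_pw:
        findings.append("password in fstab: /etc/fstab is world-readable, use credentials= instead")
    cred = o.get("credentials")
    if isinstance(cred, str):
        try:
            mode = stat.S_IMODE(stat_func(cred).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"credentials file {cred} is group/world accessible (mode {mode:04o})")
        except OSError as exc:  # missing file, or unreadable parent dir when not root
            findings.append(f"credentials file {cred} could not be checked ({type(exc).__name__})")
    elif "guest" not in o and not has_inline_pw:
        findings.append("no credentials= option: mount will prompt or fail at boot")

    # Protocol version: SMB1 lacks modern signing/encryption and should not be used.
    vers = o.get("vers")
    if not isinstance(vers, str):
        findings.append("vers= not set: protocol version depends on the kernel default")
    elif vers.startswith("1."):
        findings.append(f"vers={vers}: SMB1 is obsolete, use vers=3.0 or newer")

    # 'user'/'users' imply nosuid,nodev,noexec; an explicit 'suid' re-enables setuid.
    implied_nosuid = "user" in o or "users" in o
    if "suid" in o or not (implied_nosuid or "nosuid" in o):
        findings.append("suid set: setuid binaries on the network share are honoured")

    # World-writable default modes make every local user a writer on the share.
    for key in ("file_mode", "dir_mode"):
        val = o.get(key)
        if isinstance(val, str) and int(val, 8) & 0o002:
            findings.append(f"{key}={val}: world-writable")
    return findings


def review_fstab(text, stat_func=os.stat):
    """Map each CIFS mount point in the fstab text to its list of findings."""
    return {e["mountpoint"]: review_cifs_entry(e, stat_func)
            for e in parse_fstab(text) if e["type"] == "cifs"}


if __name__ == "__main__":
    for mnt, found in review_fstab(SAMPLE_FSTAB).items():
        print(mnt, "->", found or ["ok"])
```

Run it against a real system with `review_fstab(open("/etc/fstab").read())`; the credentials check then uses the real `os.stat`, so run it as the user that owns the credentials file (or as root) to avoid a permission error masking the result.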
Now you make a good point: you also have to perform the update within the app in nextcloud. I use a custom image so I have to do it anyway, I hadn’t realised that.
But I guess npm is the one that needs to be updated automatically to avoid most of the attacks on the web
AFAIK one container at a time. Since the different parts of a stack (e.g. app and db) have different release cycles it’s not a problem (or it hasn’t been for me).
Also, the important bit (from a security perspective) is the front end (i.e. the web app).
If your phone is Android (I think so) and your jellyfin server has a file share (easy to implement anyway) you can use Material Files (https://f-droid.org/packages/me.zhanghai.android.files/). It has an option to connect via SMB.