Elvith Ma'for

Former Reddfugee, found a new home on feddit.de. Server errors made me switch to discuss.tchncs.de. Now finally @ home on feddit.org.

Likes music, tech, programming, board games and video games. Oh… and coffee, lots of coffee!

I � Unicode!

  • 0 Posts
  • 11 Comments
Joined 10 months ago
Cake day: June 21st, 2024
  • Elvith Ma'for@feddit.orgtoSelfhosted@lemmy.worldHow do I securely host Jellyfin? (Part 2)English
    2·
    20 days ago

    Came to suggest this. I ran into the same problem when I tried to host Jellyfin at home. Also I was fed up with all those certificate warnings, depending on which device I used. Since I was already using pihole in my home network, I just went and looked at all the DNS plugins for certbot to learn which provider allows for easy DNS challenges. Then I researched a bit and stumbled upon a provider that was running a sale - so I got a domain for less than 5 bucks/year.

    I set the public A record to 127.0.0.1 and configured certbot to use their API. This domain is now used internally in my network exclusively and I just added some DNS entries for several subdomains in pihole, so that it works for every device at home (e.g. jellyfin.example.com / dockerhost.example.com / proxmox.example.com / …).

    When I’m away, I shouldn’t be able to resolve the domain, and even if DNS were hijacked, the TLS certificate will protect me from connecting to $randomServices. Also my router is less restricted, which means that I can just use it’s VPN server to connect directly to my home network, if I need to access my server or need to troubleshoot things when away.

  • Elvith Ma'for@feddit.orgtoSelfhosted@lemmy.worldDo I really need a firewall for my server?English
    32·
    1 month ago

    If done correctly, those may only be open from the internet, but not from the local network. While SSH may only be available from your local network - or maybe only by the fixed IP of your PC. Other services may only be reachable, when coming from the correct VLAN (assuming you did segment your home network). Maybe your server can only access the internet, but not to the home network, so that an attacker has a harder time spreading into your home network (note: that’s only really meaningful, if it’s not a software firewall on that same server…)

  • Elvith Ma'for@feddit.orgtoSelfhosted@lemmy.worldDo I really need a firewall for my server?English
    121·
    1 month ago

    Instead of thinking with layers, you should use think of Swiss cheese. Each slice of cheese has some holes - think of weaknesses in the defense (or intentional holes as you need a way to connect to the target legitimately). Putting several slices back to back (in random order and orientation) means that the way to penetrate all layers is not a simple straight way, but that you need to work around each layer.

  • Elvith Ma'for@feddit.orgtoSelfhosted@lemmy.worldWhat does the 3-2-1 rule look like for you?English
    1·
    2 months ago
    • Daily incremental (and occasionally full) backup to an external HDD - a full image of my PCs, so that I should be able to restore anything back to what it was in the last ~14 days, assuming no ransomware or fire or…
    • All the data I care about gets synced to my Nextcloud (VPS, not home lab) - somewhat ransomware protected as I could restore VPS backups independently from my PC.
    • Most precious data (mostly photos) gets backed up regularly to an encrypted zip file and then gets send to a glacier tier S3 bucket. Some manual retention is done on the zip file level, so that I can get a tad older backup restored.
    • At least monthly a full backup image of my PCs is created on a separate external HDD which is not stored at home, but in a place I could access 24/7 if I really needed to restore something fast.

    Phones, etc? Just sync to the mentioned Nextcloud, PC downloads from there and everything gets then into the aforementioned backups.

    Homeserver? See “PC” above. With the caveat that some VMs/containers are not in the backup cycle, as they do not store any valuable data besides temp files, etc. For these, only things like docker compose files, custom config, ansible playbooks,… are in my backup.

  • Elvith Ma'for@feddit.orgtoSelfhosted@lemmy.worldWhat access points do you use?English
    9·
    5 months ago

    I really like them but they do have two downsides for “more advanced” users (or at least for me) - it is a home device as after all.

    1. No support for VLAN or VLAN tagging - you can set up you WiFi and a guest WiFi. You can also map the guest network to an Ethernet port. But that’s about it.
    2. There is no way to change the DNS suffix (*. fritz.box) to another value - I do own a domain that I use for the local services on my home server, etc. which then allows for Let’s Encrypt certificates, but I cannot use it “out of the box”.

    If you’re an advanced user, there’s plenty of ways around that, though. I just wished that these two thing were to exist in the firmware to have less work with my home infrastructure.

  • Elvith Ma'for@feddit.orgtoSelfhosted@lemmy.worldWhat access points do you use?English
    2·
    5 months ago

    Same, I needed to expand my Wi-Fi and was to lazy to run an Ethernet and a power cable across the attic. I settled for two TP-Link EAP and a TP-Link managed switch that also provides PoE. You can run all three devices stand alone, but Omada is also quite nice - you can run it without using their cloud on your home server and even connect their app to your local controller.