Joined 1 year ago
Cake day: February 8th, 2025


  • Just throw your services in a docker-compose.yml file, create a docker bridge network, and assign the:

    networks:
        - YourDockerNetwork
    

    To the services in the yaml file, specify the ports it wants to open with:

    ports:
        - 8080:8080
    

    And let it start up. If you want to get more complicated, I suggest reading the man page, which really isn’t that long of a read.

    Networking really cannot be simplified; you have to view it in a logistical way of how Point A is communicating with Point B, which is where Docker bridge networks come into play. They make the communication easy: if all your containers are on the same docker network, all you have to do is specify http://ContainerName:Port for them to communicate back and forth internally.


  • The other thing I tried was deploying an Element server so they could talk to family on their own without risk of exposure to the world at large, but ended up abandoning this.

    Matrix is a PIA to configure properly. It is nice to have once you’ve got it running, but you’ll end up spinning up like 8 different services (if you use Docker) for all the functionality to work.


  • Additionally, I recommend unbound for those already on pi-hole.

    Never could get unbound to work properly; it would always knock my internet out to the point of troubleshooting for hours. Whether that be Pi-Hole, OPNsense or Technitium, I’ve always had issues with unbound.

    As much as I like hosting my own services, I want them to be reliable.










  • I’ve been looking at VPNs, but it feels weird, to route everything through my home IP when I’m also trying to use a commercial VPN for privacy / to combat services fingerprinting me based on my IP.

    My ASUS WRT router (running Merlin Firmware) forwards my Home WireGuard VPN server through one of my Proton VPN clients. I get all the added bonuses of being connected to my home network, utilizing my PiHole and such, while benefiting from appearing across the world.

    I’m currently considering a reverse proxy setup with an authentication provider like authentik or authelia, but as far as I understand, that wouldn’t work well with accessing services through an app on my mobile device (like for jellyfin music for example.)

    This is correct: you cannot host an authentication service in front of Jellyfin’s proxy, otherwise the Jellyfin Media Player will not connect to your server. However, there is a Jellyfin SSO plugin for authentication, which is what I use, and I disabled the manual login form via CSS. Be warned, if you take this route, that the CSS can be re-enabled on the login screen using your browser’s element inspect. I wish you could disable it outright, but it’s heavily baked into Jellyfin from what I’ve read.

    I suggest setting up an IP-Blacklist for Jellyfin and only whitelisting the known IPs.


  • Jellyfin isn’t the most secure piece of software out there, I would avoid giving it permissions it doesn’t need.


    Step 1) Check /dev/dri for the GPU

    user@debian:~/compose$ ls -la /dev/dri
    total 0
    drwxr-xr-x  3 root root        120 Jan 25 11:50 .
    drwxr-xr-x 18 root root       3360 Feb 11 03:03 ..
    drwxr-xr-x  2 root root        100 Jan 25 11:50 by-path
    crw-rw----  1 root video  226,   0 Jan 25 11:50 card0
    crw-rw----  1 root video  226,   1 Jan 25 16:39 card1
    crw-rw----  1 root render 226, 128 Jan 25 11:50 renderD128
    

    Documentation indicates renderDXXX typically refers to Intel GPUs.

    Make sure at least one renderD* device exists in /dev/dri. Otherwise upgrade your kernel or enable the iGPU in the BIOS.

    Step 2) Edit your docker-compose.yaml and add this in your Jellyfin block:

    devices:
     - /dev/dri/renderD128:/dev/dri/renderD128
    
    Step 3) Start your container and enter it to verify the device is recognized.

    sudo docker compose up -d; sudo docker exec -it jellyfin bash

    Once inside, run ls /dev/dri to confirm the GPU is recognized inside the container; once you confirm it, you can exit the container.

    user@debian:~/compose$ sudo docker exec -it jellyfin bash
    I have no name!@jellyfin:/$ ls /dev/dri
    renderD128
    I have no name!@jellyfin:/$ exit
    exit
    user@debian:~/compose$
    
    Step 4) On the Jellyfin dashboard, go to the hardware acceleration page and follow the notes left by the Jellyfin devs.
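
An added example, not part of the original comments or any project's own files: one compose file that combines the bridge-network setup from the first comment with the render-node passthrough above, and runs Jellyfin without permissions it doesn't need. The UID/GID 1000, the host paths, the loopback-only port binding and the RENDER_GID variable are assumptions for illustration.

```yaml
# Added example. Assumed values: UID/GID 1000, host paths, RENDER_GID.
services:
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    # Run as an unprivileged host user instead of root. The bind-mounted
    # config and cache directories must be owned by this UID.
    user: "1000:1000"
    # On the host, /dev/dri/renderD128 is root:render with mode 0660, so a
    # non-root user needs the host's render GID as a supplementary group.
    # Find it with: getent group render | cut -d: -f3
    group_add:
      - "${RENDER_GID:?set RENDER_GID to the host render group id}"
    # Pass only the render node: not all of /dev/dri, not privileged mode.
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
    # Drop capabilities and block setuid-style privilege gain.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./jellyfin/config:/config
      - ./jellyfin/cache:/cache
      # Media is mounted read-only; Jellyfin only needs to read it.
      - /srv/media:/media:ro
    # Publish on loopback only, for a reverse proxy running on the host.
    # If the proxy is a container on the same network, drop "ports" and
    # let it reach http://jellyfin:8096 internally.
    ports:
      - "127.0.0.1:8096:8096"
    networks:
      - YourDockerNetwork
    restart: unless-stopped

networks:
  # User-defined bridge: containers attached to it resolve each other
  # by container name.
  YourDockerNetwork:
    driver: bridge
```

Start it with the GID exported in the same shell, or put RENDER_GID in a `.env` file beside the compose file; compose refuses to start if the variable is unset.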





  • Setting up Element Call on my instance was difficult on its own; I understand why Synapse doesn’t come with it out of the box. Essentially, you spin up Matrix’s JWT service for authenticating clients and, if approved, it forwards the connection to the Livekit ports, which must be opened on your firewall (i.e. port forwarded); otherwise people will not be able to connect to calls.

    Big PITA and, in my experience, on my home network it can conflict with games with VOIP chats, so don’t follow the default 50000:55000 port range Livekit recommends or you’ll run into issues like I did. Each person consumes 2 ports, so adjust the range to your needs.


    Edit: I don’t suggest running Element Call standalone; it has issues of its own. Once you get Livekit and JWT running and follow this guide, you should have Element Call support in Synapse. Pro-tip for those running Synapse behind Docker who get confused by the whole ./well-known part of the documentation: you can edit your ./well-known in your homeserver.yaml file like so:

    serve_server_wellknown: true
    
    extra_well_known_client_content:
      optional: client
      "org.matrix.msc4143.rtc_foci": [
          {
              "type": "livekit",
              "livekit_service_url": "https://livekit-jwt.your.domain/"
          }
      ]