Not spesifically helpful with your cgnat-situation, but my jellyfin runs on a isolated network and it’s just directly exposed to the internet via named reverse proxy in order to share the library with family and friends. Should someone get access to that they can obviously use the VM for nefarious purposes, but it’s a known risk for me and the attacker would need to breach trough either my VLAN isolation or out of the virtual environment to my proxmox host if they wanted to access my actually valuable data.

Sure, there’s bots trying every imaginable password combination and such, but in my scenario even if they could breach either the jellyfin server or reverse proxy it’s not that big of a deal. Obviously I keep the setup updated and do my best to keep bad actors out. but as I mentioned, breach for that one server would not be the end of the world.

With cgnat there’s not much else to do than to run a VPN where server is somewhere publicly accessible and route traffic via that tunnel (obviously running a VPN-client on jellyfin-server or otherwise routing traffic to it via VPN). Any common VPN-server should do the trick.

Our opsec is pretty well managed, but I try to squeeze anything I’d need at home to work tasks. I get paid to learn the stuff at work and then I can just implement it on my own environment.

It’s pretty simple to set up. Generate CA, keep key and other private stuff stored securely, distribute public part of CA to whoever you want and sign all the things you wish with your very own CA. There’s loads of howtos and tools around to accomplish that. The tricky part is that manual work is needed to add that CA to every device you want to trust your certificates.

I didn’t know raspberry supports that. Searching for ‘atv remote’ just brings up androind apps, so maybe I misunderstood. Neat thing, but the hardware I have doesn’t support it and seems like usb-cec adapters are more expensive than usb-hid remotes.

I’d rather have a physical remote which acts as a keyboard so it’ll support waking the system up from suspend. Plus I prefer a dedicated device for that instead of a phone as I’m not a only user for the thing. There’s plenty of those around, only problem is to find one that works reliably and local stores don’t seem to have a lot of options so I might need to dig one up on ebay even if it’s a bit of a PITA to order from China to EU today with customs.

I installed Jellyfin on my server and threw kodi on a minipc I dug out of dumpster pile at work. Works pretty well, but my server needs more RAM and the minipc needs either a wireless keyboard or a USB-HID remote controller to finalize the setup. Also ran some wiring in the house and added two network sockets to a room where the whole kodi-tv-gamingpc-whatever-pile is going to live.

On the server RAM I found some on ebay, but if anyone is interested on 64G DDR4 ECC DIMMs I have a few. I thought they were supported on my server motherboard when I took them out from a old server at work but it supports only up to 32G ECC dimms.

How you imagine things send messages to reset your passwords, sending notifications and whatever is currently managed via email than some piece of code creating and sending messages, managing possible errors with them and potentially also monitoring/logging the message traffic for statistics or debugging?

User adoption matters if you want your thing to be actually useful for the actual users. And supporting any messaging system requires effort, so it makes sense to spend limited resources on a thing which has the biggest userspace. If you want to run matrix server which has you and your dog using it, go ahead, but don’t be surprised if you want to contact your neighbor and he’ll look like you have two heads when you start to explain how to reach you.

It’s a crapload more work to support XMPP/Matrix/whatever messaging on any platform than…SMTP

It’s absolutely not.

And you know this since you’ve written code to manage both on different environments, right?

Also, whatsapp supports all kinds of “bots” and it has absolutely massive userspace compared to pretty much any other instant message application. It doesn’t matter if you create the perfect protocol and platform for this kind of thing if there’s 7 people globally using it.

It’s a whole lot less work than configuring email.

It’s a crapload more work to support XMPP/Matrix/whatever messaging on any platform than just using a robust, reliable, resilient, widely supported good old SMTP. For you it might be easier to input your account (which at least on XMPP resemble quite a bit of email address) but for the developer it’s totally different thing. Also practically everyone accessing a website has an email address and if they’d decide to support some mesaging platform it’d make more sense to use whatsapp than XMPP since it’s vastly more popular.

Self hosting is not just one thing. You are system adminstrator, network engineer, security specialist, service architect and many other things, specially if you expose anything to anyone outside your very private network. And to get anything even running on that complex mess requires some knowledge on a lot of things. Making them run securely with proper backups requires even more knowledge on things.

Sure, you can just throw some docker images on your old desktop and be happy, even forward ports from the public internet to your things if you like. But that exposes your stuff to quite a lot of dangers and if you just click buttons without any understanding you’ll soon be a part of a botnet or lose your data or lose money if someone decides to mess around with your home automation or something else.

I get what you’re saying, not all of us are very polite and answers can be pretty harsh, but more often than not the generic idea behind those answers is not trying to be an asshole or gatekeep anything. It’s just that there’s a skillset you need to build things safely and if it’s clear from the start that someone looking for answers is way over their head it’s better for everyone to get them take a step back and learn instead of trying to create a meaningful answer since there’s too many variables or it’d just take immense effort to write down comprehensive guide on what to do, why and how for everything from the ground up.

I know for a fact that in my area there’s a bunch of surveillance cameras, home automation stuff and even some farm equipment directly open to the public network just because someone just plugged things in without any idea on the whole picture. Sometimes the correct answer is ‘stop shooting yourself on the foot and learn the basics first, then come back’.

Just for the sake of conversation, I recently did some crude math on this. I have few friends around who are well capable of running a backup server for me (hardware maintenance and stuff is always needed anyways) and at first it seemed like a good plan. Just get a 4TB SSD/NVME and throw that on a Raspberry Pi (or something small to keep electricity consumption low and setup silent), set up encryption, connect that to my network with wireguard or some other VPN and let it do it’s thing.

But I’d need to purchase everything as setting up a remote location with old hardware is just asking for trouble. The drive alone is 300€ (give or take) and the rest is easily another 100€. Currently my storagebox costs ~10€/month for 5TB. Even if I scored a fantastic black week offer and got everything for -50% discount that hardware with multiple single point of failures would cost nearly 2 years worth of cloud backups. And I’d still owe at least few beers to the friend for the trouble.

Your mileage may obviously vary, there’s a million different scenarios, but for me with my current setup it just makes sense to pick couple cloud providers and let them store my bits instead of getting more hardware to maintain and upgrade.

With backups two is one and one is none, so you are very much in a right track. Personally I have my stuff running on proxmox VMs with a proxmox backup server (VM as well) storing backups to Hetzner Storagebox. I’m planning to set up a another host in garage to have “local” backups too, as mine is detached as well the risk of both going up in flames in event of fire is pretty low. However, a voltage spike due to lightning on the grid or something else might blow up both hosts so that’s a threat model to be aware of. Also if your connection to garage is over copper it can cause other problems, fibre or wireless is highly recommended.

With backups it’s largely about the bandwidth available. I personally have enough so uploading to cloud is not an issue, but backing up a terabyte of data over 10Mbps connection might not work out at all.

For more info search for 3-2-1 strategy, that should give you plenty of ideas what you need to think about and what are industry best practises about making sure backups are in order.

So it is always DNS

I actually did something for quite a while. Finished long overdue wiring for outdoor access point and one more camera, replaced a main switch since the old one started to behave unreliably, installed frigate (which still needs some work), cleaned up some wiring while messing around, updated a bunch of firmwares, replaced switch in garage to managed one and made some changes on my workstation and some other minor stuff.

Next would be to move cameras into their own VLAN and harden that setup a bit. And I really should get around on better backups for my VPS. But it’s a new week coming up, if the work isn’t too busy I might get something more done.

And then you buy the storage from Dell or some other big player and the disk array with controllers, warranties and the kitchen sink costs 100k€. Which is still almost a rounding error on that scale.

Our team has office days once or twice per month and fuck all gets done on those days. Time is spent on social chitchat, longer coffee breaks and lunch with more small talk, discussing random ideas and almost anything else than actual work. And those are really nice to have, when we’re mostly scattered across few cities and limited to text chat or calls they tend to be strictly about the task at hand. The office days give a sort of a break on normal schedule and while very little gets actually done the discussions often include planning future stuff, going trough previous changes, current situation and workload more broadly and so on. After those days, even if nothing got done, we’re all a bit more on board on almost everything and it’s nice to actually meet the people we interact with every day.

But for actual work, for the stuff we do, the office doesn’t offer anything we couldn’t do remotely. I have more comfortable setup at home than at my cubicle at office, I can listen to whatever I want at how loud I want without disturbing others, no hassle with commute (even if mine is pretty much as short as it can be) and so on.

Another happy Hetzner customer here. ~10 years so far, both for business and for personal use. 1€/month won’t happen, but they’re not that expensive either.

Unfortunately that’s not valid.

$ tar -h
tar: You must specify one of the '-Acdtrux', '--delete' or '--test-label' options
Try 'tar --help' or 'tar --usage' for more information.

From man-page:

-h, --dereference follow symlinks; archive and dump the files they point to

DNS PTR records belong to the entity who owns the IP addresses, you can’t make reverse records for arbitary addresses like you can with forward zones. I haven’t heard about any residential ISP which would give access to PTR records and even on business lines that’s usually a premium.

What you could do is to get a VPN service which gives you these options, if there is one, I don’t know. Most likely you’re looking for a VPS for that and tunnel traffic with some kind of VPN-setup to your local instance. And at that point you might as well run the whole thing on VPS unless you happen to need a ton of storage or some other reason makes pure VPS server too expensive.

Depends heavily on what you need/want. My current installation doesn’t have anything extra, mail and calendar with “standard” file storage (with sync agents on desktop/laptop) is well enough on what I use it for as my photos are in Immich instance.