Ahoy mateys! I’ve been doing some research into getting a self-hosted streaming setup built, and I’d like to ask the knowledgeable folks here for advice as well.
My goal is to be running a server that can host a jellyfin stack for acquiring and streaming media for myself and my partner. (I’d like to also run a matrix chat server on it for us to have secure chats as well, but I think that’ll be less of a hassle. I hope…)
I found a few guides that don’t seem too out of date. I’m an experienced full stack software dev, so the idea of running some docker containers and doing a little command line server set up doesn’t intimidate me.
These guides though, they just cover the software application set up mainly. I also need to know:
- Where should I host at? I’m on a shitty 5G internet at home, so VPS seems like the way to go but with who? What are some good secure hosts that aren’t super expensive? Considering Hetzner auctions maybe? Anyone used them?
- Will I need a VPN on the server too? If I’m torrenting, do I need to be careful which hosts I choose so I don’t get copyright pinged?
- Is there a good guide for securing and hardening my server? I’d like my partner and i to have easy access from home or on our mobiles, but I also don’t want to find out my box is suddenly mining crypto because I forgot to close one port. I don’t know what gotchas to be looking out for.
- Any other guides you’d recommend? Any must have software or sites to know about?
Thanks in advance!
So, docker is a viable solution, but since you’re a fullstack and will likely add more shit than you can imagine in the future, you might as well setup a proper solution.
Check out Proxmox. It’s a management platform that allows you to run containers and just about everything else you need for self-host. In addition to that, I recommend getting a very small VPS with a domain to reverse proxy your services if you want. I highly recommend caddy2 for this as it does rproxy and even ssl seamlessly.
Considering you have a poor internet connection, you’d want to keep as much locally as possible. You’re not going to be able to stream HD movies with shitty internet if you host your media on a remote server, but if you rely on a local wifi network, it’s fine. You won’t have remote access to your movies (I mean you can, but like you said, shitty internet) it’s not going to be awesome. Other services like your matrix server would be fine, but since you’re self-hosting, might as well host them at home, too. Matrix isn’t exactly resource heavy and doesn’t require a shit ton of upload to make usable.
If you’re on 5G, and you torrent, you’ll be found out almost immediately, even with a VPN. I highly recommend a seedbox. Download to the seedbox, then use rclone or something to grab the files to your local NAS cluster (in proxmox) then stream the video’s locally.
I always recommend 2 things when dealing with *nix servers;
IMO this is really the only hardening you need, especially if you’re working with rproxy and the ports only have to be opened locally or tunneled.
I’ve read a lot about using a VPS with reverse proxy but I’m kind of a noob in that area. How exactly does that protect my machine? Couldn’t an attacker with access to the VPS still harm my local machine? Currently I’m just using a WireGuard tunnel to log into my server, from what I understand you’d tunnel the service from the VPS to the homeserver and then on the VPS URL you could watch right m?
And do I understand correctly that since we’re using the reverse proxy the possible attack surface just from finding the domain would be limited to the web interface of e.g. Jellyfin?
Sorry for the chaotic & potentially stupid questions, I’m just really a confused beginner in this area.
So you’re not letting people directly connect to your server via ports. Instead, you’re sending the data through your reverse proxy. So let’s say you have a server and you want to server something off port
:9000. Normally you would connect fromdomain.com:9000. With a reverse proxy you would setup to use a subdomain, likeservice.domain.com. If you choose caddy as your reverse proxy (which I highly recommend that you do) everything is served from port:443on your proxy, which as you might know is the default SSL port.I wouldn’t say that it decreases your attack surface, but it does put an additional server between end-users and your server, which is nice. It acts like a firewall. If you wanted to take security to the n^th degree, you could run a connection whitelist from your home server to only allow local and connections from your rproxy (assuming it’s a dedicated IP). Doing that significantly increases your security and drastically lowers your attack vector–because even if an attack is able to determine the port, and even your home IP, they can’t connect because the connection isn’t originating from your rproxy.
You’re good. Most of this shit is honestly hard.
I’d also suggest authentication by key file.
Very true! You can also take it a step farther and setup SSHFP records for your domain.
This is the way to go. I also run sshguard on all publicly-accessible hosts just to reduce traffic from bots, otherwise I just ssh over tailscale.