Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
I've been testing out jellyfin for the last couple months but it doesn't really fill the void of this specific feature that's being locked behind a pay wall. If anyone has good recommendations for securely and reliably hosting jellyfin behind SSL and auth with email password resets where I don't have to worry about it as much as Plex.
I use jellyfin locally but for a handful of remote clients I have I may well block off their access they're not going to be able to figure out my hand spun services and wall of text.
I would go for a reverse proxy to get ssl running.
https://jellyfin.org/docs/general/networking/#running-jellyfin-behind-a-reverse-proxy
Handling users with forgotten passwords is, sadly, a manual chore for the administrator.
https://jellyfin.org/docs/general/server/users/adding-managing-users#profile
You can connect Jellyfin to an SSO provider. It still needs work, and client support is lacking. Ideally I think it maybe should be built in rather than a plug-in (would definitely encourage more client support). But it exists.
https://github.com/9p4/jellyfin-plugin-sso
Feature request for oidc/sso:
https://features.jellyfin.org/posts/230/support-for-oidc-oauth-sso
As it stands, you could enable both the SSO and LDAP plugins, and let users do password resets entirely through your auth provider.
Basically, this is all stuff that comes with Plex out-of-the-box, but you sort of have to glue it together yourself with Jellyfin, and it's not yet in an ideal state. Plex is much much easier to configure. I wouldn't allow yourself to believe that Plex doing all this for you will make you totally secure through -- there's been multiple incidents with their auth, and IIRC the LastPass attacker pivoted from a weak Plex install. Just food for thought.
Ah, that's good to know!
My jellyfin server is only available over vpn (and locally) so I haven't much looked into beefing up the security on the jellyfin server itself.
If I reverse proxy does the video stream itself travel via the proxy too?
In case this helps as a reference point, I use a $5 digital ocean droplet as my Plex and Jellyfin reverse proxy and it seems to handle the traffic of 3-5 simultaneous streams just fine. I use Haproxy in tcp mode (so no http interpreting, just passing packets) in an attempt to keep the CPU load minimal and just make it a pure I/O task.
i'm fairly familiar with reverse proxies and how to set them up, but I'm mostly worried about the monthly bandwidth limits here. especially with hetzner's recently lowered limits. since I have a life time plex pass i might be able to hold off from switching until I figure something else out, at least.
Gotcha, I've never actually considered the bandwidth limits. It looks like digitalocean includes 1TB per month and I used 242GB last month. If I ever get close to the limit I will just spin up another droplet. I don't think I would even need to load balance unless the first one is struggling since the bandwidth allowance across all droplets is pooled together.
If you aren't already using a reverse proxy, then do you currently just port forward or use the Plex relay? The only reason I use one is because of CGNAT. Before I moved to a place with only CGNAT I port forwarded for both Plex and Jellyfin.
I just port forward right now, so Plex’s system is basically an overpowered dynamic dns. I guess my next option is to self host a dynamic dns on a numbered xyz domain (yk the $1/yr ones)
Yeah, the reverse proxy will need to be able to handle the network bandwidth of your video stream too.
https://en.wikipedia.org/wiki/Reverse_proxy
Authentik + jellyfin SSO plugin?
I haven't tried it out personally, but I use authentik, for that you can just create a password policy, then add a new stage for identification (just make sure to add the email field), and an email stage, then create a flow.
More work on your end than paying someone else obviously.
Forget the Auth, use VPN profiles as access controls. Give them to trusted folks and you're gold.
Dumb question but should there be VPNs operating on both ends, server and client? Or just the client because I'm guessing the server might change the connection address.