First ask yourself what benefit you gain from isolating services.

Untrustworthy devices like work computers, smart TVs, and IoT sure have good reasons. Possibly a DMZ. But you might do as well to simply block all egress from a few internal IPs instead.

Move things slowly, because you’ll need to see what traffic needs to flow and what doesn’t, and you may find that you need some helper services for cross vlan (for example mDNS).

ETA: guest wifi is good too; force the traffic through firewall and keep it off your internal network

Young.

The original ticket is 2019. That’s 7 years ago.

Technically there’s no real problem here.

It responds to and serves content to unauthenticated requests. That’s sorta table stakes if you’re creating an authenticated web service and providing guides to set it up with a reverse proxy.

That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.

Edit: or make note of that on their several pages with reverse proxy configuration.

Examples dating back over six years https://github.com/jellyfin/jellyfin/issues/5415

Not for zfs. I mount zfs on proxmox. Why I don’t just run samba on proxmox, I’m not sure. There is some fuckery with permissions to make it work in a container and permissions are unnecessary for my use case.

But you don’t really need a ui for zfs. I ran it for 10 years on TrueNAS and only used it for initial setup.

Currently running proxmox and using cockpit to present smb, which is all that I was doing with TrueNAS. Gotta set up a few pieces manually but not really a hassle.

Caddy is a proxy

Your router is almost certainly also a firewall.

The point of the reverse proxy, caddy, is to enable hosting on 443 instead of 42069 (and other stuff). Don’t open that to the public Internet.

Caddy can’t reach your web server (or at least, get expected response from), iocane, so it’s throwing up 421.

Depends on what you’re controlling and your geographic location.

I have one of their devices with an intel CPU. I didn’t even boot the OS. Just popped in the firmware and told it to boot proxmox. But it’s an i5 with 32GB RAM so a different scenario than you’re thinking of. Im still bitter about waiting for Black Friday to upgrade the RAM and paying double.

It’s LPDDR, I think that’s not upgradable, and not a lot.

It may be simplest to move it to a hosted server. Depending on the length of outages, your comfort with electrical things, and your budget, you could get a bigger battery and use the inverter in the UPS (there are caveats-the inverter in the UPS is not rated for higher end of its load past the battery capacity it’s got and may burn itself out, and the charger may not work properly with the larger battery or with different chemistry), or get a battery/inverter box like a Ecoflow or that sort of thing. Solar may be a good bet too.

I don’t know about matrix but failing over between public IPs probably requires a HA sync of some type and also DNS failover.

There is a reason that cloud services are popular with businesses. How does self-hosting this provide value to your customers in line with the time that you spend on IT tasks instead of your product? Do you have enough faith in your build that it will be secure and reliable? If you have downtime, does your business have flexibility to accommodate you doing IT work for hours without loss of revenue? If you go on vacation, who is on call?

I’m not saying you shouldn’t, but do consider the time investment and risks. There are alternatives to M365 and Google.

Pfsense is shady on the OSS side these days. I think. I haven’t gotten into the drama. Opnsense is a popular fork.

Yes. If there’s another open source project that has the coverage I’m not aware of it.

Low tech options: a smart plug that power cycles if it can’t ping eg google and have your edge devices plugged in there, or a timer that reboots the firewall at 0200 daily. I haven’t implemented either of these, despite having a network other people rely on about 400km from my house. I should remediate that…

I have decided dual firewalls are silly without dual internet and dual power, as both those things go down more often than my FW.

I have two instances of pihole on two hosts, because I block dns outbound to the best of my ability.

I created a text file with all the IPs, server name, and function and some general notes. I don’t use good passwords in my home network, sue me. But my master password should go into the will stored with lawyer.

It’s enough to get started but my family will have to find someone to help them at some point as they don’t have the technical skills I do.

I have snort running on my firewall monitoring my LAN port. Does it help? No idea. Does it make me feel good because it blocks stuff? Yup. It does enforce IP blacklists from a feed, so it’s a start.

Keeping an loose eye on things and watching for extra network traffic, cpu, ram usage is what I do.

I get that. It’s never been easier to self host with minimal knowledge and people still say it’s too hard. I said terminal but I don’t mean that to limit to bash. It could be any server interface.

I deal with the tech all day. I get paid to. I’d rather spend my leisure time touching grass, but I’m at that point in my career where it’s difficult to get excited like I do in my 20s.

Well, like i said, I don’t wanna stare at a terminal at home. I’m running too many services as it is.

Automate the updates with a cron job and use family for outage notifications.

I get that but the setup investment up front. Wow. I’ve built out my services exactly once (over 10 years now), so I don’t really see the value for myself.

That’s not what I meant. I can self host without building layers upon layers of infrastructure and infrastructure management tools.

In fact your post could be misconstrued to suggest that if you can’t build out a home server cluster with enterprise tooling and automated deployment as in TFA, you shouldn’t self-host. Realistically, it’s not necessary.

The advantage to using something like terraform is repeatability, reliability across environments and roll-backs.

How much fucking work do you do at home anyways? The last thing I want to see when I clock out is another terminal screen. I’ve been doing this too long.