• 0 Posts
  • 31 Comments
Joined 3 years ago
Cake day: July 29th, 2023

  • Wireguard.

    Dunno if Cloudflare does effective auth for the tunnel or if you have to set that up yourself, but I don’t bother trying to expose services to the internet in any way because some of this stuff was just never designed for proper web security (cough Jellyfin).

    It’s still worth setting up a wildcard cert with ACME so you get nice https and a real domain.


  • I’ve been trialing Vaultwarden for a while and while I do like the server sync setup and clean web access, the Bitwarden browser plugin is just okay despite being an “enterprise” solution. It misses probably about 20% of websites when creating a new account, forcing you to grab the password from the generator history and make a new entry manually.

    KeepassXC is much better in that regard, and it’s almost as good as the default credential handler of Firefox, and it lets you set up a bunch of custom stuff to extend the functionality if you want. Plus it has some neat kbdx options aside from AES256.

    Only downside is syncing, which I’m debating how I’ll deal with something better than syncthing on android (protocol is great, android makes it a PITA to have a background process if it’s not Google spyware).


  • (I don’t need strong censorship resistance; it just has to work in offices and hotel WiFis.)

    Wireguard on 443 or OpenVPN + Stunnel on 443

    Wireguard is easier to set up because there’s no OpenVPN app that packages stunnel (afaik), so you have to run 2 apps on your phone to make it work.

    A server like caddy can also accept HTTPS traffic for some regular websites next to the VPN server.

    Wireguard uses UDP, so just run whatever you want on 443 TCP with caddy (unless you want QUIC for some reason?)

    Anything beyond that and you’d be looking at using a proper obfuscation solution like Shadowsocks or obfs4, in which case you should look into Amnezia or Tor bridges.


  • Use our easy bash oneliner to install our software!

    Looks inside script

    if [ "$(command -v apt-get)" ]; then apt-get install app; else echo "Unsupported OS"; fi

    Still less annoying than trying to build something from source which the dev claims has like 3 dependencies but in reality requires 500mb of random packages you’ve never even heard of, all while their build system doesn’t do any pre-comp checking so the build fails after a solid hour of compilation.
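    The joke above is about what is inside the one-liner; the habit worth keeping is to actually look before running it. Added example, not code from this thread or from any vendor's installer: fetch the script to a file, list the lines worth a second look, and only execute it once its SHA-256 matches a value obtained from a second channel (a release page or signed manifest, not the same download). The two installer files below are constructed stand-ins so everything runs offline; the hash in the usage comment is a placeholder, and `flag_risky_lines`, `hash_matches` and `verify_and_run` are names chosen here, not part of any tool.

```shell
#!/bin/sh
# Added example: verify a downloaded installer before running it, instead of `curl | sh`.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print numbered lines of an installer that deserve a read before it runs
# (network fetches, privilege escalation, destructive commands, obfuscation).
flag_risky_lines() {
    grep -nE 'curl|wget|sudo|rm -rf|eval|base64|/dev/tcp' "$1" || true
}

# Return 0 only when the file's hash equals the expected one (hex, any case).
hash_matches() {
    actual=$(file_sha256 "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Run the installer only if it verifies; otherwise leave it on disk for inspection.
verify_and_run() {
    script="$1"; expected="$2"
    if hash_matches "$script" "$expected"; then
        sh "$script"
    else
        echo "refusing to run $script: sha256 $(file_sha256 "$script") != $expected" >&2
        return 1
    fi
}

# Constructed stand-in for a downloaded installer (harmless: prints one line).
DEMO_SCRIPT=$(mktemp)
printf '#!/bin/sh\necho "installer ran"\n' > "$DEMO_SCRIPT"
# In practice this value comes from the vendor's release page, not from the file itself;
# it is computed here only so the demo can run offline.
DEMO_HASH=$(file_sha256 "$DEMO_SCRIPT")

# Constructed example of an installer that should be read, never executed blindly.
SKETCHY_SCRIPT=$(mktemp)
printf '#!/bin/sh\necho "setting up"\ncurl -fsSL https://example.invalid/x | sudo sh\n' > "$SKETCHY_SCRIPT"

# Usage on a real download (placeholders):
#   curl -fsSLo installer.sh https://vendor.example/install.sh
#   flag_risky_lines installer.sh
#   verify_and_run installer.sh <sha256-from-release-page>
echo "lines worth reading in $SKETCHY_SCRIPT:"
flag_risky_lines "$SKETCHY_SCRIPT"
verify_and_run "$DEMO_SCRIPT" "$DEMO_HASH"
```

    The point of the two-channel hash is that a hash printed by the same server that serves the script proves nothing; the check only buys you something when the expected value comes from somewhere the script's host cannot rewrite.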




  • mlg@lemmy.world to Selfhosted@lemmy.world: Docker security
    17 upvotes, 1 downvote · 5 months ago

    How I sleep knowing Fedora + podman actually uses safe firewalld zones out of box instead of expecting the user to hack around with the clown show that is ufw.

    I could be wrong here but I feel like the answer is in the docs itself:

    If you are running Docker with the iptables or ip6tables options set to true, and firewalld is enabled on your system, in addition to its usual iptables or nftables rules, Docker creates a firewalld zone called docker, with target ACCEPT.

    All bridge network interfaces created by Docker (for example, docker0) are inserted into the docker zone.

    Docker also creates a forwarding policy called docker-forwarding that allows forwarding from ANY zone to the docker zone.

    Modify the zone to your security needs? Or does Docker reset the zone rules every startup? If this is the same as podman, the docker zone should actually accept traffic from your public zone which has your physical NIC, which would mean you don’t have to do anything since public default is to DROP.
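    The quoted docs describe a `docker` zone with target ACCEPT plus a `docker-forwarding` policy from ANY zone; whether that combination is what a given host actually has is something you can check rather than guess. Added example, not from this thread or from Docker's or firewalld's documentation: a POSIX shell audit that parses the output of `firewall-cmd --info-zone=docker` and `firewall-cmd --info-policy docker-forwarding` and reports when the zone accepts by default and any zone (including the one holding the physical NIC) may forward into it. The sample outputs embedded below are constructed in the shape firewall-cmd prints; the function names are chosen here and are not firewalld commands.

```shell
#!/bin/sh
# Added example: audit the firewalld zone and policy that Docker creates.

# Extract the zone's default target ("ACCEPT", "DROP", ...) from --info-zone output on stdin.
zone_target() {
    sed -n 's/^[[:space:]]*target: //p' | head -n 1
}

# List the interfaces bound to the zone, one per line.
zone_interfaces() {
    sed -n 's/^[[:space:]]*interfaces: //p' | tr ' ' '\n' | sed '/^$/d'
}

# Extract the ingress zones of a policy ("ANY", "public", ...) from --info-policy output on stdin.
policy_ingress() {
    sed -n 's/^[[:space:]]*ingress-zones: //p' | head -n 1
}

# Return 0 when the zone accepts by default AND the forwarding policy lets any zone
# forward into it; that is the setup the Docker docs describe, so review published ports.
docker_zone_is_wide_open() {
    zone_info="$1"; policy_info="$2"
    tgt=$(printf '%s\n' "$zone_info" | zone_target)
    ingress=$(printf '%s\n' "$policy_info" | policy_ingress)
    [ "$tgt" = "ACCEPT" ] && [ "$ingress" = "ANY" ]
}

# Constructed sample outputs in the shape of `firewall-cmd --info-zone=docker` and
# `firewall-cmd --info-policy docker-forwarding`; replace with live output on a real host.
SAMPLE_ZONE='docker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0 br-0a1b2c3d4e5f
  sources:
  services:
  ports:'
SAMPLE_POLICY='docker-forwarding (active)
  priority: -1
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: docker
  services:'
# Same shape, but a policy restricted to a single ingress zone (constructed).
RESTRICTED_POLICY='docker-forwarding (active)
  priority: -1
  target: CONTINUE
  ingress-zones: internal
  egress-zones: docker
  services:'

# Live usage (root or a user with firewalld access):
#   docker_zone_is_wide_open "$(firewall-cmd --info-zone=docker)" \
#                            "$(firewall-cmd --info-policy docker-forwarding)"
if docker_zone_is_wide_open "$SAMPLE_ZONE" "$SAMPLE_POLICY"; then
    echo "docker zone accepts by default and any zone may forward into it; review what you publish with -p"
    printf '%s\n' "$SAMPLE_ZONE" | zone_interfaces | sed 's/^/  bridge in docker zone: /'
else
    echo "docker zone is not accept-from-anywhere"
fi
```

    Note what the check does and does not tell you: the policy governs forwarding into the container bridges, which is what makes a port published with `-p` reachable from the NIC's zone, so a positive result means the exposure of your containers is decided by what you publish rather than by the public zone's DROP default.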




  • Ubuntu and Docker.

    Really? Netplan alone disqualifies Ubuntu as a “friendly stable starter distro”, and I can guarantee you that your guide will somehow become outdated with a single new Ubuntu release, or some poor soul who accidentally selected an LTS release.

    Docker doesn’t matter as much, but there’s a reason beyond just FOSS licensing why podman exists.

    Would highly recommend Debian instead.

    I started on Ubuntu similar to this many years ago and both the server and desktop experience were not fun at all.




  • I kinda hate to agree with the other suggestions here, but entry level and even dedicated NAS products are pretty expensive for providing something you can very easily DIY for significantly cheaper even with the latest hardware.

    Was in a similar boat and just ended up taking an old HP desktop and added some cheap HDDs. I ended up playing around with proper Fedora for some LVM cache tricks and running some other services, but the common suggestion for this is SnapRAID and Nextcloud.



  • There’s more *arr tools that aren’t aggregator automation tools than there are aggregator automation tools.

    Also, it was only funny when using existing words like “sonar”, “radar”, “lidar”. Jellyseerr is dumb, even Jackett was pushing it.

    I guess it makes it somewhat easier to associate them as part of a group of software, but now we have stuff like Homarr that is entirely unrelated, but still a useful tool.


  • mlg@lemmy.world to Selfhosted@lemmy.world: Proxmox or Docker?
    5 upvotes · 8 months ago

    Proxmox or even just lazy old KVM GUI for anything that needs to be deployed manually in a VM (Home Assistant, Windows VM, etc.). Otherwise you can even just spin up whatever manual service you want to run on an LXC container or bare metal host with the correct security settings with systemd and selinux if you want to be extra careful.

    Docker/Podman (the superior one lol) is just an automated deployment system in container form (like Ansible). It’s great for automated deployment without having to manually configure the installation process and worry about upgrades, changes, etc. You can even easily create your own images on the fly just for the purpose of having it run a single service inside a container.

    Proxmox equivalent would be like using Terraform/OpenTofu to deploy VMs to do the same thing. It’s possible, but just not that common because of the reduced overhead with containers, and well supported deployment images with docker/podman specifically.

    Generally speaking, I’ve seen proxmox used more in lab environments where you want to emulate something like a complete network of machines whereas docker/podman has become the de facto server deployment platform.

    You’re just much more likely to find software with a published docker container and default docker compose script than the same thing in Terraform or even K8s/K3s.


  • mlg@lemmy.world to Selfhosted@lemmy.world: goodbye plex
    10 upvotes · 10 months ago

    Does jellyfin do untranscoded video/audio?

    Haven’t used it in years but finally building up my media server again and I remember it had some funky settings for hardware encoding back then which I didn’t need because I was connecting to it via a repurposed gaming laptop that could easily handle 4k content and surround sound by itself.



  • You might want to check what the actual hardware is first. You’ll probably be fine, but client 802.11 hardware can sometimes be underwhelming for hosting because they don’t have good stuff like beefed up MU-MIMO.

    Although that’s assuming you will have a lot of traffic going through it, so you could always just test throughput and latency with iperf to see how well it functions.


  • mlg@lemmy.world to Selfhosted@lemmy.world: Self host websites
    4 upvotes · 1 year ago

    It depends on what it is really + convenience. There are lots of morons out here running basic info sites on full beefy datacenter VMs instead of a proper cloud webhost service.

    The most you’d be getting out of cloud is reliability. Self host assumes you don’t have any bottlenecks (easy enough to pass), but also 99% uptime which is impossible unless you are running with site redundancy (also possible, but I doubt how many people own multiple properties with their own distributed or private cloud solution).

    If 95% uptime is acceptable, and you don’t live in an area with outage issues from weather, I’d say go for it. Otherwise, you can find some pretty cheap cloud solutions for basic websites. Even a cheapo VPS would probably work just fine.