Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Assuming you’re accessing the service (Peertube in this case) from a web browser and not an app - a thing I decided on “good enough” plus “easy enough” is Authentik sitting in front of the service.
Thought process is: Peertube or some other service’s first job is the purpose for the service, so security likely won’t be as good as a service whose first job is security.
Authentik can also do stuff like OIDC if the service likes it - and you can chain them together. I’ve got services that hit Authentik 1st and then after you’re allowed to talk to service then you can log in with Authentik OIDC. Some services seem to do it seamlessly, some make you click a “log in with Authentik” again - either way painless enough. Everyone I know is haunted by the MS “remember this login y/n” page that pops up every time you log into some stupid MS thing and it never matters if you choose y or n, it’ll be back. So even 2 steps are chill in comparison for them.
Harden Authentik, and then you can apply it to any other service you want in the future too (maybe Stirling PDF, don’t even need users for that). (Feel free to harden Peertube though too - just less important and likely not needed!)
Lastly: I say “not an app” because apps can’t deal with hitting Authentik 1st afaik. APIs for apps or other purposes can be cleared to go to the service directly if you’re confident that that’ll be ok (authenticated gets and limited scope of puts, etc. but I’m unfamiliar how to be truly confident in an API’s security). But like Jellyfin’s API is too dangerous to expose so no go on that - it’s VPN city.
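The layout described in the comment above, sketched as a Caddy site block. This is an added example, not the commenter's configuration: the hostnames, ports and the choice of Caddy as the reverse proxy are assumptions, and `/api/v1/*` is used as the path an app would call.

```caddyfile
# Added example. Assumed names: peertube.example.com (public site),
# authentik.internal:9000 (Authentik embedded outpost),
# peertube.internal:9000 (the service being protected).
peertube.example.com {
	# Outpost endpoints (login redirect and callback) have to be reachable
	# without a session, otherwise nobody can ever sign in.
	handle /outpost.goauthentik.io/* {
		reverse_proxy http://authentik.internal:9000
	}

	# Narrow bypass for API clients that cannot follow the login redirect.
	# Requests here are protected only by the service's own token checks,
	# so keep the matcher as small as the clients allow.
	handle /api/v1/* {
		reverse_proxy http://peertube.internal:9000
	}

	# Default: every other request must pass Authentik first.
	handle {
		forward_auth http://authentik.internal:9000 {
			uri /outpost.goauthentik.io/auth/caddy
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
			trusted_proxies private_ranges
		}
		reverse_proxy http://peertube.internal:9000
	}
}
```

The catch-all `handle` block makes authentication the default, so a path missing from the bypass list fails closed instead of being exposed.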
Really good point. I see many selfhost instructions now that say 'we don't bother with HTTPS, just use a proxy to handle that' and maybe auth should go the same way as in there's good solutions that specialise in auth so it's not worth each project doing it themselves.
Another good consideration. There is an early Peertube app but I doubt my users will be using it, web access is fine for this. Perhaps apps for things like Lemmy/Mastodon/Peertube etc will need to work better with these auth frontends in future.