Selfhosted

Used to mess around with multiple Apache Proxy Servers. When I left that job I found Docker and (amongst other things) NPM and I swear, I stared at the screen in disbelief on how easy the setup and config was. All that time we wasted on Apache, the issues, the upgrades, the nightmare in setting it all up...

If I were to do that job again I would not hesitate to use NPM 100% and stop wasting my time with that Apache Proxy mess.

NPM is awesome until you have a weird error that the web GUI does not give a hint about the problem. Used it for years at this point and wouldn't consider anything else at this point. It just works and is super simple.

+1 for NPM! Used to even do things manually, but I'm too lazy for that and NPM fulfils nearly all my use cases lol

@randombullet@programming.dev

Don’t listen to this guy. You don’t have to turtle all your stuff inside a VPN if you don’t want to. Hosting services on the internet is what the internet was created for. It’s up to you whether what you want to host is exposed to the internet or not, and as long as you’re aware of the risks do what you want man. I will mention that Immich specifically might not be the best idea to expose since it’s so unstable, but that depends on your level of comfortability. Worst case scenario is somebody gets into your Immich and can see all your photos. Would this be a dealbreaker for you? If so don’t expose it publicly. Otherwise you’re perfectly fine.

I want to be able to upload/download/share my photos from anywhere in the world without using a VPN. Additionally, this satisfies the wife requirement. It works in the background without her needing her to turn on the VPN. I don't want her to keep asking me how do I turn on the VPN? If it's just me, then no issue, I'll use a VPN.

I don’t even bother with the internal DNS server. I just set my A records in Cloudflare to point to the private IPs

You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications.

Excuse me what? Here's my dumb ass navigating to "[device name]:[port] over tailscale.

I've tried this a couple times and I've always failed. I could never figure out how to get a http://service.domain request to my Nginx install to be proxied in the first place. I tried putting pihole on tailscale and setting that as tailscale's DNS. It blocked ads but I couldn't navigate to custom domains. I put NPM on tailscale hoping that was the issue. I looked for LocalDNS/CNAMES in tailscale to see if I could do it that way. Do I have to set a local machine as an exit node and do split DNS shenanigans, service.domain goes through to my local and everything else the wider web? Do I set a router node?!

Not expecting you to troubleshoot, I don't have time to see it through anyhow. Just annoyed at myself I couldn't figure it out and driven to try again.

Opening it up lets you use it from devices that aren't on tailscale, or for friends and family. I have the same idea with Nebula instead of Tailscale, if I can figure it out.

The only thing I don't like about caddy is that using DNS challenge requires recompiling the program itself, and the plugins themselves can be a bit quirky. Mind you, you can easily handle this with a separate program like lego or certbot so not a huge deal.

I'll try to ELI5, if there's something you don't understand ask me.

Op has a home server where he's running immich, that's only accessible when he's at home via the IP, so something like http://192.168.0.3:3000, so he installed Tailscale on that server. Tailscale is a VPN (Virtual Private Network) that allows you to connect to your stuff remotely, it's a nice way to do it because it is P2P (peer-to-peer) which means that in theory only he can access that network, whereas if he were using one of the many VPNs people use for other reasons, other people on the same VPN could access his server.

Ok, so now he can access his immich instance away from home, all he has to do is connect to the VPN on his phone or laptop and he'll be able to access it with something like http://my_server:3000 since Tailscale adds a DNS (Domain Name System) which resolves the hostnames to whatever IP they have on the Tailscale network.

But if you want to give your family access it's hard to explain to them that they need to connect to this VPN, so he rented a VPS (Virtual Private Server) on some company like DigitalOcean or Vultr and connected that machine to the Tailscale network. He probably also got a domain name from somewhere like namecheap, and pointed that domain name to his VPS. Só now he can access his VPS by using ssh user@myserver.com. Now all he needs to do is have something on the VPS which redirects everything that comes to a certain address into the Tailscale machine, Caddy is a nice way to do this, but the more traditional approach is ngnix, so if he puts Caddy on that VPS a config like this:

immich.myserver.com {
    handle {
        reverse_proxy my_server.tailscale.network.name:3000
    }
}

Then any requests that come to https://immich.myserver.com will get redirected to the home server via Tailscale.

It is a really nice setup, plus OP also added authentication and some other stuff to make it a bit more secure against attacks directly on immich.

Pretty much I have caddy on a VPS that's pointing to my internal IP using a tailscale tunnel. You are still exposing the web gui to the Internet so I just changed authentication to OAuth to mitigate since risk. There is still a possibility of attacks via zero days, but my immich is on a VM and I'm creating firewall rules to just allow certain ports out.

It does a couple things. It's one service that routes requests to multiple services. So if you have radarr, sonarr, etc., you can put a reverse proxy in front and use the same ip-port to connect to all, and the proxy routes the request to the service by hostname.

If you have multiple instances of the same service for HA, it can load balance between them (though this is unlikely for a homelab).

Personally I run all my services through docker and put traefik in front, so that I don't have to keep track of ports. It's all by name.

It's also nice because traefik handles HTTPS termination, so it automatically gets certs for each name, and the backing service never needs to worry about it (it's http on the backend, but all that traffic is internal).

I don't think a tailscale tunnel helps this anyway, maybe just from standard antispoofing and geoblocks, but it still gets to the application in full eventually, when they can do what they'd do if it was directly exposed. The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access. And they could request another page that has an entirely different surface.

If someone has Nextcloud exposed, I'm not stopping at the /login page that comes up by default and hitting it with a rainbow table; I'm requesting remote.php where all the access goodies are. That has a huge surface that bypasses the login screen entirely, might not be rate limited, and maybe there's something in webdav that's vulnerable enough that I don't need a correct token, I just need to confuse remote.php into letting me try to pop it.

You can improve this by putting a basic auth challenge at least in front of the applications webpage. That would drastically reduce the potential endpoints.

I only let things I trust are secure (e.g. ssh) have access from the internet, other services I hide behind a VPN (e.g. Tailscale).