DeltaTangoLima

joined 1 year ago
[–] DeltaTangoLima@reddrefuge.com 1 points 6 months ago (1 children)

You do need to be able to reach your public IP to be able to VPN back in. I have a static IP, so no real concerns there. But, even if I didn't, I have a Python script that updates a Route53 DNS record for me in my own domain - a self-hosted dynamic DNS really.

You certainly can run a WireGuard server in a docker container - the good folks over at Linuxserver have just the repo for you.
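The self-hosted dynamic DNS idea above, written out as an added example (this is not the poster's script, which is not shown on the page). It fetches the host's public IP from an echo service, refuses to publish anything that is not a routable public IPv4 address, reads the current Route53 A record and only submits an UPSERT when the value actually changed. The hosted zone ID, record name and the ipify URL are placeholders, and `FakeRoute53` is an in-memory stand-in for the boto3 client so the logic can be exercised offline; the `__main__` block shows the real client call. The IAM identity running this should be allowed only `route53:ListResourceRecordSets` and `route53:ChangeResourceRecordSets` on that one hosted zone.

```python
"""Self-hosted dynamic DNS against Route53: look up the current A record,
compare it with the host's public IP, and UPSERT only when they differ."""
import ipaddress
import urllib.request

# Placeholder values for illustration only (not from the original post).
HOSTED_ZONE_ID = "Z0123456789EXAMPLE"
RECORD_NAME = "vpn.example.net"
TTL = 60


def fetch_public_ip(url: str = "https://api.ipify.org", timeout: int = 5) -> str:
    """Ask an external echo service (assumed here) for our public IPv4 address."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode().strip()


def validate_public_ipv4(text: str) -> str:
    """Reject anything that is not a routable public IPv4 address before it is
    written into DNS. The echo service is untrusted input: a bogus or spoofed
    reply must not be able to point the VPN endpoint at an arbitrary address."""
    ip = ipaddress.ip_address(text)          # raises ValueError on garbage
    if ip.version != 4 or not ip.is_global:  # drops RFC1918, loopback, CGNAT, etc.
        raise ValueError(f"not a public IPv4 address: {text}")
    return str(ip)


def current_record_value(route53, zone_id: str, name: str):
    """Return the A record's current value, or None if no record exists.
    Route53 stores names with a trailing dot, so normalise before comparing."""
    fqdn = name.rstrip(".") + "."
    resp = route53.list_resource_record_sets(
        HostedZoneId=zone_id, StartRecordName=fqdn, StartRecordType="A", MaxItems="1"
    )
    for rrset in resp.get("ResourceRecordSets", []):
        if rrset["Name"] == fqdn and rrset["Type"] == "A":
            return rrset["ResourceRecords"][0]["Value"]
    return None


def build_change_batch(name: str, ip: str, ttl: int) -> dict:
    """The ChangeBatch document Route53 expects for an A record UPSERT."""
    return {
        "Comment": "dynamic DNS update",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name.rstrip(".") + ".",
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ip}],
            },
        }],
    }


def update_if_changed(route53, zone_id: str, name: str, new_ip: str, ttl: int = TTL) -> bool:
    """UPSERT the record only when the public IP actually changed.
    Returns True if a change was submitted, False if the record was already correct."""
    new_ip = validate_public_ipv4(new_ip)
    if current_record_value(route53, zone_id, name) == new_ip:
        return False
    route53.change_resource_record_sets(
        HostedZoneId=zone_id, ChangeBatch=build_change_batch(name, new_ip, ttl)
    )
    return True


class FakeRoute53:
    """Minimal in-memory stand-in for boto3's Route53 client so the example runs
    offline. It implements only the two calls used above, with the same shapes."""
    def __init__(self, records=None):
        self.records = dict(records or {})   # fqdn (with trailing dot) -> ip
        self.changes = []                    # every ChangeBatch submitted

    def list_resource_record_sets(self, HostedZoneId, StartRecordName, StartRecordType, MaxItems):
        sets = []
        if StartRecordName in self.records:
            sets.append({"Name": StartRecordName, "Type": "A", "TTL": TTL,
                         "ResourceRecords": [{"Value": self.records[StartRecordName]}]})
        return {"ResourceRecordSets": sets}

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        for change in ChangeBatch["Changes"]:
            rrset = change["ResourceRecordSet"]
            self.records[rrset["Name"]] = rrset["ResourceRecords"][0]["Value"]
        self.changes.append(ChangeBatch)
        return {"ChangeInfo": {"Status": "PENDING"}}


if __name__ == "__main__":
    import boto3  # the real client; a cron job would use this instead of FakeRoute53
    client = boto3.client("route53")
    changed = update_if_changed(client, HOSTED_ZONE_ID, RECORD_NAME, fetch_public_ip())
    print("record updated" if changed else "record already current")
```

Run it from cron every few minutes; because it compares before writing, an unchanged IP costs one read and no Route53 change, and a bad echo-service response is rejected rather than published.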

[–] DeltaTangoLima@reddrefuge.com 3 points 6 months ago (3 children)

This may take us down a bit of a rabbit hole but, generally speaking, it comes down to how you route traffic.

My firewall has an always-on VPN connected to Mullvad. When certain servers (that I specify) connect to the outside, I use routing rules to ensure those connections go via the VPN tunnel. Those routes are only for connectivity to outside (non-LAN) addresses.

At the same time, I host a server inside that accepts incoming WireGuard client VPN connections. Once I'm connected (with my phone) to that server, my phone appears as an internal client. So the routing rules for Mullvad don't apply - the servers are simply responding back to a LAN address.

I hope that explains it a bit better - I'm not aware of your level of networking knowledge, so I'm trying not to over-complicate just yet.

[–] DeltaTangoLima@reddrefuge.com 3 points 6 months ago (2 children)

Yeah, this is why I jumped ship to Immich last year. I was donating to PP, with the understanding that donating users would get access to multi-user features when they happened.

Then they put them behind a paid recurring subscription. For self-hosted users. That move broke all the trust with me.

[–] DeltaTangoLima@reddrefuge.com 1 points 6 months ago (5 children)

Mullvad is great for outbound VPN, but inbound is a PITA without port forwarding (as you've said). I just host a WireGuard container for inbound connectivity now, and it works flawlessly.

[–] DeltaTangoLima@reddrefuge.com 11 points 6 months ago (1 children)

The first time or the second time?

The first time was because I was sick of paying the "Australia tax" for new releases that took longer to reach us than most of the rest of the world. The second time was due to subscription fee hikes with associated reduction in quality & range of content.

[–] DeltaTangoLima@reddrefuge.com 1 points 6 months ago

I just wish SmartTube would support Piped instances - that would 100% complete the puzzle for me. Being able to use Piped on my streaming stick.

[–] DeltaTangoLima@reddrefuge.com 17 points 6 months ago (1 children)

increasingly uncomfortable with paying forever

And paying more and more as time goes on. The thing that shits me the most is the increased prices but decreased range/quality of content. That's clearly not a business model aimed at customer satisfaction.

[–] DeltaTangoLima@reddrefuge.com 18 points 6 months ago

For my wife, I have a separate library folder, mapped to just her account in Plex. It doesn't appear in my library at all, so I don't really care. Even better, I've spun up an Overseerr instance for her, so she can just search and auto-add anything she wants for herself.

[–] DeltaTangoLima@reddrefuge.com 1 points 6 months ago
  • Phone: yoda
  • Desktop: bb8
  • Firewall: c3po
  • Switch: macewindu
  • NASes:
    • anakin
    • r2d2
  • Wireless APs:
    • biggs
    • garven
    • poe
    • typho
    • thane
    • wedge (virtual controller)
  • Proxmox nodes:
    • chewy
    • hansolo
    • obiwan
  • Raspberry Pis:
    • bobafett
    • lando
    • jangofett
    • quigon
    • rey
    • finn
[–] DeltaTangoLima@reddrefuge.com 5 points 7 months ago* (last edited 7 months ago)

Not heaps, although I should probably do more than I do. Generally speaking, on Saturday mornings:

  • Between 2am-4am, Watchtower on all my docker hosts pulls updated images for my containers and notifies me via Slack. Then, over coffee when I get up:
    • For containers I don't care about, Watchtower auto-updates them as well, at which point I simply check the service is running and purge the old images
    • For mission-critical containers (Pi-hole, Home Assistant, etc), I manually update the containers and verify functionality, before purging old images
  • I then check for updates on my OPNsense firewall, and do a controlled update if required (needs me to jump onto a specific wireless SSID to be able to do so)
  • Finally, my two internet-facing hosts (Nginx reverse proxy and WireGuard VPN server) auto-update their OS and packages using unattended-upgrades, so I test inbound functionality on those

What I still want to do is develop some Ansible playbooks to deploy unattended-upgrades across my fleet (~40ish Debian/docker LXCs). I fear I have some tech debt growing on those hosts, but have fallen into the convenient trap of knowing my internet-facing gear is always up to date, and I can be lazy about the rest.

[–] DeltaTangoLima@reddrefuge.com 2 points 7 months ago

Believe it or not, a Netgear. Specifically this one. I don't have any fibre connected gear (yet!) and 180W of PoE+ was more than enough for my few PoE cameras and WAPs.

[–] DeltaTangoLima@reddrefuge.com 7 points 7 months ago* (last edited 7 months ago)

Yeah, 100% agree on the client devices. One of my VLANs is for the kids' devices. I don't trust their schools' admins or their shitty BYOD policies, so I just let them access Plex (via Nginx reverse proxy); Pi-hole; and the internet.
