Ahoy mateys! I’ve been doing some research into getting a self-hosted streaming setup built, and I’d like to ask the knowledgeable folks here for advice as well.

My goal is to be running a server that can host a jellyfin stack for acquiring and streaming media for myself and my partner. (I’d like to also run a matrix chat server on it for us to have secure chats as well, but I think that’ll be less of a hassle. I hope…)

I found a few guides that don’t seem too out of date. I’m an experienced full stack software dev, so the idea of running some docker containers and doing a little command line server setup doesn’t intimidate me.

These guides though, they just cover the software application setup mainly. I also need to know:

  • Where should I host at? I’m on a shitty 5G internet at home, so VPS seems like the way to go but with who? What are some good secure hosts that aren’t super expensive? Considering Hetzner auctions maybe? Anyone used them?
  • Will I need a VPN on the server too? If I’m torrenting, do I need to be careful which hosts I choose so I don’t get copyright pinged?
  • Is there a good guide for securing and hardening my server? I’d like my partner and I to have easy access from home or on our mobiles, but I also don’t want to find out my box is suddenly mining crypto because I forgot to close one port. I don’t know what gotchas to be looking out for.
  • Any other guides you’d recommend? Any must have software or sites to know about?

Thanks in advance!

  • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com [M] · 2 upvotes · edited 27 minutes ago

    > Where should I host at?

    Recently I became a huge fan of just renting a small dedicated server with a seedbox provider. Because they are specialized in providing hosting for pirates, they are usually located in jurisdictions that don’t give a fuck about the American DMCA. Check out seedhost.eu, they aren’t as expensive, or Appbox.

    > Will I need a VPN on the server too? If I’m torrenting, do I need to be careful which hosts I choose so I don’t get copyright pinged?

    Not if you use a seedbox or a dedicated server hosted by a seedbox provider.

    > Is there a good guide for securing and hardening my server?

    Just follow some basic Linux server hardening advice, e.g. disable SSH root login, disable password login and use SSH keys, don’t open unnecessary ports in your firewall, etc. If you’re feeling fancy, you can set up an SSH tarpit on default port 22 and use a different port for actually logging in. This massively wastes the time of script kiddies who run automated SSH scanners.

    > I’d like my partner and I to have easy access from home or on our mobiles

    For that I recommend Tailscale or Netbird.

    > Any other guides you’d recommend?

    @db0@lemmy.dbzer0.com posted an amazing guide some time ago: https://lemmy.dbzer0.com/post/5911320

    > Any must have software or sites to know about?

    I like bitmagnet, it lets you run your own torrent indexer. It’s basically your own, self-hosted alternative to SolidTorrents, BitSearch or BTDigg.
    Also check out Flood if you want a nicer web frontend for rTorrent, qBittorrent, Transmission or Deluge.
    Transdroid is pretty nice if you want to control the torrent client on your server from your Android phone.
    There’s also qBitController if you use qBittorrent, or qBitControl if you’re on iOS, but you have to sideload it using AltStore.

    Also make sure to join !qbittorrent@lemmy.dbzer0.com, !seedboxes@lemmy.dbzer0.com, !trackers@lemmy.dbzer0.com and !PrivateTrackers@lemmy.dbzer0.com.
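
Added example, not part of the comment above or of any project named in this thread: a small audit of `sshd_config` text for the settings the comment lists (root login, password login, SSH port). It shows a common gotcha: sshd keeps the first value it reads for a keyword, so a hardening line appended at the end of the file loses to an earlier one. The sample config is constructed, and `Include` files are not followed.

```python
import re

# Upstream OpenSSH values used when a keyword is absent (see sshd_config(5)).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

def parse(config_text):
    """Return (global settings, listening ports, Match blocks) from sshd_config text."""
    glob, ports, matches, current = {}, [], [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                      # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                          # a Match block runs to the next Match or EOF
            current = {"criteria": value, "settings": {}}
            matches.append(current)
        elif key == "port" and current is None:
            ports.append(int(value))                # Port may repeat; all values are used
        else:
            target = glob if current is None else current["settings"]
            target.setdefault(key, value)           # first value wins, later ones are ignored
    return glob, ports or [22], matches

def audit(config_text):
    """Return (ports, findings) for the settings in WANTED."""
    glob, ports, matches = parse(config_text)
    findings = []
    for key, want in WANTED.items():
        got = glob.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"global {key} is '{got}', expected '{want}'")
        for m in matches:
            over = m["settings"].get(key)
            if over is not None and over != want:
                findings.append(f"Match {m['criteria']} sets {key} to '{over}'")
    return ports, findings

# Constructed sample: an early permissive line, hardening appended later, one Match override.
SAMPLE = """\
PasswordAuthentication yes
Port 2222
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""
print(audit(SAMPLE))
```

On a real host, `sshd -T` prints the configuration sshd actually resolves, including included files, and is the authoritative check.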

  • Xanza@lemm.ee · 7 upvotes · 16 hours ago

    So, docker is a viable solution, but since you’re a fullstack and will likely add more shit than you can imagine in the future, you might as well set up a proper solution.

    Check out Proxmox. It’s a management platform that allows you to run containers and just about everything else you need for self-host. In addition to that, I recommend getting a very small VPS with a domain to reverse proxy your services if you want. I highly recommend caddy2 for this as it does rproxy and even ssl seamlessly.

    > I’m on a shitty 5G internet at home, so VPS seems like the way to go but with who?

    Considering you have a poor internet connection, you’d want to keep as much locally as possible. You’re not going to be able to stream HD movies with shitty internet if you host your media on a remote server, but if you rely on a local wifi network, it’s fine. You won’t have remote access to your movies (I mean you can, but like you said, shitty internet) it’s not going to be awesome. Other services like your matrix server would be fine, but since you’re self-hosting, might as well host them at home, too. Matrix isn’t exactly resource heavy and doesn’t require a shit ton of upload to make usable.

    > If I’m torrenting, do I need to be careful which hosts I choose so I don’t get copyright pinged?

    If you’re on 5G, and you torrent, you’ll be found out almost immediately, even with a VPN. I highly recommend a seedbox. Download to the seedbox, then use rclone or something to grab the files to your local NAS cluster (in proxmox) then stream the videos locally.

    > Is there a good guide for securing and hardening my server?

    I always recommend 2 things when dealing with *nix servers;

    1. Run SSH from a non-standard port and drop connections on port 22.
    2. Only open ports you’re using.

    IMO this is really the only hardening you need, especially if you’re working with rproxy and the ports only have to be opened locally or tunneled.
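
Added example, not part of the comment above: a check of `ss -tln` output for sockets listening on every interface that are not on an allowlist, which is the "only open ports you’re using" rule in testable form. The allowlist, the port numbers and the sample output are constructed assumptions.

```python
import ipaddress

ALLOWED_PUBLIC = {2222}   # assumption: only the relocated SSH port should face the internet

def classify(addr):
    """Return 'wildcard', 'loopback' or 'specific' for an ss local address."""
    addr = addr.strip("[]").split("%")[0]      # drop IPv6 brackets and any %interface suffix
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"

def exposed_ports(ss_output, allowed=ALLOWED_PUBLIC):
    """Return sorted ports bound to all interfaces that are not in `allowed`."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                            # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if classify(addr) == "wildcard" and int(port) not in allowed:
            exposed.add(int(port))
    return sorted(exposed)

# Constructed sample of `ss -tln` output: SSH on 2222, one service bound to
# loopback only (reachable through a reverse proxy or tunnel), the local DNS
# stub, and two services left listening on all interfaces.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*
LISTEN 0      128             [::]:2222         [::]:*
LISTEN 0      4096       127.0.0.1:8096      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      4096               *:9091            *:*
LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*
"""
print(exposed_ports(SAMPLE_SS))
```

A port flagged here is only reachable from outside if the firewall also allows it, so treat the result as the list of services to rebind to loopback or a tunnel address, or to cover with an explicit firewall rule.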

    • shaserlark@sh.itjust.works · 3 upvotes · 5 hours ago

      I’ve read a lot about using a VPS with reverse proxy but I’m kind of a noob in that area. How exactly does that protect my machine? Couldn’t an attacker with access to the VPS still harm my local machine? Currently I’m just using a WireGuard tunnel to log into my server, from what I understand you’d tunnel the service from the VPS to the homeserver and then on the VPS URL you could watch right m?

      And do I understand correctly that since we’re using the reverse proxy the possible attack surface just from finding the domain would be limited to the web interface of e.g. Jellyfin?

      Sorry for the chaotic & potentially stupid questions, I’m just really a confused beginner in this area.

    • deathbird · 3 upvotes · 8 hours ago

      I’d also suggest authentication by key file.

      • noli@lemm.ee · 1 upvote · 5 hours ago

        This is the way to go. I also run sshguard on all publicly-accessible hosts just to reduce traffic from bots, otherwise I just ssh over tailscale.

  • Evkob (they/them)@lemmy.ca · 13 upvotes · 20 hours ago

    I recommend posting in !selfhosted@lemmy.world, really helpful community there (although I’d refrain from specifically mentioning piracy).

    I’ve heard Hetzner is quick to crack down on piracy. Some VPS hosters advertise that they don’t acknowledge DMCA requests, such as Njalla and 1984 (I’ve never used these, just found them by searching Lemmy). If you want to go with a traditional hoster I’ll echo what the other person said and recommend Gluetun to bind your container to a VPN service.

    For security, if it’s just for you and your partner I’d just set up a Wireguard server on the VPS and tunnel into it that way. You’ll have to set up the VPN on any device you want to access your server with, which is a hassle, but I’d much prefer the small hassle than the constant worrying of hosting publicly-accessible services. Otherwise, I’d set up something like Crowdsec or Fail2Ban.

  • ClownsInSpace2@lemm.ee · 14 upvotes · 20 hours ago

    For the VPN, check out gluetun. Route your torrenting client container through this to funnel all the traffic through a VPN of your choice. I use this for my server.

    • _cryptagion [he/him]@lemmy.dbzer0.com · 3 upvotes · 17 hours ago

      Commenting to additionally note that Dockers can be found for both torrent and usenet clients that already have their traffic routed through gluetun without further work. I use the Binhex versions of SABnzbd and qBittorrent. You just gotta put in your VPN info.

  • DesolateMood@lemm.ee · 6 upvotes · 19 hours ago

    1. I host at home so unfortunately can’t give you any advice on a vps

    2. If you’re torrenting, yes I would recommend a VPN. If you’re setting up docker containers, gluetun is what you want to use. It’s a client you can use to connect to most major VPN providers

    3. You don’t need to open your server to the internet for you or your partner to remotely access it. You can use tailscale (or manually set up wireguard) to remotely access it without exposing anything. Alternatively, if you still want to open it, you can use fail2ban. I don’t know enough about networking to tell you exactly how secure it makes you, but assuming you’re a normal guy who isn’t pissing off any major corporations/states/etc it’s probably fine

    4. I haven’t clicked on any of the links you provided, but I assume they mention the *arr stack. Some other goodies that may not have been mentioned though are jellyseerr, which has a nice frontend to search and request movies and TV, and homarr, which is a dashboard you can set up to sync with your other hosted apps. I have a couple extra I could tell you if you want, but I think these are the most important for a basic “official feeling” setup