• 0 Posts
  • 37 Comments
Joined 1 year ago
Cake day: January 24th, 2024

  • If you’re running externally, use a cloudflare tunnel.

    No ports exposed = no attack surface. This is 99% of security.

    HTTPS is provided by CF, although it only secures comms between your devices and CF, not CF to your Pi, meaning CF can technically see clear text.

    If that’s not good enough then use a VPN server like PiVPN and put it on your Pi and OpenVPN on your devices. *This has nothing to do with paid VPN client subscriptions like Tunnelbear or Proton or whatever.*

    You will be running a VPN server on your pi to which you will connect from your devices on which you want to watch JF by downloading a device profile to your devices and opening it in the OpenVPN app.

    You do not need to pay for anything at all anywhere ever (other than something for DDNS and a domain name), use a strong password and make sure your JF is updated if there’s any CVE. Expose nothing else to the internet.

    You don’t even need HTTPS at that point or any certs, a VPN will encrypt your traffic anyway. The only cleartext you’ll have is between your VPN and your JF, and if both are on the pi then the only MITM vector is literally inside your Pi which is unlikely to have any issues.

  • You can just download the episodes though? Like right in Jellyfin:

    Because yes, you can just copy files from your NAS to your phone’s internal storage (assuming you don’t care about transcoding and the like)… at which point there isn’t much use to a metadata oriented media server/service.

    No you do not need to do any of that.

    Or you can just set up Plex to always download the next 10 episodes of whatever show you are watching when it has network access. I mean… that probably won’t work (see: 40%) but when it does, it is awesome. Which is the “it just works” functionality.

    You can download in Jellyfin also, like in the screenshot above.

    anyone asking for anything else is wrong and stupid.

    I mean, you are asking for things that are already in the app, you tell me if that’s stupid or not. I’m just trying to help.

    I’d never call anyone even trying to use these self-hosted alternatives stupid.

    If the Jellyfin devs could actually get the “download the next N episodes” functionality to reliably work (even at 80-90%), it would be a killer app.

    Is there some reason you can’t do this manually? I actually can’t think of any app with this feature, not even Netflix way back, nor Spotify.

  • Huh? I used jellyfin just fine in the hospital on public WiFi on my ancient busted iPad air [some number].

    The only thing I did was install pivpn and upload my VPN profile file to Google drive so I can remote into my network. I legit never even had to set anything up it just worked, didn’t even need to know the IP of the server because my locally run DNS server (and failing that, the basic hostname based DNSMasq in the router) took care of everything.

    I don’t even have any reverse proxy or firewall because I still pretend to value my sanity and my time, nor did I expose it to the internet either, thanks to almighty NAT.

    Didn’t have to do any caching or anything crazy like that, no idea what you’re talking about, but I think there’s an option to download the files right through jellyfin.

    I watched star trek TAS while having fun with opioids and it was a great time.

  • No it must not lol what? The RFC says “may”.

    And more importantly the devices don’t; it’s very noticeable via Wireshark. The only multicast traffic comes from Android, every other OS does not bother, ironically not even Mac OS, which is responsible for the whole Avahi/Bonjour nonsense to start with.

    That would make the names much longer but would protect me against some asshat buying .lan as a new gTLD.

    Another user pointed out that .home.arpa seems to be reserved, thus hopefully protected from TLD hijack which is what I’m worried about as well. I’d make it .homelab. I wonder if one can restrict recursion on certain domains?

    If one server is marked as authoritative, but set to recurse for other things, will it recurse for its authoritative domain, or give NXDOMAIN?

    I do own a domain name via cloudflare so I might just utilize that, but I don’t like it.
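The recursion question raised in the comment above, worked through as an added example that is not part of the thread: an Unbound configuration (the choice of resolver is an assumption; hostnames and addresses are constructed) that serves home.arpa. from local data and returns NXDOMAIN for any other name under it instead of forwarding the query upstream.

```conf
server:
    # Listen on the LAN side only and answer local clients (constructed addresses)
    interface: 192.168.1.2
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # "static": answers come from local-data only; a name under home.arpa.
    # with no local-data entry gets NXDOMAIN and is never sent upstream.
    # "transparent" would instead forward unknown home.arpa. names to the
    # forwarder below, leaking internal hostnames to the upstream resolver.
    local-zone: "home.arpa." static
    local-data: "jellyfin.home.arpa. IN A 192.168.1.10"
    local-data: "nas.home.arpa.      IN A 192.168.1.20"
    local-data-ptr: "192.168.1.10 jellyfin.home.arpa"
    local-data-ptr: "192.168.1.20 nas.home.arpa"

    # Only matters if private-address: rebind protection is configured:
    # permits RFC 1918 answers for this zone; harmless otherwise.
    private-domain: "home.arpa."

    # Keep .local out of unicast DNS entirely; clients that want it use mDNS.
    local-zone: "local." always_nxdomain

# Everything else is forwarded; the address is a placeholder upstream resolver.
forward-zone:
    name: "."
    forward-addr: 203.0.113.53
```

After reloading, `dig @192.168.1.2 nothere.home.arpa` should return NXDOMAIN with no upstream query, while `dig @192.168.1.2 jellyfin.home.arpa` returns 192.168.1.10.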

  • It’s assigned in my local DNS server, cheers.

    My devices should not be going around making assumptions about what is and isn’t assigned by someone else somewhere when the only thing that should concern them is what the DNS server tells them is the case.

    Also NAT does literally nothing other than being a massive PITA, so… yeah, I don’t think there’s much I can agree with in your rant.

    Only true if you don’t know what you’re doing. The only reason any network is safe at all is NAT and Firewalls that come with it.

    I don’t have to worry about devices on a local network as far as firewalls go. I can expose anything I want, in fact I delete iptables at first sight on any new distro install or VM; so long as none of it is port forwarded and everything is behind NAT, it’s all okay. My network is my castle. Thanks technology! Thanks smart people for figuring this out!

    Once you wrap your head around the fact your computer has IPs assigned statically or by DHCP per interface per network, not like a MAC address per device as IPv6 wants it to be which is the wrong way to think, you won’t have any more trouble with NAT.

    Like, oh no, fully functional point to point connectivity across the internet, how terrible

    Yes when you start out you may think so, but as you get into it you realise that actually complexity exists because it serves a purpose. IPv6 has to bolt on privacy extensions and then also still include NAT and actual tons of space for loopback because it’s fundamentally incompatible with how the internet works otherwise.

    And yes, practically it’s a security nightmare to have any IP of any computer accessible from the internet. If you go around configuring firewalls forever you might get it right but oh boy one mistake and you’re done for. Instead, consider NAT, the solution to all problems. I’m writing this behind quadruple NAT rn and it’s honestly fairly easy to manage, I’ve been too lazy to change it, not that I’d advise anything more than 1 necessarily.

    Edit: .home.arpa is actually designated as a local TLD, and is what I use for a crappy old tablet that doesn’t support mDNS.

    Yikes! That’s a lot to type to hammer in a nail that sticks out (Android). Thanks but no thanks. I’ll find some way to cripple mDNS on the non-compliant device instead.

    So are you saying you run some sort of mDNS server (not sure what the word would be there)/provider? Why? How?

  • So why does Google enforce mDNS when it leads to this confusion?

    Everywhere else, Windows, Linux, iOS, etc. etc., as far as I can tell mDNS doesn’t happen with .local as the default, never mind the only option.

    Only the android devices throw a fit because of Google enforcing bizarre legacy technology of use to no one.

    Maybe there’s a way to hint to the problematic Android devices that it’s a no-no by restricting all multicast traffic of any kind at the network level? Is that even possible?