There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

Best practices for media + piracy server

I am a bit befuddled over what the best practices are for an internet connected or local server running the *arr stack.

Should we be using cosmos for security, reverse proxy, and container management or other tools like nginx, traefik, authentelia, authentik, and portainer?

Furthermore what’s the advantage of using proxmox containers to host docker instead of installing docker on conventional Linux?

possiblylinux127 ,

Just a note about piracy: Please don’t give the corporate overlords any reason to legally go after a Lemmy admin. There are plenty of dark web sites that I won’t mention but they are a better fit.

NeoNachtwaechter ,

sites that I won’t mention but they are a better fit.

I would be very interested, too. Could you send me a link?

Decronym Bot , (edited )

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
Plex Brand of media server package
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network
nginx Popular HTTP server

[Thread for this sub, first seen 23rd Jan 2024, 00:25] [FAQ] [Full list] [Contact] [Source code]

keyez ,

I think the simplest setup is keeping all the apps and services on the local network and doing something like this guide so they are always behind a VPN. Then setup another VPN on unraid or another device to access from outside the local network. There are plenty of other guides for unraid and Plex and the arr stack out there, unraid is just what I use but can use whatever OS you would prefer.

unraid-guides.com/…/how-to-route-any-docker-conta…

areyouevenreal OP ,

a) I am not using unraid

b) I was aware of using tailscale or a VPN. I don’t really want to do that as it requires running my whole connection through home Internet.

c) I also want to setup a reverse proxy even if I do only use it locally just so I am not dealing with ports and IPs. No bookmarks are not practical I have too many as it is.

d) At this point I am doing this the “right” way or at least the complex way because I can.

jmp242 ,

Well, what you could do is run a DNS server so you don’t need to deal with IPs. You could likely adjust ports for whatever server to be 443 or 80 depending on if you’re internal only or need SSL. Also, something like zerotier won’t route your whole connection through your home internet if you set it up correctly, consider split tunneling. With something like zerotier it’ll only route the zerotier network you create for your devices.

constantokra ,

A, great. Overly complicated. B, wireguard lets you set your allowed IPS to your networks’s subnet so you only tunnel that traffic. C, that’s ideal. Use nginx proxy manager. It’s super simple. Buy a domain and you can use letsencrypt for SSL so you don’t get http nag messages from your browser. Old suggest something with cheap renewals like ‘.rodeo’ or ‘.top’. D, there are many right ways. Personally, i’d set up your services in a docker compose file, all behind gluetun as a VPN for your torrent service. I’d set up a wireguard VPN on a pi zero elsewhere on your network so you can access everything from outside, and on your wireguard clients i’d only tunnel the traffic to your network’s subnet. Unless you want everything behind the same VPN you use for torrenting. In that case i’d run a wireguard service in the same docker network as gluetun, so you can tunnel all your client traffic through that. You could even out a dns server in there as well, and manually set a domain name to your server’s ip so you don’t have to buy a domain name. Course, then you can’t use letsenceypt SSL.

monkeyman512 ,

I think 2 good concepts come to mind to help you make choices:

  1. Least privilege - Only give things/people just enough access/authority to get the job done. A good example is sonarr doesn’t need access to your personal photos to do it’s job, so don’t give it access if to them.
  2. Defense in layers - Nothing is perfect and you can make mistakes in configuration. Don’t rely on a single point of failure to protect you. If you want remote access use a VPN. But also take steps in your network like putting a password on the logins.
N0x0n , (edited )

I’m also interested :)

What I can add is that if you selfhost locally your arr stack with jellyfin, there is no need for reverse proxy, authelia…or whatsoever !

If you are going to host you stack and make it available over the net and open ports in your router, yeah it’s mandatory ! With a wireguard tunnel… (I think portainer is the way to go for most user).

Locally you can just connect to your jellyfin’s private ip without to much complicated overheat.

Just secure and isolate your torrent connection and use a good VPN (like proton VPN).

A good starting point: github.com/navilg/media-stack/blob/…/README.md

areyouevenreal OP ,

What’s a cie?

N0x0n ,

Edited! XD maybe that wasn’t the best acronym ?

An other way to express “etc” xD

areyouevenreal OP ,

Why use a VPN instead of a proxy? I found configuring a proxy much easier. I hate to say it but that stack is too simple for my setup. It’s missing half the stuff I use. I have also been avoiding qbittorrent because of issues with it forgetting login details.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •