this post was submitted on 18 Jul 2025
83 points (85.5% liked)

Selfhosted

49647 readers
514 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
83
Just created my own zero trust network! (lemmy.world)
submitted 2 days ago* (last edited 2 days ago) by HurlingDurling@lemmy.world to c/selfhosted@lemmy.world
50 comments fedilink hide all child comments
 

No awards are needed, just wanted to share my excitement that while my Jellyfin server still keeps loosing my entire library every 24 hours at least now it has a domain and ssl cert!

That is all. Happy Friday everyone

top 50 comments
sorted by: hot top controversial new old
[–] Brkdncr@lemmy.world 82 points 2 days ago (1 children)

a domain and cert doesn't equal zero trust network.

[–] chaospatterns@lemmy.world 15 points 2 days ago

Right. Zero trust means at the very least you need to add AuthN and AuthZ to every endpoint with no exceptions for internal IP addresses.

[–] vivalapivo@lemmy.today 51 points 2 days ago

I do also have a zero trust network. Zero friends= zero trust

[–] Onomatopoeia@lemmy.cafe 16 points 2 days ago (1 children)

Lol.

Still got the library issue, eh? Gonna have to just turn off services/apps/processes until you find the culprit.

[–] HurlingDurling@lemmy.world 6 points 2 days ago (2 children)

lol, yeah. Gitea is next on the list, but I don't have much more I'm afraid, Immich and Nextcloud are critical apps for me, so if it isn't gitea or minecraft, then I might just setup a new server out of an old laptop to be my Jellyfin server and migrate my library there.

[–] Dhs92@piefed.social 5 points 2 days ago (1 children)

Are you losing your library on reboot?

[–] HurlingDurling@lemmy.world 3 points 2 days ago (2 children)

Not even on reboot, it just get's deleted somehow, been happening for the past couple of months and I haven't been able to figure out why yet. I posted all about it here (https://lemmy.world/post/32756942) if you are interested in reading about it.

[–] gdog05@lemmy.world 3 points 2 days ago (1 children)

Do you have the media cleanup plugin installed for Jellyfin? I wonder if you change the PUID and/or GUID if you couldn't make sure Jellyfin wasn't the source of the deletion.

[–] HurlingDurling@lemmy.world 3 points 2 days ago (1 children)

I don't have that plugin from what I can tell, and I did not install it manually either. What should I try changing the PUID and GUID to?

[–] gdog05@lemmy.world 1 points 2 days ago (1 children)

I would think the Jellyfin logs would say if it deleted something. But I have to say, I cannot fully understand GUID and PUID in all cases. But you can try to subtract 1 digit from PUID (100 to 99) and then try to delete a show or movie within Jellyfin's interface. If it won't do it, then you've got the permissions at least where it can't delete things. It is possible to not view things as well, so it might take some research or trial and error and make sure you write down where it is now. But, it will remove one factor at least.

[–] HurlingDurling@lemmy.world 4 points 2 days ago (2 children)

Finally caught it! It was Jellyfin stupid ass deleting my media!

collapsed inline media

[–] gdog05@lemmy.world 4 points 2 days ago

Fuck yeah! One issue down, 9,374 to go!

[–] MolochAlter@lemmy.world 0 points 1 day ago (1 children)

Wtf why?

[–] HurlingDurling@lemmy.world 2 points 1 day ago (2 children)

Apparently is a known bug 🙃

[–] keepee@lemmy.world 1 points 1 day ago (1 children)

Link to bug?

[–] bitwolf@sh.itjust.works 1 points 1 day ago

Maybe this

Although it looks like the nasty docker bug link in that thread is fixed.

So maybe ro mounts can mitigate the problem.

[–] MolochAlter@lemmy.world 1 points 1 day ago

Jesus that is not a small bug lol

[–] Dultas@lemmy.world 2 points 1 day ago (1 children)

Any de dupe tasks running and removing them since it sees them in a backup?

[–] HurlingDurling@lemmy.world 2 points 16 hours ago

There where no tasks running outside whatever is setup out of the box when installing jellyfin. I have recently discovered that jellyfin can delete your media if it thinks the media has been removed...

Wierdest logic by the devs.

[–] Onomatopoeia@lemmy.cafe 3 points 2 days ago (2 children)

Can you spin up a VM or a docker image?

I've done this when services misbehave, and just migrate the DB over (Syncthing in particular).

[–] garshol@infosec.pub 2 points 23 hours ago

Curious to how syncthing misbehaved. Care to elaborate?

[–] HurlingDurling@lemmy.world 2 points 2 days ago

I may try that at some point but work keeps me pretty busy so it may take me a few weeks before I can try.

[–] _core@sh.itjust.works 8 points 1 day ago (1 children)

What did you use for zero trust?

[–] bhamlin@lemmy.world 3 points 1 day ago

Why do you want to know? Huh?

[–] tazeycrazy@feddit.uk 6 points 1 day ago

I don't trust my self with this kind of responsibility.

[–] possiblylinux127@lemmy.zip 0 points 2 days ago (2 children)

You didn't expose it to the internet right?

If you want remote access setup client certs

[–] BaroqueInMind@piefed.social 3 points 2 days ago (17 children)

How?

[–] archy@lemmy.world 0 points 2 days ago (1 children)

Kleopatra

[–] possiblylinux127@lemmy.zip 1 points 2 days ago

That isn't mutualTLS

It just is a frontend for gpg. You need OpenSSL for mutual certs.

load more comments (16 replies)
[–] dataprolet@lemmy.dbzer0.com 3 points 2 days ago (9 children)

What's wrong with exposing Jellyfin to the internet?

[–] mic_check_one_two@lemmy.dbzer0.com 9 points 2 days ago* (last edited 2 days ago) (1 children)

There are a few security issues with it, but all of the worst known issues require a valid login token. So an attacker would already need to have valid login credentials before they could actually do anything bad. Things like being able to stream video without authentication (but it requires already having a list of the stored media on the server, which means you have been logged in before). Or being able to change other users’ settings (but it requires already being logged in to a valid user).

Basically, make sure you use good passwords, and actually trust any other users to do the same.

[–] Dhs92@piefed.social 8 points 2 days ago

The bug you mentioned actually just requires the attacker knows your local media paths to generate the hash. The issue is that most people use trash guides to setup *arr which means they probably have the same paths for everything

[–] smiletolerantly@awful.systems 1 points 2 days ago

Nothing. People fearmonger

load more comments (7 replies)