walden

Nice, glad you’re having fun with it.

Exposing things to the internet is a lot of fun, just keep in mind that there are bots out there just itching to break into your stuff. Use strong passwords. Use different passwords for every. single. website.

Tailscale is often recommended because it’s very secure. You don’t need to pay for your own domain name, either as far as I know.

For things that I expose to the internet (the Lemmy instance that I’m writing this from, for example) I like having a domain name. Especially when sharing it with friends since it’s what people are used to.

If you’re interested in going that route, each “thing” that you host gets its own sub domain. For example if the domain name you buy is called “kgrnd.com”, and you’re hosting a minecraft server – you might call it “minecraft.kgrnd.com”. Jellyfin might be jellyfin.kgrnd.com.

Starting from outside, sitting in a park bench looking at your phone – the steps that internet traffic goes through to reach your server is like this:

1. phone or device
2. internet connection
3. your domain registrar, which tells it where to send the traffic (to your house/server) using DNS records
4. your router (hopefully something relatively decent and up to date for security)
5. your reverse proxy, which your router is programed to send HTTPS traffic to (port forward 80 and 443 to your server)
6. the minecraft server, be it in Docker or whatever.
7. then back again all the way to your phone

A reverse proxy just decides "ok, here’s some traffic from minecraft.kgrnd.com, and I’ve been told that minecraft.kgrnd.com over on 192.168.2.32, port 25565.

Do not tell your router to forward traffic on port 25565. That is not secure. The only ports that you open (forward) on your router firewall are 80 and 443, and those both point to the IP address of your reverse proxy.

Reverse proxy’s come in various flavors. A lot of people like Caddy. I like Nginx Proxy Manager (NPM). Both handle SSL certificates for you which is very very nice.

The last problem to solve is the fact that your home IP address changes from time to time. This is pretty standard practice with non-business accounts. That’s where a dynamic DNS service comes into play. My router has a built in service to handle it, so when I set up my domain name DNS records to point to “my house”, I don’t tell it my IP address because that’s subject to change. Instead I give it what’s called a CNAME record which points to a web address that my router has provided me. If your router doesn’t have a feature like that, you’ll have to explore other options for handling dynamic IP addresses.

Once you have something up and running, you have to do 2 things –

1. At your domain registrar, add a CNAME record that points to your dynamic DNS address (however you’re handling that). Alternately, add an A record pointing straight at your IP address. This will break eventually when your IP address changes.
2. At your reverse proxy, add an entry telling it "when you see traffic coming from service.kgrnd.com, send it to the IP address of my server and port XXXXX.

Another thing that I like to do, which is a bit more advanced but in the end makes things simpler and more secure:

• If using Docker, set up your reverse proxy to run on a Docker network called “nginx” for example.
• Ever Docker container that you set up which you want to expose to the internet via Nginx Proxy Manager, manually assign it to the same network (otherwise Docker by default gives each thing its own network).

This is nice because you don’t have to tell docker to forward any ports. Whatever the default port is for the service your running, nginx can access it no problem because they’re on the same Docker network. For example if your Minecraft docker container is called “minecraft-minecraft-1” and has stuff on port 25565, you don’t need to know the IP address of Minecraft. In the NPM entry, you just point minecraft.kgrnd.com to minecraft-minecraft-1 and port 25565. Done. No exposing external ports to the docker container. Pretty cool.

1. Sure. Having more drives is typically done for reliability reasons and they’re set up in some sort of redundant file system like ZFS, BTRFS, or RAID. Having only one drive means when it fails (and it will) you’ll have some downtime while you replace the drive and restore backups.
2. Proxmox is great, and I recommend it. Proxmox gives you two important things: 1) A nice way to manage storage (this may not be applicable to you with just one drive, but if you decide to add more later you can explore the options 2) BACKUPS! You’re going to have lots of docker containers and stuff. Restoring docker containers on bare metal is tedious, because you’re dealing with all of the folders that you’ve set up as volumes, all of the compose files, etc. With proxmox, you run Debian in a virtual machine and have all of the Docker stuff in the VM. Your backup will be the entire VM, so restoring it is very simple.
3. I don’t have a good answer for this.
4. The best choice is whatever works best for you. Sort of a cop out answer, sorry. A lot of people like Tailscale (Headscale is another option), but the downside is you have to set it up on ever device you want to access stuff from. A reverse proxy like Nginx Proxy Manager or Caddy lets you use your own domain. They handle renewing certificates and everything in the background. It requires opening (forwarding) ports 80 and 443 on your router/firewall. Some see this as a security downside, but if everything is done using HTTPS then in theory it’s very safe.
5. I don’t have a good answer for this.

I have Frigate running with a reverse proxy, a coral, etc. I just use the internal Intel GPU on my CPU and it works with a 1080p and a not-quite-4k stream (4MP maybe?). It’s no sweat for the hardware.

GPU is only used to detect motion, and you can even configure a lower resolution sub-stream from your cameras to reduce that load, but I don’t think you’ll need to.

Once motion is detected, Frigate fires up the coral to determine what is there. A car, dog, person, etc.

I have everything get recorded with no processing to a single WD Purple, the biggest I could afford. It holds months of video before rewriting over old stuff.

I have Amcrest cameras which are rebranded Dahua I think. I’m relatively happy with them, but I’ve always dreamed of owning Axis cameras, though they are a bit pricey. My cameras are on a VLAN that can’t access the internet.

Hope that helps.

This photo is taken out of context, though. I mean, he slapped his chest before the salute, and he did it twice in a row… Ah shit nevermind, he’s a Nazi.

Wrapping my head around reverse proxy was a game changer for me. I could finally host things that are usefull outside my LAN. I use Nginx-Proxy-Manager which makes the config simple for lazy’s like me.

Immich. Come for the photo backup, stay for everything else because it’s awesome.