view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
Shouldn't be any risk if it's all local.
For an internal domain you'll need to set up your own internal CA to sign certs for your fqdns. The risk comes from any mishandling of that new CA since you'll need to install it as a trusted root on all of your devices and if someone gets a hold of it nothing would stop them from creating a MITM attack for let's say yourbank.com
If you have the CA's key under lock then you should be good.
Don’t use internal domain, use standard domain + split DNS instead. Much simpler to handle certificates for internal services with ACME protocol.
Yes, use a split horizont setup.
Gotcha. Yeah I read about doing a self-hosted CA, but then I have to add the cert to every device that needs access to the service, which I don't think the family would be thrilled about. I was going to use the cert generator in NGINX and use the key from my actual domain. This way I don't need to add the certs manually.
My only worry is exposing something accidentally, but if my firewall rules prevent any outside access from my services (Jellyfin, Nginx, Homelab, etc) and the only thing with internet is the device accessing it (a laptop or TV), then I think I should be ok..
If you have a domain you own that's the way to go, I went by your .home naming assuming that's what you're using. Since .home can't be registered similar to .local, LetsEncrypt wouldn't be an option.
I have a split DNS setup on my end so a service like jellyfin would resolve only internally since I want to limit it, but others would be both public and internal.
No real need to run your own CA. As long as you have an actual domain name, you can use Let's Encrypt with DNS challenges to get certificates for internal servers.