I expose most things to the web so long as they have auth and 2FA options. The one exception being my Jellyfin server. I share it with friends and needed to make it as easily accessible as possible.
With Cloudflare WAF, reverse proxy, and an isolated subnet with IDP I feel comfortable with public services. Nothings perfect but if they get through it and pwn my lab I’ll just nuke it and rebuild.
Nearly all of them. Nextcloud, Jellyfin, Vaultwarden, Spacebar, and 2fAuth, all set behind an NGINX Reverse Proxy, SWAG. SWAG made it very easy to set up https and now I can throw anything behind a subfolder or subdomain.
Same here. Taught my wife how to start WireGuard on her android phone and then access any of the services I run. This way I only have one port open and don't have to worry too much.
That's what I do. The beauty of wireguard is that it won't respond at all if you don't send the right key. So from the outside it will appear as if none of your ports are open.
How about running your wireguard server on a VPS and then connecting to the same interface as clients from your mobile and home network? No ports open on your side!
I had everything behind my LAN, but published things like Nextcloud to the outside after finally figuring out how to do that even without a public IPv4 (being behind DS-Lite by my provider).
I knew about Cloudflare Tunnels but I didn't want to route my stuff through their service. And using Immich through their tunnel would be very slow.
I finally figured out how to publish my stuff using an external VPS that's doing several things:
being a OpenVPN server
being a cert server for OpenVPN certs
being a reverse proxy using nginx with certbot
Then my servers at home just connect to the VPS as VPN clients so there's a direct tunnel between the VPS and the home servers.
Now when I have an app running on 8080 on my home server, I can set up nginx so that the domain points to the VPS public IPv4 and IPv6 and that one routes the traffic through the VPN tunnel to the home server and it's port using the IPv4 of the VPN tunnel. The clients are configured to have a static IPv4 inside the VPN tunnel when connecting to the VPN server.
Took me several years to figure out but resolved all my issues.
With DS-Lite you don't have a public IPv4. Not a static one but also not a dynamic one. The ISP just gives you a public IPv6. You share your IPv4 address with other users. This is done to use less IPv4s. But not having a dynamic IPv4 causes you to be unable to use DynDNS etc. It's simply not possible.
You could publish your stuff via IPv6 only but good luck accessing it from a network without IPv6.
You could also spin up tunnels with SSH actually between a public server and the private one (yes SSH can do stuff like that) but that's very hard to manage with many services so you're better of building a setup like mine.
Everything is behind a wireguard vpn for me. It's mostly because I don't understand how to set up Https and at this point I'm afraid to ask so everything is just http.
Thank you. It was mostly ment as a joke tho. I'm not actually afraid to ask, but more ignorant because it's all behind VPN and that's just so much easier and safer and I know how to do it so less effort. Https is just magic for me at the moment and I like it that way. Maybe one day I'll learn the magic spells but not today.
All software has issued, such is the nature of software. I always say if you selfhost, at least follow some security related websites to keep up to date about these things :)
I've been using YunoHost, which does this for you but I'm thinking of switching to a regular Linux install, which is why I've been searching for stuff to replace YunoHost's features. That's why I came across Nginx Proxy Manager, which let's you easily configure that stuff with a web UI. From what I understand it also does certificates for you for https. Haven't had the chance to try it out myself tho because I only found it earlier today.
I currently keep everything LAN-only because I haven't figured out how to properly set up outside access yet.
(I would like to have Home Assistant available either over the Internet or via VPN so that automations keyed off people's location outside the home would work.)
Yeah, same, except I tunneled HA out via that Cloudflare daemon. Kinda janky because I cannot use the app with it to do locations, but I can check in on the pets from anywhere.
I cannot get the app to connect to my HA with the current setup. I have Cloudflare doing email verification, and the app doesn't understand how to collect the cookies to make that possible.
I have used DuckDNS and Nginx to get Home Assistant outside but it was horrible, just constantly breaking. Around Christmas time I bought myself a domain name for a few years and Cloudflare to access it, and it's been night and day since.
Sure it cost me money but it was far cheaper than a Nabu Casa account.
It’s another dashboard like homarr. I set up homarr and homepage side by side to pick one and landed on homepage. No specific reason, I just gravitated to it over homarr.
As a general rule if it's a pubic-ish service like Lemmy (more a friends and family than public) or something where I want ready access like auto uploads it has public access, otherwise it's private. I make it a point to have everything facing outside to have 2FA enabled and/or limit the available sources to known IP ranges.