For legibility I split the post into: my current setup; the problem Iā€™m trying to solve; the constraints for solving the problem; what Iā€™ve tried and failed to do; and key questions.

When roasting me in the comments, go nuts, Iā€™m not a complete beginner, but I wouldnā€™t rank myself as an intermediate yet. My lab is almost entirely tteck scripts, and what isnā€™t built by tteck are docker containers. My inexperience informs some of my decisions for example: Iā€™m using nginxproxymanager because Nginx documentation is beyond me, I couldnā€™t write a nginx.config and NPM makes reverse proxies accessible to me.

My Current setup

I have a Proxmox based home server running multiple services as LXCs (a servarr, jellyfin, immich, syncthing, paperless, etc. Locally my fiancĆ©e and I connect to our services. Using pihole-NginxProxyManager(NPM) @ ā€œservice.serverā€ and thatā€™s good. Remotely we connect to key services over tailscale using tailscaleā€™s magic DNS @ ā€œlxcname:portā€ and that worksā€¦ fine. We each have a list of ā€œservice: addressā€ and itā€™s tolerable. Finally, my parents have a home server, that I manage, it is Debian based with much the same services running all in Docker (I need to move it to Podman, but I got shit to do). We run each othersā€™ off-site backup over tailscale-syncthing and that seems good. But, our media and photos are our own ecosystems.

The Problem

I would like to give someone (Bob) a box (a Pi, a minipc, a whatever). The sole function of this box is to act as a gateway for Bobā€™s devices to connect to key LXCs on my tailnet. Thus Bob can enjoy my legally obtained media and back up their photos.

The constraints

These are in order of importance, I would be giving ground from the bottom up. The top two are non negotiable though.

A VPS has low to zero WAF. Otherwise I would have followed the well trodden ground.

Failsafe. If the box dies bob canā€™t access jellyfin until I can be arsed to fix it. Otherwise, they experience no other inconvenience.

No requirement to install tailscale on Bobā€™s devices. Some devices arenā€™t compatible with tailscale: Amazon fire stick. A different bob doesā€™t want to install a VPN on their phone. Some devices I donā€™t trust to be up to date and secure, I donā€™t want them on my tailnetā€¦ I have no idea if the one degree of separation is any more secure, but it gives me the willies.

Iā€™m pretty sure I can solve this using pihole-nginx-tailscale with my skillset. But then I have to get into bobā€™s router, and maybe bob might not like that. If I could just give them a preconfigured box that would be ideal. They would have pretty addresses though.

I donā€™t currently have a domain, I do plan to get one. I just donā€™t currently have one.

My attempts and failures to solve the problem.

Iā€™ve built a little VM to act as a box (box), it requests a static IP. On it I installed Mint (production would probably be DietPi or Debian) Tailscale,Docker (bare metal) and NPM as a container. In NPM I set a proxy host 192.168.box.IP to forward to 100.jellyfin.tailscale.IP:8096. I tested it by going to box.IP and jellyfin works. Next up Jellyseerrā€¦ I canā€™t make another proxy host with the same domain name for obvious reasons.

I tried ā€œbox.IP:8096ā€ as a domain name and NPM rejected it. I tried ā€œbox.IP/jellyfinā€ and NPM rejected that too (Iā€™ll try Locations in a bit). I tried both ā€œservice.box.IPā€ and ā€œbox.IP.serviceā€ and Iā€™d obviously need to set up DNS for that. Look, Iā€™m an idiot, I make no apologies. I know I can solve it by getting into their router, setting Pihole as their DNS, and going that route.

Next I tried Locations. The required hostname and port I set up as jellyfin.lxc.tailnet.IP:8096 and I set /jellyseerr to go to jellyseerr.lxc.tailnet.IP and immich set up the same way. Then I tested the services. Jellyfin works. Jellyseerr connects then immediately rewrites the URL from ā€œbox.IP/jellyseerrā€ to ā€œbox.IP/loginā€ and then hangs. Immich does much the same thing. In desperation I asked chatGPTā€¦ the less said about that the better. Just know Iā€™ve been at this a while.

Hereā€™s where Iā€™m at: I have two Google terms left to learn about in an attempt to solve this. The first is ā€œIP tablesā€ the second is ā€œtailscale subnet routersā€ and I have effort left to learn about one of them.

During this process I learned I could solve this problem thusly: give Bob a box. On this box is a number of virtual machines(vm). Each vm is dedicated to a single service, and what the fuck is that for a solution?! It would satisfy my all of my constraints though, its just ugly.

Key questions

Is my problem solvable by just giving someone a Pi with the setup pre-installed? If not Iā€™ll go the pihole-npm-tailnet and be happy. Bobā€™ll connect to ā€œservice.boxā€ and itā€™ll proxy to ā€œservice.lxc.tailnet.IPā€.

Assuming I can give them a box. Is nginx the way forward? Should I be learning /Locations configs to stop jellyseerrā€™s rewrite request. Forcing it to go to ā€œbox.IP/jellyseerr/loginā€. Or, is there some other Google term I should be learning about.

Asssuming I can give them a box, and nginx alone is not useful to me. Is it subnet routers I should be learning about? They seem like a promising solution, but Iā€™ll need to learn how the addressing worksā€¦ Or how any of it worksā€¦ IP tables seem like another solution on the face of it. But both I donā€™t know where to send bob without doing local DNS/CNAME shenanigans

Finally assuming Iā€™m completely in the weeds and hopelessly lostā€¦ What is it I should I be learning about? A VPS I guessā€¦ Thereā€™s a reason everyone is going that route., Documentation on this ā€œboxā€ concept isnā€™t readily findable for a reason I imagine.

  • David From Space@orbiting.observer
    link
    fedilink
    English
    arrow-up
    2
    Ā·
    7 days ago

    Can you share what the final desired goal is? It sounds like your goal is actually to provide your services to Bob securely over the internet, is that a fair description? You mentioned eventually grabbing a domain, how do you feel about publicly exposed services with authentication? For instance, I use authentik in front of Jellyfin and paperless myself for a little extra authentication juice.

    • Fedegenerate@lemmynsfw.comOP
      link
      fedilink
      English
      arrow-up
      1
      Ā·
      6 days ago

      Yeah, thatā€™s a fair description. I am not comfortable exposing ports currently, I donā€™t think I have the skill to do it securely and my Homelab is definately not secure enough.

      Not to get side tracked, and to highlight the horror, my media library is chmod 777 until I figure permissions across LXCs.