For legibility I split the post into: my current setup; the problem Iām trying to solve; the constraints for solving the problem; what Iāve tried and failed to do; and key questions.
When roasting me in the comments, go nuts, Iām not a complete beginner, but I wouldnāt rank myself as an intermediate yet. My lab is almost entirely tteck scripts, and what isnāt built by tteck are docker containers. My inexperience informs some of my decisions for example: Iām using nginxproxymanager because Nginx documentation is beyond me, I couldnāt write a nginx.config and NPM makes reverse proxies accessible to me.
My Current setup
I have a Proxmox based home server running multiple services as LXCs (a servarr, jellyfin, immich, syncthing, paperless, etc. Locally my fiancĆ©e and I connect to our services. Using pihole-NginxProxyManager(NPM) @ āservice.serverā and thatās good. Remotely we connect to key services over tailscale using tailscaleās magic DNS @ ālxcname:portā and that worksā¦ fine. We each have a list of āservice: addressā and itās tolerable. Finally, my parents have a home server, that I manage, it is Debian based with much the same services running all in Docker (I need to move it to Podman, but I got shit to do). We run each othersā off-site backup over tailscale-syncthing and that seems good. But, our media and photos are our own ecosystems.
The Problem
I would like to give someone (Bob) a box (a Pi, a minipc, a whatever). The sole function of this box is to act as a gateway for Bobās devices to connect to key LXCs on my tailnet. Thus Bob can enjoy my legally obtained media and back up their photos.
The constraints
These are in order of importance, I would be giving ground from the bottom up. The top two are non negotiable though.
A VPS has low to zero WAF. Otherwise I would have followed the well trodden ground.
Failsafe. If the box dies bob canāt access jellyfin until I can be arsed to fix it. Otherwise, they experience no other inconvenience.
No requirement to install tailscale on Bobās devices. Some devices arenāt compatible with tailscale: Amazon fire stick. A different bob doesāt want to install a VPN on their phone. Some devices I donāt trust to be up to date and secure, I donāt want them on my tailnetā¦ I have no idea if the one degree of separation is any more secure, but it gives me the willies.
Iām pretty sure I can solve this using pihole-nginx-tailscale with my skillset. But then I have to get into bobās router, and maybe bob might not like that. If I could just give them a preconfigured box that would be ideal. They would have pretty addresses though.
I donāt currently have a domain, I do plan to get one. I just donāt currently have one.
My attempts and failures to solve the problem.
Iāve built a little VM to act as a box (box), it requests a static IP. On it I installed Mint (production would probably be DietPi or Debian) Tailscale,Docker (bare metal) and NPM as a container. In NPM I set a proxy host 192.168.box.IP to forward to 100.jellyfin.tailscale.IP:8096. I tested it by going to box.IP and jellyfin works. Next up Jellyseerrā¦ I canāt make another proxy host with the same domain name for obvious reasons.
I tried ābox.IP:8096ā as a domain name and NPM rejected it. I tried ābox.IP/jellyfinā and NPM rejected that too (Iāll try Locations in a bit). I tried both āservice.box.IPā and ābox.IP.serviceā and Iād obviously need to set up DNS for that. Look, Iām an idiot, I make no apologies. I know I can solve it by getting into their router, setting Pihole as their DNS, and going that route.
Next I tried Locations. The required hostname and port I set up as jellyfin.lxc.tailnet.IP:8096 and I set /jellyseerr to go to jellyseerr.lxc.tailnet.IP and immich set up the same way. Then I tested the services. Jellyfin works. Jellyseerr connects then immediately rewrites the URL from ābox.IP/jellyseerrā to ābox.IP/loginā and then hangs. Immich does much the same thing. In desperation I asked chatGPTā¦ the less said about that the better. Just know Iāve been at this a while.
Hereās where Iām at: I have two Google terms left to learn about in an attempt to solve this. The first is āIP tablesā the second is ātailscale subnet routersā and I have effort left to learn about one of them.
During this process I learned I could solve this problem thusly: give Bob a box. On this box is a number of virtual machines(vm). Each vm is dedicated to a single service, and what the fuck is that for a solution?! It would satisfy my all of my constraints though, its just ugly.
Key questions
Is my problem solvable by just giving someone a Pi with the setup pre-installed? If not Iāll go the pihole-npm-tailnet and be happy. Bobāll connect to āservice.boxā and itāll proxy to āservice.lxc.tailnet.IPā.
Assuming I can give them a box. Is nginx the way forward? Should I be learning /Locations configs to stop jellyseerrās rewrite request. Forcing it to go to ābox.IP/jellyseerr/loginā. Or, is there some other Google term I should be learning about.
Asssuming I can give them a box, and nginx alone is not useful to me. Is it subnet routers I should be learning about? They seem like a promising solution, but Iāll need to learn how the addressing worksā¦ Or how any of it worksā¦ IP tables seem like another solution on the face of it. But both I donāt know where to send bob without doing local DNS/CNAME shenanigans
Finally assuming Iām completely in the weeds and hopelessly lostā¦ What is it I should I be learning about? A VPS I guessā¦ Thereās a reason everyone is going that route., Documentation on this āboxā concept isnāt readily findable for a reason I imagine.
Can you share what the final desired goal is? It sounds like your goal is actually to provide your services to Bob securely over the internet, is that a fair description? You mentioned eventually grabbing a domain, how do you feel about publicly exposed services with authentication? For instance, I use authentik in front of Jellyfin and paperless myself for a little extra authentication juice.
Yeah, thatās a fair description. I am not comfortable exposing ports currently, I donāt think I have the skill to do it securely and my Homelab is definately not secure enough.
Not to get side tracked, and to highlight the horror, my media library is chmod 777 until I figure permissions across LXCs.