this post was submitted on 19 Sep 2024
51 points (89.2% liked)

Selfhosted

40152 readers
486 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
51
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
 

After the arrest of Pavel Durov, I wanted to move from Telegram to something end-to-end encrypted. I know Signal is pretty good, but I think it is better to have our messages in my own server.

I have already looked in XMPP, but it required SSL certs and I did not have the mood to configure them.

Do you know any other selfhosted messaging service for a group of 4-5 friends, or an easy way to configure an XMPP server? Or shall I use Signal after all (I don't really care that much about being selfhosted, I just thought it would be more privacy friendly)?

UPDATE: I managed to set up an XMPP server using prosody with the SSL certs. We have been testing it with my friend and it seems to go well.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 27 points 1 month ago (1 children)

SSL certs is so easy with let's encrypt, that really shouldn't be a blocker.

If you want something easy I think you have your answer with Signal

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (4 children)

I know, but for some reason my router does not let me access my domain (with duckdns) when connected to my network. So even if I get certs for the domain, I will not be able to access it. I have set up local DNS entries (with Pi-Hole) to point to my srrver, but I don't know if it possible to get certs for that, since it is not a real domain.

EDIT: Fixed it. (See reply for fix)

[–] [email protected] 1 points 1 month ago

I managed to fix this problem by pointing my domain name to my private IP address (with pihole's local DNS entries), so I could access it. Then, I just got certs for the domain and applied them with nginx.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

Are you using a *.duckdns.com domain or is that only for Dynamic DNS pointed to something like jelly.domain.com? I'm not sure if you'll be able to get a cert in the former scenario.

Your router won't let you access it because you're trying to connect from your internal network to your external network, so you're just connecting in a loop and not getting routed properly. This could work if you had a firewall that would let you set up a loopback NAT, but my guess is your router won't let you setup NAT rules like that.

You won't be able to get a certificate using a local domain from a public certificate authority (like Let's Encrypt). You would want to define the FQDN you want to use, like jelly.domain.com, and generate the certificate for this domain. You can do this manually with certbot and import the certificate to jellyfin, or put jellyfin behind a reverse proxy like Caddy or Nginx and let it handle automatic renewal for you.

The local DNS entries would then redirect internal requests for jelly.domain.com to your local server, which presents the same certificate for jelly.domain.com regardless of whether you're accessing it via the private or public IP.

A bonus of using something like Caddy is being able to open a single port on your router for every service. I have multiple services all accessed via the same port, and Caddy just reads the requested subdomain (jelly.domain.com, nextcloud.domain.com, etc) to route the traffic to the corresponding local server. This lets it handle every cert for all services with no manual steps needed for any of them after the initial setup, and reduces your attack surface by only having one port open.

[–] [email protected] 3 points 1 month ago (1 children)

I have set up local DNS entries (with Pi-Hole) to point to my srrver, but I don't know if it possible to get certs for that, since it is not a real domain.

So long as your certs are for your fully qualified domain there's no problem. I do this, as do many people


mydoman.com is fully qualified, but on my own network I override the DNS to the local address. Not a problem at all


DNS is tied to the hostname, not the IP.

[–] [email protected] 3 points 1 month ago (1 children)

Can confirm, I do this as well for my local services (especially important for Jellyfin), I just point my local DNS server at my local IP and everything works perfectly.

[–] [email protected] 1 points 1 month ago (1 children)

Another fun trick you can play is to use a private IP on your public DNS records. This is useful for Jellyfin on Chromecast for instance


it uses 8.8.8.8 for DNS lookup (and ignores your router settings), so it wants a fully qualified domain name. But it has no problem accessing local hosts, so long as it's from 8.8.8.8's record.

[–] [email protected] 1 points 1 month ago (1 children)

I suppose, but then you're kind of screwed if you want to access Jellyfin outside of your network. I suppose you could use a VPN, but it's probably easier to just not use the Chromecast (or just accept that it's going to hit the WAN regardless).

[–] [email protected] 1 points 1 month ago (1 children)

Yeah I don't expose Jellyfin over the Internet, so it doesn't matter for me, and wouldn't work at all over WAN (unless VPN'd to home network).

Also, it's all reverse proxied, and there's nothing preventing having two Jellyfin hostnames, e.g., jf-local.mydomain.com and jf-public.mydomain.com.

[–] [email protected] 2 points 1 month ago (1 children)

Then you're all clear.

I personally want my Jellyfin to be on the WAN, and I have certain devices on my internal network VPN'd to my VPS, which exposes the services I want to access remotely. But if you don't need that, using the local addr in your DNS config totally works. Getting TLS certs will be complicated, but you don't need that anyway if everything is local or over a VPN.

[–] [email protected] 2 points 1 month ago

Getting TLS certs will be complicated

I just use Let's Encrypt with a wildcard domain


same certs for public and private facing domains. I'm sure this isn't best practice, but it's mostly just for me so I'm not too worried :)

[–] [email protected] 1 points 1 month ago

Why not use a different DDNS service? There are plenty out there. :) I think this may solve your issue. I've been using freemyip.com''s for a while and have had no problem in the past issusing LetsEncrypt SSL's. At the moment, I'm on Cloudflare tunnels so it's automatic with them, which I know is a huge trust issue for a lot of people, but I don't mind it for my stuff. But I do like to have my DDNS as a backup service from time to time.