this post was submitted on 13 Aug 2025
1 points (100.0% liked)

Selfhosted

60451 readers
946 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Edit: thanks for all your help and replies, this is a such a great community!

I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.

There's no way I'm going to get everyone onto a VPN, it's a non-starter though I would prefer it.

I am thinking to use a VPS with anubis and either crowdsec or fail2ban (or both?!) in front of Peertube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/Apparmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.

Despite all this I expect it will get scanned and attacked as it will have to expose ports 80/443 to the world so for family it will just work.

Is there anything else I should consider for security? Is Peertube the weakest link in the chain? (a little concerned their min password length is 6 it seems and no 2fa). So long as I keep whole thing up-to-date is it as secure as anybody can manage these days (without resorting to VPN)?

Is it all too much hassle and I should look for a company that offers hosted Peertube so they can worry about it?

Thanks for any and all advice.

all 11 comments
sorted by: hot top controversial new old
[–] Cyber@feddit.uk 1 points 10 months ago (2 children)

GeoIP blocking

You mention a firewall, but for any open ports still restrict the source IPs to limited ranges not "all".

Personally, at my home's edge firewall I have pfSense with pfBlocker and that uses a GeoIP database, so I can just pick the countries I want to allow in... you want to block as early as possible (ie at the VPS?), so you might have to look at options

If your family are in the same region, then it should be relatively easy to limit to a few ranges on the VPS

Here's a quick search result: https://lite.ip2location.com/ip-address-ranges-by-country

[–] glizzyguzzler@piefed.blahaj.zone 1 points 10 months ago (1 children)

Just came back to say the same thing, I use this for geo ip blocking and it’s so well featured it’s insane. Any VPS, just make sure to clear local IPs (incl. docker range if using docker - though it’s been improving so much it may handle that automatically now)

https://github.com/friendly-bits/geoip-shell

[–] IanTwenty@lemmy.world 1 points 10 months ago

Super useful thanks!

[–] IanTwenty@lemmy.world 1 points 10 months ago

Really good point. I can definitely restrict to one country and anyone using their own VPNs/TOR/whatever will be sophisticated enough to understand why its restricted and how to keep their access.

[–] jjlinux@lemmy.zip 1 points 10 months ago

If you're going to self-hosted instead of using a VPS (I know you said you're looking at a VPS solution, this is just in case) make sure you can segregate your networks. A router that allows you to create virtual LANs, same with the access points and switches if needed.

You don't want to expose all your devices to the internet for a few services.

[–] SidewaysHighways@lemmy.world 1 points 10 months ago

i hate to sound like a shill for one thing but pangolin tunneled reverse proxy is pretty cool way to expose stuff

[–] cantankerous_cashew@lemmy.world 1 points 10 months ago (1 children)

unethical life pro tip, but you can use the free tier of Cloudflare tunnels + Access to accomplish this. While technically against the ToS, I have been doing this with jellyfin for an over a year now, I don't cache anything, and my overall bandwidth usage is low it's probably not very noticeable. If I get banned at some point I'll just create a new free account ¯\_(ツ)_/¯

[–] KairuByte@lemmy.dbzer0.com 1 points 10 months ago

How is it against the ToS? I’ve never bothered to look that deeply into their rules, but this is exactly what I do now >.>

[–] ryannathans@aussie.zone 1 points 10 months ago (2 children)

Why can't use VPN? I got my family to, wireguard app with a configuration file you send them for import is pretty straightforward and needs no configuration on the user side

[–] IanTwenty@lemmy.world 1 points 10 months ago

I've got probably 30+ households of people and multiply that by number of devices....this is also something that will only be live for 12 months maybe. I think if I was doing something long-lived it might be worth the effort to get everyone onto VPN but for this....just can't justify the time. Thanks anyway.