Thank you, that’s an excellent read! This reminds me of the “expected value of perfect information” - sometimes it is worthwhile to answer a question, and sometimes it isn’t. Every once in a while I find myself in an engineering call discussing a minor problem, and I run the numbers to see if the change we are discussing is even worth talking about. One time the combined salaries of the people on the call had already outpaced the cost savings of the change over the next 10 years. We quickly stopped that discussion lol

Is American Pragmatism a thing? If you explain it to me, will I feel better about myself?

Indeed, and good points. How many users do you have? I assume this isn’t just for you, and setting up multiple nfs shares with tailscale access policies isn’t feasible. SMB might be the best play. I’ll have to refresh my memory on file sharing protocols

NFS for storage, tailscale / wireguard for access control?

Put http://0.0.0.0:11473

Your current setting is the “loopback” address. You’re listening for traffic to this address, and the only thing that can send to the loopback is yourself. This is a safe default, it means only the computer running the software can talk to it. Generally 0.0.0.0 listens on all available addresses. If that doesn’t work, use your local / internal ip.

This ui smells like it’s trying to hide the implementation details, but that makes things extremely difficult when troubleshooting

You can reduce doorknob turning dramatically by running on a non-standard port.

Scanners love 80 and 443, and they really love 20, but not so much 4263.

I used to run a landing page on my domain with buttons to either the request system / jellyfin viva la reverse proxy. If you’re paranoid about it, tie nginx to a waf. If you’re extra paranoid, you’ll need some kind of vpn / ip allow-listing

That looks promising. Just keep in mind that this will take a very long time to run. I believe there is a *arr out there that can manage this / show progress, but the name escapes me

Are you telling me that pop tarts are not in fact ravioli?

I don’t do anything interesting. I’ve got the ten workspaces, and win+p to start stuff.

The only interesting thing is win+PrintScrn, which takes a screenshot to /tmp, and then opens it in pinta to crop.

Actually I also have win+z bound to turning off the laptop screen. That’s all I can remember

Hey! Best of luck, I’m actually going down the same road at the moment :)

I would build it yourself - it’s more fun, and is cheaper than renting over a shorter-than-you-would-think time period.

The first thing to know is whether or not you can port-forward / if your isp has you behind nat.

Exposing virtual disks is relatively straightforward, or even just storage quotas on a single disk. I’m about to jump into the wide world of zfs; I need to glue together 4+ disks into a single storage array.

If you want everyone to have a separate VM, you’ll need some kind of hypervisor underneath. Could you grant everyone a user account in a single system, and use docker for separation?

It sounds like the others will be connecting remotely - make sure you use ssh keys (not passwords) and disable root over ssh. Once ssh is exposed to the internet, you’ll see a lot of failed login attempts

The VPN catches all network traffic and puts it far away - you can’t be on vpn and see local network resources (casting targets) at the same time.

If your vpn has an app, check your settings for something like “local network access”.

Otherwise, start reading about split-tunnels and/or default gateways

Optimus gets complex quick. You’ll be reading pci bus ids before you know it. Keep the wiki open, go slowly; you got this :)

Wireguard creates a new network interface that accepts, encrypts, wraps, and ships packets out your typical network interface.

If you were to create a kernel network namespace and move the wireguard interface into that new namespace, the connection to your existing nic is not broken.

You can then use some custom systemd units to start your *rr software of choice in said namespace, rendering you immune to dns leaks, and any other such vpn failures.

If you throw bridge interfaces into the mix, you can create gateways to tor / i2p / ipfs / Yggdrasil / etc as desired. You’ll need a bridge anyway to get your requester software interface exposed to your reverse proxy.

Wireguard also allows multiple peers, so you could multi-nic a portable personal device, and access all your admin interfaces while traveling, with the same vpn-failure-free peace of mind.