Right. Then if this would have been locally hosted, it’s like complaining about the service of their electricity company or ISP. Could similarly be reasonably considered on- or offtopic. But I think this sub is more in the spirit of “there is no cloud, just someone elses computer”. I’m with mod on this one.

Just a small number of base images (ubuntu:, alpine:, debian:) are routinely synced, and anything else is built in CI from Containerfiles. Those are backed up.

If not for political reasons then why limit first version to Google/GitHub rather than starting with generic OIDC (which should include those two anyway)?

We also took your feedback seriously and we are now implementing proper sign-in options like: Google GitHub (and more coming later)

Sounds like you have a stable life. Good on you.

The advantage to using something like terraform is repeatability, reliability across environments and roll-backs.

Very valuable for a stress-free life, especially is this is for more than just entertainment and gimmicks. I’d rather stare at the terminal screen for many hours than suddenly having to do it when I don’t for 1.. 2… 3… (oh god damn the networking was relying on having changed that weird undocumented parameter i forgot about years ago wasnt it)

NFS works great for media files and stuff but be careful and know what you are doing before you go put database storage on it.

Chimera Linux is very interesting. Has anyone here tried running it?

One way to go about the network security aspect:

Make a separate LAN(optionally: VLAN) for your internals of hosted services. Separate from the one you use to access internet and use with your main computer. At start this LAN will probably only have two machines:

• The server running Jellyfin. Not connected to your main network or internet.

• A “bastion host” which has at least two network interfaces: One connected outwards and one inwards. This is not a router and should be separate from your main router. This is the bridge. Here you can run (optional) VPN gateway, SSH server. And also an HTTP reverse proxy to expose Jellyfin to outside world. If you have things on the inside that need to reach out (like package updates) you can have an HTTP forward proxy for that.

When it’s just two machines you can connect them directly with LAN cable, when you have more you add a cheap network switch.

If you don’t have enough hardware to split machines up like this you can do similar things with VMs on one box but that’s a lot of extra complexity for beginners and you probably have enough of new things to familiarize yourself with as it is. Separating physically instead of virtually is a lot simpler to understand and also more secure.

I recommend firewalld for system firewall.

TLS (https) provides transport security that whatever is server by the mirror is really associated with the doman name for that mirror domain name. Each HTTPS response is signed live so the private key must be “hot” and loaded in memory on the mirror (or its reverse proxy).

PGP signatures provides integrity and authentication that the package files themsvelves have been signed by the repo signing key. This signing can be done once per package and the private key can be offline.

HTTPS is not a replacement for PGP sigs. They are for different things. HTTPS will provide a bit better privacy (and now that I think of it, theoretically some package manager could be vulnerable to downgrade mitm - substitute a package with a legit and signed but older vulnerable version - or other bugs).