• 0 Posts
  • 14 Comments
Joined 7 months ago
cake
Cake day: April 5th, 2024

help-circle



  • Get your firewall right then maybe add fail2ban.

    You could also consider IDs/IPs on your primary router/firewall if this is internal. If not you can install surricata on a public server. Obviously if you go with something as powerful as surricata you no longer need fail2ban.

    Keep a sharp eye on any users with sudo. Beyond that consider docker as others have mentioned.

    It does add to security because it allows the developers a bit more control of what packages are utilized for their applications. It creates a more predictable environment.




  • I’m spoiled now. I prefer ubiquiti equipment for my network, security camera, and even door access.

    However, if you prefer completely open source I can recommend opnsense and openwrt. Personally I prefer a single point of configuration… So all ubiquiti for me… It makes it easy to restore a complete network configuration as you are discovering is a pain.

    Maybe start with the new cloud gateway max as a router if you are interested.


  • When I was experimenting with this it didn’t seem like you had to distribute the cert to the service itself. As long as the internal service was an https port. The certificate management was still happening on the proxy.

    The trick was more getting the host names right and targeting the proxy for the hostname resolution.

    Either way IP addresses are much easier but it is nice to observe a stream being completely passed through. I’m sure it takes a load off the proxy and stabilizes connections.




  • Not without good logs or debugging tools.

    You need to know what to observe. You are not going to get the information you are looking for directly from zfs or even system logs.

    What I suggest stands. You have to understand the behavior of the USB controller. That information is acquired from researching USB itself.

    Now if you intend to utilize something like a USB enclosure you indeed would be better off with something like ext4. However, keep in mind that this effect is not directly a file system issue. It’s an issue with how USB controllers interact with file systems.

    That has been my experience from researching this matter. ZFS is simply more sensitive.

    In my experience even for motherboards that have port limitations it’s possible to take advantage of pci lanes and install a hba with an onboard SATA controller. They also make pci devices that will accept nvme drives.

    Good luck with your experimentation and research.


  • This takes a degree of understanding of what you are doing and why it fails.

    I’ve done some research on this myself and the answer is the USB controller. Specifically the way the USB controller “shares” bandwidth. It is not the way a sata controller or a pci lane deals with this.

    ZFS expects direct control of the disk to operate correctly and anything that gets in between the file system and the disk is a problem.

    I the case of USB let’s say you have two USB - nvme adapters plugged in to the same system in a basic zfs mirror. ZFS will expect to mirror operations between these devices but will be interrupted by the USB controller constantly sharing bandwidth between these two devices.

    A better but still bad solution would be something like a USB to SATA enclosure. In this situation if you installed a couple disks in a mirror on the enclosure… They would be using a single USB port and the controller would at least keep the data on one lane instead of constantly switching.

    Regardless if you want to dive deeper you will need to do reading on USB controllers and bandwidth sharing.

    If you want a stable system give zfs direct access to your disks and accept it will damage zfs operations over time if you do not.


  • I use using docker networks but that’s me. They are created for every service and it’s easy to target the gateway. Just make sure DNS is correct for your hostnames.

    Lately I’ve been optimizing remote services for reverse proxy passthru. Did you know that it can break streams momentarily and make your proxy work a little harder if your host names don’t match outside and in?

    So in other words if you want full passthru of a tcp or udp stream to your server without the proxy breaking it then opening a new stream you would have to make sure the internal network and external network are using the same fqdn for the service you are targeting.

    It actually can break passthru via sni if they don’t use the same hostname and cause a slight delay. Kinda matters for things like streaming videos. Especially if you are using a reverse proxy and the service supports quic or http2.

    So a reverse proxy entry that simply passes without breaking the stream and resending it might ook like…

    Obviously you would need to get the http port working on jellyfin and have ipv6 working with internal DNS in this example.

    server {
        listen 443 ssl;
        listen [::]:443 ssl;  # Listen on IPv6 address
    
        server_name jellyfin.example.net;
    
        ssl_certificate /path/to/ssl_certificate.crt;
        ssl_certificate_key /path/to/ssl_certificate.key;
    
        location / {
            proxy_pass https://jellyfin.example.net:8920;  # Use FQDN
            ...
        }
    }
    

  • Music playlists are different from Plex. You can create them import them or generate an instant list.

    4k is seamless and performs better imo. You can use transcoding or not if you have files they way you want them. If you do you can select on a per user basis who gets to transcode.

    You can set bandwidth limits.

    I’ve seen a feature to allow multi user streaming the same movie so you ig watch at the same time. I use npm and often a couple peeps might watch a movie at the same time without using this feature and works fine

    I use the client app on Android and a firestick atm. I think I just downloaded it but you can side load too if you want. The media server app is available for various os. So technically you could set it up on whatever you want. Just check your app store

    https://jellyfin.org/downloads/clients/

    It can plug into homebrew or m3u playlists for live tv if that is your suggestion. It has a plugin for nextpvr and tvheadend if you utilize those for over the air or already have an m3u setup too in those pvr services. Those are great btw and available in docker containers.

    It always defaulted to what I have my files encoded. It absolutely can transcode to support other clients and you decide preferences. I did notice since most of my files are h.264 with few h265 sometimes it helped to turn off transcoding for me because the client supported it natively. Jellyfin was transcoding h265 mkv to like an MP4. Anyway a quirk

    Login is pretty simple. Passwords users can change. Has codes it can generate to approve a new device if you are already logged into an app on your phone. Like 6 temp numbers. Can also setup pins or whatever they call them under users.