this post was submitted on 10 Nov 2023
Self-Hosted Main
I know that this is not the TrueNAS subreddit, but I wanted to get a fresh "outside of the box" opinion that might not be possible to get over there.

I don't really know much about networking, but I do know that ideal networks would theoretically have a single server perform a single task (i.e. web/email/file storage) and that each server would have a firewall server between them.

TrueNAS throws this out of the window because you can pretty much host everything together.

My question is to ask you guys what best security practices could be implemented (other than keep everything patched/updated frequently) if I were to try to run NextCloud and Navidrome and Jellyfin.

What threat mitigation tactics could I use inside and outside of this system to have reasonable security? The apps I listed seem to have pretty good support in TrueNAS Core, but maybe I should consider separate servers?

I wanted to add that I have a Sophos XG 115 that I will be putting OPNsense on and learning how to configure, and I have various Linksys routers that I can throw OpenWRT on too.

[email protected] 2 points 10 months ago

It depends on what your threat model is. If you are concerned about CVE-level issues like privilege escalation, you had better run images as a non-root user. But if what you care about is general security stuff, following the general rules for your networking topology would be enough.
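One way to apply the "run images as a non-root user" advice for two of the apps named in the question, as an added Compose example that is not from the thread or from the Navidrome/Jellyfin projects themselves. It assumes a Docker-based host such as TrueNAS SCALE (Core's jails work differently), and the UID/GID 1000 and the /mnt/pool paths are placeholders to adjust.

```yaml
# Added example, not from the thread. Assumptions: Docker host, a dedicated
# unprivileged user with UID/GID 1000 owning the app directories, and
# placeholder host paths under /mnt/pool.
services:
  navidrome:
    image: deluan/navidrome:latest
    user: "1000:1000"           # process runs unprivileged, so a container escape lands as this user
    read_only: true             # image filesystem immutable; writes go only to the mounted data dir
    tmpfs:
      - /tmp
    cap_drop:
      - ALL                     # no Linux capabilities; port 4533 is unprivileged so none are needed
    security_opt:
      - no-new-privileges:true  # setuid binaries inside the image cannot regain privileges
    environment:
      ND_PORT: "4533"
    volumes:
      - /mnt/pool/apps/navidrome:/data
      - /mnt/pool/media/music:/music:ro   # media is read-only to the app
    ports:
      - "127.0.0.1:4533:4533"   # loopback only: a reverse proxy or VPN fronts it, not the LAN/WAN
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin:latest
    user: "1000:1000"
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - /mnt/pool/apps/jellyfin/config:/config
      - /mnt/pool/apps/jellyfin/cache:/cache
      - /mnt/pool/media/video:/media:ro
    ports:
      - "127.0.0.1:8096:8096"
    restart: unless-stopped
```

Hardware transcoding in Jellyfin needs the render device and its group added back, so check each container's logs after applying these restrictions.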

[email protected] 1 point 10 months ago

No open ports. I run my services as a combination of Cloudflare, Tailscale and reverse proxy. The only exception is Plex, I keep a port open for Plex because I heavily use remote streaming.