selfhosted


LunaCtld, (edited ) in I want to set up a selfhosted RSS reader but feel a bit lost

I have personally been very happy with FreshRSS. Nowadays I use Nextcloud News (just a Nextcloud app) for it. So if you already have Nextcloud you don’t even need to selfhost something extra.

They both have WebApps. FreshRSS has a few themes to fit your taste and Nextcloud News will obviously follow your Nextcloud theming.

As far as apps go, FreshRSS has (probably) more than Nextcloud News. I personally like Feeder (only in PlayStore but worth it imo). For Nextcloud there is an App with the same name. Also good imo, but FreshRSS/Feeder has more customization options.

EDIT: Here is a nice list of a lot of Feed Readers: github.com/awesome-selfhosted/awesome-selfhosted#…

JoeKrogan, (edited ) in How to access traefik hostnames from tailscale clients

I use wireguard and nginx but I set my WG DNS as the server IP. I have adguardhome running on the server and have added the external domains to map to their LAN address so they resolve locally when using the VPN or the LAN. A similar setup should work for you.

BearOfaTime, (edited ) in How to access traefik hostnames from tailscale clients

I assume when you say externally you mean via Tailscale, but without running Tailscale on each container/service?

What I currently do is run Tailscale on a few workstation-type devices, but everything else in my network doesn’t run the Tailscale client (partly because things like printers, routers, etc. can’t run the client, and it’s less convenient for things like servers).

Those types of devices can be accessed by running one Tailscale node as a Subnet Router. This device is then able to route traffic to its subnet. Currently I use a Raspberry Pi for this.

My Pi also runs PiHole and acts as my DNS server, so it can name resolve local resources, though I don’t think this is required, because Tailscale has its own DNS resolution called Magic DNS. So your Subnet Router should be able to resolve those names anyway (going off memory here, so be sure to check the docs, I may be misremembering how it works since I use the same device for DNS).

You don’t even need Tailscale on a remote device to access your LAN - if you enable the Funnel service, you can provide an inbound encrypted path to specified resources.

WASTECH,

That is almost the exact same thing I am doing. I have 2 Pi’s running PiHole in HA and I just made one of them the subnet router to allow this access. Since I will be the only one using this, I don’t care to use Funnel right now, but thanks for showing that to me. I am (obviously) new to using Tailscale, and that looks like a very neat feature.

brewery, in SSO with automatic user creation

I found that it really depends on the app and how they’ve set it up. For the vast majority, the users in your SSO will be added to the other app when they first login. I use Authentik and Nextdoor, and the user is automatically created from details from Authentik. Generally you can enable multiple login types so can play with SSO whilst still enabling access until it works. You can usually switch off non-SSO access afterwards too.

You set which field defines the user (e.g. username or email). If there is already a user then it’ll just login to that account you already created, so you can also create a user in both.

You can limit access to certain groups of users in Authentik. You can also setup headers that get passed along to apps (e.g. in Nextcloud you can setup a size limit for each group that gets passed on to Nextcloud when they first register - the Authentik or Nextcloud documentation tells you how).

I found quite a few apps don’t have SSO functionality, and I usually end up doing a reverse proxy pass through Authentik. Nginx Proxy Manager first goes to Authentik, you login then it’ll pass you to the app. If already logged into Authentik, NPM takes you directly to the app. I switched off login altogether on the apps, especially for tools where you don’t need users (e.g. Stirling PDF). Only logged users get to the app. Authentik can forward any headers you set so I have a feeling you can use it for the app’s own login (though not new users) but not managed to work it out.

One app I tried recently had SSO but you couldn’t enable access to the main household for new SSO users so had to create an account in the app first, then SSO would let users login. I ended up not using that app for other reasons anyway.

I do recommend Authentik and you can setup access one by one so definitely try it and see.
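
The reverse-proxy pass-through described in the comment above, written out as a plain nginx server block. This is an added example, not from the post or from either project's shipped configuration; the hostname `app.example.lan`, the app address `127.0.0.1:8080`, the outpost address `authentik:9000` and the certificate paths are assumptions.

```nginx
# Added example. Assumed names: app.example.lan (proxied vhost),
# 127.0.0.1:8080 (the app, bound to loopback only), authentik:9000 (outpost).
server {
    listen 443 ssl;
    server_name app.example.lan;
    ssl_certificate     /etc/nginx/certs/app.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/app.key;   # placeholder path

    location / {
        # Every request is checked against the Authentik outpost first.
        auth_request /outpost.goauthentik.io/auth/nginx;
        error_page 401 = @goauthentik_proxy_signin;

        # Pass the outpost's session cookie back to the browser.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # Identity is taken only from the outpost's response ...
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
        # ... and replaces any header of the same name sent by the client.
        proxy_set_header X-authentik-username $authentik_username;
        proxy_set_header X-authentik-groups   $authentik_groups;

        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }

    # Subrequest target: the outpost decides, the request body is not needed.
    location /outpost.goauthentik.io {
        proxy_pass http://authentik:9000/outpost.goauthentik.io;
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # Not logged in: send the browser to the Authentik login flow.
    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```

With the app's own login switched off, this proxy is the only access control, so the app should listen only where the proxy can reach it (loopback or an internal container network) and never on a LAN-facing port.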

Atemu, in The "safest" way of self hosting

One “hammer” mitigation to most threats you could conceivably face when self-hosting is to never expose your services to the internet using a firewall. “Securing” your services against a small circle of guests/friends/family members in your home network is a lot simpler than securing against the entire world.
If you need to access your services remotely, there are ways to achieve that without permanently opening a single port to the internet such as Tailscale or ZeroTier.

Otherwise, commonly used tools in self-hosting such as Docker or VMs usually offer quite decent separation even if a service is compromised.

Nothing replaces good security hygiene though. Keep your stuff up-to-date. Use secure methods of authentication such as hard to guess passwords or better. Make frequent backups (3-2-1). The usual.

kureta, in Self hosted photo library with S3

You can use docker, mount s3 as a volume and use immich.

possiblylinux127, in Private and/or cheap places to register a domain

gen.xyz?

atzanteol, (edited ) in External email server vs port forwarding/vpn

I think mail forwarders are still a good way to go. It’s hard to predict how Internet providers will react to email running in their networks.

These days I have an ec2 at AWS for my mail server and use SES for outbound mail. I’m thinking of moving “receiving” back into my network with a simple chat forwarding service but keep SES for outbound. They handle all the SPF and DKIM things and ensure their networks aren’t on blacklists.

bartolomeo,

react to email running in their networks.

Is email dangerous? (I have no idea how email works so please don’t bombard me with acronyms)

atzanteol,

It’s spam they’re concerned about. Spam email is kinda “big business” and one way they thrive is by using bots to just scan for poorly-configured or vulnerable systems to hack and install an app that will let them send email from your system. By compromising hundreds or thousands of individual machines it makes it hard for mail providers to block them individually. It also uses a ton of bandwidth on internet service providers’ networks.

So some time ago service providers started to simply block port 25 (used to send email) on their networks except to certain services. I think they’ve backed off a bit now but inbound port 25 can often be blocked still. It may even be against their TOS in some cases.

bartolomeo,

Oh wow, thanks for the explanation.

Fisch, in How well does the raspberry pi handle being a moonlight client

I have a Raspberry Pi 4 with LibreELEC and Moonlight as a plugin. Streaming from my PC on 1080p with 60 fps and 80 mbit/s works great.

feedum_sneedson, in Does anyone else harvest the magnets and platters from old drives as a monument to selfhosting history?

Stanley

CriticalMiss, in Self hosted free iOS MDM

I remember researching the topic a while back. SimpleMDM seems to do it, but it requires paying Apple $300 a year. Luckily, Mosyle allows up to 30 devices for free.

Zealousideal_Fox900, in Private and/or cheap places to register a domain

asurahosting?

atzanteol, in Private and/or cheap places to register a domain

123cheapdomains.com

chris, in Self hosted photo library with S3

Piwigo has an S3 extension piwigo.org/ext/extension_view.php?eid=691

owenfromcanada, in Private and/or cheap places to register a domain

I use Dreamhost, can’t speak to the privacy but the rates are pretty good
