I don’t like the idea of security by obscurity, seems like a lazy way of trying to protect a resource.

What do you mean?
The frontend yeah, but seems the S3 objects would still need to be public.

I resorted to buy a new one with android tv, so now I just have tailscale installed in it and can directly play jellyfin.

The issue is the chromecast can’t resolve back to the tailnet with subrouting. Probably connecting the chromecast to a network which resolves the connections for it could work, but I don’t know how to do that or if it’s actually possible.

The actions are amazing, and I was also able to integrate them with tailscale so I can build and deploy everything within my network automatically.
I run it in a vps with 1cpu and 2gb ram along several other services.

I’ve been thinking on pre-processing my library to be able to serve it on a low level device, have you thought about that option?
In my case since I know what content I’ll be watching the most in what devices and have the space to duplicate it (since I don’t want to lose the original files)

Here’s one I’ve been playing with https://github.com/jhj0517/Whisper-WebUI
The small model of fast Whisper has been amazing for the 3 options it gives (files, YT, or recording), tho I have in mind the limitations and I’ve only used it with somewhat clear audio.

Probably the federation is still trying to access matrix.example.com instead of just example.com to get the .well-known configuration.
I’m not sure how to make this work in general, you need a way for the federated instances to ask your instance for the configuration in the host you want.

I never understood this, it’s your selfhosted server but you kind of don’t own it and depend on them, so you just have an application which depends on a their service which means plex isn’t 100% selfhostable, correct?

I’m not sure how nextcloud handles it, but as long as you can resolve the domain then you can put whatever you want.
You usually purchase a domain so it appears in the internet with the major DNS’, but if you only have the site in your internal network then you can put whatever you want as long as you update your internal DNS.

Usually you can do this by manually updating the hosts file in your machines.
But a better way is to have something like PiHole, in which you can set your local DNS to resolve to your own IP.
After that the only annoyance are the SSL certificates which will be selfsigned since browsers show a warning but some services don’t have a way to work with them.

I thought this too, I hated docker because it was supposed to be the solution of “works on my machine” and the only thing that did for me was force me to learn more configurations besides the configuration of the service you wanted to install.
And as you said, plus the hassle of having to run some Linux distro.
But little by little I had to get deeper into docker and Linux, mainly because of my work, and now I can easily deploy any service in the VPS I have or test it with WSL. I even started dockerizing some of my own flows like building and deploying my own projects with docker.

Believe me, it’s worth all the time to learn docker and linux.
Start small, few lines or keywords each day, you won’t have everything you want to deploy in a day or two if you don’t already know all the technologies.
And remember, if you don’t easily find something you can always come to ask in a post and we can try to help you!

Plus you can’t add tags in Android.

About the DNS, you can use an internal DNS and find some way for your VPN to configure it in all the machines connected to it.
DNS usually has a fall back if the name is not found, so you can always have your custom DNS on and it’ll first check its own records then check for some level up (I’m basing this off of my experience with with pihole https://docs.pi-hole.net/ftldns/ )

About your ports question: you just need to change the ip to the VPN one.
For example, I have a VPS which has a public IP and I have tailscale installed.
If I were to make my service listen to all interfaces I could use 1.2.3.4:1194 or 100.100.100.100:1194 (this being the tailscale ip)
But I usually only configure them to listen to tailscale0, so I can no longer reach them with 1.2.3.4:1194, only with the tailscale ip.
In your DNS you need to configure this new IP to be served.

I’m guessing you can also do some configuration with a firewall.
Probably ufw add allow from 10.0.0.0/8 could work if this was the IP range of your VPN, then any one can still use your public IP and only your VPN will be able to connect (But don’t quote me on this, I haven’t done it).
(Just be sure to check the configuration of your service, docker can bypass ufw :/ )

Probably they have the service configured to only listen into the interface of the VPN.

I use caddy with PiHole. The Caddyfile is easy to set up with your hostname which will be automatically redirected to HTTPS.
The issue will be the annoying (but useful) alert of a selfsigned certificate if you don’t own the domain.
So I have a cheap domain for my local network and configure caddy to do the acme challenge via DNS instead of HTTP.

I can give you more details tomorrow.

And forgejo runner is basically github actions, I just started automating a lot of my personal projects. (it’s in alpha state, but my basic actions haven’t had any problems)