it is quite obviously not scope creep, as the systemd init system does not contain a DNS resolver.

the systemd family of tools does contain one, because the creators decided to create one with functionality not existing in alternatives. but the init system does not have a built in DNS resolver.

resolved is not part of the init system.

I don’t understand why isn’t it talked about more that the new outlook uploads your email account login passwords to microsoft, and accesses your emails through microsoft servers. a gaping violation of privacy and security

shouldn’t fe80::1 always just work if IPv6 is enabled?

it would still the ISP router be the one that connects to the network outside the building, so chances are that if it comes again over tge network cable, it will still only fry the ISP router

yeah, it’s the operator’s job to help setting that up

wow not just totally unprofessional, but even downvoting the calling out the lack of credible security! you can be ashamed of yourself, and hope that your clients never find out you are a contrarian

I really doubt your work has anything to do with computers

would not ever use your services in that case

much of the internet is run on simpler software or by full time employees tasked to deal with all this. but sure, ignorance is bliss, what you don’t see does not exist, etc etc, keep running your Jellyfin exposed to the internet. you wouldnt even get to know when your system is compromised. but you know what? you could even remove your password for extra convenience. who would want to log in to a random jellyfin account anyway! surely no one! just don’t recommend these practices to anyone, because you are putting them at risk.

idk man, I wont keep my front gate unlocked just so my friends can come in without keys. either they accept having to carry an additional key, or they won’t have access without me, but I’m not going to compromise on reasonable security. oh the burden I know.

I’ll help them set it up if they want it, they are not on their own. but zero effort won’t work.

to be fair, Jellyfin had multiple unauthenticated vulnerabilities in the past so it makes sense to talk about it

well, at least you are not depending on the application to do TLS properly, and you may be able to set up some access restrictions that your clients may support

you are better just closing up shop then, because it’s not like the other services you are hosting are much better. vulnerabilities being discovered don’t mean they don’t exist, it just means the software is not popular enough or too complex for someone to look into it

they are not setting up the Jellyfin server either, why would they need to bother with the VPN?

Tvs game consoles rokus so on so forth typically don’t support VPN clients.

and that’s why you set up a VPN client box on the location, set it up as a regular VPN client, and install a reverse proxy on it that the dumb clients can connect to.

the VPN box could be as simple as an old android phone no one uses, and termux

I know way too many people who won’t remember to toggle it on, or just won’t deal with it

they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.

I know way too many people who won’t remember to toggle it on, or just won’t deal with it

they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.

yeah but even with plain wireguard the peers can be limited. you just have to figure out the firewall rules, or use opnsense as your wireguard server because it figures the harder part out for you.

Yes, not everyone. My grandmother would struggle setting up a VPN, for example.

that’s a weird take. your grandmother doesn’t need to set up a VPN. It’s not like this is where they would get stuck, they would have problems much sooner with running their own Jellyfin. that’s why you are hosting it for them, and why you go there and set the VPN up yourself.

there is just too much place in the codebase for vulnerabilities, and also, most projects like this are maintained by volunteers in their free time for free.

I guess if you set up an IP whitelist in the reverse proxy, or a client TLS certificate requirement, it’s fine to open it to the internet, but otherwise no.