Put your local Jellyfin server in a tin, and securely serve it up on the internet 🚀
This project is especially helpful if you:
- Have a local Jellyfin server that you want to access over the internet
- Do not currently have any infrastructure to expose services to the internet
- Wish to hide + secure Jellyfin behind an identity provider
- Wish to use Jellyfin clients (Android, etc.)
If you're wondering, "Why can't I just expose my Jellyfin server to the internet?", I recommend reading "Collection of potential security issues in Jellyfin".
The final deployment looks like this:
👤 -> VPS
-> Nginx
-> Tailscale
-> Nginx
-> Authentik
-> Jellyfin
- Virtual Private Server (VPS)
  - BuyKVM is $2/month, but any VPS with an IPv4 address will do
  - Additional layer of security, e.g. hide your personal IP
- Nginx Proxy Manager
  - Management UI for Nginx
- Tailscale
  - Tunnel from VPS to your local network
- Authentik
  - Provide authentication via LDAP, SSO, etc.
- Jellyfin
  - You should already have a Jellyfin server
- Keep an eye on Jellyfin's SSO plugin and incorporate it here, once it is stable and no longer "100% alpha software."
- Await NPM's Fail2Ban feature request.
- Await NPM's CrowdSec feature request.
If you're using a Raspberry Pi, then you will need the 64-bit OS.
- Skip if already installed on your system
- Otherwise, install via ./docker_install.sh
- Deploy via ./authentik/
- Familiarize yourself with Outposts, Providers, & Applications
  - tl;dr: to deploy an application in Authentik, you need an Outpost to service a Provider, which services an Application
- Deploy via ./nginx_proxy_manager/
- Configure via ./docs/cloudflare_domain.md
- Harden via ./docs/vps_harden.md
- Configure via ./docs/tailscale_configure.md
- Deploy via ./vps_tunnel/
- Deploy via ./npm_tunnel/
- Configure via ./docs/vps_routing.md
- Configure via ./docs/npm_to_authentik.md
- Configure via ./docs/authentik_to_jellyfin.md
- Deploy via ./authentik_ldap/
- Configure via ./docs/jellyfin_ldap.md
- Create via ./docs/jellyfin_ldap_users.md
- Configure via ./docs/jellyfin_client_whitelist.md
You can use the helper script at ./all.sh to control this stack.