The Uncast Show

Tailscale Magic

Unraid Season 3 Episode 6

In this exciting new episode of the Uncast Show, we welcome Alex Kretzschmar, Head of Developer Relations at Tailscale and co-host of the Self-Hosted podcast, to talk about the magic that is Tailscale.

They discuss using Tailscale on Unraid and announce an exciting new partnership and integration between the two products.

Later, they delve into other technical topics like NAT traversal, remote access, ts.net certs, Tailscale Serve vs. Funnel, and much, much more. 

Lastly, the conversation wouldn't be complete without self-hosting best practices: the advantages of containerization over virtual machines, emerging trends in the self-hosting space, and finding a balance between self-hosted and commercial products.

Where to find Alex Kretzschmar

Alex.ktz.me 

the Self-Hosted podcast 

Timestamps:

01:15 Intros

02:15 When Ed first started using Tailscale at c-base

03:34 New Tailscale on Unraid videos

04:25 Exciting partnership announcement between Tailscale and Unraid

05:00 What is Tailscale and how does it work?

12:50 Split DNS magic with Tailscale

16:13 Tailscale + Unraid = exciting new functionality

18:00 ts.net certificates and MagicDNS will make reverse proxies, domains and API keys largely unnecessary for Unraid users

23:55 Tailscale Serve vs Tailscale Funnel

27:45 Sharing tailnet access out to other people: how Jupiter Broadcasting and the Self-Hosted podcast use this feature

34:20 Tailscale + travel router = a great travel hack for RVers, road-trippers, cruisers or regular travel

40:00 Subnet routing in Tailscale

42:15 Tailscale is hiring! alex.ktz.me to get in touch

43:30 Essential steps for secure self-hosting

46:34 Setting up Unraid in a datacenter

50:00 Beginner self-hosting services to start with

55:45 Benefits and downsides of Docker containerization

1:01:10 Underrated self-hosted services and the most challenging self-hosted services to run

1:05:03 Emerging trends in self-hosting


Speaker 1:

Hi guys, and welcome to another episode of the Uncast Show, where we explore the world of Unraid servers, self-hosting and the tools that make it all possible. Today, I'm really excited because we've got a special guest who many of you will already know. Today on the show, we've got Alex Kretzschmar. He's the co-host of the Self-Hosted podcast, a leading voice in the open source world and the Head of Developer Relations at Tailscale, so it's going to be an interesting chat. First off, Alex, thanks so much for joining us today. In fact, I've been a longtime listener of the Self-Hosted podcast, so it's great to finally have you on the show. Well, that's pretty cool. Hey, Ed, how are you doing? I'm very good, thank you. In fact, actually, we did meet, didn't we, Alex, in London at the Lime Technology off-site meetup? But yeah, we did. It was in a bar with table tennis and a lot of music, so it was very loud.

Speaker 2:

My overriding memory of that place is it was dark, it was loud and Robbie from NAS Compares was being full Essex on us. It was a fun time though.

Speaker 1:

It was. Well, we could barely hear each other there, and at the moment it's raining here, so I'm not sure if you can hear it on my office roof, but hopefully we'll have a much clearer conversation. Hopefully, yeah. Anyway, it's great to have a Brit on the show, someone who understands that summer here is just two weeks of slightly warmer rain. But you live in the United States now, Alex? Yes, yeah, I do.

Speaker 2:

I'm from Basingstoke, originally. Amazingstoke, as we call it. But yeah, the journey of life has led me to Raleigh, North Carolina, these days.

Speaker 1:

Nice. So you know, like I said, I've been listening to your podcast for quite a while. I haven't been using Tailscale for that long, actually. It was Brent Gervais who convinced me to try it out, really. I met him in Berlin last year when I went to visit the Nextcloud offices, and he also took me to a place called c-base. I'm not sure if you've been there.

Speaker 2:

Well, no, but Brent is possibly my best bud and he and I talk about c-base all the time. It's like a crashed spaceship or something in there, like an old bus. Is that the place?

Speaker 1:

It's absolutely. It's insane. I've never seen anything like it. For everyone watching, okay, c-base. Basically it's a UFO-themed hacker space styled as a crashed space station, so it's basically like a sci-fi dream come to life for me. They host meetups and collaborations for kind of techie guys. It's one of the oldest and most iconic hacker spaces in the world, and it's entirely run by its members. You can go and use 3D printers, electronics stuff, things to fix your bike, and one of my favorite bits is they had a bar there, so that was... I hear they have a weekly NixOS meetup as well.

Speaker 1:

So if they do, yep. And actually Brent tried to get me to install NixOS, and I did actually install it whilst I was waiting for a delayed flight in the airport, but then I never actually continued when I got home. I know I installed it as a VM, like, logged in to the Unraid server, installing it there, but I think it's still on the Unraid server and I haven't actually started it up. Okay.

Speaker 1:

So, like I said earlier, Alex is to do with Tailscale. So on my YouTube channel recently I've put out a few videos showing how to use Tailscale with Unraid, demonstrating how to easily secure it and connect back to the server, access subnets and manage remote access.

Speaker 2:

Those videos have been great, by the way.

Speaker 1:

Oh, thank you.

Speaker 2:

We've been really, really excited. There's been no you know no cahoots. We haven't been in cahoots about these videos, have we no?

Speaker 1:

not at all.

Speaker 2:

People.

Speaker 1:

I've shown them internally at Tailscale and they've all been like, oh, these are great. Thank you so much. So thank you from a bunch of Tailscalers to you. Thank you. Well, thank you very much, Alex. I really appreciate that. But I've got something very exciting for all of the audience listening that I can announce on the show today, and this is the first place that you're going to be hearing it: Tailscale is officially coming to Unraid and is going to be built right into the OS. The team's been working with Derek Kaser, who's the author of the Unraid plugin, to basically make that happen and have it become part of the OS. Now I know some of our listeners, Alex, might not be familiar with Tailscale or why it's such a game changer. So, Alex, could you start by explaining what Tailscale actually is and why it's so important for us kind of home server enthusiasts and home labbers, etc.?

Speaker 2:

Yeah, well, for those of you that are listening that don't know, I cut my teeth on Unraid originally 10, 15 years ago now, my goodness, back when sort of one and two terabyte hard drives were the norm, and what drew me to Unraid as a product was mismatched drive sizes. You know, you could put any disks into your array and have one, I think it was one parity drive back then, I know you can do more nowadays, and you didn't have to be subject to the limitations that you were subject to with something like ZFS. And I know Unraid does ZFS now too, but back then I was a poor student, so there was just no chance that I was going to afford an entire ZFS array's worth of disks. What I could do was run a server permanently in my house with a couple of disks in it. You know, three, four, five terabytes worth of storage at most.

Speaker 2:

When you've got a server running in your house full time, you start thinking to yourself well, what else can I do with it?

Speaker 2:

And so you start putting something like Plex on there, which is the gateway drug for a lot of us self-hosters, and before you know it, you've got, you know, 20 or so different self-hosted applications, everything from invoicing to trying to figure out how I'm going to host my documents with Nextcloud to who knows what else, right?

Speaker 2:

And when you're running that stuff on a server in your house, it's all fine, you're on your LAN, you can connect to that server and it gets a local IP address and you type 192.168, whatever and put a port number in and it's all gravy.

Speaker 2:

And then back then I was working at the Apple Store in retail and I was like, I want to watch some of these videos on my lunch break that I've got on my server at home, and so that remote access bug started to trickle away and tick over in my head. So I started learning about things like port forwarding, which is where you open a hole in your firewall pointing directly to that server. Essentially, you're putting the thing in your house directly on the public internet, and you're then at the behest of the application developers to write safe code, which, as we all know, application developers never have bugs. Applications are totally secure. And so that was the way it was for a long time. To be honest, we had OpenVPN, which sometimes let us get into remote networks securely, bypassing the port forwarding thing for the most part, but you still had to run an OpenVPN server somewhere and forward that port to the node that's running in your LAN, and one thing.

Speaker 1:

One thing, Alex, I always used to find about OpenVPN, sorry to interrupt you there, but I'm sure many other people have found it as well, is you'd end up getting a new laptop or something and you'd have all your OpenVPN configurations on the old laptop, and you'd kind of be off out somewhere and think, oh, I really need to connect back, and you think, oh, I haven't got my configurations. But, as I'm sure you're going to go on to tell us, Tailscale gets around all of that as well. Yeah, and it does in a really interesting way.

Speaker 2:

And so the reason that you do port forwarding is because IPv4 addresses are limited, right?

Speaker 2:

There's only so many different subnets and CIDRs and all the rest of it that you can have on the public internet. So your ISP probably gives you, I say probably deliberately, a public WAN IP address. In version four speak, some ISPs put you behind what's called double NAT, carrier-grade NAT, because they don't want to have an entire pool of IPv4 addresses that are quite expensive to acquire these days. So essentially they're running their entire ISP as a LAN, effectively, so you get a local IP address, which means when you want to try and connect to that remotely, you can't, because you don't have control over their firewall. Which brings me to another point. One of the real pain points, besides port forwarding, was knowing what your public WAN IP address was. Do you remember you had to run like Duck DNS or dynamic DNS, right? Yeah, this was essentially a script that ran somewhere in your house and it updated a remote server. Cloudflare still does this, I think, and there's a bunch of other tools that still do it, and they had to update a DNS record in the cloud in somewhat real time. And there was a period of time, I think, where it was either BT or Virgin in the UK that were just rotating IP addresses every six hours or something on my one, and the script just couldn't keep up and the DNS stuff was always wrong and it was just a pain.

Speaker 2:

Enter Tailscale. Okay, so the reason that I started working here was because probably about two years ago, and I've been at Tailscale now for about a year, I noticed in the Synology app store that there was a new app called Tailscale. I said, oh, what's this thing? I should give it a look. And it does something called NAT traversal, and this is the absolute magic of Tailscale, and forgive me for sounding like a sales pitch, but I genuinely believe what I'm saying. Like, I wouldn't work there and I wouldn't do this job if I didn't personally find it solved a huge challenge for me. But the reason that NAT traversal is so amazing is because when you want to make a connection between two different devices, you have to have a direct path between them, and typically we would do that, as I say, with port forwarding. But with Tailscale, the NAT traversal piece uses a third party, what we call a DERP server, a relay server, to establish a known point of contact between those two devices and then essentially abuse some advanced techniques within the NAT space to create a direct connection between your phone at the coffee shop and your Unraid server in your basement or under the stairs or wherever it might be. And that really means you don't need to do a whole bunch of stuff. You don't need to do dynamic DNS anymore, you don't need to open ports in your firewall anymore, you don't need to worry about ports and all the rest of it, because you can just use Tailscale's native tooling to provide TLS certificates for all your services.

Speaker 2:

And the best part, coming back to what you said a moment ago: we handle all the key exchange for you. The private keys never leave the devices in question. So there's no risk of Tailscale reading your traffic, because we don't have the keys to decrypt. It's end-to-end encrypted and the private keys never leave your device. But when you install it on a new phone or a new laptop or whatever.

Speaker 2:

Like you were saying, you are authenticating to the cloud authentication server, the Tailscale servers, the control service, and we do all the WireGuard key exchange underneath. So we essentially just add your node to the tailnet and then there's a bunch of rules. You can configure ACL policies to say this node is allowed to talk to that node on this protocol, on this port. If you want to get really nitty-gritty, there's a whole bunch of stuff you can do. But essentially it just completely solved the remote connectivity piece for me, to the point where I now have one personal tailnet that's bridging a server running in Norfolk, a server running in Lancaster, both in the UK, and all of my servers here in Raleigh, and I can use a single DNS, like I have a subdomain linked to each of those sites. But as long as I'm connected to my tailnet, I'm connected to those sites as well, and it's the mesh network of my nerd dreams come to life, really.

Speaker 1:

I remember as well watching one of your videos, Alex, about how you actually have your naming convention with the subdomains to basically locate where they are.

Speaker 2:

I thought that was very, very clever. This is born out of having two or three different sites to manage, really, and trying to figure out a logical way to manage it, because the last thing you want is for one of these sites to be dependent on a different site. And if my internet here in Raleigh goes out for whatever reason, I have a power cut or someone cuts through the fiber line or whatever, I don't want my mother-in-law to be without DNS, right? And so what I try and do is I set up each site as a standalone unit and then use subnet routers and a bunch of Tailscale's features to kind of bridge them all together. But the naming convention I came up with was service name, so it could be jellyfin, then host name, so it could be, you know, the name of your server, Unraid, or it would be tower, right, for you guys. So it'd be jellyfin.tower, and then I'd say .norfolk, for example, and then I'd have .alexktz.com, whatever, you know. So you've got a five-level-deep subdomain system going on there. But I know just by reading that subdomain exactly where in the world it is, which box it's on and what the service is.

Speaker 2:

Now, if there's only one instance of Jellyfin in the house, which is probably likely, you can omit a couple of different things if you want to make your life simpler. But the nice thing about having the subdomains is you can wildcard all of the DNS for that specific host to a specific IP address in your LAN. You don't have to do an entry per service. You'd be like, right, well, all the tower.alexktz.com stuff always goes to 192.168.whatever, and it just works. Like, you don't have to ever think about it. Yeah, that's.

Speaker 1:

That's really super cool. I haven't actually tried it out myself, but it is something I really want to do. I've always set up public IP addresses in Cloudflare and that kind of thing for my Tailscale IP addresses.

Speaker 2:

We've got videos about that topic and you can do that if you want to, because it's only so... Tailscale has a pool of what are called CGNAT addresses, basically the 100.100 CIDR range, the subnet range. It's a reserved range and we use that internally. I think you get four million addresses on a tailnet or something, and you can put those 100. IP addresses quite safely into Cloudflare if you want to, publicly, and they'll only be routable if you're connected to your tailnet.

Speaker 2:

So yeah, you're not exposing anything, you're not risking, you're not poking holes in your firewalls. Those packets can only flow over the WireGuard tunnel underneath if the device has the correct key to unlock the door. Yeah, I don't think you used to be able to actually put kind of like local IPs into Cloudflare at one time.

Speaker 1:

I think it's only in the last few years you've actually been able to do it. I may be a hundred percent wrong, Alex, but was that right? Yeah? Yeah, I think they had to be kind of public IPs, but anyway. So basically, you know, it looks like when we're going to have the official plugin in Unraid, users are going to have a great amount of ease of access and security. That's the idea.

Speaker 2:

Yeah, so you'll be able to share your Unraid server that's under the stairs with a friend of yours and do remote ZFS replications, all encrypted, all over Tailscale, all for free, because that's another thing: we offer 100 devices and three users for free. Yeah, and I've always thought that Unraid was missing a trick by not letting me carve out a few terabytes on my friend's server on the other side of the country, and with Tailscale you're going to be able to do it without Unraid being involved.

Speaker 1:

Really. So, you know, Unraid is adding support for the ts.net certificates. So, you know, could you explain how these certificates will make it easier for Unraid users to actually access their home networks?

Speaker 2:

Well, how much do you love reverse proxies? How much do you love configuring certificates?

Speaker 1:

About as much as I like mowing the lawn. And how long is your lawn right now? Knee height, probably. Yeah, don't ask.

Speaker 2:

Yeah, you know what's weird? A quick tangent. What's weird about moving to America is that grass doesn't really grow on its own here. You have to seed it and care for it and properly tend it. It's weird, like, I'm used to England, where grass just grows.

Speaker 1:

Here you need to dig up a piece of turf, Alex, and bring it with you, and bring some English grass, and then you have to do it.

Speaker 2:

It would not survive in North Carolina in summer, if I'm honest, bud. You go for, probably, like June, July, August, it's well over 30 Celsius every day, man, nearly 40 some days, and it's humid, really humid. Anyway, we digress slightly. What was the question?

Speaker 1:

I was just asking about, yeah, the certs in Unraid and how that will make it easier for people.

Speaker 2:

Yeah, and maybe kind of tie that into, if you could, explaining MagicDNS as well and why that's useful for users. Yeah, sure. So we've covered the DNS a little bit already, but essentially every tailnet gets its own unique DNS name and that's on the ts.net subdomain, right?

Speaker 2:

So there are, for free, several things you get with Tailscale anyway, and one of those is a .ts.net domain for your tailnet, so you can refer to devices anywhere that you can reach them with their fully qualified domain name, if you'd like. And so the benefit of that is that if you're running, I'm going to use Jellyfin again, if you're running Jellyfin and you think, right, I wish this had a TLS certificate, because the Jellyfin client's always complaining about a self-signed TLS certificate, you can run tailscale cert and then use Tailscale Serve to actually generate automatically, via Let's Encrypt, a certificate for any of your self-hosted services running on your Unraid box. You don't need to worry about API keys in Cloudflare to prove ownership of a domain. You don't even need to own your own domain. There's a bunch of complexity that it removes completely from the end user with just a couple of commands that mean that you can verify cryptographically that.

Speaker 1:

I'm sorry, Alex. If you can hear a funny tune in the background. One of my servers has a beep speaker and I have it play a certain little song at a certain time to let me know it's that time of day. Well, it's 5pm on day. What is? It's 5?

Speaker 2:

pm on a friday.

Speaker 1:

So there we go you know, so it will stop in a moment.

Speaker 2:

What song is it?

Speaker 1:

playing. I'm gonna sound very, very nerdy if I say here. It's actually a Jeroen Tel Commodore 64 song that I converted into beep form using an emulator, putting it into an MP3 and then making it into beep. I would expect no less of you, Ed. I know. So yeah, sorry to interrupt you with.

Speaker 2:

With that, Alex. No, I don't think there's much more to say. I mean, the general idea is that there's a lot of problems that require some specific knowledge.

Speaker 2:

In fact, just last week, I was putting together a tutorial on how to host a cloud VPS, install Tailscale on that cloud VPS and then use the Tailscale tunnel on the back end to expose Jellyfin to the public internet. And as I was making this video, I sort of thought to myself, oh, this is going to be a 10-15 minute tutorial, easy peasy. And then I'm like, oh, shoot, we need to generate an API key for Cloudflare, we need to do another one for DigitalOcean so we can spin up the VPS with Terraform, and then we need a Tailscale auth key, and then we need to do DNS. And it's just like, when you do this stuff for a living, like I do, it isn't that bad, but I always come across the.

Speaker 2:

I was trying to explain this to be like, would I be happy to walk my mother through doing something? And if the answer is no, then the sad reality is that many, many people in the real world (I don't think sometimes I live in the real world) wouldn't be bothered either, and a lot of what Tailscale's core mission is, is to really make things simple. So if there's a pain point like certificates, if there's a pain point like connectivity, smooth those edges, round those corners and make it easy for people, and that really is what we're trying to do.

Speaker 1:

So basically, with the ts.net certificates, people connect to their Unraid servers through a name, so they can have their server name.

Speaker 2:

You know, like, I don't know, whatever it might be called. Yeah, so because Unraid has a sort of cloud connectivity piece, right, and I mean that is nice, but the downside of that is it's obfuscated but it's still out on the public internet and there is no identity validation, whereas with a Tailscale connection you connect to the Tailnet client on your phone and then only you can reach that endpoint. It's not like you, Ed, could guess the right string of characters and figure it out and reach my front door. No, literally, cryptographically you cannot, because you don't have the right keys. You cannot route packets to that endpoint. So I think it's going to be really interesting to see how it replaces or maybe augments the existing Unraid remote functionality, and also you don't have to touch your router at all.

Speaker 1:

Yeah, that's a big one for a lot of people. You know, at the moment, to use Unraid Connect you do have to forward a port. So, oh yeah, if you don't do that it's not going to work. And so people who are on things like Starlink, well, you're not going to connect to your Unraid server.

Speaker 2:

That way so.

Speaker 1:

Tailscale gets around all of that.

Speaker 2:

Starlink is a big one. So the reason that we say that is because Starlink does what's called the carrier-grade NAT piece, where they don't give you a publicly routable IPv4 address. They give you either an IPv6 or some kind of double-NATted IPv4 address, so you don't have access to the Starlink firewall.

Speaker 1:

So you're kind of out of luck, really. Yeah. I just wanted to ask you a question as well, Alex, on some of the kind of maybe more advanced parts of Tailscale. I just wonder if you can explain to me the difference between Tailscale Serve and Tailscale Funnel. Oh yeah, absolutely. So Tailscale.

Speaker 2:

Serve is essentially like a reverse proxy, and so is Funnel, actually. The idea behind them is Serve exposes things inside your tailnet using proper certificates, again, because you can integrate it with Let's Encrypt, just one command. Essentially you redirect a port. So let's say you have a Proxmox front end, for example, running on port 8006. You want that to be actually just running at a specific domain name on port 443, so it's transparent. You know, you don't have to type a port number. Well, you can use Tailscale Serve to redirect those ports a bit like you would with any other reverse proxy.

Speaker 2:

Funnel does exactly the same thing, except it puts it on the public internet. So obviously there's a risk involved there, because you can very easily, with one command, put your Unraid box out on the public internet. Obviously that carries some risks with it and you want to be cognizant of those risks. The other thing to consider with Funnel is that we proxy all of the traffic.

Speaker 2:

It's still going through Tailscale once it gets to us. But essentially you are beholden to some quality of service, bandwidth limitations. So you're not going to be streaming Jellyfin through Funnel, not reliably, just simply because it's a free service that we offer our users. As you know, many of our people at Tailscale are developers, and so the reason that we created Funnel as a technology was, well, I'm working on a website prototype and I want a quick way to share this database with my colleague over there that's running a webhook or something as part of their CI job that they're testing real quick. Or it was just supposed to be a way to throw up quick and dirty prototypes onto the public internet, or very simple static websites. You know, it's not designed for things like video streaming, right?

Speaker 1:

Would it be okay for something like Nextcloud, for self-hosting Nextcloud, or maybe?

Speaker 2:

Again, it depends on the meat. Like, if you're putting your photos through Nextcloud, I mean, it would work, but it wouldn't be performant. And what I would say at that point is that many people who think they need Funnel actually don't, because with Tailscale's direct connections, every device becomes a client on the network, and I kind of want to draw an analogy at this point, because, let me just bring up something one of my colleagues... where's my mouse gone? That's my mouse there, it is okay. Essentially it's the difference between a hub and spoke model. So, rather than sending everything through a central thing, which is what you're doing with Funnel, and you're therefore bandwidth constrained, you're making that direct connection from your phone back to home base, and so you get full line speed, full connection speed between those devices, which makes a huge difference.

Speaker 1:

I know Unraid has got in the pipeline plans to be able to streamline a method for sharing SMB on the tailnet, so I was wondering if you could tell me, Alex, I know it's possible to share parts of your tailnet out to other people. How does this feature work and what kind of controls do users have on who actually gets access? Great question.

Speaker 2:

This can get a little complicated if you're not careful. But the short version is, let's say I want to give you access to my server, and by access I mean I want to let you access things running on port 443 or port 80 or something like that, the web ports. I can go into the Tailscale admin console and share a node with you. You will then be able to route packets from your tailnet into mine, and essentially that's it. I can create access control lists if I want to, that limit you to specific ports. Like, say I don't want you to have any way to route packets on port 22, for example, for SSH. I can put a rule in place that would prevent that.

Speaker 2:

In fact, by default, all of Tailscale is built on a process, a principle, sorry, of zero... it's not quite zero trust, but it's close. Default deny is our default state, so you do have to explicitly allow anything that you want, any traffic you want to pass. But in fact we're doing this, we being Jupiter Broadcasting with the Self-Hosted podcast that I also do. We just threw up a server into a colo in Canada and we don't want to put that thing on the public internet. But I also don't want that in my personal tailnet. I want that in a Jupiter Broadcasting tailnet, because it's business infrastructure and we want it to be kosher and everything to be segmented. So I created a brand new tailnet for Jupiter Broadcasting and I installed the Tailscale client on that backup server in Canada, and then I shared that node into my personal tailnet so that I can still do ZFS send using the fully qualified domain name of that remote host in the remote subnet.

Speaker 1:

But it still retains full independence in both places. Cool. And one thing people might wonder about: say, for instance, Alex, you were to share something on Tailscale with me, that doesn't mean that you would then be able to access my tailnet.

Speaker 2:

Does it? No, not at all. As I say, it's a default deny model. So unless you share something with me explicitly, the blast radius... I can't route packets from that node you've shared, for example, out to other nodes on your tailnet, unless you let me.

Speaker 1:

Yeah, yep. So basically, we both have to share what we want with each other. So, yeah. Now, if you're a family, you don't need to worry about it.

Speaker 2:

It makes sense to have a single tailnet with multiple users. So, you know, you've got yourself, you've got a partner, a kid or two maybe, and you're running a self-hosted, let's say, Immich instance where you're backing up all your family photos. At that point, you don't want to create four tailnets, one each, and start sharing stuff between four different tailnets. You want to create one tailnet and add multiple users. And actually, coming fairly soon, I don't honestly know if I'm supposed to say this out loud, but hey, we've had one exclusive in this show already, let's have another one. We are looking at, I'm going to say this very carefully, we are looking at launching a personal pro tier which is going to allow people to have, I think it was, up to half a dozen users. Don't quote me on that. The numbers changed a little bit over the machinations and the brewing period of this one, but essentially for free you get 100 devices and three users, as I've already mentioned. But we're going to make it fairly cheap for families to adopt a personal pro account that is going to support, I think, up to six people within a single family unit, a little bit like what Steam have just added and Apple Family Sharing.

Speaker 2:

At this point, I think we're all used to family sharing, but the rationale there is that you don't want to be having to worry about the intricacies of multiple tailnets. Again, this comes back to a founding principle of Tailscale, of rounding off complicated corners and making things smoother and more easy to use. Essentially, I want to treat any of my self-hosted services like I'm on the LAN, wherever I am, and that includes, you know, my kid's phone taking a picture and automatically backing up to Immich and all the rest of it from, I don't know, Scout camp or wherever they're at. You know? I still do Scout camps. Is that still a thing?

Speaker 1:

Yeah, I don't know. I remember I went to Scout camp when I was very young and I just couldn't wait to get home. But maybe they're not as good in the UK as they are in the US.

Speaker 2:

I don't know. I mean, I went to a UK one. I actually remember we built a... there was this thing called the May Fair, on like May Day, May 4th, the bank holiday, and we built this massive A-frame out of like tree trunks. There was a guy called Kevin who was a volunteer firefighter, I think. Fireman, sorry. Gosh, I have Americanized. I've only been here six years and I have seriously Americanized.

Speaker 1:

The thing is, Alex, I still hear you actually do say ZFS, then you don't say ZFS yet.

Speaker 2:

So I switch like crazy because my name has a zee in it, or a zed in it. Like I've always been Alex KTZ in my mind, but it's ZFS. But it's zpool. It doesn't make any logical sense. It really genuinely depends what it is. And Toronto's airport code is YYZ, even though it's a song by Rush, who are a Canadian band, that would say zed. There's zero logic in here. I'm just going to warn you of that to anybody listening.

Speaker 1:

Don't take a word I say seriously, because it's all just mush. Like, you know, I say ZFS all the time now. I never... I used to say ZFS, but my wife is American so I get Americanisms from her, and I have a lot of people in the UK. They go, you're meant to be from the UK. You're not meant to say ZFS. Like, why are you saying that?

Speaker 2:

Oh, I said router the other day and someone looked at me like I was made of stone, so you know, yeah, don't say router in Australia.

Speaker 1:

No, what do they say? Wow, I can't say it like... but no, sorry, you don't say root in Australia. It has a different meaning. So the UK router, it has a very different meaning. Yeah, people can go and look it up after they watch this podcast. Not safe for work, got it? I was talking to one of the Unraid staff recently, Larry, and he mentioned actually this kind of travel router thing that he picked up recently off Amazon. I think it's the GL.iNet, I think MT3000, yeah, and apparently that runs Tailscale and he used it at the hotel connecting onto their Wi-Fi. Then he had the tailnet going back to his house so he can route all of his traffic through his own internet at home, and then the travel router has its own Wi-Fi network so then all of his devices can connect to that through Tailscale back to his house through his own IP. Have you seen more people using Tailscale in similar ways with these kind of standalone devices, Alex?

Speaker 2:

Well, you know, that's a travel hack waiting to be discovered right there. This is quite popular amongst RVers. It's popular amongst people who go cruising, and by cruising I mean the safe-for-work version of cruising.

Speaker 2:

Go on cruise ships for their holidays, basically anywhere where somebody who provides you Wi-Fi tries to nickel and dime you based on the number of devices that you've connected. So you take one of these little travel routers with you, you connect it to the hotel Wi-Fi and then connect your phone. This is also true on planes, by the way. You connect to the Wi-Fi of the travel router through your phone or laptop or whatever. Do the captive portal thing. These networks typically authenticate based on MAC address, and so the MAC address you're authenticating isn't your phone or your laptop. You're authenticating the MAC address of the travel router to that remote Wi-Fi network and so, so far as the hotel is concerned, or the cruise ship or the plane or whatever, you've only got one device, and they have no idea that you've got actually three iPhones and two iPads and a laptop and an Apple TV and all the rest of it. The other benefit of that is it means you don't have to reconnect all of these devices to a new Wi-Fi every time you decamp to a new place, so you're taking a road trip and you're going through 10 different Airbnbs every night.

Speaker 2:

It can genuinely be a bit frustrating to have to remember, well, what's the Wi-Fi password that this random person set here.

Speaker 2:

And the really nice thing about those GL.iNet devices is it means you've just got that single configuration point and then, to put icing on the cake, you don't necessarily want all of that traffic going unencrypted across their network, and so Tailscale is a bit different from what we would call a traditional privacy VPN like a NordVPN or a Private Internet Access or a Surfshark or any of those.

Speaker 2:

Instead, we can use something called exit nodes to kind of turn Tailscale into one of those features, and so what we can do is on the GL.iNet, and indeed any client also, because it's a mesh network, remember, we can connect devices directly to, you know, let's say I'm in the UK and I want to come out of my house here in Raleigh because my online banking doesn't let me access it from another country, which is totally actually what they do. Yeah. I can turn on exit node functionality and route the packets from my phone out through this house as if I'm stood in or sat in this chair, over what's called exit node functionality. And you can do that same thing through the GL.iNet too. The nice thing about that is it means all of the traffic between the GL.iNet and the exit node is encrypted, so the person on the remote Wi-Fi has no idea what you're doing. They won't see the DNS queries. They won't see...

Speaker 1:

They won't see any of it. I had one of the earlier GL.iNet devices and I'm not sure if the new one is the same. But you also have a little switch on the back where you can turn the VPN on and off. Yeah, is that the same on the new ones?

Speaker 2:

Alex, I'm not sure if you've seen them. They used to only have one or two models, but I think they've got like a dozen now. So I'm going to plead ignorance on that one.

Speaker 1:

Take... plead the fifth, right? But you know, I thought that's pretty cool, so you can switch the VPN off if you kind of need to have regular traffic. Yeah, but then you toggle the VPN and you're going back through. Yeah, the other...

Speaker 2:

The other nice thing about it too is that, let's say, you find a client that can't natively run Tailscale, which is quite tricky to do because we run on iOS, Android, Apple TVs, Firesticks, iPads, laptops, anything pretty much from BSD right the way up to Windows we run on these days. But there are some embedded devices that have Wi-Fi, ESP devices are a good example, that don't natively support Tailscale yet, or don't support Tailscale yet, and so if you connect those devices to your GL.iNet router that's connected through Tailscale, you can still gain some of the same routing benefits that you would otherwise get if it was a native Tailscale client. So let's take the Jellyfin example again. Let's pretend you have a media player that can't run Tailscale natively and you want to access a Jellyfin server remotely. Well, if you connect through the GL.iNet, you can actually reach your remote Jellyfin server, even if the client itself isn't a Tailscale client.

Speaker 1:

Can we talk a little bit about subnet routing as well, please, Alex?

Speaker 2:

Oh, this is a fun one, funnily enough. So I have a backup server at my mother-in-law's house near Norwich, so I do cross-ocean geo-replications of my ZFS data. But that server is in a remote network and I have no way to access the IPMI capabilities of that system from here without something called subnet routing. So what this does is the remote subnet is, I think it's 192.168.16.x. I think it's a /24, so there's 250-odd devices in that subnet. I've no way to access those unless the Linux box is turned on, which can be a bit of a problem.

Speaker 2:

Sometimes, let's say, it's been a power cut or it's just not turned on for whatever reason. So I need a way to get to the IPMI interface of that box, and so my firewall at that place is an OPNsense box, and so what I've done is I've turned the OPNsense box into a subnet router which forwards all packets and publishes a route for that subnet to all of my Tailscale devices and clients so that I can actually access any device in that 16.whatever subnet as if I was on that same LAN. So essentially, the short answer is it takes a remote subnet and publishes a route to all of your Tailscale clients so they can access non-Tailscale-native devices: printers, IPMIs, robot vacuums, whatever. So basically it just lets you pretty much be exactly the same as if you're connected to your Wi-Fi at home.

Speaker 1:

You can connect to anything on your subnet or, for people who don't know what a subnet is, that's basically your local IP range. And I've done totally the same thing you have, Alex, except I'm a pfSense fan as opposed to OPNsense. But I've got like a VLAN I use for all of my CCTV cameras. Yeah, so obviously you can't install Tailscale on a Reolink CCTV camera, but I just use the subnet routing. It's a great example actually, on pfSense, to be able to connect to my cameras and see them, so I can run the, whatever it's called, the Reolink app and I'm able to actually still connect to my cameras without having to go over... the cameras is a great example. Well, I think we've pretty much spoken about everything I can think of about Tailscale personally, but is there anything?

Speaker 1:

Is there anything kind of in the pipeline for Tailscale that's coming that you can talk about, Alex, or... oh, I don't know if I'm...

Speaker 2:

I always get confused about what I can and can't say, so I think I'll plead ignorance and just say watch the YouTube channel, take a look at our blog and all that kind of stuff and we'll post announcements over there. We are, by the way, hiring in Europe for a dev advocate. So if you're into the DevRel space and you are a Tailscale super fan and you want to go to events and represent the company and write for us and do all the kind of, basically what I'm doing, getting people as excited about Tailscale as I am, get in touch. You can find me at alex.ktz.me on the internet and I'm on, you know, Mastodon and, I'm going to say Twitter, but it's not anymore, all those good places. Self-Hosted Show as well, the podcast.

Speaker 1:

I'm over there. So, yeah, get in touch if that sounds interesting to you, we'd love to hear from you. And whilst I've got you here, Alex, excuse me, whilst I've got you here, Alex, I wondered if we can speak a little bit about self-hosting. Yes, please, let's do that. I would love to leverage some of your knowledge there.

Speaker 1:

So the first question I've got about self-hosting is basically, when it comes to self-hosting, it kind of ties in, I know what you're kind of probably going to say with this, but people are often concerned about security when they self-host stuff. They kind of think, oh, I don't know about self-hosting, I know Google is going to be secure. What are some essential steps you'd say home users should take to secure their self-hosted setup?

Speaker 2:

This is a trick question. I thought we'd moved on from Tailscale. I think, keep it simple.

Speaker 1:

I'm talking more, I guess, about kind of services that are publicly accessible, I'd say. So something that's not private.

Speaker 2:

I draw a line in the sand between services I want public and those that I don't. So it was Linode for a long time, it was DigitalOcean for a long time, I think it's Hetzner these days. I have a cloud VPS that I run the handful of things that I want to be public on. You know, my public blog, perfectmediaserver.com, a bunch of other stuff, right? Most of the rest of the stuff that I want to host is not for public consumption, and so I just keep it on my LAN, and now with Tailscale I can just connect to it from wherever I am.

Speaker 2:

So for me it's a very simple delineation: keep the public things public and put them in a public VPS. Okay, it costs me, I think, seven or eight euros a month for a Hetzner box, but I then don't have to worry about DMZs or, you know, weirdness with putting things on my public LAN, and it just keeps things simple, and that's my philosophy: keep it simple for your mental model. So when something goes wrong, and it will go wrong at some point with self-hosting, because that's just the way it is, you are able to quickly understand where something is, which again speaks to my DNS philosophy, where something is, what it's running on and what the kind of impact, severity, like the blast radius of a problem might be. Yeah, so.

Speaker 1:

So basically, private stuff keep on a separate box, really, and public stuff have on a VPS. I actually set up a Hetzner box myself recently and it was, I think, because I watched the Self-Hosted podcast and you guys were talking about how reasonably priced they are.

Speaker 2:

I think I pay surprisingly cheap.

Speaker 1:

I think I pay 30 pounds a month. I got 64 gigs, about six terabytes. It's either a four or six terabyte spinning rust drive, two 512 NVMes, and I managed to install Unraid on there. I made like a kind of install script to be able to put it onto their USB drive. But what I've put on there is ErsatzTV, which again I got from the Self-Hosted podcast. Yeah, that was Chris, that one. Yeah, yeah, it's just like so cool. I haven't yet.

Speaker 1:

And for people watching who don't know what ErsatzTV is, it basically allows you to stream your own TV channel. So, yeah, me being a bit of a sci-fi nerd, I've got my favorite sci-fi shows on there, like Andromeda, Star Trek, et cetera, and it just randomly plays episodes so you can turn it on and you might be 10 minutes before the end of an episode. But, like you were saying on the podcast, like Chris was saying, you don't always... You've got Plex, Emby, Jellyfin, but you kind of go on and think, what am I going to watch, right? And I mean, it's the old days of, you know, just turning on BBC2 and being like, all right, I guess I'm watching...

Speaker 1:

I guess I'm watching Deep Space Nine, or whatever, Next Generation at six o'clock now, whatever it used to be. When I go to Mom's house, like, you know, my stepdad, he might have something on the TV. He's watching just some random kind of Star Trek and I think, oh, I kind of get quite into it. Yeah, I think I forgot about that.

Speaker 2:

I think there's an aspect of creative gap filling that you do with the narrative too, like you come in halfway through an episode. It's almost like you're Inspector Clouseau trying to figure out what's happened in the first half. How did they get here? And you kind of miss that if you... How many times have you got to a hotel and turned it on and there's just been some crappy nineties movie playing and it's 11 pm at night and you get so invested in the last hour? Yeah, it happens all the time. And ErsatzTV lets you essentially turn your media collection into a TV station. You can have multiple channels, different EPGs, different times of day. You can even have the little test card of the girl with the chalkboard or whatever, if you want to, at 2 am with the beep.

Speaker 1:

Yeah, you know, and people actually put the old-fashioned adverts in, don't they? They download the adverts from period commercials. Yeah, so it's really, really super cool. And the reason I put it over there is because I was worried about the bandwidth. I thought I'd rather the bandwidth be coming from there. I know it probably doesn't really do, you know, that much, but I decided to do that anyway. If you're a single user, it doesn't.

Speaker 2:

Honestly, unless you're watching 24/7, it probably doesn't matter, but as soon as you start sharing it with friends and family, then it can add up pretty fast. Yeah. Another thing I thought of, Alex, is, I'm not sure, you know, if no one's watching it...

Speaker 1:

Are the hard drives still spinning up? Is it still kind of pushing out the content, or does it only... Okay, so that was one thing. I didn't want my hard drives always spun up if I was running it locally at home.

Speaker 2:

So I thought, yeah, if you take a look. So I'm a big fan of Quick Sync for hardware transcoding, but, you know, low energy usage transcoding, and it doesn't appear to be active when I'm... Right, okay, that's good to know.

Speaker 1:

Yeah, anyway, kind of moving on. For someone who's new to self-hosting, what would you recommend as the first few services or applications to actually try?

Speaker 2:

Solve a real problem. For me that was media. For you it might be something else completely different. It might be recipes, it might be document management, it might be invoicing, who knows what it is. But start by looking at a service you're paying money for through a proprietary service that you don't own the data for, and if you care about this kind of data sovereignty angle of, well, what happens when that company gets acquired or goes out of business or gets hacked? If you care about that stuff, bring those services in-house one by one. You don't have to rush, you don't have to do it all at once.

Speaker 2:

This is a hobby that's kept me occupied now since I was 19, 20. When I got my... I think I started off with a Drobo and then I got a Synology and then I built my first Unraid box. You know, this is a journey, and the destination is the journey, like in terms of, for me at least, it's kind of like... If I had to compare it to 3D printers, self-hosting is a little bit like buying a Prusa, where you have to build it yourself and assemble it yourself. I mean, I know you can buy a pre-made one, I know that, but for the most part it's a tinkerer's device, right? It's something that you're going to spend time fettling and tuning and loving and bringing to life.

Speaker 2:

For some people, that's not what they want. They want the Bambu Lab, they want the ready to go, pre-assembled, 10 minutes out of the box, thank you. And for most people that means Apple Photos. For most people that means like Google Photos, or it means OneDrive or Google Drive or whatever it might be. But for me, I care sufficiently about where that data lives that I would much prefer it lived in my basement rather than a data center powered by who knows what in who knows where. And really it's a philosophical thing. Nobody ever gets into self-hosting to get rich or to get, you know... I'm trying to think of the best way to describe it, but it's essentially just know what you're in for, right? You're in for owning your data. That's a good thing, and it's also a bad thing, because when you screw up, there's only one person to blame, typically, and it's usually you. So, you know, solve a real problem, to answer your question. Scratch an itch, learn some stuff, make some mistakes with a low-hanging service.

Speaker 2:

If the question was, how do I get started in home automation? A great answer for that would probably be, in my opinion, something like Home Assistant with a couple of light bulbs. Nobody's going to get injured if a light bulb doesn't turn on. You can still go and flick the switch on the wall if a light bulb doesn't turn on. So whilst you're learning, keep it low stakes, and then over time, as your confidence grows and as your skill set grows, you can start to really become reliant on these things. Like all the lights in this, you know, filming room that I'm in, my office, they're all hooked into Home Assistant and it's all automated and I really seriously rely on some of the home automation stuff I've got going on in here. But, you know, at the beginning, if it didn't work, it didn't matter, you know. So like I can be like, oh look, no light, it's all done from Home Assistant.

Speaker 1:

So, you know, solve a real problem. I think, like you say, people have got to be like, the journey is very important. It's not the destination of just having the finished product.

Speaker 2:

I think it's a bit like, kind of like my dad in his day would tinker with his car. Yeah, I'm glad you went there, because that's a really good comparison too. We tinker with our servers, but we couldn't tinker with cars.

Speaker 1:

Nowadays they're too complex, or I'm sure some people can. You know, I can barely, you know, remember to top up my car with oil. So they do need it, though, they do. But, you know, I normally drive my car till it breaks and I know it's time to go to the garage.

Speaker 2:

But yeah, fill up with some more oil. And you get there and they look at you weird and they say, Ed, did you know...

Speaker 1:

This is an electric car. Talking about going back to our thing as well, I want to know, Alex, what was the first service you ever self-hosted yourself?

Speaker 2:

Hmm, it was probably Remote Desktop. So this goes right the way back to when I was in sixth form college and I've been fascinated with remote access since forever. I mean, I've got a computer over here but I am over there and you mean I can connect to these two things? And for me it was going to sixth form college in Winchester and my house in Basingstoke, trying to connect from school back to home to get around internet content blocks, really. That was what I wanted to do, and that meant putting port 3389 out on the public internet back then and my Windows box directly out on the internet. It horrifies me thinking about doing that now, but that was what I did as a 17 year old. So yeah, I would say probably the first self-hosted service was my own computer with Remote Desktop, if that counts. Yeah, I think it does.

Speaker 1:

So, you know, Docker, not only in the Unraid world but everywhere, has become really popular in the self-hosting community. Now, what are your thoughts on the potential benefits and downsides of using containerization versus, say, like, a V... not a VPN. A VM, that's the word I'm looking for.

Speaker 2:

Thank you, Alex. How did we get an hour into this without mentioning Docker? I think that's amazing, don't you? So a little bit of personal history here. Way, way, way back. This is like 10 years ago.

Speaker 2:

I was very deeply involved in the Unraid community and I used to host something called the Arch VM, which was essentially a package repository, built around the same principles as the AUR, for people to host media acquisition apps. Let's put it that way. And essentially around that time, Jon P and Tom and a few other folks were looking at adding Docker to Unraid. I think Eric Schultz too. And this was pre-Docker being 1.0, so this is a very long time ago. So they added Docker and there was a moment... I used to reinstall servers for fun back then. I don't do that now, but I did then, and so I got actually really good at configuring all of my apps because I could just click through and be like, right, I remember this setting does that, and yada, yada, yada. There was this one time where I'd spun them up using Docker, literally just after Docker had been added to the product for the very first time. I blew my server away, but the app data lived somewhere else, and I then just pointed the Docker containers back at the same app data volumes and everything was exactly where I left it. And I'm like, holy moly, this is the future. I understand containers now. This is why they're so cool.

Speaker 2:

And 10 years later, I've ended up building a career on top of it. I ended up going into OpenShift stuff at Red Hat doing Kubernetes work, and now at Tailscale. I don't do as much containerization stuff as I can, but any chance I get, all of my self-hosted infrastructure, everything is running out of containers, like everything. I just find the encapsulation... It's very lightweight compared to a virtual machine. It just makes sense to me. It did what systemd did for Linux in terms of accessibility. Containers allowed me to operate at a level well above my skill set. Back then I couldn't compile a Linux kernel. Back then I had no idea what I was doing, and yet I could type these few Docker commands in and suddenly, hey presto, I've got Plex running. Okay, sick.

Speaker 2:

So around that time, it must have been the 2013, 14 era, myself, Jonny Mo and Stian, who went by the name Lonix on the Unraid forums, we all got together and co-founded LinuxServer.io. We noticed that, at that point, there weren't really many standards behind creating these containers for the community. There weren't shared base images. The documentation, if it existed, was all over the place.

Speaker 2:

And so we kind of took it upon ourselves to create an Unraid-first containerization project. Just take other people's apps and package them up, really. It kind of snowballed into a bit of a juggernaut and I'm not involved in the project actively anymore for various reasons, but it's something I'm deeply proud of and I know that many of your listeners will be using it today. I run into people all the time that are using LinuxServer containers, myself included, by the way. I still use them, and it was just that standardization thing, really, that kind of tipped the scales in favor of Docker for me, and I've never really looked back. I mean, I still use virtual machines for some things, but for the most part I'm a container-first sort of guy.

Speaker 1:

So your Home Assistant. How do you run Home Assistant, Alex? Is that running on a real box, a VM, or in a container?

Speaker 2:

It's running on top of Proxmox as a virtual machine because Home Assistant specifically provide what's called HAOS, which is Home Assistant OS, which is an encapsulated way of running Home Assistant with a bunch of containers kind of baked into that virtual machine image. And the reason I do that is because it makes it easy to back up that virtual machine as an atomic thing, as a holistic thing. I can take that entire blob and just pick it up and move it somewhere else. And so right now it's a virtual machine running on Proxmox. It's moved from running on the bare metal a couple of times and I've moved it around several times over the years and it always just comes back. So, HAOS for me. Yeah, I do the same.

Speaker 1:

I run it as a VM. I used to run it in a container but it was just not as good as running it in a VM and, like you say, if I do an update or anything, I'll just do a ZFS snapshot on the VM before I do, and then if it goes wrong, I can just literally go back. So I think using a VM for that is really cool. So, any self-hosted services or tools that people might not be aware of but have been a game changer for you personally?

Speaker 2:

Oh, Stirling PDF? Definitely. Have you heard of this one? I haven't. No. How much do you love Adobe Acrobat? Yeah, right, nobody ever says lots. If you ever need to do anything with a PDF, just type it into Google: Stirling, S-T-I-R, Stirling PDF. Bring this one up and have a look at it, because it's a tool that lets you split PDFs, annotate them, rotate them, password protect, compress them, modify the message, like any operation you need to perform on a PDF, you can do with this application in a web browser, and it is so nice and I don't think hardly anybody knows about it. No, I've never...

Speaker 1:

Never heard of it. I'll be checking that out when we finish the podcast, Alex, I think. Good, good, good. I also would like to know, what's the most challenging service or application you've ever tried to self-host, and why, and what did you learn from doing that?

Speaker 2:

I'm not going to include OpenStack, because that's a beast, or OpenShift, because that's... OpenShift 3, because that was also a beast. Probably Invoice Ninja, because it didn't ship with a web server built in. So I had to figure out how to kind of tie together multiple different containers and namespaces and, you know, it was just a whole mess.

Speaker 2:

But things have come such a long way. I mean, the standardization that LinuxServer brought to the containerization space should not be underestimated. In my opinion, the work that they still do today on using the s6 supervisor to essentially recreate an init system inside the container means that nowadays you can run multiple services in one container. Even though it's a little bit of an anti-pattern from a purist's perspective, these days using s6 lets you run the web server and the app and the database and who knows what else all in the same place, which for most of us that are home users, that's actually what we just want, the simplicity. We don't need the purism that perhaps some people would tell you is required for containers. Yeah, so for me I think probably Invoice Ninja was the most difficult one, but that doesn't mean there weren't others. Maybe there's others I just completely gave up on. Yeah, I managed to get Invoice Ninja working in the end, but, yeah, just going back to the LinuxServer containers.

Speaker 1:

We haven't actually mentioned it, but I believe all of them now have a Docker mod you can do to actually integrate Tailscale directly into the container. Yeah, I think most, if not all, of them do.

Speaker 2:

You can. I did this with one of the Tailscale demo containers about a year ago, so I'm a little bit rusty on the details, but essentially you can bake Tailscale directly into the LinuxServer containers and put the containers directly on your tailnet. Now, another way you can do that is to run what's called a sidecar container, and I've got a whole video about this on the Tailscale channel. It's about 30 or 40 minutes long, talking about how the Linux kernel namespacing works for networking and stuff like that. It's super nerdy if you want to get into that kind of stuff. But there's a few different ways to do it. And if you're running LinuxServer containers, the Docker mod is a really good way to do it. If you're running other containers, then the sidecar way is the way to go.

Speaker 1:

So, yeah, what trends do you see emerging in the self-hosting space? Are there any new kind of technologies or practices that are kind of reshaping people's home labs that you can see?

Speaker 2:

Hmm, well, 10 years ago it was containers. You know you were mad if you ran containers in production 10 years ago and now you're crazy if you don't. These days, I think a lot of it's moving towards uh, click ops type stuff. You know, Home Assistant's moving more towards UI-based configuration from YAML files, and essentially there's a phrase uh called crossing the chasm, that essentially we have mostly exhausted the technical early adopters for self-hosting. I think, you know, people like you and me who are fairly technical, who are willing to put in the time and effort to put all the nuts and bolts together. And, um, you know, the journey is the destination type people. The trend I think I see coming.

Speaker 2:

And there's websites like, uh, selfh.st. You know the one, uh, bringing more polish, bringing more fit and finish to deploying apps, to the media around the space. You know you look at people like Techno Tim, who I know was on this show a few weeks ago. Uh, Tom Lawrence, um, who else, Wendell, like these people in the world, like these guys are deeply technical. But there's a new crop coming through of folks who are just bringing a level of polish to the space that we haven't seen before. Yeah, uh, some of it comes around. Some of the stuff that our friend Robbie from NASCompares talks about, like there's a whole bunch of new NAS companies starting to come through in the marketplace as well, like Ugreen have started making NASs. Synology of course have moved away from consumers towards business, but they still exist.

Speaker 1:

I know we've been speaking for a long time, Alex. I just got one last question for you, really. In your latest Self-Hosted podcast it was your five-year anniversary of the podcast. I can't actually believe it's been five, it just seems like about three weeks ago that I listened to the first episode. But you were talking about, you know, what's happened over the last five years and you were kind of wondering what's going to happen over the next five years. With the rise of decentralized and peer-to-peer technologies like IPFS and Matrix, do you see a future where more self-hosters are moving towards a fully decentralized internet, and what do you think would be the pros and cons if that shift happened?

Speaker 2:

It's an interesting question because the Self-Hosted podcast itself, our primary chat platform, is Discord, which I'm aware is ironic. It's not a self-hosted platform. Jupiter Broadcasting hosts a Matrix server, but Matrix is a poorly optimized application. Let's put it that way when you're running it at scale, um, most of it's... when you bring up a client on your phone or whatever, and it does the sync, that's a single-threaded operation, and so you can end up, if you have 20 or 30 users all connecting at the same time, you need 20 or 30 threads available for all of those syncs to occur.

Speaker 2:

And probably the biggest impediment to self-hosted stuff at scale is just the cost of the infrastructure.

Speaker 2:

This box on Linode that we're hosting Matrix on right now is generously provided to us by them for the duration of their sponsorship, which ended fairly recently.

Speaker 2:

So we are moving that to Canada fairly soon, I think, um, but there's that saying that if you're not paying for it, you are the product, right? Well, with self-hosting that's not true, but somebody somewhere is paying for it and, um, I think that's probably the biggest impediment to properly decentralized infrastructure is just the costs of hosting. So that's why we go with Discord, because I actually think that, for me at least, the benefits of furthering the mission, i.e. getting more people interested in self-hosting, outweigh the, you know, the pros and cons outweigh uh, not having a place for us to gather and talk and meet. And one of the things actually about Unraid that's really stood the test of time are your community forums, and so we've had these ways of async communication, decentralized. I mean, it's not decentralized, it's a forum. It's hosted by a company but it's not controlled by, uh, you know, a massive corporation. At least the Unraid forums.

Speaker 1:

Yeah. Um, like everything else seems to be, you know, I think there's um a balance you can have between self-hosted and commercial products. You know, right, it's about pragmatism. It's striking the balance and using tools. You know, um, sometimes a self-hosted tool might be better for what you want and sometimes a closed source tool might be better for what you want.

Speaker 2:

Until fairly recently, we saw that with uh, Google Photos and self-hosted photo alternatives. I wrote for Ars Technica back in, I think, 2020. I did a whole comparison article for them on self-hosted photo tools. Immich didn't exist back then, but now you look at what Immich can do with the image search, and you know I can literally just search for "blue car" in my photos, which was a Google Photos-only solution three years ago. Immich has come from nowhere in the space of a couple of years and built something that is as good as Google Photos, which is insane. Um so, in terms of the trends and where things are going, I think we're going to see more Immichs appear in different spaces. I'm hopeful that things like Jellyfin catch up to Plex, although I don't know. I don't know historically if their trajectory is proof that that can happen, although I hope I'm wrong. So what do you think Plex has got that Jellyfin hasn't?

Speaker 1:

Then, Alex, what would you like to see? I'm not a Plex user. I use Emby myself, but I want to switch to Jellyfin. Yeah, it's all.

Speaker 2:

It's all clients. That is Jellyfin's problem now. Probably 18 months ago, on the Self-Hosted podcast, we did a Jellyfin January challenge. I fully expected Jellyfin to be not ready for prime time because that was my experience a year or two prior. However, I'm still running it. It's still my primary media server and on my NVIDIA Shield, which is an Android-based client, the experience is pretty great. But if you jump to the Apple TV, the experience is mid.

Speaker 2:

It's the best way I can put it. You can't do things like user switching and a bunch of other stuff. It's just not up to par with the Plex experience. And then you have things like, because Plex has the cloud component, which has some privacy concerns, of course, you can't do things like remote access and sharing servers quite as easily without some kind of putting the batteries in yourself with a cloud VPS or whatever that you want to do with Jellyfin. It's just a case of different business models, and you look at where Plex is trying to extract the value versus Jellyfin being a free and open source project with people contributing their time freely to develop it. You know, it's just, they're both products of different sides of the capitalist coin, really, and I'm so glad that Jellyfin exists and I really hope it continues to go from strength to strength, but at the moment it's probably just a few steps behind Plex and probably always will be. I don't know.

Speaker 1:

Hopefully not, but at least they don't have Plex's own TV shows injected into the UI. That's um, that was, yeah, one thing that I don't like about Plex, pretty egregious. Yeah, anyway, Alex, I'm not going to take up any more of your time.

Speaker 2:

Thank you so much for being so generous with your time today, Alex. Well, thank you to everybody for watching and listening, and thank you for having me and all the rest of it, and maybe at some point we'll have you on the podcast, huh? That would be absolutely awesome.

Speaker 1:

It's been an incredible conversation. I'm sure the listeners will have a lot to take away from it. How can people get hold of you, Alex? Obviously the Self-Hosted podcast, and you were saying that Tailscale are looking for a European advocate. How would someone apply to be able to do that?

Speaker 2:

Job listings will be at tailscale.com/careers, I think. Uh, not quite live yet as we record, although they might be by the time this airs, I'm not sure. Uh, you can find me at alex.ktz.me. I have a link tree there that you can go to, and it's all self-hosted, by the way, a statically built website running out of a Docker container, of course, because that's how I roll. Um, yeah, you can find more of me at selfhosted.show, perfectmediaserver.com, blog.ktz.me. Like I'm pretty easy to find. selfhosted.show/discord, Alex ktz over there.

Speaker 1:

Yeah, lots of ways to find me. My last question for you is what's your dog's name, Alex?

Speaker 2:

Well, he sat down here, actually right by my feet. He's called Archie, named after Arch Linux. Yeah, there we are.

Speaker 1:

Anyway, thank you very much, Alex. Um, you know, and for those of you listening, please make sure to check out Alex on the Self-Hosted podcast if you're not already a listener, and keep an eye out for the official Tailscale integration coming to an Unraid OS near you soon. So thanks again, Alex, and thanks to all of our listeners for tuning in. Bye.
