Edit: thanks for all your help and replies, this is a such a great community!
I would like to host a public service for some family, probably Peertube so we can share some videos. Invite only.
There’s no way I’m going to get everyone onto a VPN, it’s a non-starter though I would prefer it.
I am thinking to use a VPS with anubis and either crowdsec or fail2ban (or both?!) in front of Peertube. Will apply as much hardening as I can muster behind that: things in containers, systemd hardening, SELinux/Apparmor enabled/tuned, separate users for services, the usual. All ports shut except 80/443, firewall up.
Despite all this I expect it will get scanned and attacked as it will have to expose ports 80/443 to the world so for family it will just work.
Is there anything else I should consider for security? Is Peertube the weakest link in the chain? (a little concerned their min password length is 6 it seems and no 2fa). So long as I keep whole thing up-to-date is it as secure as anybody can manage these days (without resorting to VPN)?
Is it all too much hassle and I should look for a company that offers hosted Peertube so they can worry about it?
Thanks for any and all advice.
I think you will be fine as described.
If you want extra peace of mind with 2FA, you can use Authelia (https://www.authelia.com/integration/openid-connect/clients/peertube/) or a similar service that you can put infront of peertube to handle auth.
Authelia is great, but I’ve been using Authentik for a similar setup and it’s been rock solid with more user-friendly UI if your famly members aren’t tech savvy, pluss it has some nice passwordless options.
That’s a great suggestion, then I’m not relying just on the app/service to have super secure auth.
You can also check https://kanidm.com/ and https://goauthentik.io/ as well!
Oh also a friend of mine is developing this, that uses passwordless magic links or passkeys https://github.com/dzervas/magicentry I haven’t looked much into it though!
Email magic links are cool (personally hate when a website only allows this login because I don’t have my email available on every device, but that is unrelated sorta).
I probably wouldn’t go with a relatively new project that isn’t guaranteed to stick around long-term (big hassle to swap provider).
authelia and authentik both have a lot of eyes looking over the code so I’d also feel more confident going with them, even if I can’t get passwordless email login (don’t think they support it but not certain).
Oh of course, I just shared it because I don’t think I’ve seen anything similar and simple, just in case anyone wants to check it out and experiment etc
Hey thanks for these links I will check them out! Magic links would be great actually as then I am not relying on them to set decent passwords or giving them burden of TOTP/etc which some may not have used before.