← Back to the notebook

Jellyfin, Tailscale, Domains, and the Question of How Public Is Public

I wanted to host Jellyfin locally and reach it through a domain. That sounds simple until the next question shows up: how public do I actually want this thing to be?

There are a few paths. Keep it local and only use it inside the house. Use Tailscale and treat it like a private network. Put it behind a domain and reverse proxy. Add authentication in front. Each step makes it more convenient in one way and more annoying in another.

The constraint is that Jellyfin is not just an app. It sits on top of storage, networking, user access, transcoding, DNS, and whatever box is hosting it. If I expose it badly, I create a maintenance problem. If I lock it down too much, I may not use it. The right answer is probably not the fanciest architecture. It is the one I will actually maintain.

Tailscale is attractive because it solves a lot of the remote access problem without me pretending I want to become a full-time reverse proxy administrator. A domain is cleaner for normal use, but then I have to think about certificates, routing, auth, ports, updates, and what happens when something breaks while I am not home.

What I would check first is the use case. Is this just for me? Is it for family? Does it need to work on TVs and phones without explaining VPN steps? Do I care about access outside the house often enough to justify public exposure?

The surprise is that the boring answer might be best: Tailscale first, public domain later if there is a real reason. Prove the media server, storage, transcode, and device experience before making it internet-facing.

Notes for next time: do not start with the domain. Start with local reliability. Then private remote access. Then maybe public access. A service that works privately is better than a public service I do not trust.

← Back to the notebook