Halley / Sharing Self-Hosted Services Without Opening the Floodgates

Created Thu, 05 Jun 2025 11:03:00 +0000 Modified Sun, 31 Aug 2025 22:17:24 +0000

At some point, someone asks: “Can I use that too?”
A photo gallery, a Nextcloud, maybe a Minecraft server.
You want to say yes, but opening your services to the world feels like asking for trouble.

You don’t need to lock it all down for yourself alone.
You do need to share without exposing everything else.

Define Who and What

Scope is everything:

  • Which service is being shared?
  • Who actually needs access?
  • Do they need accounts, or just public links?

Clarity up front avoids future creep.

Keep the Perimeter Tight

Don’t just port-forward and hope:

  • Put shared services behind a reverse proxy
  • Use TLS everywhere, even for “just friends”
  • Limit exposure to specific domains or subpaths

The less surface you expose, the better.

Authentication That Works for Humans

Friends and family won’t tolerate complex flows:

  • Use accounts with minimal privileges, not your own admin login
  • Consider OAuth with providers they already use, but separate from your core identity
  • Rotate or revoke access easily when people drift away

If it’s too fiddly, they’ll share credentials — worse than no security at all.

Segregate the Environment

Never run shared services on the same box as your crown jewels:

  • Use containers, VMs, or a separate host
  • Firewall off internal-only services
  • Assume compromise is possible and design boundaries

Compartmentalisation is sovereignty.

Monitor Quietly

Don’t stalk, but do watch:

  • Log logins and failed attempts
  • Set up alerts for unusual activity
  • Keep an eye on bandwidth spikes

If something goes wrong, you want a breadcrumb trail.
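
A minimal version of that breadcrumb trail, as an added example (not from the original post): a Python pass over reverse-proxy access logs that flags clients with a burst of failed logins and clients that pulled an unusual amount of data. It assumes the proxy writes the common "combined" log format and that failed logins show up as HTTP 401/403; the thresholds, paths and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "request" status bytes ...
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
FAIL_STATUSES = {"401", "403"}   # assumption: failed logins surface as these
MAX_FAILS = 5                    # assumed threshold, tune to your users
WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_BYTES = 500 * 1024 * 1024    # assumed per-client byte budget per log file

def scan(lines):
    """Return (IPs with a failed-login burst, IPs over the byte budget).

    Lines are expected in chronological order, as the proxy writes them.
    """
    fails = defaultdict(list)
    sent = defaultdict(int)
    noisy = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["bytes"] != "-":
            sent[ip] += int(m["bytes"])
        if m["status"] in FAIL_STATUSES:
            # keep only failures still inside the window, then add this one
            fails[ip] = [t for t in fails[ip] if ts - t <= WINDOW] + [ts]
            if len(fails[ip]) >= MAX_FAILS:
                noisy.add(ip)
    heavy = {ip for ip, total in sent.items() if total > MAX_BYTES}
    return noisy, heavy

# Constructed sample log (documentation-range addresses, made-up paths)
SAMPLE = [
    f'203.0.113.7 - - [05/Jun/2025:11:0{i}:00 +0000] "POST /login HTTP/1.1" 401 120 "-" "curl"'
    for i in range(6)
] + [
    '198.51.100.4 - alice [05/Jun/2025:11:03:10 +0000] "POST /login HTTP/1.1" 401 120 "-" "Firefox"',
    '198.51.100.4 - alice [05/Jun/2025:11:03:30 +0000] "POST /login HTTP/1.1" 200 512 "-" "Firefox"',
    '192.0.2.9 - bob [05/Jun/2025:11:05:00 +0000] "GET /photos/export.zip HTTP/1.1" 200 734003200 "-" "Firefox"',
]

if __name__ == "__main__":
    noisy, heavy = scan(SAMPLE)
    print("failed-login bursts:", sorted(noisy))
    print("bandwidth outliers:", sorted(heavy))
```

A single mistyped password (alice above) stays below the threshold, so the alert fires on patterns rather than on ordinary human error.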

Exit Strategy

Every share should be reversible:

  • Have a plan to revoke access without downtime for yourself
  • Delete accounts cleanly, not just disable them
  • Keep backups separate so “helpful users” can’t damage your data

Shared access should never mean shared liability.

Boring, Safe Sharing

The point of self-hosting isn’t to play sysadmin martyr.
It’s to control your tools.

Sharing them can work — if you keep boundaries clear, privileges minimal, and exits planned.
A little paranoia keeps generosity sustainable.