Admittedly, I don’t really know what I’m doing when it comes to relays; I just thought it would be cool to set up. My Umbrel is a BTC and lightning node, Alby Hub, mining pool for Bitaxe and some other things. So Tailscale is how I access all that from my other devices remotely. I don’t want to have to open ports through my router.
Discussion
So maybe not possible?
Not possible on your Umbrel if you don't want any open ports. You'll need to run it on a VPS.
If you just want to have a relay for backing up your notes that is not accessible to anyone else for read or write access, you can just run the Nostr RS Relay that is in the Umbrel app store.
Haven can still be useful behind a VPN if you intend to use it as a backup relay and media server (think Citrine on steroids), as mentioned above. One thing to note: client relay connectivity status can be a bit misleading in this case. For example, a client may perform a mix of local requests from your browser or native application, but it might also implement its own backend or use a proxy to connect to the relay. Meaning that some clients will try to connect to your relay over the Internet.
This means that, depending on the client and the operation, it may happily report that it can connect to your relay (based on client-side logic), but still fail to function properly.
Before Haven, I tried Citrine with a few clients, and while most of them would happily "connect" over HTTP to a Citrine running on localhost, in practice, quite a few clients would only write to an HTTPS-enabled relay accessible over the internet.
Your zapper down, sir?
Good information! That explains issues I have had with Citrine being used for local NIP-46 signing at times. 😂
If using Haven behind a VPN like Tailscale as a media server, wouldn't it be the case that only those who have access through his tailnet would be able to view the media? That is, unless he is keeping copies on other Blossom servers, too.
I dunno, I wasn’t considering others accessing my relay. I wanted notes I post from clients on my devices (that are in my Tailnet) to hit the relay, then Haven should blast those notes to relays on the import list.
My zaps should be working.
Ah, yes. That blastr functionality could definitely still be useful to you, even if you aren't using anything else Haven has to offer.
Hey, not sure. It's Coinos under the hood—I'm just doing some well-known/lnurlp trickery to redirect to it. I managed to zap you from the same wallet though (try again, and if it still doesn’t work, feel free to zap anthony.accioly@coinos.io or anthony.accioly@walletofsatoshi.com).
As for your second question: out of the box, yes, you're absolutely correct. There are some very clever folks doing things like syncing Haven's backup folder to a public S3 bucket and redirecting or proxying Blossom's GET /{SHA256}. So, in theory, you can expose Blossom blobs to the internet without exposing Haven itself. Having said that, we don't officially support this yet (hopefully coming soon).
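If you do put a proxy in front of a synced blob folder, the thing that keeps the setup honest is that Blossom blobs are content-addressed: the path is the SHA-256 of the bytes, so the proxy can refuse malformed paths and verify the bytes before serving them. The following is an added example (not Haven's or Blossom's code) of those two checks. The in-memory store, the sample blobs, and the `serve_blob` status codes are constructed assumptions; it only assumes the request path has the form `/<sha256>` with an optional file extension.

```python
"""Content-addressed lookup for a Blossom-style GET /<sha256> endpoint.

Added example, not Haven's or Blossom's own code. Shows two checks a proxy in
front of a synced backup folder / bucket should make before serving a blob:
  1. the path must be exactly a 64-char lowercase hex SHA-256 (optionally
     followed by a file extension), which also rules out path traversal;
  2. the bytes served must actually hash to the requested digest, so a blob
     that was replaced or corrupted in the bucket is never served.
The store below is an in-memory dict standing in for the synced folder.
"""
import hashlib
import re
from typing import Optional

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def digest_of(data: bytes) -> str:
    """Lowercase hex SHA-256 of a blob; this is the blob's Blossom path component."""
    return hashlib.sha256(data).hexdigest()


def build_store(blobs):
    """Constructed stand-in for the synced folder: sha256 -> blob bytes."""
    return {digest_of(b): b for b in blobs}


# Constructed sample blobs (not real content from any relay).
SAMPLE_BLOBS = [b"hello nostr", b"\x89PNG\r\n\x1a\nfake-image-bytes"]
STORE = build_store(SAMPLE_BLOBS)


def parse_blob_path(path: str) -> Optional[str]:
    """Return the sha256 from '/<sha256>' or '/<sha256>.<ext>', else None.

    Anything that is not a bare hex digest (uppercase, '..', extra slashes,
    query strings) is rejected here, before any filesystem or bucket lookup.
    """
    if not path.startswith("/"):
        return None
    name = path[1:]
    digest = name.split(".", 1)[0]
    if not HEX_SHA256.fullmatch(digest):
        return None
    return digest


def serve_blob(path: str, store=STORE):
    """Return (status, body): 200 ok, 400 bad path, 404 unknown, 500 hash mismatch."""
    digest = parse_blob_path(path)
    if digest is None:
        return 400, b""
    blob = store.get(digest)
    if blob is None:
        return 404, b""
    # Re-hash before handing the bytes out: the digest in the path is the
    # client's integrity expectation, and the store is not trusted to keep it.
    if digest_of(blob) != digest:
        return 500, b""
    return 200, blob


if __name__ == "__main__":
    ok_path = "/" + digest_of(b"hello nostr") + ".txt"
    print(ok_path, "->", serve_blob(ok_path)[0])
    print("/../etc/passwd ->", serve_blob("/../etc/passwd")[0])
```

The 500 branch is the one that matters for the "sync the backup folder to a bucket" approach: whoever can write to the bucket can swap bytes, and a proxy that serves whatever sits under the path would silently hand out the swapped content under the original hash.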
Very clever indeed. The draw of Haven for me is that it's an all-in-one solution for outbox model, so I probably wouldn't use it for blossom without making the relay itself accessible. I'd just run a separate blossom server in that case. Cool that it is possible, though.
Oh I totally missed this reply. So using Tailscale is not ideal. Even if https is enabled, clients that use anything in between (i.e. not on my Tailnet) will fail.
Yes. There are well-behaved clients though. E.g., Amethyst. Also, if you are doing this for fun / learning experience, you can even run a Nostr client yourself. E.g., I'm running a private instance of nosotros.app.
Yeah, and they might be using one method to connect to your relay for the purpose of displaying that it is "online" and a completely different method for actually sending it notes, such as via a proxy, etc., as nostr:npub1a6we08n7zsv2na689whc9hykpq4q6sj3kaauk9c2dm8vj0adlajq7w0tyc mentioned above. So even if your client is able to connect to your Tailnet, the notes still won't publish.
I am guessing the same issue could happen with a Tor-only relay for the same reasons. Even if your client itself is connected through Orbot, if it is using a proxy to write notes to your specified relays, it will fail unless that Proxy is also connected to Tor.
Makes sense. And I don’t trust my security skills to protect my home network with holes punched through my router, unless there is some other way.
Assuming a relay from my client could reach my relay over Tailscale, the blaster feature would work, right?