this post was submitted on 08 Apr 2024
24 points (92.9% liked)

Selfhosted

40394 readers
372 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi! I know this is a kind of dangerous topic to ask :D And I am sorry this got so long.

I plan on building my own little home server. Currently I will mostly use it for nextcloud, maybe some other stuff, like git. I would like to be able to access nexcloud or git from outside my home (yes, i actually go outside sometimes.. dont know why though). I will run docker and portainer on a pi5 (i guess its enough for one person) and I have 4x4tb disks. I currently plan on creating a software raid 10 with the disks to get 8tb of storage.


I have two types of disks, a new set of ironwolf and a used set of wd 24/7 drives. How would you arrange them? Put both from one type in raid 1 or mix both types in raid 1? I just heared about LVM. Would you recommend to put that on top of the raid? I dont know If i plan to change the storage setup, but doubt it currently. Im not shure if ZFS would be a better solution for me, but it seems unneccesserry at the moment.


I dont quite know what i should search for to find a solution about accessing the services from outside. I would like to avoid a (wireguard) vpn so i can log in on a different device without setting it up, or that i can connect to the vpn at work or uni and still be able to use my nextcloud data. So dyn dns with portforwarding seems to be the only option. But I am a little afraid to open up my home network to the outside like this, without another protection like a login. I know nextcloud has that, but im not shure if that is enough or what can be seen and accessed from the outside if i use ddns and port forwarding.


For backups I plan on using dublicati and storing the backups encrypted to either pcloud (would need to by, additional cost..) or a server at a friends or my dads house. But with the second solution I am not shure how I would create a tunnel to their server, so its secure for both of us. He has a static ip, so no ddns needed. Maybe here would be a wireguard tunnel be best? My dad does not have a static ip but would create a wirequard vpn for me with MyFritz (avm ddns service). Any thoughts on that? I would create a disk image of the completed os (the sd card..) once the services are running, so i can revert if something breaks. I guess a manual image is enough after the setup, because the docker containers reset anyways on restart, right?

Thank you so much, I am greatefull for every advice!

you are viewing a single comment's thread
view the rest of the comments
[–] WbrJr@lemmy.ml 1 points 7 months ago (6 children)

But isnt tailscale not just a wrapper for wire guard that does not require big configuration? So I would still end up an VPN and send all my traffic over my home network?

[–] avidamoeba@lemmy.ca 2 points 7 months ago* (last edited 7 months ago) (5 children)

It is but by default it operates as a "split-tunnel." That is, only traffic directed to a machine on your Tailscale network is routed over the underlying WG tunnel. In practice it creates "an overlay network." It will require installing a client on every end point. If you want a setup-free solution, then you have to do some sort of authentication that you trust to be secure. E.g. rely on each app's authentication, front all apps with an http proxy that has authentication. Personally I wouldn't trust that. I'd probably use ssh which also requires some setup on the client. And that brings me back to Tailscale. 😂

You could theoretically have a firewall rule that only allows the IP address from which you're currently originating. You'll have to figure out a way to reconfigure the firewall as you move from one place to another. I've done this using ipsets and dynamic DNS. It works fine for static locations. It wouldn't work as well for a moving target as DNS records can be slow to update. I'm not using that method anymore because Tailscale is simpler and allows for more uses cases and I have no problems installing it on my machines and devices.

Finally you could probably setup Tailscale on a small router outside the device you're using then connect the device through that router. It might be possible to access your tailnet this way without setting up a Tailscale client on the device. I haven't done this but it's probably possible.

[–] WbrJr@lemmy.ml 2 points 7 months ago (1 children)

Thanks! I took a look at tailscale a while back but was turned off immediately because it requires an account at their site. Would headscale run on my own server at home?

[–] avidamoeba@lemmy.ca 2 points 7 months ago* (last edited 7 months ago)

Agreed. This is why I looked at Headscale before relying extensively on Tailscale.

Yes, Headscale would run anywhere. For the highest versatility you would run it in the cloud but it's not necessary. If all you'd want to connect to is your server and it's mostly up. If you had other machines that you might want to talk to even if your server is down, then having it in the cloud makes that possible. Personally I tried it on the smallest DO droplet.

load more comments (3 replies)
load more comments (3 replies)