Hello everybody,

my plan is to switch from Android to GrapheneOS. In this process, I want to get rid of my reliance on my google account as much as possible.

To this end, I’d like to selfhost some “critical” data, e.g.

  • contacts
  • calendar
  • online drive for files (e.g. google drive alternative)
  • some basic note-taking app (like google keep)

and so on.

I do some selfhosting already, though it is not that kind of “cannot lose this” data. So I’d like to share my thoughts and ask for your opinions and experience for the process.

More details for what I want

contacts

  • have to be syncable to the phone
  • if possible, some webinterface to edit / browse

calendar

  • has to be syncable to the phone
  • webinterface + sync to desktop / phone
  • if possible, send invite-links to events to others

drive

  • files of my choosing must be offline-available
  • every other file should not use storage on the phone
  • if possible, able to share links to download files
  • if possible, able to share links to view with online editor (see below)

document editor

  • think google sheets / google docs
  • if possible, able to share links to view documents online

smartphone photos

  • auto-backup camera folder

There may be some things I’m not thinking about right now, but this seems to pretty much be it.

If possible, all of this should be accessible only via vpn.

What I already have

I have a pfSense physical appliance that’s already managing my home network, got an OpenVPN already setup, dynamic DNS working properly for the lack of a static IP, etc.

I own 2 mini-PCs (some Intel NUC, some passive-cooled zotac with an intel with 4c/8t). One of them (zotac) is currently running as my Proxmox Virtual Environment Hypervisor, managing 3 VMs.

I also have a second PC which misses some critical parts, so it is not currently in working condition. I think there’s an AM4 mainboard and 16 or 32GB of DDR4 RAM in there. I could make a NAS or a new hypervisor out of this, but the case (Fractal Design Define 7) is quite big and a full PC is probably worse for energy-efficiency than my 2 mini-PCs and is going to be more expensive.

Not much in terms of storage sadly

  • 1x 6TB external USB HDD (used for backups)
  • 1x 2TB external USB HDD (used for data)

What I plan to do

The kind of data I’m going to be hosting myself now is very important, so it cannot be lost or corrupted.

But the feature list doesn’t seem to be overly complicated. This seems like something nextcloud could do.

This means, I will probably need to buy

  • 2x 4 TB HDD for storage for data RAID
  • 2x 8-10 TB HDD for backups
  • 2x external RAID case

Then I could connect the data RAID to the already running zotac pc and spin up new VMs for nextcloud and whatever else I might need and start serving my data from home.

The Intel NUC will be used as a Proxmox Backup Server, connected to the backup RAID. Keeping some daily, weekly and monthly backups.

On the phone-side, I’d have the vpn always active. Whenever active, sync of contacts, calendar entries, photos etc. should be possible.

Questions

Is there anything I missed? Did any of you already try something like that? Does anybody here see a potential problem with any of the above?

Can anyone recommend a RAID-1 external enclosure without a fan and some quiet and energy-efficient HDDs?

  • daytonah@lemmy.ml
    20 days ago

    Went through the same thing. Paused between Murena (at that time they weren’t providing my personal domain / email address solution) and nextcloud, and proton. I went with proton. I could in theory do nextcloud + proton. You do you.

    And for notes, I went markdown route and obsidian.

    • hamsda@lemm.eeOP
      20 days ago

      Proton also seems to be interesting. Privacy by default and being swiss based definitely are plus points.

      Thanks for the mentions!

  • Higgs boson@dubvee.org
    22 days ago

    I use Nextcloud (currently using their AIO docker images) for all of that. Not sure if it checks all the boxes perfectly, but if not it is probably as close as you’ll find ready-made.

    • hamsda@lemm.eeOP
      20 days ago

      Not sure if it checks all the boxes perfectly, but if not it is probably as close as you’ll find ready-made

      That’s a good point. To have cohesion and good integration, some sacrifices have to be made. This seems better than having 20 independent services working with (and sometimes probably against) each other.

  • Jjoiq@lemmy.world
    22 days ago

    Memos is pretty useful for me. App on fdroid momemos is superb. Syncthing takes care of google drive ish needs. Immich for photos.

    Mealie keeps food interesting.

    Have not done calendar or contacts yet.

    Running a few on a low power pi5 using docker for the most. Backup pihole runs on baremetal.

    1 16tb external and 2 5tb external. Not the best but I dig it.

    I need a nuc.

    • hamsda@lemm.eeOP
      22 days ago

      Memos is pretty useful for me. App on fdroid momemos is superb. Syncthing takes care of google drive ish needs. Immich for photos. Mealie keeps food interesting.

      I’m going to have to test a lot of new android apps, I guess. Thanks for the mentions!

      Regarding syncthing, according to gedaliyah’s answer here, syncthing will be dropping the android app :(

      • Jjoiq@lemmy.world
        22 days ago

        Ah yes forgot to mention in my family we run syncthing fork from fdroid also.

  • themachine@lemmy.world
    22 days ago

    As far as the “what you want” stuff goes, Nextcloud can do all of it and I use it for exactly that.

    • hamsda@lemm.eeOP
      22 days ago

      Oh, it’s nice to hear somebody already did that, thank you!

      Did you have any hiccups or general problems with nextcloud or calendar/contacts/photos sync? Did you do any specific thing to harden security, other than using ufw, fail2ban and changing sshd config?

      • themachine@lemmy.world
        22 days ago

        Haven’t had any issues whatsoever.

        I’ve done nothing special regarding security and have it exposed to the public internet. I intend on having fail2ban look at its logs but I’ve not yet set that up (entirely out of laziness).

        If you want to be very secure I would recommend having it entirely behind a VPN. I personally use tailscale+headscale for my internal only services but like I said I have Nextcloud publicly exposed as I want to be able to access it from potentially any device.
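
What "having fail2ban look at its logs" comes down to for a publicly reachable Nextcloud, as an added example that is not part of any comment in this thread: a sliding-window count of failed logins per source address over the JSON log. The function names, the sample lines and the assumption that entries carry `time`, `remoteAddr` and a `message` starting with "Login failed" are mine; `max_retry` and `find_time` mirror fail2ban's maxretry/findtime settings.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of a Nextcloud JSON log (one object per line).
# Addresses are from the documentation ranges; nothing here is real data.
SAMPLE_LOG = r'''
{"reqId":"r1","level":2,"time":"2025-03-01T10:00:05+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: admin (Remote IP: 203.0.113.7)"}
{"reqId":"r2","level":2,"time":"2025-03-01T10:00:40+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: root (Remote IP: 203.0.113.7)"}
{"reqId":"r3","level":2,"time":"2025-03-01T10:01:00+00:00","remoteAddr":"198.51.100.20","user":"--","app":"core","message":"Login failed: alice (Remote IP: 198.51.100.20)"}
this line is truncated and not valid JSON
{"reqId":"r4","level":1,"time":"2025-03-01T10:01:10+00:00","remoteAddr":"192.0.2.44","user":"alice","app":"files","message":"Scan finished"}
{"reqId":"r5","level":2,"time":"2025-03-01T10:01:30+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","message":"Login failed: nextcloud (Remote IP: 203.0.113.7)"}
{"reqId":"r6","level":2,"time":"2025-03-01T10:40:00+00:00","remoteAddr":"198.51.100.20","user":"--","app":"core","message":"Login failed: alice (Remote IP: 198.51.100.20)"}
{"reqId":"r7","level":2,"time":"2025-03-01T11:20:00+00:00","remoteAddr":"198.51.100.20","user":"--","app":"core","message":"Login failed: alice (Remote IP: 198.51.100.20)"}
'''


def login_failures(lines):
    """Yield (timestamp, remote_addr) for every failed-login entry."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line: skip, do not abort
        if not isinstance(entry, dict):
            continue
        msg = entry.get("message")
        if not isinstance(msg, str) or not msg.startswith("Login failed"):
            continue
        try:
            when = datetime.fromisoformat(entry["time"])
        except (KeyError, TypeError, ValueError):
            continue
        # Behind a reverse proxy this field only holds the client address if
        # Nextcloud's trusted_proxies setting is configured; otherwise it is the proxy.
        addr = entry.get("remoteAddr")
        if isinstance(addr, str) and addr:
            yield when, addr


def offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {addr: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)  # addr -> failure times inside the window
    flagged = {}
    for when, addr in login_failures(lines):  # assumes chronological order
        window = recent[addr]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()  # forget failures older than find_time
        if len(window) >= max_retry and addr not in flagged:
            flagged[addr] = when
    return flagged


if __name__ == "__main__":
    for addr, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{addr} crossed the threshold at {when.isoformat()}")
```
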

        • hamsda@lemm.eeOP
          22 days ago

          I’ve done nothing special regarding security and have it exposed to the public internet. I intend on having fail2ban look at its logs but I’ve not yet set that up

          That sounds kinda dangerous. I remember years ago, when I rented my first vcloud-server, within the first 10 minutes I had bots trying to get in via SSH. I’d be way too paranoid.

          I would recommend having it entirely behind a VPN

          Yes, that’s my plan. I intend to create a new OpenVPN server on my pfSense with access only to the nextcloud VM. This would also allow me to share the vpn config files with my friends without a password, as the authentication is done by inline-cert vpn config.

          • themachine@lemmy.world
            22 days ago

            You’ll always have bots knocking on your doors. In general keep the doors locked and you are fine.

            I highly recommend trying tailscale with headscale over openvpn.

            • hamsda@lemm.eeOP
              21 days ago

              tailscale with headscale over openvpn

              Is a vpn inside a vpn really improving security at all? Or is there a different reason to use tailscale inside a vpn?

              • themachine@lemmy.world
                20 days ago

                No, I mean instead of OpenVPN I would recommend you look into using Tailscale. If you want to fully self host it then you can run the open source control plane called Headscale instead of relying on Tailscale’s (the company) free service tier on their own control plane.

                The Tailscale client and server are also open source.

                • hamsda@lemm.eeOP
                  20 days ago

                  you can run the open source control plane called Headscale instead of relying on Tailscale’s (the company) free service tier

                  Ah, that sounds more interesting. I still have time until I buy everything, there’s still going to be a lot of research, especially with all the ideas and feedback people have given me in this thread.

                  I’ll definitely try it, thanks!

      • MajesticElevator@lemmy.zip
        22 days ago

        Nextcloud does have a problem with the online editor. It frequently bugs out and moves things out of order or just doesn’t feel snappy.

        Some time ago there were also saving issues.

        I only sync my computer and I have nothing to report. It just works. There’s just a small bug when you just create a file on windows and start editing it, the file shows as being edited by Nextcloud for a couple of seconds, but then it works. It’s just on the initial creation.

        • hamsda@lemm.eeOP
          22 days ago

          Are the documents you edit with the online editor files which are visible in the online drive? Does nextcloud use the open document specifications for saving documents (e.g. .odt, .ods)? Can you view these files without opening them in the editor (like the preview in google drive)?

          If so, that is acceptable. The document thing is more for completion, I don’t handle documents all too often. And if the online editor is bad or not working but the files are visible and offline-syncable in the drive to some desktop client and they are using the open document format, I can edit them with libreoffice.

          Thanks for the heads-up!

          • MajesticElevator@lemmy.zip
            22 days ago
            • Are the documents you edit with the online editor files which are visible in the online drive?: Yes. It works like Google drive basically, and yea, I don’t use an external editor or something. I just create or upload a file to the cloud, and edit it there using the built in web editor (you just open the file and it opens the editor)

            • Does nextcloud use the open document specifications for saving documents (e.g. .odt, .ods)?: Yes. I believe they use a modified version of Collabora or something. By default, you use the same extensions you’d use with libre software like collabora or libreoffice. It supports opening documents from word, PowerPoint and excel… but often fucks up the formatting in some parts (much like libreoffice)

            • Can you view these files without opening them in the editor (like the preview in google drive)?: No. You view them only via the editor. It should respect permissions though, so if you share a file with read access only, they won’t be able to edit it in the editor.

            You can use any format you want in Nextcloud, it’s just that they might not be supported by their built in editors, but they’ll work fine.

            The reason I use the built in editors is that multiple people can work on a single file at the same time


            You’re welcome!

            • hamsda@lemm.eeOP
              22 days ago

              Thank you for answering!

              Good to know that most things I would need seem to be already working nicely in nextcloud :)

              It should respect permissions though, so if you share a file with read access only, they won’t be able to edit it in the editor.

              I’ll definitely have to try that before trying to send out links.

              • MajesticElevator@lemmy.zip
                22 days ago

                Sure! I always try this

                A small downside: you can’t seem to restrict people commenting on a file you shared. There’s a built in “discuss about this file” feature but it shouldn’t really be a problem, unless you intend on sharing a file to a looot of people, because afaik you can’t moderate it

                I’ll definitely have to try that before trying to send out links.

                Yea, I recommend you always test features to see how they work and what they imply (and if they’re bugged, because Nextcloud often updates and sometimes breaks small things)

                • hamsda@lemm.eeOP
                  22 days ago

                  you can’t seem to restrict people commenting on a file you shared

                  That’s okay. My circle of friends I’d share files with is not all too big. So everything stays between a few people anyway.

                  Nextcloud often updates and sometimes breaks small things

                  Does breaking stuff happen often? I plan to use the docker image nextcloud:stable-fpm in the hopes of bypassing some bugged releases.

    • hamsda@lemm.eeOP
      22 days ago

      Thank you for your input!

      I also thought about the 3-2-1 backup rule, but am unsure if that is overkill.

      My VM-backups and file-level-backups are proxmox backup server (pbs) backups. Meaning, to have them offsite, I’d need to rent a dedicated root server on which I am able to install pbs to act as an offsite sync-target. With TB of backups, this is gonna get very costly very fast.

      I thought about regularly exporting encrypted calendar and contacts onto some free online storage, hoping I can automate this process.

      With what I have laid out in my post, to lose contacts and calendar events, both my intel NUC and the zotac mini-PC have to be corrupted at the same time. Or both RAIDs simultaneously failing both drives. Am I not paranoid enough or is that an acceptable level of failure-safety?

      • MajesticElevator@lemmy.zip
        22 days ago

        The offsite rule is mainly in the scenario where your house burns down for example, or if someone steals your stuff. It can happen.

        Maybe your electricity will have variations and will fuck up all your devices in a specific location…

        • hamsda@lemm.eeOP
          22 days ago

          Yes, you’re right. As David From Space said in this comment, the real critical data is far less than all of the backed up data.

          So I definitely can have an offsite-backup, it just depends on if I can single these things out in nextcloud, possibly via regular export to the filesystem.

          • MajesticElevator@lemmy.zip
            22 days ago

            Yea if you don’t need much then you can do with exporting not a lot of stuff.

            Google is evil but I know that GDrive has pretty low prices on data storage

            There are many cold storage services out there with good pricing. If you need a VPS with good storage (to automate sync, etc… idk), I know I would use Interservers, based in the USA, priced at 3$/TB/month (HDD)

            But if you only want to sync a small amount then you can do with free services, probably. Don’t forget to encrypt everything when uploading to these services! Don’t want them to be able to see the content of your files.

            • hamsda@lemm.eeOP
              20 days ago

              Google is evil but I know that GDrive has pretty low prices on data storage […] Don’t forget to encrypt everything when uploading to these services!

              That is what I am hoping for :) My free Google account grants me 15GB of online storage and my free Microsoft account provides me with another 5GB. The 15 GB should be enough for encrypted photo backups, while 5GB definitely is enough for encrypted calendar, contact and probably some document backups. I just need to find a way to automate backups to these.

              based in the USA, priced at 3$/TB/month

              If I am going to pay money for something and with how the world currently is, I’m going to use some EU based service. My only VPS resides at hetzner, if the need arises I will probably just add a storage volume to my VPS or upgrade it to the next tier.

                • hamsda@lemm.eeOP
                  20 days ago

                  Yeah, hetzner’s more about having your own servers than providing cheap storage.