you can run the open source control plane called Headscale instead of relying on Tailscale’s (the company) free service tier
Ah, that sounds more interesting. I still have time until I buy everything, there’s still going to be a lot of research, especially with all the ideas and feedback people have given me in this thread.
I’ll definitely try it, thanks!
Up to personal preference if you trust a fork for this work
I see 3600 stars and I guess that’s kinda trustworthy :) I also do like some of the enhancements listed on the github page. I’ll try it, thank you very much!
Then I give praise to you, for you are more prepared than any other individual I personally know of and even some smaller companies I had worked with.
Okay so not critical, just mildly inconvenient if lost.
I wouldn’t put it at “mildly inconvenient”, as the photos I could lose can never be restored. Most of the other things can. I’d be really sad if I lost all the photos, but it wouldn’t threaten my existence in any way.
I’m sorry, I should have specified in more detail what I meant by “critical”.
It’s not life-threatening, it’s just critical to me. It’s kinda like “my priciest possession” could mean a yacht or a half-dead car, depending on the context.
[EDIT]
a disk failure is probably the most likely failure scenario. Corruption is the second most likely
Yes, these are things that are 100% going to happen at some point. I cannot guarantee theft, floods, earthquakes or anything like that, but hardware degrades with time and use, so at some point things are going to fail.
Not make or break by any means
That’s great to hear. I can always buy better hardware later and first test if things run with what I already have. I don’t like to have my IT wasting in some drawer.
Thank you for your advice!
tailscale with headscale over openvpn
Is a vpn inside a vpn really improving security at all? Or is there a different reason to use tailscale inside a vpn?
I assume you basically want protection against disasters, but not high uptime. (E.g. you likely can live with a week of unavailability if after a week you can recover the data.)
Exactly. These are not business-data, but my personal data. No money or absolutely necessary thing is lost if I lose all of that.
The key is about proper backups.
Thanks to other commenters I realized, I can just export contacts, calendar events and photos every night to some on-disk location and back them up somewhere offsite. This would probably be a few GB only. The other ~1.5 TB of data is stuff like movies, music, old games that I’d probably never get anywhere else etc. My data is not life-threatening. It’s just “critical” to me.
Via google I found that you can export your calendars via a URL, so I my current backup plan is this:
This way, I’d still be compliant to the 3-2-1 rule (just not for all my data), while saving quite some money on the offsite data storage.
As you are already using nextcloud, could you verify if exporting calendars and contacts work with these 2 URLs?
# calendar export
https://${NEXTCLOUD_URL}/remote.php/dav/calendars/${NEXTCLOUD_USER}/${CALENDAR_NAME}/?export
# contacts
https://${NEXTCLOUD_URL}/remote.php/dav/addressbooks/users/${NEXTCLOUD_USER}/contacts/?export
This is the command used in this tutorial. The website is in german, scroll down for bash, python, nodeJS and windows powershell examples.
curl -L -J -O -u "$username:$password" "$downloadLink" --create-dirs -o "./$(basename "$url")"
my Nextcloud server is running in a datacenter. Every week I run a backup to a USB drive that I keep in a third location.
If you don’t mind me asking, how much are you paying for your datacenter server and the third location?
I’ve done nothing special regarding security and have it exposed to the public internet. I intend on having fail2ban look at its logs but I’ve not yet set that up
That sounds kinda dangerous. I remember years ago, when I rented my first vcloud-server, within the first 10 minutes I had bots trying to get in via SSH. I’d be way too paranoid.
I would recommend having it entirely behind a VPN
Yes, that’s my plan. I intend to create a new OpenVPN server on my pfSense with access only to the nextcloud VM. This would also allow me to share the vpn config files with my friends without a password, as the authentication is done by inline-cert vpn config.
Memos is pretty usefull for me. App on fdroid momemos is superb. Syncthig takes care of google drive ish needs. Immich for photos. Mealie keeps food interesting.
I’m going to have to test a lot of new android apps, I guess. Thanks for the mentions!
Regarding syncthing, according to gedaliyah’s answer here, syncthing will be dropping the android app :(
Except for maps. Man, there just is no substitute especially when mobile.
I thought there was an android app for open street maps, but I couldn’t find any on play.google.com either.
I do not recommend an external enclosure […] you’ll come to hate it for lack of ability
I feel kinda the same, but on the other hand, having a full-blown ATX system running in my living room isn’t going to be my first choice. If I can’t manage with the zotac mini PC, I can still take the drives out of the enclosure and put them in a full ATX case. That’s more of a “last resort” though.
A docker AIO version of nextcloud running on as close to bare metal as you can is probably the best option for performance.
I’m not worried about performance all too much. The only thing constantly connected will be my phone, for syncing contacts, calendars and, every now and then, a new photo or two. Sometimes I open the calendar in my browser on my desktop or laptop to add / change an event. I really don’t use it too extensively.
And to aid in CPU and performance of the VM, I can always have a VM with the “host” CPU type, which should forward CPU capabilities and features to the VM.
Thank you for the tipps!
A quick google search even reveals a nextcloud tutorial on how to install it . I’ll definitely try that out.
DAVx5 basically acts as the connector between your server and your calendar/contacts/files apps
Thank you for the explanation. I’ll probably be testing a lot of FOSS apps on my current android before I make the switch, so it’s good to know that I have to look out not just for usability, but also connectivity!
You’ve got a point, but now I gotta ask: Where do you store your original paperform documents? You know, the real-life critical things. Maybe I’m wrong, but I feel like most people store these things at home, possibly tucked away in a neat, little, sorted folder, for preservation. Which would be a nightmare for all the same reasons, but seems strangely accepted and widely practiced.
No data I own is life-or-death critical. Losing everything would be really bad, but many things can be restored in alternative ways, except the photos.
Also, I may be able to backup the most important stuff (which would only be a few GB at most) to an offsite server, as long as nextcloud (or an alternative) is able to export contacts, calendar and photos, or I can single these out in some other way. As long as this somehow works, I can rent a cheap hetzner server with a few GB of storage and have that be the backup target for the most critical stuff.
If you really mean life-or-death critical
No data I own is “life-or-death” critical.
I can ask around for contact info again, same with calendar events I had planned. Some documents can be restored via the original service or by paying a fee to get a new original document, I still have folders full of originals in paper form. Some info can be restored by looking through my bank account or online buying activity. Losing my photos would be really sad, but nothing of that will kill me or destroy my life.
But I definitely can save the most critical stuff (probably a few GB only), if nextcloud (or some alternative) has the ability to regularly export these to an on-disk location. This way, some backup utility like restic or rsnapshot shoud be able to do the job.
Thank you for sharing your experience of the process!
On my phone, I use DAVx5
I’m a little confused after looking at the website. What exactly does DAVx5 do? The regular re-sync of contacts, calendar and files itself? Shouldn’t that be done by the contacts app / calendar app on regular intervalls?
with Fossify apps
I just downloaded fossify calendar on my android a few days ago to test it and got to see the other fossify apps :)
syncthing phasing out android support
Oh man, I already use syncthing for ~5 GB of files and I use it on my android too. Seems I’ll be trying syncthing-android-fdroid in the future then.
There are tons of notes apps
There really are a lot! NotallyX looks nice and simple, but memos also looks very interesting. And thank you for the link, I’ll go dive into that tomorrow.
The one Google feature I am not able to reproduce is Google Messages
I do not need RCS-compatible messengers. What I send via SMS is nothing more than pure text, also no group chats. I use signal and element for my “fancy” messaging needs :)
I use Tailscale
I’ll look into it some more over the next days, but on a quick glance, this seems like it is an online service where you need an account? If that’s the case, I’d prefer using my already running OpenVPN server to do the job.
Oh, it’s nice to hear somebody already did that, thank you!
Did you have any hiccups or general problems with nextcloud or calendar/contacts/photos sync? Did you do any specific thing to harden security, other than using ufw, fail2ban and changing sshd config?
Thank you for your input!
I also thought about the 3-2-1 backup rule, but am unsure if that is overkill.
My VM-backups and file-level-backups are proxmox backup server (pbs) backups. Meaning, to have them offsite, I’d need to rent a dedicated root server on which I am able to install pbs to act as an offsite sync-target. With TB of backups, this is gonna get very costly very fast.
I thought about regularly exporting encrypted calendar and contacts onto some free online storage, hoping I can automate this process.
With what I have layed out in my post, to lose contacts and calendar events, both my intel NUC and the zotac mini-PC have to be corrupted at the same time. Or both RAIDs simultaniously failing both drives. Am I not paranoid enough or is that an acceptable level of failure-safety?
Yeah, I do daily VM-backups which include all of the data on syncthing. No matter what you have, you always gotta have a good backup-strategy.
I use syncthing for some of my “can-never-lose-these” files. syncthing synchronizes files between different devices. This is not an online-file-hosting thing like Google Drive or OneDrive. These files are physically present on all synchronized devices.
My server is the “main” (you can make everyone equal) syncthing every other syncthing connects to. With an established connection, files will be synchronized on participating devices. AFAIK, syncthing is compatible with Windows, Android and Linux.
This way, my important files are on my server, my smartphone, my PC and my laptop and every single one of these devices must simultaniously explode for me to lose my data. Also, it’s on docker hub
pi-hole is another great one. Local adblocker for the whole network, just set it as your DNS server or let the DHCP server propagate this DNS server to your clients. This too is on docker hub
Proton also seems to be interesting. Privacy by default and being swiss based definitely are plus points.
Thanks for the mentions!