
Guidance for Noob? (Syncthing vs Nextcloud, Immich, Tailscale)

TL;DR: Unsure if I should just run Syncthing, or do a Nextcloud. Tailscale seems at risk of enshittification, so do I find alternatives or just use it for ease? Is Immich easy enough to set up without Tailscale? Stick with docker or podman for ease? Are external drives easy to work with? Should my RAID1 be NTFS or Ext4?

Starting My Selfhosting Journey

I recently got my drive bay and Optiplex and have already flashed Proxmox onto it so I could eagerly spin up some local services to see what I wanna stick with. Or at least I tried anyway 😅

Jellyfin in a Debian container was quick, painless and seems to work fine. But I was trying to set up Nextcloud and I felt lost, with the many different ways people go about it. When I tried to set up Nextcloud AIO in a Debian VM with docker it forces you to set a domain for your instance, but I only want to do local for now (ease and security until I get the hang of things). Which then runs into the hosting-a-domain-via-Tailscale problem. 90% of guides, videos, scripts, etc. seem to only focus on/support Tailscale, but they force you to use third-party accounts for logins, and I started this whole thing to distance myself from Big Tech. Is Headscale or NetBird a better idea (when I do decide to remotely access)? Which is more beginner-friendly? Similarly, docker or podman?

I do know the difference between Syncthing and Nextcloud, but I wonder which I should stick with. I want to start being better about backing up my phone and laptop, and I know I could use syncthing to share these backups with each other, but I thought it'd be nice to try to replace my minimal Google Drive and Onedrive usage with Nextcloud and just put everything there. I'd still have to backup that data to an external location though if I want to follow the 3-2-1. So should I just do encrypted backups and put them in a cheap provider's cloud, and drop the idea of a selfhosted cloud?

Similarly related to the Nextcloud issue, is Immich another heavily Tailscale-dependent service?

Side note: How easy is it to use external drives with these services I've mentioned? I plan to use my drive bay that currently has 2TB (4 drives running in RAID1), so I can only connect to it via cable. Can I have most of my media stored on the drives, or will that not work? Also, I swear I had to keep verifying my login every few mins when accessing my drives on ext4 format? I switched it to NTFS recently but Windows can't read/see the drives at all (does it not like Linux formatting it?)

Future Ideas: Once I get these first few down, any suggestions? I'm feeling the power rush and craze from being free and able to run my own stuff, and I want to prove to my mom how useful it'll be. I want to move away from YT Music, and I've heard Jellyfin + Jellyamp works well, but is there another I should run (Navidrome)? Should I get into the arr services and torrenting (I do have ProtonVPN)?

I tried looking at previous posts but I just wanted a little more personalized advice. I'm extremely grateful for any help and I will make sure to post my beautiful setup later once I get it going after y'all's input. It's really exciting thinking about the possibilities!

15 comments
  • Tailscale is great. You should use it. Most of their code is open-source. Their coordination server is closed-source, however there's a self-hostable open-source reimplementation called Headscale if you want a fully-open-source Tailscale stack.

    Tailscale is a peer-to-peer VPN, meaning there's no central server like with OpenVPN. Systems on the VPN connect directly to each other. You can also use Wireguard in this way if you configure it as a mesh (every device on the VPN has every other device configured as a peer, and for each pair, at least one of them has the port open and forwarded). Tailscale is more reliable for that as it uses several NAT traversal techniques, so you don't need to open the port and it works even if both ends are behind NAT.

    Immich doesn't rely on Tailscale; you can use any VPN. They don't recommend exposing it to the public internet at the moment though, which is why you'd use a VPN (edit: as per a reply, this is not the case any more). In general, never expose anything publicly unless it absolutely has to be (like a website that anyone can access). For giving access to friends, you can share a device with them via Tailscale and configure an ACL so they can only access particular services on it.

    For the drives, I'd recommend ZFS instead of Ext4 or NTFS. ZFS can detect bitrot and corruption using checksums, which neither Ext4 nor NTFS can do. NTFS isn't recommended unless you're running Windows Server, but you already said you're using Proxmox.

    IMO, use Syncthing instead of Nextcloud, unless you'll be using all the other apps that come with Nextcloud (calendar, office tools, chat, etc). Syncthing does one thing and it does it well, which is almost always better than using software that tries doing a large number of things. Consider Seafile too.

    For backups, I'd recommend Borgbackup and Borgmatic. Get a cheap storage VPS to store it. You should be able to get a deal for less than $2/TB/month during the current Black Friday sales. Check LowEndTalk for deals. A Hetzner storage box would work great too.

    • On the public Immich bit, they have docs on how to set up a reverse proxy correctly. No security warnings.

      That sounds like a thumbs up to me?

    • Dumb question: my bitwarden browser plugin doesn't work properly if my Vaultwarden doesn't run https. Right now I'm exposing it under a subdomain with a self-signed cert in nginx proxy manager. Could I switch over to using my Headscale with "tailscale serve"? Does this work and can I use https in that way?

      • Tailscale serve might work; I haven't tried it so I don't know what it's capable of.

        Usually I'd recommend getting a real domain name and using Let's Encrypt. .com domains are around $10/year but some TLDs are even cheaper. If you don't mind which TLD you use, go to tld-list.com and sort by renewal price.

        Edit: I forgot to mention - a server does not need to be publicly exposed to use Let's Encrypt. You can use a DNS challenge instead of an HTTP one.

      • A domain with DNS access costs around 2€ a year. Just buy your own and generate certificates with Acme.
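The mesh rule from the first comment above (every device is a peer of every other, and per pair at least one side has an open, forwarded port) as an added example that is not part of the thread: it generates per-node WireGuard configs and flags the pairs plain WireGuard cannot link directly. Keys, hostnames and addresses are constructed placeholders.

```python
"""Per-node WireGuard configs for a full mesh (added example, not from the thread).
Every device lists every other device as a peer; for each pair at least one side must
have its UDP port open and forwarded. Keys, hosts and addresses are constructed placeholders."""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    pubkey: str                     # constructed placeholder, not a real key
    address: str                    # address inside the VPN, without prefix length
    endpoint: Optional[str] = None  # "host:port" if reachable from outside, None if NAT'd


def unreachable_pairs(nodes: List[Node]) -> List[Tuple[str, str]]:
    """Pairs where neither side is reachable: plain WireGuard cannot link them directly."""
    return [(a.name, b.name) for a, b in combinations(nodes, 2)
            if a.endpoint is None and b.endpoint is None]


def render_config(me: Node, nodes: List[Node], listen_port: int = 51820) -> str:
    """Build a wg-quick style config for `me` with every other node as a peer."""
    lines = ["[Interface]",
             f"PrivateKey = <{me.name}-private-key>",  # fill in locally; never share real keys
             f"Address = {me.address}/24"]
    if me.endpoint is not None:
        lines.append(f"ListenPort = {listen_port}")    # only the reachable side needs a fixed port
    for peer in nodes:
        if peer is me:
            continue
        lines += ["", "[Peer]", f"PublicKey = {peer.pubkey}",
                  f"AllowedIPs = {peer.address}/32"]   # route only that peer's VPN address
        if peer.endpoint is not None:
            lines.append(f"Endpoint = {peer.endpoint}")
            if me.endpoint is None:
                lines.append("PersistentKeepalive = 25")  # NAT'd side initiates and holds the mapping
    return "\n".join(lines)


# Constructed sample mesh: one VPS with a forwarded port, two devices behind NAT.
NODES = [
    Node("vps", "<vps-public-key>", "10.0.0.1", endpoint="vps.example.org:51820"),
    Node("laptop", "<laptop-public-key>", "10.0.0.2"),
    Node("phone", "<phone-public-key>", "10.0.0.3"),
]
```

The laptop/phone pair is reported as unreachable: neither has an open port, which is exactly the case where Tailscale's NAT traversal (or a relay) is needed and a hand-built WireGuard mesh is not enough.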

  • To answer your first bit:

    I went owncloud --> nextcloud --> syncthing + radicale.

    Not looked back.

    I run everything through a proxy in my home-built pfsense box.

  • I also had a lot of difficulty setting up NextCloud. Based on the various reviews and comments, it seems like I may have actually dodged a bullet.

    In general, as I've tried different self-hosting solutions, I've found that using a dedicated solution for each purpose has given me better results. I use Radicale for contacts and Calendar, Immich for photos, Jellyfin for media (Navidrome for music is great, but I ended up keeping my music library in Jellyfin because I liked the client apps better).

    I'm using OwnCloud for filesync, although I'm also testing CopyParty, which is pretty phenomenal and stupid simple.

    Tailscale is GOAT. Some people have speculated that it could be subject to enshittification some day. It's managed by a for-profit company, but everything they do is open source. There are already well-tested forks like HeadScale if you ever have the need to self-host it in the future.

    NextCloud seems great if you can get it working and provides a lot of services in one. Some people have said that causes bloat and slowdown, so there are two sides to the coin.

    Syncthing is likely not a good option for a file server. It's great if you want to have a shared file or folder on multiple devices, especially if you just want to transfer files quickly and seamlessly. It's fantastic at what it does, but it's not a file server. There are a lot of opportunities for error when using Syncthing.

  • I think you should think about this from a higher abstracted layer of things. The point being; how do you do this in a way that lets you be flexible, no lock in, ease of pivoting, and has the gift of allowing you to do things in stages as your skills/competencies grow. We also want to look to mitigate all sorts of setup/securing/maintenance/update infrastructure complexities and hassles.

    1. You're going to have to solve a 'network' problem: how do you securely allow everything to communicate with each other? Managing things like domains/HTTPS certificates/reverse proxies/VPNs/tunnels etc. (Tailscale/Headscale as a solution is complex in and of itself; but the problem spaces it solves for are far more complex, and getting it wrong here can make you very vulnerable, catastrophically)
    2. You're going to have to solve a 'user' problem: how do you manage identities, and their ability to authenticate credentials, and use multifactor auth, as well as manage their access to #1 and #3? (IDP, IAM, SSO is a hard problem, and again, getting it wrong here would be catastrophic)
    3. What 'services' am I providing to this network of users/devices? (Storage of things through say Nextcloud/Immich, access to media server for streaming, etc)

    For #1 I would lean into Tailscale, and its features like "Serve" and maybe "Funnel". I don't get the Enshittification vibe, but I suppose it is always a risk. The pivot point would be to move your coordination server to Headscale (you still use the tailscale clients, just reconfigured to point to the headscale coordinator).

    For #2 Tailscale doesn't do the IDP (Identity Provider) thus all the Logon options. To start like "stage 1" just pick one (my recommendation would be github of the choices available, but also to maybe start investigating git/VCS learning paths), IDP/IAM is a hard problem, you can self host one, but you're adding a lot of complexity, and a huge security burden if you get it wrong. Consider doing this in a later stage; at stage X, work to selfhost something like Headscale/Traefik/Authelia; and then migrating to it to finally ditch all of 'Big Tech'.

    For #3 How to host your services, i.e. Podman or Docker? If you're just starting, I'd lean more into Podman; from a security standpoint, as well as staging things in a way that lets you jump into say Container Orchestration/Kubernetes (but also if you're worried about enshittification, as Docker has shown some of). Adding tailscale to containerized services is fairly straightforward, making them securely available to your 'network'. The docker/podman paradigm is similar enough; learning to do things one way is very similar to the other's way; there is just a nuance to how things actually work, different 'gotcha' things, but a lot of the same abstractions. I don't think it's too difficult to bounce between if necessary.

  • I'd recommend setting up a domain even if just for local use. No-ip.com is at least working for me right now (I have a free throwaway domain set up there and my router is keeping my dynamic IP DNS records up to date so I can wireguard into my router/LAN even if the IP changes).

    You don't need to expose your services, but if you ever do want to, it's so much easier if you've got a working reverse proxy in front already set up, plus you can use https via Let's Encrypt certificates inside the LAN.

    Setting up (sub)domains in the LAN forces you to learn to use a reverse proxy like Caddy, Traefik or nginx. Personally to me NPM (nginx proxy manager) was the easiest to use, but I use Caddy nowadays. For half a year I didn't expose anything, but after wanting to share some albums with the extended family I decided to do so via Pangolin hardened with CrowdSec running on a virtual private server. Pangolin, while not as easy as Tailscale, is self-hosted, is very well documented and works well. Then internally, I still have my Caddy reverse proxy and certs.

    All the services work with the same domain names internally (via the router's DNS) and externally. Internally the domain simply points to my server's LAN address. Externally the domain points to my VPS where Pangolin relays my internal domains to the users but adds an extra authentication layer/reverse proxy/access control layer in front. For authentication I use Pocket ID. I can reach Nextcloud and access and edit all my documents and other files right there in the browser from any computer, which is very convenient.

  • I use wireguard directly instead of tailscale. Not sure what router you're using, but MikroTik supports it out of the box. I am sure they are not the only ones. My phone runs on it 24/7 and has access to the rest of my services.

    I haven't set up nextcloud, so can't give any advice on that. Immich was insanely easy to set up though.

    I like navidrome, but I am not using jellyfin, so I have nothing to compare it with.

  • Syncthing. You don't need nextcloud.

  • I did this about a year ago, and started with tailscale. But for some bizarre reason, tailscale would cause my entire internet connection to drop. I had the internet provider come out 5 times to fix it, I got a new router twice, they even checked for cable problems between my house and the neighbourhood switch. All to no avail. I would lose internet connection several times a day until I would reboot my router. I then found someone on their forum mention that tailscale was causing problems, so I turned it off. The problems stopped. I found no way to mitigate this.

    I ended up running wireguard, which works great for me, but does have a bit of a learning curve. I have rented a tiny cloud server which is the central hub, and all of my services run in podman with their own wireguard config. I run my own DNS for the local domains. It took me a bit of effort, but it is now running very stable.

  • I’m still learning myself, but am planning to use NetBird instead of Tailscale to access my VMs and apps without exposing them to the web. So far, it’s been pretty easy to set up.
