Hi! I know this is a kind of dangerous topic to ask :D And I am sorry this got so long.
I plan on building my own little home server. Currently I will mostly use it for Nextcloud, maybe some other stuff, like Git. I would like to be able to access Nextcloud or Git from outside my home (yes, I actually go outside sometimes… don't know why though). I will run Docker and Portainer on a Pi 5 (I guess it's enough for one person) and I have 4x 4TB disks. I currently plan on creating a software RAID 10 with the disks to get 8TB of storage.
I have two types of disks, a new set of IronWolf and a used set of WD 24/7 drives. How would you arrange them? Put both from one type in RAID 1 or mix both types in RAID 1? I just heard about LVM. Would you recommend putting that on top of the RAID? I don't know if I plan to change the storage setup, but doubt it currently. I'm not sure if ZFS would be a better solution for me, but it seems unnecessary at the moment.
I don't quite know what I should search for to find a solution for accessing the services from outside. I would like to avoid a (WireGuard) VPN so I can log in on a different device without setting it up, or so I can connect to the VPN at work or uni and still be able to use my Nextcloud data. So dyn DNS with port forwarding seems to be the only option. But I am a little afraid to open up my home network to the outside like this, without another protection like a login. I know Nextcloud has that, but I'm not sure if that is enough or what can be seen and accessed from the outside if I use DDNS and port forwarding.
For backups I plan on using Duplicati and storing the backups encrypted to either pCloud (would need to buy it, additional cost…) or a server at a friend's or my dad's house. But with the second solution I am not sure how I would create a tunnel to their server, so it's secure for both of us. He has a static IP, so no DDNS needed. Maybe a WireGuard tunnel would be best here? My dad does not have a static IP but would create a WireGuard VPN for me with MyFritz (AVM's DDNS service). Any thoughts on that? I would create a disk image of the completed OS (the SD card…) once the services are running, so I can revert if something breaks. I guess a manual image is enough after the setup, because the Docker containers reset anyways on restart, right?
Thank you so much, I am grateful for any advice!
For the disks, I’d use ZFS because it’s easier to use and it’s got data integrity checking. Choose how many disks you want to be able to lose and use raidzX where X is that number. E.g. raidz2 will allow you to have the same space as your raid10 but any 2 drives can fail and you’d still have your data. Dropping it down to raidz1 will give you the space of 3 drives at the expense of having only 1 redundant drive.
If you decide to stay ZFS-free, LVM has a built-in function to create RAID. Look up the LVMRAID man page. It allows you to set up an LVM-managed mdraid and use volumes on it in one go.
For outside access, Tailscale is probably the easiest option. It has a fully open source upgrade path. Tailscale’s clients are open source. The server infrastructure isn’t, but there’s an open source project called Headscale which can replace Tailscale’s server. I’ve tested it briefly and while not as convenient to setup, it seems to work about as well.
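To make the capacity and fault-tolerance trade-off above concrete (and to look at the poster's question of whether to pair the two IronWolf drives together or mix vendors within a mirror), here is an added example that is not from the thread. It enumerates every one- and two-disk failure combination for the three 4-disk layouts discussed: RAID 10 (two striped mirrors), raidz1 and raidz2. The disk labels, the 4TB size and the "whole batch dies at once" correlated-failure scenario are constructed assumptions; ZFS metadata overhead is ignored.

```python
from itertools import combinations

# Constructed disk labels matching the poster's two new IronWolf and two used WD drives.
DISKS = ["ironwolf_a", "ironwolf_b", "wd_a", "wd_b"]
DISK_TB = 4  # assumed: 4 TB per drive

# Two candidate RAID 10 arrangements: mirror pairs per vendor, or mixed across vendors.
PAIRS_SAME_VENDOR = [("ironwolf_a", "ironwolf_b"), ("wd_a", "wd_b")]
PAIRS_MIXED = [("ironwolf_a", "wd_a"), ("ironwolf_b", "wd_b")]


def raid10_survives(failed, pairs):
    """Striped mirrors lose data as soon as both members of any one mirror fail."""
    failed = set(failed)
    return all(not set(pair) <= failed for pair in pairs)


def raidz_survives(failed, parity):
    """raidzP tolerates any P failures, regardless of which disks they are."""
    return len(failed) <= parity


def usable_tb(layout, n_disks=len(DISKS), disk_tb=DISK_TB):
    """Usable space, ignoring ZFS metadata overhead and reservations."""
    if layout == "raid10":
        return n_disks // 2 * disk_tb
    if layout.startswith("raidz"):
        parity = int(layout[5:])
        return (n_disks - parity) * disk_tb
    raise ValueError(layout)


def survival_fraction(layout, k, pairs=PAIRS_SAME_VENDOR, disks=DISKS):
    """Fraction of all k-disk failure combinations that the layout survives."""
    combos = list(combinations(disks, k))
    if layout == "raid10":
        ok = sum(raid10_survives(c, pairs) for c in combos)
    else:
        ok = sum(raidz_survives(c, int(layout[5:])) for c in combos)
    return ok / len(combos)


def batch_failure_survives(pairs, batch):
    """Correlated-failure model (assumption): every disk of one batch dies together.
    Only a RAID 10 whose mirrors span batches can survive that."""
    return raid10_survives(batch, pairs)


if __name__ == "__main__":
    for layout in ("raid10", "raidz1", "raidz2"):
        print(f"{layout}: usable {usable_tb(layout)} TB, "
              f"survives any 1 failure {survival_fraction(layout, 1):.0%}, "
              f"any 2 failures {survival_fraction(layout, 2):.0%}")
    for name, pairs in (("same-vendor", PAIRS_SAME_VENDOR), ("mixed", PAIRS_MIXED)):
        both_ironwolf = ["ironwolf_a", "ironwolf_b"]
        print(f"raid10 with {name} mirrors survives losing both IronWolf drives: "
              f"{batch_failure_survives(pairs, both_ironwolf)}")
```

Running it shows the point made above: raidz2 and RAID 10 both give 8TB, but raidz2 survives all six two-disk failure combinations while RAID 10 survives four of them (the two "both halves of one mirror" cases kill it). The second loop is the part the reply does not cover: for independent failures it makes no difference how you pair the vendors, but if you believe drives from the same batch tend to fail together, only mixed mirrors survive that scenario.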
But isn't Tailscale just a wrapper for WireGuard that doesn't require much configuration? So I would still end up with a VPN and send all my traffic over my home network?
It is, but by default it operates as a "split tunnel." That is, only traffic directed to a machine on your Tailscale network is routed over the underlying WG tunnel. In practice it creates "an overlay network." It will require installing a client on every endpoint. If you want a setup-free solution, then you have to do some sort of authentication that you trust to be secure, e.g. rely on each app's authentication, or front all apps with an HTTP proxy that has authentication. Personally I wouldn't trust that. I'd probably use SSH, which also requires some setup on the client. And that brings me back to Tailscale. 😂
You could theoretically have a firewall rule that only allows the IP address from which you're currently originating. You'll have to figure out a way to reconfigure the firewall as you move from one place to another. I've done this using ipsets and dynamic DNS. It works fine for static locations. It wouldn't work as well for a moving target as DNS records can be slow to update. I'm not using that method anymore because Tailscale is simpler and allows for more use cases and I have no problems installing it on my machines and devices.
Finally you could probably set up Tailscale on a small router outside the device you're using, then connect the device through that router. It might be possible to access your tailnet this way without setting up a Tailscale client on the device. I haven't done this but it's probably possible.
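The "firewall rule that only allows the IP you're currently coming from, updated via dynamic DNS" approach described above, written out as an added example that is not from the thread. It resolves the DDNS names of the places you connect from and brings an nftables set into line with the result, which an `input` rule then matches on. The DDNS names, the `inet filter` table, the `remote_allow` set and the `nft -j` JSON layout the parser expects are assumptions; the resolver and the current-set JSON used in the demo are constructed so the script runs offline. The one failure mode it guards against is the lockout you would get if every name failed to resolve and the script then emptied the set.

```python
"""Sync an nftables allow-list with the current addresses of DDNS names.

Assumed ruleset (hypothetical names):

    table inet filter {
        set remote_allow { type ipv4_addr; }
        chain input {
            ...
            ip saddr @remote_allow tcp dport { 443 } accept
        }
    }
"""
import json
import socket
import subprocess

ALLOWED_HOSTS = ["laptop.example.org", "uni.example.org"]  # assumed DDNS names
NFT_FAMILY, NFT_TABLE, NFT_SET = "inet", "filter", "remote_allow"  # assumed

# Constructed stand-in for socket.getaddrinfo so the example runs offline.
SAMPLE_DNS = {
    "laptop.example.org": ["203.0.113.10"],
    "uni.example.org": ["198.51.100.7", "198.51.100.8"],
}

# Constructed `nft -j list set inet filter remote_allow` output with one stale entry.
SAMPLE_CURRENT_JSON = json.dumps({"nftables": [{"set": {
    "family": "inet", "name": "remote_allow", "table": "filter",
    "type": "ipv4_addr", "elem": ["192.0.2.44"]}}]})


def sample_resolver(host, port, family=0):
    """Mimics getaddrinfo's return shape for the constructed SAMPLE_DNS table."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"{host}: Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in SAMPLE_DNS[host]]


def resolve_v4(hostnames, resolver=socket.getaddrinfo):
    """Current IPv4 addresses of all names; a name that fails to resolve is skipped."""
    addrs = set()
    for name in hostnames:
        try:
            for *_rest, sockaddr in resolver(name, None, socket.AF_INET):
                addrs.add(sockaddr[0])
        except socket.gaierror:
            continue
    return addrs


def parse_nft_set(json_text, set_name=NFT_SET):
    """Plain address elements of the named set from `nft -j` output (assumed format).
    Ranges and prefixes are JSON objects there and are left untouched."""
    for obj in json.loads(json_text).get("nftables", []):
        s = obj.get("set")
        if s and s.get("name") == set_name:
            return {e for e in s.get("elem", []) if isinstance(e, str)}
    return set()


def plan_updates(current, desired):
    """Return (to_add, to_delete). If nothing resolved, change nothing: emptying
    the set during a DNS outage would lock you out of your own server."""
    if not desired:
        return [], []
    return sorted(desired - current), sorted(current - desired)


def nft_commands(to_add, to_delete):
    """Render `nft add/delete element` commands as argv lists (no shell quoting needed)."""
    base = [NFT_FAMILY, NFT_TABLE, NFT_SET]
    cmds = [["nft", "add", "element", *base, f"{{ {ip} }}"] for ip in to_add]
    cmds += [["nft", "delete", "element", *base, f"{{ {ip} }}"] for ip in to_delete]
    return cmds


def sync(current_json, hostnames=ALLOWED_HOSTS, resolver=socket.getaddrinfo, dry_run=True):
    """Compute and (unless dry_run) apply the commands; returns them for inspection."""
    cmds = nft_commands(*plan_updates(parse_nft_set(current_json), resolve_v4(hostnames, resolver)))
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Real use: feed the output of `nft -j list set inet filter remote_allow`
    # and drop the constructed resolver; run it from cron or a systemd timer.
    sync(SAMPLE_CURRENT_JSON, resolver=sample_resolver, dry_run=True)
```

The demo prints three `add` commands and one `delete` for the stale address. Note what the reply warns about: the script can only be as current as the DDNS record, so a device that has just changed networks is locked out until its record updates and the timer fires again.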
Setting up Tailscale on a router is what I’m hoping to accomplish eventually. I want to use my home as an exit node so I can have my home ip while traveling without having a client on my traveling devices.
I hope that your router has a good amount of storage if it's an embedded router because the Tailscale binaries are rather large. Last time I tried I had to run the tailscaled binary through a compactor, and I ran the tailscale client only for the setup and then deleted it (the daemon doesn't need it in order to run).
That's awesome that you got that working. I was hoping this would be possible the same way feeding a router a WireGuard config is possible.
Edit: I’m going to try this at some point in the next few months https://docs.gl-inet.com/router/en/4/interface_guide/tailscale/
Thanks! I took a look at Tailscale a while back but was turned off immediately because it requires an account at their site. Would Headscale run on my own server at home?
Agreed. This is why I looked at Headscale before relying extensively on Tailscale.
Yes, Headscale would run anywhere. For the highest versatility you would run it in the cloud but it’s not necessary. If all you’d want to connect to is your server and it’s mostly up. If you had other machines that you might want to talk to even if your server is down, then having it in the cloud makes that possible. Personally I tried it on the smallest DO droplet.