Best setup for privacy and independence

Hello!

So, I have been checking this forum for quite some time and have pretty much done everything I could on my immediate privacy journey. From threat modelling to securing my devices, I still have one dilemma about what the best course of action would be here.

So, I mainly use privacy-respecting cloud services.

I wanted to dive into the selfhosting world because of the main aspect there: Independence. Here’s the thing: I like some services from Private Company#1 and Private E2EE Company#2 and all, but I worry that these companies can become a lot worse in no time. Also, with the VPN blocks, censorship and everything, I really want my data and files and everything to be secure in an environment I can control, and accessible at all times (that is my threat model).

From what I know, VPS hosting would be a no-no for me because I would just be switching trust from a private server to another server that would require setting up E2EE services. All in all, this approach would not go with the independence part, even if it would be a server I manage, because it would be hosted elsewhere.

However, I worry about opening ports and exposing my network to the net, and wanted the setup to be as simple as possible, with the minimum number of devices to maintain. Mainly my PC and phone. Also, I wanted most services (photo management, calendar, RSS feed…) to be available wherever I am on my phone. What would be the best course of action here? I thought about Syncthing and keeping all my calendars, password vaults and photos locally stored and synced between these devices, but AFAIK it does not support iOS.

Also, just syncing files would probably not really be the best answer for stuff like calendars and RSS feeds via OPML, since I would have to keep importing stuff over and over.

Edit: I wanted to add that I want my stuff to be always available offline as well.

Am I looking for something that doesn’t exist?

Really want to hear some suggestions and how you guys did address this kind of issue.

There’s an ongoing thread about this very topic: Guides for self-hosting from a focus on privacy?

Yes, you can theoretically self-host from your PC, but people typically buy dedicated server hardware that will be physically connected to a router and will run the app servers 24/7. It sounds like you want to run at least an ente app server.

I like my raspberry pi (hardware) + cloudflared (expose on the web) combo, which I think is a very simple start.

2 Likes

A lot of what you’re saying, I was also saying a few years ago. What you’re asking for has inherent contradictions that make it nearly impossible without compromise.

Out of your requirements, pick two:

  • Always available from anywhere
  • No VPS/external infrastructure
  • No exposed home network

One thought I have is to reconsider a VPS. Yes, I get that you don’t want to shift trust from one provider to another server, but if you use the VPS running only lightweight sync/coordination services (encrypted) with the actual data stored locally, you’re using it as a relay/coordinator. They won’t have any of your data, and it will help in the “always-on availability” and “minimal maintenance” requirement.

And if the specific VPS provider goes sour, it’s possible to transfer to another provider.

As for “no exposed ports” and “always on availability”, what you’ll use is a VPN. Tailscale is the most friendly option for a private VPN mesh network, but now you’re trusting another company. Headscale is the self-hostable version of Tailscale, and you can run that on your VPS. Your devices can connect to each other through it and the VPS itself will never see the traffic. WireGuard is another option.

Cloudflare tunnels is another common option mentioned by others, as you can connect lightweight services (i.e., no video streaming, etc.) without port-forwarding, but then again, now you’re relying on Cloudflare.

“Always on” means something must run 24/7, whether it be a Raspberry Pi ($50-100), an old laptop/desktop as a home server, a purpose-built NAS, or a VPS. You want minimum devices, but self-hosting does require at least one always-on machine.

CalDAV (used by Nextcloud/Radicale) doesn’t require any manual importing. You connect your iOS Calendar app once, and then it automatically syncs all changes bidirectionally while keeping a full OFFLINE copy on your device.

The RSS concern is something different: the challenge isn’t importing OPML repeatedly, it’s that RSS feeds need something to fetch new articles 24/7 from the internet, which requires either an always-on device at home or a lightweight VPS service.

If you really want to make file-syncing work, check out https://mobiussync.com/ (an unofficial and afaik “limited” iOS client for Syncthing) or Resilio Sync, which is proprietary but iOS compatible. Otherwise, you’re probably correct in that file-syncing is not a viable option for your setup. I don’t have personal iOS devices so this is just based on reading about other people’s experiences.

Couple other things to consider now:

If you’re self-hosting, it means you’re now responsible for data loss. You should consider encrypted cloud backup (even if it’s a bit ironic). Backblaze B2 is my recommendation, although Amazon S3 Glacier Deep Archive IS an option as the cheapest.

Also, just the act of maintaining self-hosted services is ongoing work. Security updates, troubleshooting, just upgrading in general… Maintenance is inevitable. We can try to minimize the amount of maintenance or make it as simple as possible, but there is maintenance nonetheless.


Ultimately, what is your best course of action?

Here’s what I’d recommend:

Self-host services you want at home, like Immich for photos, FreshRSS for RSS, Radicale for CalDAV, etc. Try connecting to them using WireGuard VPN, Tailscale/Headscale, and Cloudflare tunnels and figure out their strengths and weaknesses from there.

Start with just ONE service on a device you already own and go from there. Self-hosting has a learning curve, and you don’t want to migrate everything at once only to realize it’s more complex than expected. You can always expand later.

The perfect solution you’re envisioning doesn’t really exist, every approach trades off something. The question is which tradeoffs you can live with.

4 Likes
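The “VPS as relay/coordinator, nothing exposed at home” layout the reply above describes, as an added example that is not part of the thread and not code from WireGuard, Headscale or any project mentioned: a small generator for hub-and-spoke WireGuard configs. The tunnel subnet (10.7.0.0/24), the hostname vps.example.net, the peer names and the `<…_KEY>` placeholders are all assumptions; real keys come from `wg genkey | wg pubkey`. The security-relevant details are that only the VPS has a `ListenPort` (the home server and phone open nothing inbound and rely on `PersistentKeepalive` through NAT), that the hub’s `AllowedIPs` is a per-peer /32 so one compromised device cannot spoof another’s tunnel address, and that spokes route only the tunnel subnet through the VPS rather than 0.0.0.0/0. One caveat: in this plain hub topology the VPS terminates each tunnel and forwards the decrypted packets between spokes, so it can see spoke-to-spoke traffic unless the services themselves use TLS or E2EE; Headscale/Tailscale differ in that peers negotiate direct WireGuard sessions with each other and the relay only carries still-encrypted packets when a direct path fails.

```python
"""Hub-and-spoke WireGuard config generator for a "VPS as relay" setup.

Added example, not code from the thread. Keys are placeholders; the
subnet and endpoint below are assumptions.
"""
import ipaddress
from dataclasses import dataclass

VPN_NET = ipaddress.ip_network("10.7.0.0/24")  # assumed tunnel subnet


@dataclass(frozen=True)
class Peer:
    name: str
    vpn_ip: str          # tunnel address; must lie inside VPN_NET
    public_key: str      # placeholder; real value from `wg genkey | wg pubkey`
    behind_nat: bool = True


def _check_peers(peers):
    """Reject addresses outside the tunnel subnet and duplicate addresses."""
    seen = set()
    for p in peers:
        ip = ipaddress.ip_address(p.vpn_ip)
        if ip not in VPN_NET:
            raise ValueError(f"{p.name}: {p.vpn_ip} is outside {VPN_NET}")
        if ip in seen:
            raise ValueError(f"{p.name}: duplicate tunnel address {p.vpn_ip}")
        seen.add(ip)


def hub_config(hub, spokes, listen_port=51820):
    """VPS side: the only node with ListenPort; forwards spoke-to-spoke traffic."""
    _check_peers([hub, *spokes])
    lines = [
        "[Interface]",
        f"Address = {hub.vpn_ip}/{VPN_NET.prefixlen}",
        f"ListenPort = {listen_port}",
        "PrivateKey = <HUB_PRIVATE_KEY>",
        # Forward only between tunnel peers on the wg interface (%i);
        # no masquerading, so the VPS is not an internet exit node.
        "PostUp = sysctl -w net.ipv4.ip_forward=1; "
        "iptables -A FORWARD -i %i -o %i -j ACCEPT",
        "PostDown = iptables -D FORWARD -i %i -o %i -j ACCEPT",
        "",
    ]
    for s in spokes:
        lines += [
            "[Peer]",
            f"# {s.name}",
            f"PublicKey = {s.public_key}",
            # Cryptokey routing: this key may only send from / receive for its
            # own /32, so a compromised phone cannot impersonate the home server.
            f"AllowedIPs = {s.vpn_ip}/32",
            "",
        ]
    return "\n".join(lines)


def spoke_config(spoke, hub, hub_endpoint):
    """Home server or phone: no ListenPort, so nothing is exposed inbound."""
    _check_peers([hub, spoke])
    lines = [
        "[Interface]",
        f"Address = {spoke.vpn_ip}/{VPN_NET.prefixlen}",
        "PrivateKey = <SPOKE_PRIVATE_KEY>",
        "",
        "[Peer]",
        f"# {hub.name}",
        f"PublicKey = {hub.public_key}",
        f"Endpoint = {hub_endpoint}",
        # Route only the tunnel subnet via the VPS, not 0.0.0.0/0.
        f"AllowedIPs = {VPN_NET}",
    ]
    if spoke.behind_nat:
        # Keeps the NAT mapping alive so the hub can reach this peer
        # without any port-forwarding on the home router.
        lines.append("PersistentKeepalive = 25")
    return "\n".join(lines)


# Constructed topology (assumed names and placeholder keys).
HUB = Peer("vps-hub", "10.7.0.1", "<HUB_PUBLIC_KEY>", behind_nat=False)
HOME = Peer("home-server", "10.7.0.2", "<HOME_PUBLIC_KEY>")
PHONE = Peer("phone", "10.7.0.3", "<PHONE_PUBLIC_KEY>")
HUB_ENDPOINT = "vps.example.net:51820"  # assumed hostname

if __name__ == "__main__":
    print(hub_config(HUB, [HOME, PHONE]))
    print(spoke_config(HOME, HUB, HUB_ENDPOINT))
    print(spoke_config(PHONE, HUB, HUB_ENDPOINT))
```

Drop each generated file in as `/etc/wireguard/wg0.conf` on the respective machine (after replacing the placeholders) and bring it up with `wg-quick up wg0`; the home services are then reached at 10.7.0.2 from the phone, and the home router still has no forwarded ports.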
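Why CalDAV needs no re-importing, as an added example that is not part of the thread and not code from Radicale, Nextcloud or the iOS Calendar client: a client polls the collection’s `getctag` and, only when it changed, compares per-event `getetag` values against its local cache to decide what to download, delete, or upload. Local edits are pushed with `If-Match` on the cached etag (so a concurrent server-side change yields a 412 instead of a silent overwrite) and new local events with `If-None-Match: *`. The PROPFIND response, the `/cal/user/personal/` collection path, the event names and the local cache contents are all constructed for the example.

```python
"""CalDAV change detection: ctag/etag comparison instead of re-importing.

Added example, not code from the thread or from any CalDAV server/client.
The multistatus body and local cache below are constructed sample data.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

NS = {"d": "DAV:", "cs": "http://calendarserver.org/ns/"}

# Constructed PROPFIND (Depth: 1) response for a hypothetical collection.
SAMPLE_PROPFIND = """<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/">
  <d:response>
    <d:href>/cal/user/personal/</d:href>
    <d:propstat><d:prop><cs:getctag>"ctag-2"</cs:getctag></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/cal/user/personal/dentist.ics</d:href>
    <d:propstat><d:prop><d:getetag>"e1"</d:getetag></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/cal/user/personal/standup.ics</d:href>
    <d:propstat><d:prop><d:getetag>"e7"</d:getetag></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/cal/user/personal/gym.ics</d:href>
    <d:propstat><d:prop><d:getetag>"e9"</d:getetag></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/cal/user/personal/birthday.ics</d:href>
    <d:propstat><d:prop><d:getetag>"e2"</d:getetag></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
</d:multistatus>"""

# Constructed local cache: what the phone last saw, plus offline edits.
LOCAL_CACHE = {
    "ctag": '"ctag-1"',
    "items": {
        "/cal/user/personal/dentist.ics": {"etag": '"e1"', "dirty": False},
        "/cal/user/personal/standup.ics": {"etag": '"e5"', "dirty": True},
        "/cal/user/personal/old.ics":     {"etag": '"e3"', "dirty": False},
        "/cal/user/personal/gym.ics":     {"etag": '"e9"', "dirty": True},
        "/cal/user/personal/run.ics":     {"etag": None,   "dirty": True},
    },
}


@dataclass
class SyncPlan:
    fetch: list = field(default_factory=list)     # GET these from the server
    delete: list = field(default_factory=list)    # remove from the local store
    upload: list = field(default_factory=list)    # (href, PUT headers)
    conflict: list = field(default_factory=list)  # edited locally AND on server


def parse_multistatus(xml_text):
    """Return (collection ctag, {href: etag}) from a DAV multistatus body."""
    root = ET.fromstring(xml_text)
    ctag, etags = None, {}
    for resp in root.findall("d:response", NS):
        href = resp.findtext("d:href", namespaces=NS)
        prop = resp.find("d:propstat/d:prop", NS)
        if prop is None:
            continue
        c = prop.find("cs:getctag", NS)
        e = prop.find("d:getetag", NS)
        if c is not None:
            ctag = c.text
        elif e is not None:
            etags[href] = e.text
    return ctag, etags


def plan_sync(local, server_ctag, server_etags):
    """Decide what to transfer; nothing is ever imported twice."""
    plan = SyncPlan()
    # Offline edits go up first, guarded by the etag we last saw.
    for href, item in local["items"].items():
        if not item["dirty"]:
            continue
        if item["etag"] is None:
            plan.upload.append((href, {"If-None-Match": "*"}))  # brand-new event
        elif server_etags.get(href) != item["etag"]:
            plan.conflict.append(href)  # changed or deleted on the server meanwhile
        else:
            plan.upload.append((href, {"If-Match": item["etag"]}))
    if local["ctag"] == server_ctag:
        return plan  # collection unchanged: the cheap poll ends here
    for href, etag in server_etags.items():
        item = local["items"].get(href)
        if item is None or (item["etag"] != etag and not item["dirty"]):
            plan.fetch.append(href)
    for href, item in local["items"].items():
        if href not in server_etags and item["etag"] is not None and not item["dirty"]:
            plan.delete.append(href)
    return plan
```

The same two-level comparison is what lets the phone keep a complete offline copy: between polls it serves the cached events, and a poll whose ctag matches costs one small PROPFIND and transfers nothing.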