Ok I’m not any networking expert but I think you are overestimating the risk here.

Opening a port doesn’t mean you are opening your whole home network just the specific services you want. And those not directly but with a web server in front of them . Web servers talked in this tgread that sit in front of open ports are well audited . I think that measures like mtls a generic web server hardening are more than ok to not ever be compromised.

But yeah I’m surely interested to listen if you could elaborate.

Thanks

He he didnt but thats what he meant

I mean 99% of users use reverse proxy for https public access

Also read the threat replies …

That’s what this thread is about

…

No?

Yes that’s exactly what they do

The funnel exposes your local services to the public over https . Like what you want to accomplish with reverse proxy . Its just more straightforward for a beginner.

Personally I closed my router ports and switched to tailscalr funnels after using caddy with mutual TLS for years.

While using a web server before your self hosted micro services is the obvious answer and caddy the easier to configure, as a beginner you should also consider taiscale funnels. You dont need to mess with router stuff like port forward or caring if you ISP have your router behind a cgnat which is kinda norm nowadays , also dont have to care for a domain name dynamic DNS stuff . You could have a look to my quick how to . All you need is running a script , the ports and desired names of your subdomains and your tailscale auth key. https://ippocratis.github.io/tailscale/

Brave sync server is open source and self host able.

Everything a browser syncs is syncable passwords, history, bookmarks, cards etc

The “issue” is there is not a user interface element to easily add the self hosted instance url

There are workarounds though

You can read my quick how to here

https://ippocratis.github.io/brave/

Headscale does not support funnels unfortunately

Tailscale is not completely foss.

https://tailscale.com/opensource

Yeah I’ve tried that with my webdav mount coz its the obvious thing to do.

Problem is local notes are exposed to other apps and unencrypted.

Apps like neutrinote can protect notes in their app sandbox and create a backup mirror in location of choice e.g. a webdav Mount that happens to be behind mtls.

Syncthing does not offer mtls.

Thanks for the info. Will look in to that approach too.

Mtls requires that the android client device has a certificate installed that matches the one installed on the server in order to access it.

“But, thinking about it now, I doubt it will actually affect the feature”

It will not

We don’t need to import a custom CA authority here just to insatll a client cert

Vaultwarden behind mutual tls and reverse proxy and https://github.com/oguzhane/bitwarden-mobile until https://github.com/bitwarden/mobile/pull/2629 is merged

But honestly all services you mentioned are worthy.

Anything that fits your needs imao

I use https://github.com/dgraziotin/docker-nginx-webdav-nononsense

There are many dockerised fileservers

OMV is quite limiting and maybe a little heavy for the pi(?)

Docker is straightforward Idk what to say You install docker and docker compose on host and run some compose.yml’s to spin up your services

RPI4/400 is perfectly capable as a little home server. All it needs is a good SD card.

Owntracks,photoprism,monocker,brave go m-sync,libre photos,wallabag,radicals e,Baikal,Firefox sync,Joplin web,webdav server,jellyfin,vaultwarden,wireguard

Nextcloud is an overkill. Its just too much. I’d say better split down the needed services. Baikal/radicale etc for contacts/calendar. Photoprism/librephotos etc for photos. A webdav server for storage. And so on.