• 0 Posts
  • 30 Comments
Joined 1 year ago
cake
Cake day: March 10th, 2025

help-circle
  • This.

    And graphene actually makes things very easy for you: every profile can have regular and private version of any given app.

    The private side is essentially a different user with its own set of vpn options but you can easily navigate in between provate and normal apps.

    Im using the regular profile for staying connected to home. All traffic is routed to home and then to proton.

    Everything in the private section goes through regular proton vpn(the app on the phone) so any traffic to the web also has a different exit node to my “home” traffic (albeit a proton one).

    I then have a separate profile called incognito with only proton pass, vpn and onion browser on it.






  • I’ll add pangolin to the list of things to think about trying. It was relatively easy to set up and it can run locally or on a vps. If it’s on a vps you dont need a constant IP or ddns because your hone server will connect to pangolin on the vps and the vps will serve the apps. youll point the dns records to your vps.

    It’s what i use for my extended family to reach my immich instance. No complaints yet whatsoever. It’s traefik+crowdsec+wireguard under the hood but all abstracted into a maintained, easy to use GUI. Youll have granular control over which users can use which services/subdomains and geoblocking etc is effortless.

    I put a centralised authentication layer (pocket id) on top of it for easier enrollment across various apps im running but for homeassistant only the built in 2FA should be enough.






  • This is what i did but on the router. I have openwrt on the router. You can install an extension called PBR (policy based routing) on it.

    Then you set up one wireguard interface that’s in the same firewall zone as your LAN to your lan and another that’s in the WAN. You can create policies to route any outbound connections (including the ones from your mobile client devices) through the commercial WAN wireguard connection.

    In addition for family members access i set up a pangolin instance (kind of like tailscale but selfhosted) on a Hezner VPS and a very simple oauth provider (pocket id) for authentication. Ive got a bunch of users and nobody had any problems with the signup process after i sent them the invite link.

    That way i can always be directly in my lan but other users can access without accessing my lan at all.


  • Surgeon.

    Seeing tech ceo’s at the trump inauguration got me sick in the stomach. I unsubscribed from everything out of spite and nausea and learned to selfhost over the course of what is almost a year now. At first it took up all my spare time and made my wife crazy. Now it’s been several weeks since i last had to sudo anything.

    It also opened my eyes to how stupid everything IT related in my country is. My municipality for example bought for what has now become a billion fucking euros a digital health record system from Epic. It’s the shittiest piece of software ive ever used, fully closed source and there’s ongoing customization costs trying to get it to work. We’re also a 100% onboard with office360 (copilot and all).






  • Ive been very satisfied with my two user instance set up using the AIO container via docker compose. They have that as a standardized deployment method nowadays. You can choose additional integrated services like onlyoffice and schedule backups via borg in the AIO mastercontainer’s webUI. My server (with a i3 coffee lake and 16GB DDR4) has 14 other services including immich and jellyfin. No performance issues whatsoever. I think nextcloud has really stepped it up.

    We (me and my wife) even use the kanban board as a PWA Although it’s a little clunky it works and all the deadlines even show up as tasks in my ical. Caldav was a bit weird to set up though.

    Using the virtual file sync client for osx so most of the files are actually never kept on the client device.



  • My duckdns domain was deemed untrustworthy and i hit the firewall with it.

    Spinning up a pangolin instance on a vps and getting a proper .fi (finland) domain fixed it. Plus it’s pretty bad form exposing ports directly instead of using a reverse proxy (and im guessing youre not using something like fail2ban and crowdsec and geoblocking either to keep the bots out.) Pangolin is an “all in one” solution that uses traefik for reverse proxy, handles certs automatically and almost automates the setup of Crowdsec for you. I highly recommend it. Can be used locally too if needed.