Australis13

Good to know, thanks.

You can indeed: https://tailscale.com/docs/integrations/identity

That sounds like it may be a good fit for my use case, then. Thanks again and I'll definitely look into it!

Thanks for the suggestion. I'm trying to move away from Google, but the idea of a shared account for tailscale (which seems to support a lot of different SSO options) may be useful.

Good to know, thanks. Not keen on Cloudflare, so it's good to see that there's now multiple recommendations for Pangolin and Tailscale in this thread.

Thanks - appreciate another recommendation for Pangolin + crowdsec, plus I didn't know about authentik (which sounds super useful if the services behind it are compatible). I'm thinking I need to have a play around with tailscale and then Pangolin to see how they work and whether either will be appropriate for my use case.

Thanks. I think I'll need to do a bit more reading - I have no experience with any of the wireguard technologies (my VPN experience is with OpenVPN and enterprise-grade networking hardware that uses IPsec tunnels), but Pangolin's abilities do sound useful.

I guess I need to work out if something like tailscale (as per one of the other comments) set up on just the small group I want to share with will do the job, or whether I really need to expose services to the Internet and hence would benefit from a VPS with something like Pangolin.

Thanks, sounds like a potential option. I'll add to the list of things to look into and test out.

Yeah, I don't like the thought of worrying about vulnerabilities either, hence my asking this question!

I haven't heard of Pangolin cloud before -- I'm assuming this is a competitor to tailscale. Are you self-hosting it or using one of their paid plans, and if you're self-hosting, how hard was it to set up?

Thanks. My main concern is needing to have the tailscale client set up on my relatives' devices, so it'd need to be easy to do and the configuration straightforward.

If I wanted to route just traffic to Vikunja and Immich through it, so all their other apps (if on a phone) or web browsing (on a PC) didn't go through tailscale, is that straightforward to do and is it something that has to be done in the client-side configuration?

Thanks. I had forgotten about setting up a DMZ and appreciate the reminder!

Thanks, didn't know about Immich proxy. Sounds useful.

On the VPS point - beyond protection against DoS, I assume the main benefits only arise if you host the services on it? My understanding is that, if I open a port and forward it to nginx, then the largest attack surface would be nginx itself and the services it is acting as a reverse proxy for (e.g. Vikunja). nginx is well-established and I think most of the risk is from the plugins rather than nginx vulnerabilities itself, which leaves Vikunja and any other services I'd want to expose as the main attack surface. If I'm using a VPS as a gateway (e.g. hosting nginx there and still keeping Vikunja and Immich within my LAN), then that doesn't seem like it's much of a risk reduction. What am I missing?

Thanks. So, just to make sure I've understood correctly, your recommendation would be a VPS that hosts nginx (or Caddy) as the reverse proxy and uses tailscale (or equivalent) to access my home LAN and make services (e.g. Vikunja) available?

Thanks for the recommendation. I have no experience with Proxmox, so this might be part of a longer-term project once I've got the Vikunja access working (at least that's on a separate Pi and so would be similar to a distinct VM in that regard).

Good call. I'll have to play around with certbot using DNS validation (only ever tried with HTTP validation), but certainly worth including in my plan. Thanks.

Ah, my mistake, I'm getting mixed up between minidiscs and the 8cm mini CDs.

You can get multi-layer M-disc BD-Rs, though, up to the triple layer 100GB BDXL (although you need one of the BDXL burners to write those; the 50GB BD-R DLs can be written by most burners). They cost a pretty penny, though!

The biggest problem now is the disappearance of Bluray burners/writers. Here in Aus there are no internal drives available on the market any more. I've had to stock up with a few second-hand spares before they get too pricey.

Yeah, I like to have important data (such as family photos and videos) backed up on two different formats and M-disc BDs provide an acceptable option. There are various blog posts testing them online versus regular discs and they handle a lot more wear and tear (not that mine get subjected to that!), so I'm pretty confident that mine will outlast me.

Entertainment content I'm willing to risk on regular recordable discs/HDD backups if it's important enough to put in the effort (I usually buy the physical disc anyway, so I have the pressed CD, DVD or BD to start with).

Haven't seen a minidisc in ages! I remember some of the cheap IT hardware used to come with those for drivers in the late 2000s.

M-Discs are a specialised form of DVD and Bluray (DVDs require a burner with M-disc capability) that have a longer life than the usual consumer grade discs. Odds are that they will last longer than the technology required to read them.

Eventual goal - solar with battery backup for the house with isolation ability from the grid. Here in Aus you can have (1) solar tied to grid, (2) solar with batteries tied to grid, and (3) solar with batteries with a grid isolation switch. Only (3) allows you to power your house when the grid goes down.

If my place gets flooded then, due to the terrain, it's going to be a much bigger problem than data loss (even if it is all my family photos and videos). I think that will be the least of my concerns at that point. That said, I do have off-site backups and I'm also locally archiving to m-discs, so both the flood and EMP problem are not insurmountable in that respect.

Probably the one thing I do need to do is print out a lot of the more recent photos so I have hard copies of ones I want to keep.

This is definitely a decent starting point but not a complete solution, unfortunately. It's not always cost-effective if you only want a few tracks from an album or need to import it to get it at all (or if it was a limited release it can be hard to find at all).