• 0 Posts
  • 14 Comments
Joined 1 year ago
Cake day: March 10th, 2025

  • This is what I did, but on the router. I have OpenWrt on the router. You can install an extension called PBR (policy-based routing) on it.

    Then you set up one WireGuard interface that’s in the same firewall zone as your LAN and another that’s in the WAN zone. You can create policies to route any outbound connections (including the ones from your mobile client devices) through the commercial WAN WireGuard connection.

    In addition, for family members’ access I set up a Pangolin instance (kind of like Tailscale but self-hosted) on a Hetzner VPS and a very simple OAuth provider (Pocket ID) for authentication. I’ve got a bunch of users and nobody had any problems with the signup process after I sent them the invite link.

    That way I can always be directly in my LAN, but other users can access it without accessing my LAN at all.
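    The two-tunnel layout described above, written out as an added illustrative OpenWrt configuration (not the commenter’s own config). Interface names `wghome` (the inbound tunnel, placed in the `lan` zone) and `wgvpn` (the outbound tunnel to the commercial provider, placed in the `wan` zone), the `10.10.0.0/24` tunnel subnet and the `192.168.1.0/24` LAN are assumptions; angle-bracket values are placeholders for your own keys and the provider’s endpoint. The PBR policy is the part that sends LAN and road-warrior traffic out via `wgvpn`; the space-separated `src_addr` list is assumed to be accepted by the pbr package as shown.

```uci
# /etc/config/network (excerpt, added example, names assumed)
# Inbound tunnel: your phones/laptops connect here and land in the LAN zone.
config interface 'wghome'
	option proto 'wireguard'
	option private_key '<HOME_ROUTER_PRIVATE_KEY>'
	option listen_port '51820'
	list addresses '10.10.0.1/24'

config wireguard_wghome
	option description 'phone'
	option public_key '<PHONE_PUBLIC_KEY>'
	list allowed_ips '10.10.0.2/32'

# Outbound tunnel: the commercial VPN provider, placed in the WAN zone.
config interface 'wgvpn'
	option proto 'wireguard'
	option private_key '<VPN_CLIENT_PRIVATE_KEY>'
	list addresses '<ADDRESS_ASSIGNED_BY_PROVIDER>'

config wireguard_wgvpn
	option public_key '<PROVIDER_PUBLIC_KEY>'
	option endpoint_host '<PROVIDER_ENDPOINT>'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	# Do not let this peer replace the default route; pbr decides what goes in.
	option route_allowed_ips '0'
	option persistent_keepalive '25'

# /etc/config/firewall (excerpt): wghome joins the lan zone, wgvpn the wan zone
config zone
	option name 'lan'
	list network 'lan'
	list network 'wghome'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wgvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# /etc/config/pbr (excerpt): route LAN and road-warrior clients out via wgvpn
config pbr 'config'
	option enabled '1'

config policy
	option name 'LAN and road warriors via commercial VPN'
	option src_addr '192.168.1.0/24 10.10.0.0/24'
	option interface 'wgvpn'
```

    Because `wghome` sits in the `lan` zone, a connected phone is treated like a wired LAN host and is matched by the same PBR policy, so its outbound traffic leaves through the provider tunnel rather than the bare WAN. If `wgvpn` drops, pbr’s strict-enforcement setting decides whether matched traffic is blocked or falls back to plain WAN; check that setting before relying on the tunnel.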


  • Surgeon.

    Seeing tech CEOs at the Trump inauguration got me sick in the stomach. I unsubscribed from everything out of spite and nausea and learned to self-host over the course of what is almost a year now. At first it took up all my spare time and made my wife crazy. Now it’s been several weeks since I last had to sudo anything.

    It also opened my eyes to how stupid everything IT related in my country is. My municipality for example bought, for what has now become a billion fucking euros, a digital health record system from Epic. It’s the shittiest piece of software I’ve ever used, fully closed source, and there’s ongoing customization costs trying to get it to work. We’re also 100% on board with office360 (Copilot and all).




  • I’ve been very satisfied with my two-user instance set up using the AIO container via Docker Compose. They have that as a standardized deployment method nowadays. You can choose additional integrated services like OnlyOffice and schedule backups via Borg in the AIO mastercontainer’s web UI. My server (with an i3 Coffee Lake and 16 GB DDR4) has 14 other services including Immich and Jellyfin. No performance issues whatsoever. I think Nextcloud has really stepped it up.

    We (me and my wife) even use the kanban board as a PWA. Although it’s a little clunky, it works, and all the deadlines even show up as tasks in my iCal. CalDAV was a bit weird to set up though.

    I’m using the virtual file sync client for OS X, so most of the files are actually never kept on the client device.





  • Two 4 TB disks in RAID 1 is a waste of money for most selfhosters, unless you really want to avoid downtime due to disk failure (and even then you could get a power outage or a network failure). A second disk will protect you from disk failure but not from other forms of data loss (like you fucking up something and erasing all of your family photos).

    Do you also plan to buy some cold storage medium and cloud storage or a remote backup server or something (for 3+2+1 backups)? That’s way more important.

    I’ve got an office PC with a 9th-gen Intel i3 (4 cores) and 16 GB RAM; you can probably find one for 100-200 dollars. I’ve installed a 4 TB NVMe into it.

    For nightly remote backups I have a Pi with another 4 TB NVMe (overkill for sure, you could use pretty much anything for this), and for cold storage I have a 4 TB external drive that I plug in when I remember.

    I run Docker and Immich, Nextcloud + Office, Jellyfin + a bunch of smaller services. I could perhaps use a little bit better GPU for Jellyfin transcoding sometimes with certain 4K files. Otherwise no need for upgrades.





  • As someone who went through this process after Trump’s 2nd term and power, I can give you my process:

    - angrily unsubscribe all big tech subscriptions
    - make a Protonmail and Tutamail account, realize I like Proton suite more and decide to subscribe
    - transfer all passwords to Proton suite
    - download all photos and other data to an external drive. TURNS OUT THIS TAKES SEVERAL DAYS WTF
    - angrily order a Rasp-Pi and an external SSD
    - use step-by-step tutorials to install Docker and Immich. Fall in love
    - gradually (via help of Google and GPTs) become confident enough with the command line to start managing the server headless over SSH

    Fast forward 6 months: my router is now running OpenWrt, my network access is always through ProtonVPN. My external devices are connected via WireGuard to the router when not on home wifi. My main server is now an old office mini PC running about 10 services. I’m using Borg for nightly snapshots (it’s a bit like Apple Time Machine) and after that everything is backed up to another server at a friend’s house via rsync and SSH. I have a third mini computer whose purpose is to be my TV’s UI with access to services like the national broadcast’s web UI and my own Jellyfin and Invidious (adless YouTube client). The TV does not have an internet connection anymore.


  • I really feel like people who are beginners shouldn’t play with exposing their services. When you set up Caddy or some other reverse proxy and actually monitor it with something like fail2ban, you can see that the crawlers etc. are pretty fast to find your services. If any user has a very poor password (or is reusing a leaked one) then someone has pretty open access to their stuff and you won’t even notice unless you’re logging stuff.

    Of course you can set up 2FA etc., but that’s pretty involved compared to a simple wg tunnel that lives on your router.
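    The "you won’t even notice unless you’re logging stuff" point above, as an added example that is not code from the comment or from fail2ban itself: a minimal fail2ban-style filter in Python that reads Caddy’s JSON access log and flags any client IP that produces repeated authentication failures (401/403) inside a sliding window. The log lines are constructed samples, and the field names used (`ts`, `status`, `request.remote_ip`, `request.uri`) are assumed to match Caddy’s default JSON access-log encoder; adjust `parse_line` if your logger emits a different shape.

```python
"""Minimal fail2ban-style detector for Caddy JSON access logs (added example)."""
import json
from collections import defaultdict, deque

THRESHOLD = 5            # failures inside WINDOW before an IP is flagged
WINDOW = 600.0           # sliding window length in seconds
FAIL_STATUSES = {401, 403}

# Constructed sample log (not real traffic). Field layout is assumed to match
# Caddy's JSON access log: "ts" = unix time, "request.remote_ip" = client.
# 203.0.113.7 hammers /login six times; 192.0.2.5 fails once, then succeeds.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1700000000 + i * 10, "status": 401,
                 "request": {"remote_ip": "203.0.113.7", "uri": "/login"}})
     for i in range(6)]
    + [json.dumps({"ts": 1700000100, "status": 200,
                   "request": {"remote_ip": "192.0.2.5", "uri": "/"}}),
       json.dumps({"ts": 1700000110, "status": 401,
                   "request": {"remote_ip": "192.0.2.5", "uri": "/login"}}),
       json.dumps({"ts": 1700000120, "status": 200,
                   "request": {"remote_ip": "192.0.2.5", "uri": "/"}}),
       "this line is not JSON and must be skipped"]
)


def parse_line(line):
    """Return (ts, remote_ip, status) for a Caddy JSON line, or None if unparseable."""
    try:
        rec = json.loads(line)
        return float(rec["ts"]), rec["request"]["remote_ip"], int(rec["status"])
    except (ValueError, KeyError, TypeError):
        return None


def find_offenders(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: ts_when_flagged} for IPs with >= threshold failures in a window.

    Failure timestamps are kept per IP in a deque; timestamps older than the
    window relative to the newest failure are dropped, so a slow trickle of
    failures spread over hours does not accumulate into a ban.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:        # malformed or non-JSON line: ignore, don't crash
            continue
        ts, ip, status = parsed
        if status not in FAIL_STATUSES:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts      # record the moment the threshold was crossed
    return flagged


if __name__ == "__main__":
    for ip, ts in find_offenders(SAMPLE_LOG).items():
        print(f"flag {ip}: {THRESHOLD} auth failures within {WINDOW:.0f}s (at ts={ts:.0f})")
```

    On a real box the flagged IPs would be handed to the firewall (that is what fail2ban’s ban action does); here the function only reports them so you can see how quickly a single noisy scanner crosses the threshold while an ordinary user with one typo stays under it. Tune `THRESHOLD` and `WINDOW` to your own login form’s error rate before wiring it to anything that blocks.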