How and why I moved from Apple Services to my own server
41 points by gruberb
Very interesting setup. Surprised I didn't see Tailscale used.
I am actually happy to see a non-tailscale setup - it feels weird how this has become the second cloudflare. I've been using just plain old wireguard where necessary and a box in a datacenter as central endpoint for all the things behind something resembling a CGNAT.
I completely agree, Tailscale gets a pass from a lot of people because it's marketed to tech inclined people, but it's also very much a "lock you in" product. Once you start to depend on all its custom features, the cost of switching is prohibitive.
Classic Wireguard is good enough for most people, especially self-hosting where the set of devices doesn't change often.
But do the majority of people really go all-in?
I think I was a relatively early adopter and to this day I only use it as an easier way to have wireguard. If they locked me out or shut down I would be inconvenienced for a day until I set up stuff again. The DNS feature is nice though.
What about headscale?
You would have to reconfigure the config on each device but there is an open source alternative to the control plane.
I've never tried it personally, but if I cared about the Tailscale features I'd definitely go for that instead.
The current main dev works for Tailscale though (see contributor stats), so it seems like a fragile project.
I was fascinated by Wireguard when I heard about it, but bounced off it hard when it came to configuring custom routing tables etc. Tailscale Just Works for me, whether it's SSH from my VPS to my home server, accessing the same from macOS or Windows, or using as a VPN on my iPad. It's a service I would happily pay for if they discontinue the free tier.
That basically proves my point: you're essentially stuck with it no matter what they do.
I'm not saying Tailscale doesn't add value, I definitely think they do! I'm just coming at it from the angle of self-hosting and not wanting to be subject to the whims of just a different company.
I do think using Tailscale as a way to exit an even worse company's garden is good: some progress is better than none. I'm just wary of it because it's usually recommended without any mention of lock-in, kind of like Cloudflare used to be.
Thanks! I was thinking about it, but adding it on top of my existing setup seemed daunting. Maybe that's a January project. I am also a bit afraid of adding yet another layer on top of everything else.
It should not be too much of a lift considering that you're already using a custom domain and have a reverse proxy. If you're only hosting services for yourself then I would strongly recommend doing it as you decrease your attack surface significantly. For example, think of the people who were self-hosting a public Umami instance and had a vulnerability exploited by receiving HTTP requests from anyone. If you don't need public access to your services then you can put them behind a VPN like Tailscale to curtail a whole class of threats.
A couple of years ago I wrote about doing this with Tailscale, it might come in handy. You install Tailscale, update your firewall to only allow connections through the Tailscale interface, and have NGINX listen on the machine's tailnet IP address.
@ggpsv in your (nice) article you mention WireGuard, I was currently thinking to use that to set up a new VPN, any reason to prefer Tailscale (which I know nothing about)?
I think that in the context of self-hosting some may find Tailscale to be more convenient to set up and manage, or find the added features useful (ACLs, Tailscale serve, magic DNS, shared nodes, etc), or prefer Tailscale's approach to routing if your server is behind NAT.
Personally, it was easy to ramp up and access my services privately using Tailscale, and only then switch to WireGuard once I took the time to learn and deploy the latter to my liking. Knowing what I know now, I prefer the plain WireGuard approach as it is significantly simpler, I have no third-party dependencies, and I can reason through it easily.
That said, per the premise of my article and my comment, using WireGuard or Tailscale ends up being the same: the reverse proxy listens on the private IP, the firewall allows connections only through the VPN interface, and TLS certificates are acquired through DNS challenges. What does differ slightly is that with Tailscale you can integrate very easily with NextDNS to define the domains that resolve only within the VPN (e.g. git.example.com). With WireGuard you can instead have the server itself manage DNS by using dnsmasq or systemd-resolved and then configure peers to use DNS=... in their WireGuard configuration so that DNS is resolved by the server.
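The VPN-only exposure pattern from the two comments above (firewall accepting web traffic only on the tunnel interface, reverse proxy bound to the VPN address), as an added example that is not from the thread or from the linked article. The values wg0, 10.8.0.1, eth0 and 51820 are assumptions; for Tailscale, the tailnet IP and tailscale0 interface take their place.

```shell
#!/bin/sh
# Added example (not from the thread or from ggpsv's article). Assumptions:
# WireGuard interface wg0 with server address 10.8.0.1, public interface eth0,
# WireGuard listening on UDP 51820. Substitute the tailnet IP for Tailscale.
VPN_IF="wg0"; VPN_IP="10.8.0.1"; PUB_IF="eth0"; WG_PORT="51820"

# Print an nftables ruleset: the only thing reachable from the public
# interface is the WireGuard UDP port; HTTP(S) and SSH are accepted solely
# on the tunnel interface, so the reverse proxy is invisible to the internet.
wg_only_ruleset() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    iifname "$PUB_IF" udp dport $WG_PORT accept
    iifname "$VPN_IF" tcp dport { 22, 80, 443 } accept
  }
}
EOF
}

# Read "ss -tlnH" style lines on stdin and print every TCP listener bound to
# anything other than the VPN address or loopback: these are the sockets a
# firewall slip would expose. Handles IPv4, [::] and wildcard address forms.
exposed_listeners() {
  vpn="$1"
  awk -v vpn="$vpn" '
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/:[0-9]+$/, "", addr); sub(/.*:/, "", port)
      if (addr != vpn && addr != "127.0.0.1" && addr != "[::1]")
        print addr ":" port
    }'
}

# Constructed sample of ss output: nginx on 443 is correctly bound to the
# tunnel address, but port 80 and sshd are still wildcard-bound.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1,fd=6))
LISTEN 0 511 10.8.0.1:443 0.0.0.0:* users:(("nginx",pid=1,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=2,fd=3))'

# Audit the sample (on a real host: ss -tlnH | exposed_listeners "$VPN_IP")
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$VPN_IP"
```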
Thanks!
Ease of use. Tailscale is easier; that said, setting up WireGuard is not that hard either.
The Tailscale free tier supports up to three “other” accounts. Hence, if I want family members to upload photos to photoprism I have to pick two or pay.
I read your post on your setup, also interesting. I was able to replace a similar setup I had (with duckdns, caddy, let's encrypt, custom domain redirects in pihole) to now using just Tailscale Services which just dropped in beta a month ago. Cheers!
Curious which OVH server line the author is using? (likely Kimsufi/SYS, but seems quite cheap with 4TB + 64GB)
Nice point. One thing that is missing is the maintenance price. Obviously, if a learning experience is valuable for you, the maintenance price will be nothing. For me, the main point is owning the email address. In the last 10 years I switched from gmail to Zoho then back to gmail, and now moved email to iCloud.
But for other apps, I think the iCloud offering is decent. Especially if you already own a bunch of Apple devices. The Find My network is very cool.
I think the best strategy is to use the best software, but always remember that they can block you, so you need a backup solution.
While I have Apple products (so does my S.O.), neither one of us uses iCloud because of the possibility of losing our accounts (maybe less of an issue than with Google). There's also the forced-march of progress and the assumption that one will simply replace all Apple equipment every few years (ideally for Apple: every damn year!) as they lock-step "compatibility" with the Mac OS-X and iOS offerings. @#$@#$@#$ that @#$@#$@#$ (Yes, I know! My equipment will be pwned the second it becomes obsolete and be unwillingly mining Muskcoin for Russian oligarchs or something like that).
Are you seeding the torrents through Mullvad? I thought they got rid of the port forwarding.
Yep, that’s sometimes a problem. I cannot be discovered, so new peers don’t find my server! I am not 100% sure about the details, but you are right: oftentimes this limits my download speed etc. But it works well enough.
I bought a Samsung S21 back in the days when the iPhone was going in a direction I didn’t appreciate.
One thing that I took for granted in the Apple ecosystem was how “first class” the ability to add my own CardDAV, CalDAV and IMAP server was.
IMAP is something that is often supported, but getting CardDAV and CalDAV to work in any of the supplied apps on Samsung's edition of Android was a lesson in futility, which was surprising and went directly against the common narrative that Android is a more open ecosystem.
Of course, it was Samsung's edition of Android, but it really was surprising that it was so hostile to self hosting. Also, that phone never got an aftermarket OS in its usable lifetime, and you have to already know which apps support self hosting in order to download them; of course.
It's actually an Android issue. Last I checked you still need 3rd party apps to sync CalDAV to this day (and get the power settings right to actually run). Even on a LineageOS system. Looks like Apple provided the right integration into their OS while Android allows you to customize it - but makes it really hard to get something so essential via apps due to various technical reasons.
I simply have it all on my device and perform backups automatically. But I don't bother with cloud sync.
Agreed, it's an Android (or maybe more so a Google?) constraint on using CardDAV and CalDAV without a 3rd party...however, I highly recommend Davx5 [https://www.davx5.com/] - which acts as a middleware layer to sync contacts and calendar data. I've been using it for years to use non-google contacts and calendars! The configuration is pretty straightforward too; really quite "set it and forget it". I'm quite sure that there are other alternatives, but I've had such luck with Davx5 that I just stick to it if/whenever switching phones.
My problem was that it doesn't store more than the last X days of entries on the device. So I don't have a searchable history for old entries. Did you find a way around that? I have also seen sync issues in my family.
Sorry I didn't see this till now. I actually never noticed this issue...but only because for my calendar I tend to look forward not back. However I took a quick look, and there is a setting within Davx5 named "Past event time limit" that might help you. Mine seemed to be set to 90 (for 90 days worth of events that get synced apparently). I don't recall if I ever set that to 90 or if that was the default. It also seems like if you set this to blank, then it syncs all events. Give it a try! Also please report back here, so other folks in your same situation can learn from your experience. 😀
Huh, you can just enter nothing? Oh well. I was thinking about putting 9999999 in there...
I'll have to retry, Davx5 didn't always survive the battery optimization. Sadly deactivating this for apps doesn't seem to mean they are capable of periodically waking up and doing their thing. It seems to straight up disable any forced sleep when I look at my past battery runtimes.
Oh another thing: I really like splitting up my appointments across multiple calendars. Meaning they have by default a specific color (using aCalendar here). Problem was that sharing your calendar with your family means they will claim colors.
Huh, you can just enter nothing? Oh well. I was thinking about putting 9999999 in there...
Well, that is what the label/note indicates on that field within the Davx5 mobile app...I've never used it with a blank value...so not sure what happens.
As to the battery drainage/usage....I have not tweaked anything in the app; so have been using the default settings...but am running stock Android on a stock refurbished Pixel 4a...so maybe Lineage OS (if I understood correctly that it's what you're using) maybe has a minor bug that manifests via syncing apps like davx5?
For multiple calendars....actually I use the calendars per my email provider (so I'm not self-hosting these via something such as Radicale, etc.), and as stated, of course accessing them via CalDAV via davx5...and what I do is set up 1 calendar for me only...and then I also create a separate, shared calendar for the rest of the family...and that shared one (also accessed/synced via Davx5) I simply assume will be abused, er, um, used by others in a manner that might differ from what I might prefer. ;-) And then, to actually view my calendars and create events/appointments, I use the Fossify Calendar mobile app...and in this mobile app, it lets me set the color of the calendar locally..of course, this does not change any colors on the server side...But I care less about that. Not sure if that helps or not. :-)
Interesting and timely article. I'm in the process of extracting myself from various providers, mainly Google, but some Apple as well. For the time being, I'm still using iCloud but only for "in progress" things. I'm gradually moving most things to Proton (email and medium-term storage), along with independent backups to Amazon S3 Glacier (or similar) using Restic and Arq.
Photos are the big issue for me at the moment. I'm currently running everything off a tiny 1 GB Linode, and don't really want to run a beefy VPS for Immich. Proton's photo option seems not quite up to snuff yet.
I have no problem with iCloud Drive or whatever it is called this year, but that’s because I don’t use it for significant bulk storage. If I really did feel the need for bulk storage I’d look for a different option.
The problem I have with things like Dropbox is that end-to-end encryption is considered an extra feature to charge for, and I don’t really want to use a service that considers that acceptable. At the same time running my own servers is obnoxious: using services like AWS as a server is subject to the same “your account is gone and so is your data”, and running your own physical servers requires finding somewhere to put them that isn’t your house.
It feels like all of the options for large storage are not particularly great.
I do get pretty far with Nextcloud (there are hosted options) and Syncthing. Maybe worth a try.
I’m very happy using Apple services and then just backing up the data once a quarter or so. It’s a good balance between convenience and owning my data.
And then I use a custom domain, don’t use sign-in with Apple, and whatever else minimizes lock in.
Interesting write-up. The DNS setup is similar to mine.
For each service, I add an A record in GoDaddy
Alternatively, find a DNS provider that supports a wildcard (maybe GoDaddy does?). I have *.mydomain.com and $anything.mydomain.com gets that record, unless I have some explicit foo.mydomain.com record, which takes priority.
That way each time I add or remove a service, DNS is already there unless I need to point it somewhere different than my default.