I love nextcloud and have been using it for years. However recently I've considered taking my instance offline or at least behind a VPN because even if only 10% is true of what AI folks are claiming about LLMs finding exploits left and right, it seems super risky to be hosting your private data on nextcloud.
How do you folks deal with these massively increased threats to self-hosted open source apps?
I host my entire homelab in my home and use tailscale to access it. You just connect your nextcloud instance to tailscale. Then you connect each client to tailscale. Works on iOS and android (and of course any desktop). When you're on you're home network (LAN), tailscale _should_ use the LAN IP for routing. And then when away, you'll route over derp servers usually.
You could also use tailscale for auth, but i like to enforce separate authentication so that you have to be authenticated to the tailnet and have to go through the normal authentication to app.
That works okay if you are the only user.
I use quite a few Nextcloud features where access via tailscale is either inconvenient or impossible. My whole family uses the calendar on their phones and other devices, which means they would have to either learn about VPNs, or I would be the one managing all their devices for them. (Neither are likely to happen.)
I also often share individual files or folders with external contacts as a more private alternative to dropbox or google drive.
Cloudflare tunnel instead ?
> How do you folks deal with these massively increased threats to self-hosted open source apps?
I throw everything behind Cloudflare ZeroTrust SSO or whatever it’s called with a whitelist of Github accounts, and Cloudflare Tunnel to network the containers/VMs without exposing any ports to the outside (except SSH), enforced by both the cloud firewall and iptables/ifw.
I ban almost the entire world using iptables.
Or rather, I drop all traffic other than that coming from my geo.
This has dropped my „rattling the door handle“ rate to 1/week instead of 1/second.
> I've considered taking my instance offline or at least behind a VPN
The practical downside is that you won't really be able to use all the features of Nextcloud that way, such as file sharing with people outside your LAN, or Nextcloud Talk (a Zoom substitute).
That being said, I don't store sensitive documents on my Nextcloud instance exposed to the Internet. For that, I have a Samba server on a LAN.
Host it in your home an use a vpn to connect to your home network when you are outside, that way it isn't exposed to the internet but you can still access it.
Yup, that's the way it has to be. And thanks to the autocomplete on steroids we call Ai nowadays it actually has become way easyier to do such a thing.
Kinda like how once chemistry gets complicated enough we call it biology, LLMs have become complicated/versatile enough that it's no longer useful to call them autocomplete.
Same. Solving it by moving complex and sensitive data to an offline desktop app https://document.bot that support offline (self hosted) AI models (and optionally EU/ US AI providers). However, it doesn't integrate yet with shared (org) drives.
I use nextcloud all the time, my private instance works great and does everything I need it to. But I keep it behind a VPN. It’s got a lot of parts, and thus a lot of surface area. It may be secure but I just assume it isn’t. I rely on the VPN to be the security boundary.
Yeah definitely would put behind a VPN. I run mine on my desktop at home and use Tailscale (Headscale for self-hosting) to make it accessible when I'm out of the house. Blazing fast speeds when at home, and reasonable when not.
Putting everything behind a VPN seems like the solution selfhosters have landed on. That way you have some control over how quickly you have to respond.
I only use my ownCloud instance behind Tailscale...