
  • vividspecter@aussie.zone to Selfhosted@lemmy.world: OpenWRT router (10 days ago)

    Also unrelated, but if you’re running an x86 system with gigabytes of RAM, why not run Opnsense at that point?

    I believe it’s gotten better but historically *BSD had poor SQM support (bufferbloat mitigation), which is particularly useful on slower, asymmetric connections and where low, consistent latency is paramount.

    It was also a bit of a laggard on Wireguard support, although that’s long since been fixed. So mainly you might prefer OpenWRT if you want the Linux kernel which tends to get features more quickly. Also because it’s so low on resource usage (including disk space), you can put it in a VM and very rapidly recover in the case of issues.

    You could of course also use a full Linux based router OS, but I don’t believe there are many with a web interface, which most users would prefer.






  • You could also secure what peers inside the tunnel can access, particularly if you plan to give other people access. I.e. only allow port 443 on a given server using a reverse proxy. It’s not a major threat either way but it would reduce the amount of access if someone gets into your phone/laptop etc.
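
One way to express the restriction described in the comment above, as an added example that is not part of the original comment: an nftables ruleset for the WireGuard host that lets tunnel peers reach only TCP 443 on one reverse proxy. The interface name `wg0`, the table name and the proxy addresses (documentation ranges) are assumptions to replace with your own.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed names: wg0 (tunnel interface),
# 192.0.2.10 / 2001:db8::10 (reverse proxy, constructed addresses).

table inet wg_peer_filter {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Leave traffic that did not arrive from the tunnel untouched.
        iifname != "wg0" accept

        # Replies to connections opened from the LAN side towards a peer.
        ct state established,related accept

        # The only new connections peers may open: HTTPS to the proxy.
        ip daddr 192.0.2.10 tcp dport 443 counter accept
        ip6 daddr 2001:db8::10 tcp dport 443 counter accept

        # Everything else from a peer is logged (rate limited) and dropped.
        limit rate 5/minute log prefix "wg-peer-drop: "
        counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Services on the WireGuard host itself: if the reverse proxy runs
        # here, peers reach it through this hook rather than forward.
        iifname != "wg0" accept
        ct state established,related accept
        tcp dport 443 counter accept

        # No SSH, admin UI or DNS from peers; add an explicit rule
        # above if peers are meant to use this host as their resolver.
        limit rate 5/minute log prefix "wg-peer-input-drop: "
        counter drop
    }
}
```

Check it with `nft -c -f <file>` before loading, and watch the counters in `nft list table inet wg_peer_filter` to confirm that peer traffic matches the rules you expect.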



  • probably something with my ISP that I can’t really easily work around

    I’d try and find out if you’re behind a CG-NAT first, and whether you have IPv6 support. Some ISPs will turn off CG-NAT if you ask if that is the reason you haven’t been able to get things working. Wireguard will then work properly which is a bit kinder on battery life with mobile devices in particular compared to Tailscale and Netbird (although both are improving in that regard).









  • I’ve used both Headscale and a while ago, Netbird. Some of this will be in comparison to raw Wireguard, which I’m also using.

    I’m currently using Headscale, but it does have some annoyances. There were breaking changes fairly often for a while, although it looks to have mostly stabilised now. Tailscale itself is pretty invasive with its routing rules and DNS which can break things or cause unexpected behaviour, which doesn’t occur with raw Wireguard which is more predictable once you understand it. The Tailscale android client has been somewhat unreliable and clunky, although getting better, although third party Android clients for Wireguard, in turn, have also improved Wireguard usage dramatically. On the other hand, Headscale (or Netbird) are pretty much necessary if you are on a CG-NAT and need ipv4 access, and more usable if you want to build a mesh network.

    I can’t remember if I tested the service Netbird or the self-hosted version (I think both) but the main thing I remember is that it had poor support for ipv6, which I consider mandatory. Otherwise, the Android client seemed solid and it felt well-designed overall. And maybe the ipv6 support is better now.



  • Primary goal: Navidrome as server combined with a VPN (tailscale is probably the easiest to set up but not technically self-hosted). Clients can be any that support the subsonic protocol. I personally use dsub2000 (android) + supersonic (Linux) but there are others. I’d start by testing it on your LAN to see if it’s workable.

    Secondary goal: if you can get all 12 people to install Tailscale on all relevant devices then you can continue to use that. If not, you’ll need to host navidrome (or an alternative) publicly, preferably with a reverse proxy for better security. You could alternatively try Tailscale funnel or some cloudflare solution to host navidrome.