I love nextcloud and have been using it for years. However recently I've considered taking my instance offline or at least behind a VPN because even if only 10% is true of what AI folks are claiming about LLMs finding exploits left and right, it seems super risky to be hosting your private data on nextcloud.
How do you folks deal with these massively increased threats to self-hosted open source apps?
I ban almost the entire world using iptables.
Or rather, I drop all traffic other than that coming from my geo.
This has dropped my "rattling the door handle" rate to 1/week instead of 1/second.
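The iptables geo allowlist described in the comment above, as an added example that is not from the thread: it emits the ipset and iptables commands for review instead of applying them, and assumes a hypothetical WireGuard interface wg0, Nextcloud on 443, and constructed sample prefixes in place of a real GeoIP feed.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints an ipset + iptables ruleset
# that drops everything except traffic from "my geo" plus the VPN interface.
# Review the output, then pipe it into sh as root. All names are assumptions.
set -eu

# Constructed sample of "my geo" prefixes; a real list comes from a GeoIP feed.
HOME_GEO_CIDRS='203.0.113.0/24
198.51.100.0/24'

geo_rules() {
    setname="$1"   # ipset name, e.g. home_geo
    vpn_if="$2"    # trusted VPN interface, e.g. wg0 (assumed)
    cidrs="$3"     # newline-separated CIDR list

    # Build the set atomically: fill a temp set, then swap it into place.
    echo "ipset create ${setname} hash:net -exist"
    echo "ipset create ${setname}_tmp hash:net -exist"
    echo "ipset flush ${setname}_tmp"
    printf '%s\n' "$cidrs" | while read -r cidr; do
        if [ -n "$cidr" ]; then echo "ipset add ${setname}_tmp ${cidr}"; fi
    done
    echo "ipset swap ${setname}_tmp ${setname}"
    echo "ipset destroy ${setname}_tmp"

    # Order matters: loopback and replies first, VPN next, then the
    # geo-restricted services, a rate-limited LOG, and only then the DROP
    # policy, so an existing SSH session is never cut off mid-reload.
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i ${vpn_if} -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 51820 -j ACCEPT"   # WireGuard handshake
    echo "iptables -A INPUT -p tcp --dport 443 -m set --match-set ${setname} src -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -m set --match-set ${setname} src -j ACCEPT"
    echo "iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix 'geo-drop: '"
    echo "iptables -P INPUT DROP"
}

# Sanity check: how many ACCEPT rules are gated on the geo set.
count_geo_matches() {
    geo_rules "$1" "$2" "$3" | grep -c -- "--match-set $1 src"
}

geo_rules home_geo wg0 "$HOME_GEO_CIDRS"
```

Refresh the set whenever the GeoIP feed changes; the rate-limited LOG line is what lets you measure the rattling rate the comment mentions, and none of this helps against sources inside the allowed geo.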
> How do you folks deal with these massively increased threats to self-hosted open source apps?
I throw everything behind Cloudflare ZeroTrust SSO or whatever it's called with a whitelist of GitHub accounts, and Cloudflare Tunnel to network the containers/VMs without exposing any ports to the outside (except SSH), enforced by both the cloud firewall and iptables/ifw.
> I've considered taking my instance offline or at least behind a VPN
The practical downside is that you won't really be able to use all the features of Nextcloud that way, such as file sharing with people outside your LAN, or Nextcloud Talk (a Zoom substitute).
That being said, I don't store sensitive documents on my Nextcloud instance exposed to the Internet. For that, I have a Samba server on a LAN.
Host it in your home and use a VPN to connect to your home network when you are outside; that way it isn't exposed to the internet but you can still access it.
Same. Solving it by moving complex and sensitive data to an offline desktop app https://document.bot that supports offline (self-hosted) AI models (and optionally EU/US AI providers). However, it doesn't integrate yet with shared (org) drives.
I use nextcloud all the time, my private instance works great and does everything I need it to. But I keep it behind a VPN. It’s got a lot of parts, and thus a lot of surface area. It may be secure but I just assume it isn’t. I rely on the VPN to be the security boundary.
Yeah definitely would put behind a VPN. I run mine on my desktop at home and use Tailscale (Headscale for self-hosting) to make it accessible when I'm out of the house. Blazing fast speeds when at home, and reasonable when not.
Putting everything behind a VPN seems like the solution self-hosters have landed on. That way you have some control over how quickly you have to respond.
I only use my ownCloud instance behind Tailscale...
I host my entire homelab in my home and use Tailscale to access it. You just connect your Nextcloud instance to Tailscale. Then you connect each client to Tailscale. Works on iOS and Android (and of course any desktop). When you're on your home network (LAN), Tailscale _should_ use the LAN IP for routing. And then when away, you'll usually route over DERP servers.
You could also use Tailscale for auth, but I like to enforce separate authentication so that you have to be authenticated to the tailnet and have to go through the normal authentication to the app.