A journey on detoxing from digital services, part 1 - Retake your data (Nextcloud at Home — No Ports, No Proxy, No Problem)

May 25, 2025

Howdy

A wise man once said: “If something is free, it means that you are the product.” And let’s be honest — we all rely on cloud storage to sync, store, and share stuff between our devices and with other people. Most of us live on Google Drive, Dropbox, OneDrive, or whatever flavor of the month. But what’s the trade-off?

Well, take a look at this EFF article by Joe Mullin — it’s about Google scanning private photos and wrongfully flagging people as child predators. AI gets it wrong. Lives get wrecked. Not cool.

Even if things don’t go that sideways, I don’t like the idea of my files (notes, receipts, contracts, whatever) being scanned, monetized, or used to train models. So I thought: hey, I’ve got a homelab, decent bandwidth, and an itch for independence — let’s bring the cloud home.

But even if things don’t go that far, I would not want my data (notes, images, invoices, contracts, etc.) being scanned and used to profile me, or worse.

With a homelab, storage space, and a decent fiber connection, I decided to self-host my own cloud and regain control over my data. No shady EULAs. No surprise account bans. No privacy violations.

Piecing the Puzzle Together

I did some thinking and nailed down what I needed from this setup:

  • Multi-user support: I don’t want my girlfriend to see my tax returns;
  • Cross-platform: Android, Windows, Linux… it’s all welcome;
  • Simple UX: if she can’t upload a file in two taps, it’s a fail;
  • Accessible from anywhere, easily: if it’s only reachable from the couch, it’s not a cloud.

The internet suggests a few options. I narrowed it down to Nextcloud and ownCloud. A quick Reddit deep dive sealed the deal: Nextcloud, mostly for better performance and stronger community support. Plus, there’s a Proxmox script that makes deployment stupid easy.

The Easy Part: Deploying Nextcloud

Big shoutout to the Proxmox VE Community Scripts project. The installation script is smooth like butter — seriously, it’s a two-step thing, and suddenly you’ve got a Nextcloud instance humming. I can never thank them enough for the wonderful job they are doing in both preserving tteck’s legacy and making Proxmox accessible and approachable.

I chose to install it in a VM, not an LXC container. Why? Simpler to harden, fewer weird edge cases. At this point I had Nextcloud running. But only locally. I needed to make it accessible — without exposing my entire house to the internet.

Making It Global without punching holes in the Firewall

Here’s where it gets spicy. I had a few options to expose the instance to the outside:

  • Tailscale: I am already using it for other things. It works, but requires installing the app, logging in, and manually connecting. My girlfriend would 100% bail;
  • Dynamic DNS + Reverse Proxy: cleaner, but still means NAT punching and cert maintenance;
  • Cloudflare Tunnel (formerly Argo Tunnel): already tried it in a job interview. It just worked. And since my domain (silvestri.cloud) is on Cloudflare, it was a no-brainer.

Building the Tunnel

Of course, it being a free service means I am the product to some extent, and I can accept some analysis of the traffic, keeping in mind that this traffic will be end-to-end encrypted, so even if someone at Cloudflare would like to see what’s inside the file I’m transferring through the tunnel, good luck with it!

The setup of the tunnel is pretty simple and straightforward:

  • Go to Cloudflare Dashboard → Zero Trust → Networks → Tunnels;
  • Create a tunnel, name it something fun like cloud-home;
  • I spun up a new LXC container in Proxmox (again, Community Scripts FTW);
  • Cloudflare walks you through linking the tunnel to your domain — follow that;
  • In the tunnel config, I set up a public hostname: example.mydomain.com, routing to https://192.168.xxx.xxx (needless to say, but you have to fill it with your data).

Because my Nextcloud instance uses a self-signed cert, I had to enable No TLS Verify in Cloudflare’s settings. Otherwise, the tunnel pukes with all sorts of 5xx errors.

Here’s what that looks like:

[Screenshot: Cloudflared config]

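The 5xx errors come from cloudflared refusing an origin certificate that chains to nothing in its trust store. Flipping No TLS Verify makes them go away but also means cloudflared will talk to anything answering on that LAN IP. The script below is an added example, not code from the original post or from Cloudflare or Nextcloud: it mints a self-signed cert like the one a fresh Nextcloud VM serves, shows that the default verification fails and that pinning the cert succeeds, and writes a cloudflared ingress config that pins it with originRequest.caPool (a real cloudflared option) instead of turning verification off. The hostname, LAN IP, tunnel ID and file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, Cloudflare or Nextcloud).
# Reproduces the TLS failure behind the tunnel's 5xx errors and writes a
# cloudflared config that pins the self-signed origin cert via caPool.
# Hostname, IP, tunnel ID and paths below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ORIGIN_IP="192.168.10.20"                          # placeholder: Nextcloud VM LAN IP
PUBLIC_HOST="example.mydomain.com"                 # placeholder: public hostname from the post
TUNNEL_ID="00000000-0000-0000-0000-000000000000"   # placeholder: tunnel UUID

# Mint a self-signed certificate like the one a fresh Nextcloud VM serves.
# The SAN carries the LAN IP because cloudflared connects to the IP, not a name.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/nextcloud.key" -out "$WORK/nextcloud.crt" \
        -subj "/CN=nextcloud.lan" \
        -addext "subjectAltName=IP:$ORIGIN_IP" >/dev/null 2>&1
}

# What cloudflared does by default: validate against the system trust store.
# Returns non-zero for a self-signed cert; this is the root of the 5xx errors.
verify_against_system_store() {
    openssl verify "$WORK/nextcloud.crt" >/dev/null 2>&1
}

# What caPool does: trust exactly this certificate (or the CA that issued it).
verify_against_pinned_cert() {
    openssl verify -CAfile "$WORK/nextcloud.crt" "$WORK/nextcloud.crt" >/dev/null 2>&1
}

# Write the ingress config (into $WORK here; /etc/cloudflared/config.yml on the LXC)
# with origin verification kept on.
write_cloudflared_config() {
    cat > "$WORK/config.yml" <<EOF
tunnel: $TUNNEL_ID
credentials-file: /root/.cloudflared/$TUNNEL_ID.json
ingress:
  - hostname: $PUBLIC_HOST
    service: https://$ORIGIN_IP
    originRequest:
      # copy nextcloud.crt from the VM to the cloudflared LXC and point here
      caPool: /etc/cloudflared/nextcloud.crt
      # noTLSVerify: true   # the quick fix from the post; skips origin authentication
  - service: http_status:404
EOF
}

make_self_signed
if verify_against_system_store; then
    echo "unexpected: system trust store accepted the self-signed cert"
else
    echo "system trust store rejects the self-signed cert (this is the 5xx cause)"
fi
verify_against_pinned_cert && echo "pinned via caPool: verification passes"
write_cloudflared_config
echo "wrote $WORK/config.yml"
```

Pinning keeps the cloudflared-to-Nextcloud hop authenticated, so a stray host on the LAN IP cannot impersonate the VM. Keep in mind what the tunnel covers: the visitor’s TLS session terminates at Cloudflare’s edge and cloudflared opens a separate TLS session to the origin, so you get two verified hops rather than one session from browser to VM.
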
Cleaning Up the Errors

So now the tunnel was live. Sort of. I got smacked with some alerts from Nextcloud. Classic.

It turns out that Nextcloud (by default) doesn’t trust requests from random domains. Fair. We just need to tell it to chill out and accept our public hostname.

From the VM, change the Nextcloud config file:

nano /var/www/nextcloud/config/config.php

Add your domain to the trusted domains list:

'trusted_domains' =>
  [
    0 => 'localhost',
    1 => 'example.mydomain.com',
  ],

Save, then restart Apache:

systemctl restart apache2

A few seconds later… it just worked!
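Editing config.php by hand works, but Nextcloud’s occ CLI writes the same file for you and avoids PHP syntax slips. The script below is an added example, not code from the original post or from Nextcloud, and it goes a bit beyond the post: besides the trusted_domains entry it sets the reverse-proxy keys a tunnel deployment also needs (overwriteprotocol, overwrite.cli.url, trusted_proxies, forwarded_for_headers, all real Nextcloud config keys), so that links are generated as https and Nextcloud sees the real client IP instead of the cloudflared container’s. The hostname and IPs are placeholders; the OCC variable defaults to the path the post’s VM uses and can be overridden with OCC=echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post or from Nextcloud). Applies the
# trusted_domains fix with occ and the reverse-proxy settings a Cloudflare
# Tunnel setup also needs. Hostname and IPs are placeholders; set OCC=echo
# to see the commands without running them.
set -eu

PUBLIC_HOST="${PUBLIC_HOST:-example.mydomain.com}"   # placeholder: public hostname
CLOUDFLARED_IP="${CLOUDFLARED_IP:-192.168.10.30}"     # placeholder: LXC running cloudflared
OCC="${OCC:-sudo -u www-data php /var/www/nextcloud/occ}"

apply_nextcloud_tunnel_settings() {
    # 1. Accept requests that arrive with the public hostname (the post's fix).
    $OCC config:system:set trusted_domains 1 --value="$PUBLIC_HOST"

    # 2. Cloudflare terminates the visitor's TLS; tell Nextcloud it is served
    #    over HTTPS so generated links and redirects do not fall back to http://.
    $OCC config:system:set overwriteprotocol --value=https
    $OCC config:system:set overwrite.cli.url --value="https://$PUBLIC_HOST"

    # 3. Only the cloudflared host may claim a forwarded client IP, and the
    #    header Cloudflare sets is CF-Connecting-IP (HTTP_CF_CONNECTING_IP in PHP).
    #    Without this, brute-force protection and the log attribute every login
    #    to the cloudflared container, so one failed-login storm throttles everyone.
    $OCC config:system:set trusted_proxies 0 --value="$CLOUDFLARED_IP"
    $OCC config:system:set forwarded_for_headers 0 --value=HTTP_CF_CONNECTING_IP
}

# Read back what was set (or echo the commands in dry-run mode).
show_nextcloud_tunnel_settings() {
    for key in trusted_domains overwriteprotocol overwrite.cli.url trusted_proxies forwarded_for_headers; do
        $OCC config:system:get "$key"
    done
}

if [ -f /var/www/nextcloud/occ ]; then
    apply_nextcloud_tunnel_settings
    show_nextcloud_tunnel_settings
else
    echo "occ not found on this host; dry run of the commands that would be issued:"
    OCC=echo
    apply_nextcloud_tunnel_settings
fi
```

occ writes config.php directly, so the Apache restart from the post is not needed. The trusted_proxies line is the one worth double-checking after the change: a failed login should show the visitor’s public IP in Nextcloud’s log, not the LXC’s LAN address.
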

Why I Ditched Nginx Proxy Manager

Before tunnels, I was using Nginx Proxy Manager (NPM). It handled certs, routes, all that jazz. But with Cloudflare Tunnel, I don’t need it anymore:

  • No more port forwarding
  • No more reverse proxy
  • No more Let’s Encrypt renewal anxiety

Tunnel + domain + one tiny LXC → everything works. Cleaner, lighter, faster.

Mission Accomplished

And there you go: a full-featured, globally accessible, end-to-end encrypted Nextcloud instance — with zero open ports and no reverse proxy.

Is Cloudflare totally privacy-perfect? Nah. They’re still a big tech company. But traffic is encrypted, and at least now I own the data, not some AI pipeline.

If you’re running Proxmox and have a spare machine, I highly recommend giving this setup a shot. It’s surprisingly satisfying to own your cloud, especially when you don’t pay a dime in subscription fees.

What’s Next?

  • Want to add SSO with Cloudflare Access?
  • Want to expose Jellyfin, Gitea, or your own blog the same way?
  • Want to sync stuff across devices without anyone in the middle?

Let me know! Maybe we’ll tackle that in the next post. 👀

In the meantime… Happy building ⚒