I use arch btw (on everything).

So yes … my laptop, my home server and even my wife’s laptop.

I had a similar setup for years with traefik instead of nginx and I would recommend you to not over engineer your setup. If you only want to expose some specific services and for the others you only allow access in your LAN you can create an ACL for the restricted services based on a whitelist with your IP-Range. With that way your setup will be much easier, not so many SSL specific stuff (Which certificate do you need on which machine? Do you pass through the TCP connect or open the SSL connection and use insecure connection over your VPN?..), not so much DNS stuff, because you can redirect every subdomain to your server. You only need one fail2ban setup.

And you can access any device from your VPN in your LAN.

44 containers and my average load over 15 min is still 0,41 on an old Intel nuc.

As recommended from others here the docker version with a compose file works great.

I had similar problems with nextcloud upgrades until I switched the channel from latest to stable. Stable is still version 31, but I haven’t found a user comfortable alternative which I can give my family without hearing their pain. For me *Dav is the best decision and Syncthing for files that should be offline available like keepass or something.

And if you are actually on latest/32 maybe it is an option to switch to a tagged 32 version until it becomes stable.

From my view a major update shouldn’t been done automatically.

I host synapse as docker container behind traefik and it works pretty well. I have two users on my instance, have setup the mautrix-whatsapp bridge and federate with the instance of a friend.

The setup was straight forward: Pointing the sub-domain via traefik to the service and in the homeserver.yml enable well-known which announce port https with port 443 instead of 8448.

I use immich and nextcloud for the clients (my wife and my parents know that I only take care about that data) and on the server side I use borgmatic which has a local repository on the second drive inside my nuc and a remote repository hosted by hetzner called “storage box” which supports borg native.

Yes the remote is out of my physical access, but borg is fully encrypted and for 4$/3.6€/month for 1TB I feel good.

Before I started with borg and hetzner I had a rsync based backup with an odroid hc1 hosted by my parents, but that doesn’t feel safe. Due to slow network by my parents I had to sync my local backup instead of a second backup from the real data and the monitoring was also very bad.

From my point of view: You have no backup, if it is not automated and you have no monitoring.

Does your router indicate that you have DS-Light? I think O2 provides each customer DS-Light until they ask for a real IPv4.

To your second question: In case of DS-Light you don’t need a new IPv4 IP every 24h because your IP is not public facing.

PS: I don’t be sure, but the Fritz Remote Apps use IPv6 to ensure that they also work with DS-Light.

Yes I use wireguard only with systemd-networkd (as server and as client).

I followed the arch wiki and you need to ensure that the file permissions are correct, otherwise systemd will ignore them.

Copied from the wiki:

# chown root:systemd-network /etc/systemd/network/99-*.netdev # chmod 0640 /etc/systemd/network/99-*.netdev