An autistic approach to installing YunoHost. (Warning - lots of graphics)

You can click the link for a larger version of the image, or see a live interactive version on Coggle.

Hi, I’m frittro, I’m an “elder geek” from Auckland, New Zealand, who is self-learning about self-hosting to set up a homelab for 2022, to escape the clutches of Big Data companies like Google. I have purchased two Raspberry Pi 4B single board computers for a personal project.

The mindmap above is what I plan to implement for myself and my family/friends during 2022. I made a start in 2021 by purchasing the two Raspberry Pi 4B SBC’s and installing Pi-Hole and PiVPN under Docker/Portainer on Raspberry Pi OS (Buster). However, before I rolled out my full live system, I came across Yunohost which looks like a better fit for me, as I’m not exactly a developer as such, so I want to have as much of this automated for me as possible. I had considered deploying with Ansible, which would have added another level of complexity, and more for me to learn, but would have helped with future upgrades.

What I would like to know at this stage is whether my intentions as outlined in the mindmap here are “doable”. I will no doubt need plenty of help along the way, but I was intending to teach myself the intricacies of Ansible, Docker, and Portainer anyway, so I’m hoping that Yunohost will be easier for me to learn. I just need to make sure that my intentions are feasible, in the eyes of Yunohost pro users first, before I start down this track. Whether I am capable of implementing all of this, remains to be seen!

I think yunohost seems to be a good solutions for your needs.

You have not spoken about which kind of apps you want. If you want to be able to send email correctly to all email servers of this planet, you need a public static ipv4. (you may ask your internet provider for a full stack ip or use a VPN to achieve that: VPN providers | Yunohost Documentation

I have not undertand:

A centralised portal which can access external sites like Facebook […]

Thanks for the reply, Valentin. I wasn’t too sure about the whole VPN vs Static IP address issue, as I definitely want full email support, along with publicly accessible sites such as a selfhosted public Wordpress blog (at blog.fmds.geek.nz), but I also want to keep much of my portal and its contents private. If I can achieve this with a VPN, but still have public access to my selfhosted Wordpress blog, that would be ideal. If not, then I guess I could cough up an extra $10/month to my ISP for a static IP address.

As for accessing Facebook from the portal, I intend to use the External Sites module in NextCloud to encourage my users to stay as much as possible within our portal, but still have access to their regular sites like Facebook. I would also use the same External Sites module to provide an interface for my other selfhosted sites in Yunohost, such as Bitwarden, Monica pCRM, etc, so that they can all be accessed (with appropriate permissions) from within NextCloud running as our portal. Does that make sense? The first thing my users should see when they visit portal.fmds.geek.nz should be the login screen for our NextCloud instance, and should not see Yunohost’s interface at all. Only admins should have access to our Yunohost login screen.

On this issue, I was hoping to use DynamicDNS (such as NSUpdate, No-IP, or DuckDNS) with a dynamic IP address, and the script to update the DDNS automatically whenever my IP address changes, instead of having to pay for a static IP address. Would that be incompatible with Yunohost’s email stack?

Thats’ not the yunohost’s email stack the problem, but the fact that if you change of ip regularly you won’t be able to increase your ip reputation. So some mail could randomly be refused.
NB: yunohost provides dynamic dns domain *.noho.st, *.nohost.me and *.ynh.fr

Ooh, ouch! I think that pretty much clinches the deal then. Wifey (or “she who holds the purse strings”) agrees that we could spend the extra $10/month for the static IP if it is really necessary.

On this issue, my primary app will be a selfhosted Bitwarden server for my wife and I, as we will be changing from many years of Keepass usage. Secondly, my wife wants to start a Wordpress blog. Next up, we want to have central storage for our ebook collection (using Calibre Web), recipes etc (using Grocy), personal contact management (using Monica pCRM), streaming media (using Jellyfin), and family tree information (using Webtrees).

We’ll be using various client devices for all of this, including GNU/Linux laptops at home, and Android mobile devices both at home and externally. I hope to cut down on installed apps on the mobile devices by centralising on the NextCloud portal for mobile.

I would say Yunohost would be a pretty easy way to what you want…BUT forget about having 100% reliable email delivery. I have been running Yunohost for 2 years now and it works great. The only thing that I can’t trust 100% is email. If my wife starts saying “why aren’t my emails getting delivered?”, I am toast!

For email, I would recommend Protonmail or Tutanota. Email is inherently insecure. Do your secure messaging through the built in XMPP (Conversations app on Android), or Signal.

The cost vs. time ratio to get email working at 100% reliability is not worth it in my opinion.

A suggestion for another few apps you should get your family using:
Nextcloud - to replace Dropbox/Google Drive
Nextcloud Notes (inside of Nextcloud)
Send - to send links to files to each other

Good luck!

Thanks for all the great advice, Elias.

Exactly! It took me many years to train my wife up to use Internet Banking for our regular bill payments, so now she relies on email for that. If important emails don’t get through, it could spell disaster for us!

Thanks for the recommendation. I have a hosted mail service temporarily set up for now. I can leave that in place for now quite happily and migrate to one of those services down the track. I would have liked to self-host my own email server, but we can’t afford to miss important emails.

Yes, I intend to centralise most of our mobile computing via the NextCloud app, and have most of our day-to-day sites accessible from within our NextCloud instance as External Sites. I hope this should cut down on the number of apps we need to have installed on our phones, as we only have very cheap handsets, with limited storage, and I’m not yet confident to replace their firmware to get rid of all the pre-shipped crud.

Forgot to mention this but you can setup forwarding in Yunohost.

wife@example.tld >> wife’s gmail account

Hmm, not sure how that helps if Yunohost’s email system is unreliable. Can you explain more, please?

Yes, doesn’t help a lot but just forwards any emails received to a Yunohost account.

Mostly Yunohost email is unreliable sending emails, not receiving them as far as I know, so you can use Yunohost for incoming email. Many threads on here about email. You can see what kinds of issues people have and what they try to do to fix them.

email troubles

I think it depends. Each of us in the family has a Yunohost running, about as long as @arkadi (close to three years by now).

We have had no email troubles, not even when some of the servers needed to switch to a VPS of which the IP’s might have had a less than favourable history (the Yunohost diagnostics warned the IP’s were blacklisted, maybe complete with a link to the site for de-listing request).

The forwarding option can be a good intermediate step. Combine it with updating your reply-to address to your own domain, while you keep using the current services for a while.

Regarding dynamic DNS and the noho.st/etc domains: most of my DNS is going through a (free) account at dns.he.net, where you can tick “use dynamic DNS” for each DNS entry. That should work for your own fmds-domain as well. (Yunohost can host more than one domain, so you could add family members favourite domain later on)

Thanks for the reply, Boudewijn.

I am currently discussing getting a static IP from my ISP. I’m about to ask them if they have a separate pool for static IP’s, or if they just snaffle one from out of their common dynamically assigned pool. I want to get the best chance I can of having a static IP without a blacklist history, but these days it is hard to get.

I’m a little puzzled by this. When I was investigating what it would take to set up my homelab project using the traditional Docker/Portainer deployment paradigm, I came across NGINX Proxy Server as a solution for selfhosting multiple sites from a single server using subdomains. I assume that Yunohost has some similar way of dealing with this, so that I can have my own portal.fmds.geek.nz subdomain, and blog.fmds.geek.nz for my wife’s blog, and other such subdomains, all selfhosted from Yunohost, right? I don’t need to use the *.noho.st, *.nohost.me or *.ynh.fr domains, do I?

No, indeed. Those are to take away any financial/complexity thresholds that self-hosters-to-be may have.

Yunohost runs Nginx indeed, and will use it to create proxy’s for other locations if you need*. It will just as happily serve multiple blogs and services under different (sub)domains**.
**) The domain that is configured as ‘main/default’ domain for my wife and my server is ‘online.osba.nl’ and is forwarded to a blog, it is shared with gialinh.nl on the same server that is also forwarded, to her blog. There are some more (sub)domains, living happily side-by-side
*) My daughters Yunohosts used to run at home, until my ISP stopped providing IPv4 subnets. Their Yunohosts run on a small VPN now. I used the ‘redirect’ app to have Nginx configured to forward visits to their Nextcloud instance to the instance at home, where they have enough space. That is somewhat different than the example you give, where there is a forward to another resource inside your LAN. I don’t think I have used that.

How is the IPv6 situation in New Zealand?

By the way, welcome to the community!

I started reading from bottom to top, so I finally opened the mindmap in its own right

Nice plan, and as the others already affirmed, a good match with what Yunohost provides. Going through the items one by one:

• Light green
  • portal with self hosted apps: that is where it starts
  • using a single interface: depends what you mean. The single sign on will provide the black canvas with colourful squares as you can see in the demo-site (logon with demo/demo), but each app will have its own look and feel (until our community is large enough to provide a Yunohost-themed skin for each app…). Login is to those apps is handled, almost always, by the SSO. (Notable (and only) example of the contrary would be Peertube, which apart from the initial log in, I can wholeheartedly can recommend as a self hosted Youtube-replacement.)
  • providing granular access control: there is a powerful user/group management feature. You can define various groups with various app permissions, and assign named users and visitors to any number of groups.
• Dark green
  • SSO: Yes, available;
  • Single portal, accessible at home and away: Yes, available;
  • Portal which also provides access to external sites: Yes. You already found the Nextcloud feature; another option is the ‘redirect’ app, which places the external site as a coloured square in the portal;
  • Simple setup and administration: Yes, I would say so. The Yunohost team should feel proud of themselves
  • Reliable regular backups: automatically before each app upgrade, and manually on keypress. Regularly automated via various installable apps (I use Borg);
  • Easy upgrade: Yes, for each individual app as well as for the platform as a whole.

It still is IT, things do break for different people in different ways and mostly you only will read about the broken cases of course. I can only say that I am really happy with (the community around) Yunohost!

Here it’s about bed-time, perhaps I’ll reply to the yellow and purple parts of the map tomorrow, and to the rest of the conversation

No problems, we can read in reverse order, and reply asynchronously too. Being from New Zealand, I’m used to being awake when most others are asleep!

I’m really not sure, I haven’t done a lot with IPv6 yet. I’m aware of it, and the need for it, but it hasn’t been a major concern for me personally yet.

Hmm, I’m thinking that I wish I had known about this sooner. I only bought the domain because I thought it would be necessary for my selfhosting plans. Now I’m looking at committing to yet another ongoing cost, for a static IP address as well, for this project. I’ve finally convinced my wife to give up the landline in 2022, saving us about the same amount as the static IP address will cost us, and we still have our mobile phones. But now I’ve also spent $NZ56.81 for domain registration for three years, plus another $NZ10.10 for one year of email hosting (as a temporary measure before I start selfhosting my own email server), which uses my new domain name, but only has a single mailbox that I have configured for the catchall.

With all that said, I think I should probably set up my Yunohost system using one of the default *.noho.st, or *.nohost.me subdomains, and somehow follow your example of …

… such that we can refer people to our portal.fmds.geek.nz website, but it will be served from something like portal.fmds.noho.st or something instead. That way when our three year domain name contract ends, if we aren’t in a financial position to renew it, we can just switch over to the portal.fmds.noho.st domain. I assume there is something that I could do in Cloudflare to make such a change easier.

What I was meaning here was that when our visitors go to fmds.geek.nz or portal.fmds.geek.nz they should see the login screen for our NextCloud instance. When they go to blog.fmds.geek.nz, they should see my wife’s Wordpress blog. I don’t want the Yunohost screen to be seen at all by the public. In theory, I should be the only one who gets to see it.

While that is admirable, and I understand the push to promote Yunohost itself, for myself though the hosting solution that I choose should remain in the background, and I’ll theme our site independently. I’m sure that, as I learn more about Yunohost and come to love it the way others here seem to now, I’ll find some way to promote Yunohost to others as well.

You’ve given me much to think about, Boudewijn. I’ll reply to more of your replies later. Sleep well.

You can click the link for a larger version of the image, or see a live interactive version on Coggle.

I’ve made a new mindmap, this time showing what my homelab setup might look like when running under Yunohost. This time I’m looking at setting it up with the default *.noho.st domain name, and pointing my own *.fmds.geek.nz domain there as well. I guess there will be some fiddling needed with my domain registrar to get that part working properly. I don’t want my test.local machine to be available at all on the Internet, that is purely for testing new apps and features before I roll them out to the prod.local machine.

Nice to share the planning of the lab, you put a lot of thought in it.

When you wrote about ‘external sites’ , I thought you meant ‘outside of the LAN/homeserver’. Nextcloud (as well as Yunohost) provides functionality for that.

In the mindmap the sites are all self hosted. and at least a couple of them I recognize from the Yunohost catalogue. Providing access via Nextcloud could make you lose the single sign on functionality, because you don’t access them via SSOwat anymore but via Nextcloud.

The proxy manager for nginx got its own icon. Is that to show the functionality that nginx provides, or is it a separate piece of software?

Nextcloud got a central role, as portal and for reaching further sites. Which functionality of Nextcloud itself do you expect (the people) to use?

That last question may be important. If the main reason is to provide a platform to reach all often used sites and services, and only secondly provide a hub to access data on the go, the experience may be suboptimal: Nextcloud provides a lot of functionality, but is not the fastest site to open.

In our case, Nexctloud is available, but relatively invisible:

• data from phones is uploaded to it, and retrievable via the app (or website)
• data from laptops is synced with it (two-way, so pictures from the phone show up in the picture directory on each persons laptop or account, for example)
• Calendars are synced via Nextcloud (CalDAV)
• Contact lists are synced via Nextcloud (CardDAV)
• Some locations are mounted (read only) on other servers via SSHFS, or (read/write) via WebDAV
• (probably some other uses; this is top of mind)

For all these uses the Nextcloud website can be accessed, but it is not necessary: desktop programs get the data they need by themselves, and phone apps also communicate with Nextcloud in the background. Sharing of files can be done from the website, but just as well from the file manager.
The only reason for accessing the Nextcloud website for data retrieval, is when I am at another location and prefer the comfort of a large screen over a telephone screen to browse for a file at the homeserver, or work on some document in the online editor.

So (and I don’t want to come over as pushy :-P) if the focus of using Nextcloud as portal is for the external apps, I think the solution is overweight. Nextcloud has a central role in data management, but the jump board is an add-on, not the main feature (then again, to confuse matters: more and more apps are available as add-ons to Nextcloud itself, more or less seamlessly integrating: mindmapping, budgeting, mail, calendar and contacts of course, mediaserver, passwordmanager, you probably saw the list).

One step to the left in the mindmap: proxy manager. Getting ahead of your answer of whether you mean the app itself, or visualize the functionality it provides: using the app is overkill if you already got Yunohost. Yunohost manages nginx-configuration for all installed apps automatically, and proxying for extra apps (either on the server itself, in the lan or on the Internet) can be managed from Yunohost via the redirect app (works for me, but I have to miss out on the status view provided by Nginx Proxy Manager, and use monitoring software for that).

You already repeated that you don’t intend people to visit the Yunohost interface. That wouldn’t be necessary if configured as in your mindmap: portal.fmds… would directly open Nextcloud. On the other hand: you could contemplate using the Yunohost interface as portal (either at portal.fmds… or directly at fmds…, and move Nextcloud to data.fmds… or cloud.fmds…)
Nextcloud would still be directly accessible, but the Yunohost portal would provide single sign on to all installed apps (I repeat it, because I am not sure Nextcloud can provide the sign in, and becouse the Yunohost interface opens faster than Nextcloud).

Hey, I see the mindmap being updated I’ll post this before it’s out of date

An alternative could be as follows (after reading your reply, I see the Yunohost interface is a no-go; I’ll leave it up for educational purpose); I didn’t mention the test server. It is a bit of a combination of a functional and a technical diagram, sorry for that.

My graphics are not as fluent as yours, I hope the idea comes across:

(I don’t know how to select a smaller font; the original image) can be zoomed out)

              ┌────────────────────────┐                        ┌───────────────────┐
              │                        │                        │                   │
              │  cloudflare            │                        │ noho.st/ynh.fr/   │
              │                        │                        │                   │
              │                        │                        │                   │
              └────────┬───────────────┘                        └─────────┬─────────┘
                       │                                                  │
                       │                                                  │
                       ▼                                                  ▼
              ┌────────────────────────┐                         ┌───────────────────┐
              │                        │                         │                   │
              │                        │                         │ *.fmds....        │
              │  *.fmds.geek.nz        │                         │                   │
              │                        │                         │                   │
              └────────────────────────┴─────┐       ┌───────────┴───────────────────┘
                                             │       │
                                             │       │
                                             │       │
                                             │       │
                                             ▼       ▼
                                    ┌───────────────────────────┐
                                    │   Optionally:             │
                                    │                           │
                                    │  VPS or VPN for fixed IP  │
                                    │                           │
                                    └────────────┬──────────────┘
                                                 │
                                                 │
                                                 │
                                                 │
                                                 │
                                                 ▼
                                    ┌───────────────────────────┐
                                    │   Router, ports forwarded │
                                    │                           │
                                    │  or DMZ /exposed host     │
┌───────────────────────────────────┼───────────────────────────┼──────────────────────────────────────────────────┐
│                                   └─────────────┼─────────────┘                                                  │
│   LAN                                           │                                                                │
│                                                 │                                                                │
│            ┌────────────────────────────────────┼───────────────────────────────────────────────────────────┐    │
│            │  RPi                               │                                                           │    │
│            │  ┌─────────────────────────────────┴─────────────────────────────────────────────────────────┐ │    │
│            │  │ Yunohost proxy function         ▼                                                         │ │    │
│            │  │ ┌───────────┬───────────────────────────────────────────────────────────────────────────┐ │ │    │
│            │  │ │ SSO       │                                                                           │ │ │    │
│            │  │ │ at x.fmds │                                                                           │ │ │    │
│            │  │ ├───────────┘  ┌───────────────┐  ┌────────────────┐ ┌──────────────┐ ┌─────────────┐   │ │ │    │
│            │  │ │              │Nextcloud      │  │ Rainloop       │ │ Firefly      │ │Blog1        │   │ │ │    │
│            │  │ │              │at portal.fmds │  │ at fmds/webmail│ │ at fmds/money│ │at blog.fmdds│   │ │ │    │
│            │  │ │              │               │  │                │ │              │ │(default app)│   │ │ │    │
│            │  │ │              │               │  │                │ │              │ │             │   │ │ │    │
│            │  │ │              └───────────────┘  └────────────────┘ └──────────────┘ └─────────────┘   │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │              ◄───────────────────────────────────────────────────────────────────►    │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │             ┌──────────────┐   ┌────────────┐     ┌───────────┐                       │ │ │    │
│            │  │ │             │              │   │            │     │           │                       │ │ │    │
│            │  │ │             │ Bank         │   │ News       │     │  ...      │                       │ │ │    │
│            │  │ │             │ at bank.nz   │   │ at bbc.nz  │     │           │                       │ │ │    │
│            │  │ │             │              │   │            │     │           │                       │ │ │    │
│            │  │ │             └──────────────┘   └────────────┘     └───────────┘                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ │                                                                                       │ │ │    │
│            │  │ └───────────────────────────────────────────────────────────────────────────────────────┘ │ │    │
│            │  │                                                                                           │ │    │
│            │  └───────────────────────────────────────────────────────────────────────────────────────────┘ │    │
│            │                                                                                                │    │
│            └────────────────────────────────────────────────────────────────────────────────────────────────┘    │
│                                                                                                                  │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Haha, nice. I was just adding that one extra dashed line between NGINX and the individual apps. What I was thinking was that I can use NextCloud as the single, centralised portal, and I understand that there are several SSO modules for NextCloud which I intend to look into further. Aesthetically, the Yunohost tiled interface doesn’t really do it for me, I’m afraid. I’m sure it is great for tech gurus, but I will have several technophobes as end-users, so I’ll be making a custom theme for my NextCloud instance.

As to the question of where the individual apps reside, I am not so concerned about that. If an app is available from within Yunohost itself, then I’ll use it from there, but make it available to my users within NextCloud. I assume that the NGINX proxy within Yunohost can be configured to route ports directly to the individual apps, such that if someone looks up crm.fmds.noho.st for instance, it can be routed to the relevant port for the Monica instance in Yunohost; and that such a request could also come from within the NextCloud instance via the External sites app, essentially creating an iframe of the “external” app within NextCloud, but viewing it as served from Yunohost. A bit of a roundabout way of doing things, sure, but it lets me provide a single, unified interface to my users, based on NextCloud. Does that make sense?

As you pointed out, not all of my iframes would be filled with selfhosted sites. I also want to have NextCloud displaying a Facebook login in an iframe, for those who still can’t seem to ween themselves off Facebook. Other external sites that we use regularly could also be shoved inside an iframe and linked to from within NextCloud, so that all of our regular browsing can be done from a single location. That’s the idea, anyway.