Distributing Yunohost over 2 servers (one for Nextcloud/storage)

TL;DR:
Can I have Yunohost serving osba.nl on a VPS, and nextcloud.osba.nl on a server on my home network, and have them agree with each other on user accounts and such?

Longer version:
My ISP used to offer a small IPv4 subnet, but decided it was not in their business interests to have people running too many servers at home and cancelled the service.
So, from one day to the next, we didn’t receive email anymore, telephones could not back up photos to Nextcloud and websites could not be reached anymore.

Now most of the Yunohosts each run on a small VPS, but for Nextcloud that is not an option. I was hoping to use my homeserver as storage device for the Nextcloud portion of the Yunohosts, and prefer to have a Nextcloud installation per domain as it was until recently (so that each can manage their own Nextcloud installation as part of their Yunohost). These options come to mind:

  1. Don’t install Yunohost on a VPS, but only use the VPS to create a tunnel to the home network to make the IPv4 available;
  2. Install the main domain (osba.nl) on the VPS, and install the Nextcloud instance on a separate Yunohost in the home LAN under nextcloud.osba.nl;
  3. Install all on the VPS, osba.nl as well as nextcloud.osba.nl, and use SSHFS to mount a directory on my home server on /home/yunohost.app/nextcloud/data/ to offload the files. I would probably need to do the same for the MySQL filecache, but do not look forward to the performance penalty (if MySQL allows me to do that anyway).

No. 2 seems easiest to install, using a backup of one Yunohost to post-install the other so that users are identical. Still, I expect headaches when new users are added to the external or the internal Yunohost.

Would I need some kind of mirroring for the base system on both sides, and add non-mirrored applications on top of that?

The reason for going this difficult way is that I don’t know how to serve multiple domains for email, XMPP and Matrix on their individual ports from a single IPv4, and I prefer not to disable IPv4 and use IPv6 only for these servers. Everything on a VPS is not an option because the price would be too high.

Any suggestions?

Good morning wbk,

Options 1 and 2 are doable, and I would even say easily doable.

Option 3 seems too complicated to me.

Option 1 (I’m actually using this one):
1. Install a VPN server on your VPS (you can use angristan’s script to install OpenVPN or WireGuard)
2. Install the VPN client on your Yunohost at home, and connect it to the VPN server located on your VPS
3. On your VPS, use the firewall to forward the concerned network ports (80 for the web, 480 for secure web, 25 for the emails, etc.) arriving on your VPS to the VPN IP address of your Yunohost.

Option 2 (I’m also using this one but not for Nextcloud, so I cannot guarantee you 100 % that it works. But I think it should work. You might have to forward some ports as well):
1. Install Yunohost on your VPS and set everything up.
2. Install a second Yunohost on your homeserver and install your Nextcloud there
3. Install a VPN server on your VPS, a VPN client on your homeserver. Connect your homeserver to your VPS VPN server.
4. On the VPS Yunohost, install the app redirect-ynh on the domain nextcloud.osba.nl and set it to redirect the traffic to your homeserver Yunohost Nextcloud URL.

In both cases, I can help you and post the commands step by step, just let me know.
Have a nice day

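Option 1 from charly's reply, written out as an added example (this is not code from the thread, from charly, or from Yunohost). It renders the WireGuard server and client configuration for a VPS-to-home tunnel and the nftables rules that forward inbound TCP ports from the VPS's public address to the home Yunohost, and includes the routing caveat that decides whether the home server still sees real client addresses. All values are assumptions: 203.0.113.10 stands in for the VPS, 10.8.0.0/24 for the tunnel network, eth0/wg0 for interface names, the keys are placeholders, and HTTPS is taken to be port 443.

```python
"""Added example for Option 1 (not code from the thread or from Yunohost).
Renders the WireGuard server/client pair and the nftables rules that DNAT
selected TCP ports arriving on the VPS public IP to the home Yunohost over
the tunnel. All addresses, interface names and keys are placeholders."""
import ipaddress
import re

# --- constructed values; replace with your own ---
VPS_PUBLIC_IP = "203.0.113.10"      # documentation address standing in for the VPS
VPS_WAN_IF = "eth0"
WG_IF = "wg0"
WG_PORT = 51820
WG_NET = ipaddress.ip_network("10.8.0.0/24")
VPS_WG_IP = ipaddress.ip_address("10.8.0.1")
HOME_WG_IP = ipaddress.ip_address("10.8.0.2")
# Placeholder keys: make real ones with `wg genkey | tee priv | wg pubkey`.
VPS_PRIVKEY, VPS_PUBKEY = "<vps-private-key>", "<vps-public-key>"
HOME_PRIVKEY, HOME_PUBKEY = "<home-private-key>", "<home-public-key>"
# Ports charly lists (25, 80 and HTTPS, i.e. 443) plus submission and IMAPS,
# which a mail-serving Yunohost needs as well.
FORWARD_TCP = (25, 80, 443, 587, 993)
# Forwarding these would cut off SSH to the VPS or break the tunnel itself.
NEVER_FORWARD = {22, WG_PORT}


def forward_problems(ports):
    """Return the reasons a port list must not be forwarded (empty list = ok)."""
    problems, seen = [], set()
    for p in ports:
        if not 1 <= p <= 65535:
            problems.append(f"{p}: not a TCP port")
        elif p in NEVER_FORWARD:
            problems.append(f"{p}: would lock you out of the VPS or break WireGuard")
        elif p in seen:
            problems.append(f"{p}: listed twice")
        seen.add(p)
    return problems


def wg_server_conf():
    """wg0.conf on the VPS: one peer per home machine, pinned to a /32."""
    return (f"[Interface]\nAddress = {VPS_WG_IP}/{WG_NET.prefixlen}\n"
            f"ListenPort = {WG_PORT}\nPrivateKey = {VPS_PRIVKEY}\n\n"
            f"[Peer]\n# home Yunohost\nPublicKey = {HOME_PUBKEY}\n"
            f"AllowedIPs = {HOME_WG_IP}/32\n")


def wg_client_conf():
    """wg0.conf at home. AllowedIPs 0.0.0.0/0 routes all outbound traffic via
    the VPS, so replies to forwarded connections go back through the tunnel
    and the home server still logs the real client address (no NAT needed)."""
    return (f"[Interface]\nAddress = {HOME_WG_IP}/{WG_NET.prefixlen}\n"
            f"PrivateKey = {HOME_PRIVKEY}\n\n"
            f"[Peer]\nPublicKey = {VPS_PUBKEY}\n"
            f"Endpoint = {VPS_PUBLIC_IP}:{WG_PORT}\n"
            f"AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n")


def nft_ruleset(peer_ip, ports, masquerade=False):
    """nftables ruleset for the VPS (also needs net.ipv4.ip_forward=1).
    masquerade=True is only needed when the home side does NOT route its
    default via the tunnel; it hides the client IP from the home server,
    which breaks fail2ban and SPF checks on inbound mail, so it defaults off."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in WG_NET:
        raise ValueError(f"{peer} is not inside the tunnel network {WG_NET}")
    problems = forward_problems(ports)
    if problems:
        raise ValueError("; ".join(problems))
    portset = "{ " + ", ".join(str(p) for p in sorted(set(ports))) + " }"
    post = f'        oifname "{WG_IF}" masquerade\n' if masquerade else ""
    return (
        "table ip nat {\n"
        "    chain prerouting {\n"
        "        type nat hook prerouting priority dstnat; policy accept;\n"
        f'        iifname "{VPS_WAN_IF}" ip daddr {VPS_PUBLIC_IP} '
        f"tcp dport {portset} dnat to {peer}\n"
        "    }\n"
        "    chain postrouting {\n"
        "        type nat hook postrouting priority srcnat; policy accept;\n"
        f"{post}"
        "    }\n"
        "}\n"
        "table inet filter {\n"
        "    chain forward {\n"
        "        type filter hook forward priority filter; policy drop;\n"
        "        ct state established,related accept\n"
        f'        iifname "{VPS_WAN_IF}" oifname "{WG_IF}" ip daddr {peer} '
        f"tcp dport {portset} ct state new accept\n"
        f'        iifname "{WG_IF}" oifname "{VPS_WAN_IF}" accept\n'
        "    }\n"
        "}\n")


def dnat_targets(ruleset):
    """Audit helper: map forwarded port -> target address found in a ruleset."""
    targets = {}
    for m in re.finditer(r"tcp dport \{ ([\d, ]+) \} dnat to (\S+)", ruleset):
        for p in m.group(1).split(","):
            targets[int(p)] = m.group(2)
    return targets


if __name__ == "__main__":
    print(wg_server_conf())
    print(wg_client_conf())
    print(nft_ruleset(HOME_WG_IP, FORWARD_TCP))
```

Two things worth checking before loading the ruleset on a real VPS: the forward chain drops everything not explicitly listed, so each new service needs its port added in both the DNAT line and the forward accept line, and the home side must either route its default via the tunnel (as the client config above does) or the VPS must masquerade, otherwise replies leave the home network via the ISP router and the connections never complete.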

Hi @charly,

Thank you for the quick and detailed answer!

Great that both 1 and 2 are working solutions, now I have to choose :slight_smile:

I prefer to host everything at home, still option 2 has my slight preference because it would be a waste to pay for the VPS and not use the (smaller but much faster) resources of that server :stuck_out_tongue:

For option 2, I expect only the traffic for nextcloud.osba.nl to be forwarded from the VPS to my homeserver, but configuration of both Yunohosts is separate (so that a user on osba.nl does not exist on nextcloud.osba.nl until it is manually added).
Do you have experience with SSO working or not in that situation?

Hey,

Mmmm. I’d say that the redirect app of your VPS Yunohost would have to be public and that the Nextcloud app of your home server should be set as a private app (so you don’t have a double authentication system).

But I’m not 100% sure about that.

The best would be to experiment.

Otherwise, option 1 works for sure.

Yes, the redirect of nextcloud.osba.nl on the VPS would be public, and the actual Nextcloud on my homeserver would need authentication. But it will authenticate against Yunohost on the homeserver.

Maybe experimenting would go in the direction of redirecting SSO on the homeserver to Yunohost on the VPS… hmm it is getting complex quickly: that would mean synchronising user additions back to the homeserver to have them created in Linux there.

Maybe I reevaluate “Everyone manages their own Nextcloud instance”, and try to merge all of them into one. I think that will have implications for federation and Nextcloud Social: everyone will get a new federation ID, I’ll make another thread to find out about that.

For now it seems that option 1, having all needed ports forwarded, is the best option (one disadvantage I just thought of would be duplication of bandwidth for all traffic, but Nextcloud is probably most bandwidth intensive anyway).

I’m sure to take on your offer of more detailed steps later on, thanks again for your help so far!

It turns out more complex than I anticipated. With the help of asciiflow.com I did this piece of art (after thinking about it, I slightly camouflaged the names, just in case; on the other hand, they’re on the public internet anyway…)

 193.107....
 ┌──────────────┐                193.107....
 │  *.akasha.nl │               ┌───────────────┐
 └──────────────┘               │  *.athena.nl  │
                                └───────────────┘

                                 nextcloud.sanyi.nl
                                forward to internal wireguard
             ┌────────────┐                        10...x?
             │ *.fakran.nl│
             └────────────┘

                                    ┌────────────────┐
                                    │  *.nirem.nl    │
                                    └────────────────┘






              ┌────────────────┐ 80.101.226.250
              │    router/FW   │
┌─────────────┴──┬─────────────┴──────────────────────────────┐
│                │   192.168.1.1 + wireguard?                 │
│                │                                            │
│                │                                            │
│                │                       WG 10....x ?         │
│                ▼   192.168.1.2            192.168.1.3       │
│               ┌──────────┐        ┌─────────────────────┐   │
│               │ *.osba.nl│        │  nextcloud.athena.nl    │
│               └──────────┘        └─────────────────────┘   │
│                                                  ...4       │
│             (also NC)             ┌────────────────────┐    │
│                                   │ nextcloud.akasha.nl│    │
│                                   └────────────────────┘    │
│                                                  ...5       │
│                                    ┌────────────────────┐   │
│                                    │nextcloud.fakran.nl │   │
│                                    └────────────────────┘   │
│                                                  ...6       │
│                                    ┌────────────────────┐   │
│                                    │ nextcloud.nirem.nl │   │
│                                    └────────────────────┘   │
│                                                             │
│                                      ......                 │
│                                                             │
└─────────────────────────────────────────────────────────────┘

I have wireguard server installed on Yuno-VPS *.athena.nl, and the VPNclient app on Yuno-LAN nextcloud.athena.nl, and then got stuck (the VPNclient app configuration fields do not match the Wireguard server info).

I have no experience with WireGuard, but my experience with OpenVPN pushes me ‘slightly’ towards WireGuard. After reading a bit, I think the WireGuard server should be on the router (to make the whole internal LAN accessible), with the Yunohosts out in the field as clients.

What do you think?

In your situation where you use option 2, is the domain name picked up correctly by nginx on the internal host, after the traffic is forwarded via the VPN by the redirect app?

Do you have remarks on my to do list, exemplified for a single domain?

  • install Wireguard on the router
  • install Wireguard on *.athena.nl
  • make VPS athena connect to the LAN via Wireguard
  • add domain nextcloud.athena.nl to VPS athena
  • add redirect-app to VPS athena on domain nextcloud.athena.nl and make it the default application, forwarding to the correct 10…x IP in the Wireguard range that matches the internal nextcloud.athena.nl server

If that works out, should I not be able to add nextcloud.athena.nl to *.osba.nl? From a user- and rights-management perspective, nextcloud.athena.nl already does not benefit from LDAP/SSO on *.athena.nl; adding the domain to the *.osba.nl server skips the hop via the VPS and saves bandwidth there.

Sorry for all the questions, I hope you can give a (partial) hint!

Hi, all good?

Sorry, I didn’t see your answer.

If you want, I suggest that we reset your plan and set everything up from scratch again.

Tell me:
- How many servers you have, where they are (at home or on a VPS)
- If you do have a VPS
- What exactly is the router? Is it at home? Is 80.101.226.250 a static and public IPv4?

Keep me posted and then we’ll see.

See ya

Hi, thank you again for the invitation!

Old
There used to be nine Yunohosts that were accessible via IPv6 and of which six were accessible via (static) public IPv4 (so three of them were IPv6 only).

They all needed their ports forwarded (for mail, XMPP, Matrix, etc.) and their reverse DNS set (for mail).

The router was a Fritz!Box, but no more.

Current
Now I only have one public IPv4, 80.101.226.250, which is static but will change when I change ISP in the near future (but after the change it should be static once more).

All nine Yunohosts are still running at home, but for most of them only for Nextcloud (because of data) and FFSync (because it does not install on new servers anymore).

I have 6 (light) VPS servers (it was the cheapest and most flexible way to get 5 public IPv4 :-P).
On four of them I have Yunohost installed from a backup of the respective homeservers. They run most apps and services, except for Nextcloud (because of the volume of data and the bandwidth) and FFSync (because of the installation).

The router is now OPNsense. It can run WireGuard and OpenVPN, as well as nginx as a reverse proxy. I tried configuring nginx as a reverse proxy before posting here, but I must admit I have not had much success with that.

TL;DR: the current situation is

  • 9 Yunohosts at home, backups from 4 of them restored on VPS
  • 6 VPS with 1 IPv4 each, but with limited storage/bandwidth
  • 1 static public IPv4 from my ISP at the OPNSense router

Does that paint a picture?

Hi,

Pretty heavy stuff then.

Well, in my humble opinion, you could simplify the whole thing this way:

1. VPS: your only static public IP.

On this VPS:
- A VPN server
- Yunohost with all your domains installed.
On each domain: install the redirect app, and set it to redirect each domain to your home Yunohost servers (all connected to the VPN via the VPN client)

At home:
All your Yunohost machines. All those machines are connected to the VPN server.

Let me know if you need any assistance.

See ya

Hi, thanks for your suggestion and reading my long story!

Your solution resolves a lot of the complexity, and is cheaper to run :slight_smile:

I hesitate to start configuring things that way. What is your opinion on:

  • With only one IPv4, I can only have one reverse DNS for the maildomains.
  • Some services claim a port for themselves. Can the VPN facilitate multiple Matrix/XMPP server connections on one port, one for each of the domains, because the traffic will be forwarded to the respective server in the LAN?
  • Is there still a benefit to using a VPS at all, taking in account that my home connection has a fixed IPv4?

Thanks again!

Mmmmmm.

In my point of view, this solution is indeed limiting if you’d like to run multiple Matrix servers.

No benefit at all in using a VPS if you already have a static public IP at home.

Have a nice day

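The question above (several Matrix/XMPP servers behind one port on one IPv4) has a partial way out for the TLS-first ports, shown here as an added example that is not part of the thread and not Yunohost or redirect-ynh code: a demultiplexer on the single public address can read the server_name (SNI) from the first TLS record of each connection on 443 or 8448 and hand the connection to the matching home box over the tunnel, which is what nginx's `stream` module with `ssl_preread` or HAProxy does in production. The hostnames, tunnel addresses and the ClientHello builder are constructed for the example; the parser is bounds-checked so that non-TLS or truncated input is refused rather than raising.

```python
"""Added example (not from the thread): decide, from the first bytes of a
connection on the single public IP, which home Yunohost it belongs to by
reading the TLS server_name (SNI) from the ClientHello. Shows what a port
443/8448 demultiplexer such as nginx `stream` with ssl_preread would do;
hostnames and tunnel addresses are constructed placeholders."""
import struct

# Constructed routing table: TLS hostname -> WireGuard address of the home box.
ROUTES = {
    "nextcloud.athena.nl": "10.8.0.3",
    "matrix.osba.nl": "10.8.0.2",
    "osba.nl": "10.8.0.2",
}


def build_client_hello(server_name: bytes) -> bytes:
    """Constructed test input: a TLS record carrying a ClientHello whose only
    extension is server_name. Enough for the parser; not a full handshake."""
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01"                   # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None for anything
    else (truncated record, non-TLS bytes such as an SMTP EHLO, no SNI).
    Every length is bounds-checked so hostile input cannot raise."""
    if len(data) < 5 or data[0] != 0x16:            # not a handshake record
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or rec_len < 4 or rec[0] != 0x01:   # not a ClientHello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hs = rec[4:4 + hs_len]
    if len(hs) < hs_len:
        return None
    pos = 2 + 32                                    # skip version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                              # session id
    if len(hs) < pos + 2:
        return None
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                              # compression methods
    if len(hs) < pos + 2:
        return None                                 # no extensions block
    end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    if end > len(hs):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            return None
        if etype == 0:                              # server_name
            sl = hs[pos:pos + elen]
            if len(sl) < 5 or sl[2] != 0:           # name_type 0 = host_name
                return None
            name_len = int.from_bytes(sl[3:5], "big")
            if 5 + name_len > len(sl):
                return None
            try:
                return sl[5:5 + name_len].decode("ascii")
            except UnicodeDecodeError:
                return None
        pos += elen
    return None


def route(first_bytes: bytes):
    """Tunnel address to hand the connection to, or None to refuse it."""
    name = extract_sni(first_bytes)
    if name is None:
        return None
    return ROUTES.get(name.lower().rstrip("."))


if __name__ == "__main__":
    for host in (b"nextcloud.athena.nl", b"matrix.osba.nl", b"unknown.example"):
        print(host.decode(), "->", route(build_client_hello(host)))
    print("SMTP banner ->", route(b"EHLO mail.osba.nl\r\n"))
```

This only helps where the hostname is visible before any application data, so it covers HTTPS and Matrix federation on 8448 but not port 25 or STARTTLS ports such as XMPP 5222/5269; for those the one-server-per-port limit charly describes stands, unless the services are moved to per-domain ports via SRV records (XMPP) or `.well-known/matrix/server` delegation (Matrix). With a demultiplexer in place, the DNAT rule for 443 on the VPS points at the proxy rather than at a single home box.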

Thank you for your time helping :slight_smile:

I will try to find a solution and post it here once I found one.

In the mean time I will probably open another thread with questions about VPN :wink: