Hi, finally setting up Nextcloud in an effort to de-Google myself and replace GDrive for good.
I am currently running Nextcloud via Tailscale and that works fine except for when i want to share a file to someone outside of my Tailnet. I have heard of federated Nextcloud but i am not sure that i quite understood the purpose of this or maybe there is a better solution? If i run two instances like that, will i simply be able to share certain files over to that instance for sharing?
deleted by creator
I want to avoid having anything private or critical be internet facing.
Understandable, but if you’re sharing it, it’s not private in that sense anyway. This may be a legitimate use case for GDrive, Dropbox, Box, etc. Or just use sneakernet.
deleted by creator
I think for the Nextcloud federation to work, both instances need to be publicly accessible.
Not true, both instances need to be able to reach each other through a domain, but they don’t both need to be public.
Eh, that is the same thing. I wasn’t talking about public registrations or so.
That is most definitely not the same thing.
What do you think having a public IP means then?
For the described scenario only one public IP is necessary. The other Nextcloud instance could have an internal IP only.
deleted by creator
Thanks, did not occur to me to use a dedicated app for that purpose! Will check that out.
Thread parent’s approach is what I would use as well. It makes lot of sense to isolate something as sprawling and with as large an attack surface as nextcloud… but that implies you can’t use it for public sharing. Any use that that DOES involve public sharing creates an incentive to choose a smaller and more auditable codebase (not that you’ll necessarily audit it yourself, but simplicity does have benefits here).
Another approach I’ve used with semi-public services is to stick them behind a proxy I trust like Caddy or nginx and gate access to them with https basic auth. Basic auth rightfully gets dismissed in many security contexts, but in the case of personal self-hosting it can serve a useful purpose. The proxy handles the basic auth, and no network packets can reach the protected application until basic auth is complete, which completely protects against unathenticated exploits in the protected application (though obviously exploits against the proxy would still work, but major proxies are pretty well hardened). The major downside here is that you can’t really use mobile apps, as none of them support this niche and frankly dubious approach to network access control. But for public sharing, you’re almost certainly having folks use a browser as their client rather than an app, and for the small convenience overhead of the basicauth login you get a pretty significant reduction in unauthenticated attack surface. The app limitation again makes this a poor match for Nextcloud, but a good match for a standalone public filesharing system that you don’t quite trust as much as your proxy.
Edit: If you want to get fancy you could even expose the same Nextcloud instance BOTH via tailscale for your own app use behind a basicauth proxy for semi-public sharing. It gets network protection in both cases, but basicauth is sort of kind of easy enough to grant semi-public access to.
Aren you sharing files to collaborate or just “send things to others?”
You could just setup nginx or apache and put files in a directory that it serves and send the link to your friends.
I run two nextcloud instances for this exact purpose (set up using this role so it’s not more complex to manage than just one instance).
Personal instance on home server, shared instance on rented VPS. When I want to share a file/folder I just copy it to the VPS instance and use the “share by link” feature.
