Have you considered something like Tailscale so you can securely access it from outside your home? I've been thinking about spinning up my own home server that way, seeing as Tailscale makes it easy to securely access it from my phone when I'm out and about.
Exposing Home Assistant over it allows me to do things like turn my lights off when I'm away from home, without exposing stuff to the public internet.
https://www.blog.akhil.cc/shelly-dimmer
Before I clicked I thought “man, a single config.nix for his whole system? this is going to be big…” But I’ve continually been surprised how little configuration you actually need to do in nixos. I’ve been planning on configuring Home assistant on an RPi myself, so this will help. Thanks for sharing!
I was just looking into doing something similar after realizing how little my RPi3B+ running only HomeAssistant was actually doing. I'd love to have PiHole and Shelly among others so maybe this route on a RPi4B is the way to go. Thanks for this!
It's not quite the same as a VPN, but in addition to Tailscale and some of the alternatives suggested in other comments, it may be worth looking at using HTTPS client certificates.
Done right, you get a pretty simple second line of defence - you can validate the client has an appropriate certificate (running your own CA is pretty straightforward for small-scale home use or for a small group of users). Without such a certificate, users can't access the web service.
If your goal around a VPN is a second line of defence against the application's own authentication logic failing, client certificate authentication might be worth a look. If your threat model needs to cover a major issue in your web server, you might still want to stick with a VPN-based setup.
(You can of course do both, and bind services to an internal-only IP that you can only reach via a VPN, then have certificate auth on that too if you so desire)
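A worked version of the client-certificate setup described in the comment above, as an added example rather than anything the commenter posted: a tiny home CA, a client certificate issued from it, and the verification check the web server performs. Everything runs offline with stock `openssl`; the file names, the "Home CA" / "phone" subject names, and the nginx paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: minimal private CA for HTTPS client-certificate auth.
# Assumes only a stock `openssl` binary. Names and paths are placeholders.

# make_ca <prefix> <common-name>
# Creates a self-signed CA: <prefix>.key (keep offline) and <prefix>.crt
# (goes into the web server's ssl_client_certificate / CA store).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_client_cert <ca-prefix> <client-prefix> <common-name>
# Key + CSR on the client side, then signed by the CA. The extfile pins the
# cert to client auth and forbids it from acting as a CA itself.
issue_client_cert() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$2.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# verify_client_cert <ca.crt> <client.crt>
# Same check the TLS server does: chains to our CA and is valid for client
# auth. Returns 0 on success, non-zero otherwise (certs from any other CA
# fail here, which is the "second line of defence" the comment describes).
verify_client_cert() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# bundle_for_phone <client-prefix> <password>
# Phones and most browsers import key+cert as a PKCS#12 bundle.
bundle_for_phone() {
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" \
    -out "$1.p12" -passout "pass:$2"
}

# nginx_snippet prints the server-side half (assumed paths): nginx rejects
# the handshake when no certificate from our CA is presented.
nginx_snippet() {
  cat <<'EOF'
ssl_client_certificate /etc/nginx/home-ca.crt;
ssl_verify_client on;
ssl_verify_depth 1;
EOF
}

# Stand-alone demo: issue a cert, verify it, and show a foreign cert failing.
demo() {
  d=$(mktemp -d)
  make_ca "$d/home-ca" "Home CA"
  issue_client_cert "$d/home-ca" "$d/phone" "phone"
  make_ca "$d/rogue-ca" "Rogue CA"
  issue_client_cert "$d/rogue-ca" "$d/intruder" "intruder"
  verify_client_cert "$d/home-ca.crt" "$d/phone.crt" && echo "phone: accepted"
  verify_client_cert "$d/home-ca.crt" "$d/intruder.crt" || echo "intruder: rejected"
  rm -rf "$d"
}
```

Run `demo` to see the accept/reject pair; `nginx_snippet` prints the three directives that turn verification on for a server block. The CA key never needs to touch the server, and a lost phone is handled by issuing a new cert from the CA (or rotating the CA for a one-client setup) rather than by touching the application.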
The headache I find with client side certs is that it's annoyingly common for client side apps to have their own CA store which you have to track down and install your CA.crt in.
I just stumbled on a self hosted project similar to tailscale: https://github.com/gravitl/netmaker. There is also https://github.com/juanfont/headscale which is an open sourced implementation of the Tailscale coordination server. Tailscale "just works" and makes things incredibly easy for personal use, but it's awesome that there are also similar self-hosted options out there
(Repo owner here) I'm planning to build my own router with OpenWRT and install Wireguard on it, however due to the chip shortage I can't get the hardware for a reasonable price yet. Netmaker looks amazing, I need to play with it.
ZeroTier is certainly another viable alternative, but their self hosted option still relies on the ZeroTier root servers (you can self-host roots, but they don't support removing theirs [1]), and their licensing for the self hosted product is more restrictive than something like netmaker.
I'm using Tailscale on my home network. Right now my two most interesting use cases are 1) I have it installed on my Home Assistant VM so I can access it wherever I am without having to futz with internal vs external URLs, and 2) I have a few Raspberry Pi's scattered around the house running zwavejs2mqtt which doesn't have any authentication built in (i.e. anyone on my wifi could theoretically mess with my zwave network). I told it to listen on each Pi's Tailscale address and use ACLs to lock it down so just Home Assistant can talk to the websocket API.
Isn't headscale a clearly better option, since it removes the need to trust and depend on external sources? It's the same software essentially, but if we're talking about self hosting, headscale is just inherently better, since it actually is self hosted.
Normally I would prefer a Go implementation given the option (especially since this is network focused), but I was surprised to see that the Go implementation of WireGuard (not headscale, just the vanilla wireguard-go) is considerably slower than the Rust or C version.
The rust version (not that I'm that rust guy) may be the optimum for maintainability/readability and speed.
I found the Tailscale Android app to take quite a big hit on my battery when used as an always-on VPN, so I use cloudflared on a VPS to create a Google authenticated tunnel to home assistant (over Tailscale).
They solve different problems. Tailscale basically allows you to ignore any NAT topologies separating you from your machines. You can have a pseudo local network of your machines behind a VPN, allowing SSH to any machine with zero routing issues. And it’s incredibly seamless. I’m a big fan.
But in this model wouldn't you control the NAT config? You're already running servers, so outside access isn't an issue. I dunno, OP is running that "Cloudflare tunnel" thing for exposed ports so maybe there's something I don't know, or that the internet connection is still some consumer thing that prevents or forbids running servers.
Actually, now that I look closer they aren't running their own email, so maybe this really is primarily a mostly-internal-access project. I do like those SFFs tho!
The difference vs SSH for me (using plain WireGuard but achieving the same thing) is that I can set up my phone with always-on VPN to home and then wherever I am I'm effectively on my home network. I can access all my home-hosted services in my browser, securely access IoT things that can't talk to the open internet, use my home-hosted DNS rather than my mobile provider's, etc. I do use ssh over that connection (with Termux) to talk to servers, ofc.
NAT busting is a plus. Avoid needing DDNS and opening a port. Also easier setup for accessing other stuff on the network via that computer vs up/down rules with a standard wg config.
For a small setup that's the big thing, but for anything a little more it does key rotation, handles IPs for you, and offers "magic DNS" which makes all the devices get a nice DNS address when Tailscale is on.
NAT busting is a minus. If apps can create holes in your network and “bust your NAT,” your network is not well secured; you should disable UPnP and filter egress.
Also, you gain simplicity but give up control to coordination servers, which can be a privacy and security problem.