My personal cloud server upgrades

About a year ago I decided to revamp my personal cloud. The main objectives were to make it more manageable and to use as many pre-made software suites as possible instead of maintaining my own. This article is about what software I chose, which software it replaced, and why. Oh, and of course, I’ll start with hardware.

Hardware and Performance Considerations

old solution: Thinkpad X200 + ultrabase
new solution: Thinkpad T430
other considerations: RockPro64, Kobol Helios64

Sadly there’s no way to get a Kobol Helios64 NAS: it was discontinued when the pandemic started, and I learned about it too late.

Originally my personal cloud ran on a Libreboot-powered Thinkpad X200. I loved the machine, but since the setup lives in my room and the Core 2 Duo CPU was showing its age, being both noisy and slow, I had to figure out a better approach. For a long time I’d wanted to switch to the ARM-powered RockPro64 with its official NAS enclosure; it ticked all the boxes. In the end, however, I found a cheap deal on a Thinkpad T430, which I fixed up and flashed with Coreboot. So that’s the hardware now, and I don’t think any ARM board can match it:

  • Core i5 3320M - I capped the CPU at its minimum frequency, as that’s enough and probably still faster than a RockPro64 or even an RPi4
  • 16 GB of RAM - I don’t think there is an ARM board below 200 eur with this much RAM (most of it is taken by the ZFS ARC in my case, but only until more services are deployed)
  • battery backup - lasts about 10 hours without mains power. Not that the time matters much, but it’s nice to know it can outlast a full-day outage here, and it is connected to my workstation’s UPS as well. A bit of overkill, but it didn’t cost me anything extra.
  • 2x SATA + 1x mSATA interface + SD card slot - again, I don’t know of an ARM board that has all of this
  • cost below 100 eur - extremely low for the value I am getting
  • power consumption configured to 10-15 W - total energy consumed per day is 0.25 kWh, only slightly above what a RockPro64 with 2 SATA drives would consume, and that would have worse performance
  • silent operation - most ARM boards can do this, just not at these performance and memory levels

The platform

old solution: Linux Debian
new solution: Docker on Debian
other considerations: Podman, Kubernetes, Parabola Linux

First up, the glue that holds it all together. Initially I was looking at Kubernetes and some underlying OS to run this setup on. However, I quickly gave up on it due to its complexity and because I don’t need to solve any of the problems that Kubernetes addresses (like high availability, at the price of an insanely heavy abstraction). I have one site and only limited services running on a backup site (a tiny VPS somewhere). I also want to keep this as Libre-software-compliant as possible.

The File system

old solution: ext4 on lvm on luks
new solution: zfs on luks
other considerations: btrfs on luks, ext4 on lvm on mdadm on luks

At first my setup wasn’t ready to take 2 disks; only later did I buy an ultrabase for the Thinkpad X200, into whose ultrabay I installed an extra SSD. I wanted a filesystem with data integrity guarantees (despite not having ECC RAM, this is still better than no guarantees at all). At first I tried btrfs and ran it for a couple of months before I had enough time to switch over to ZFS. I’d always wanted to try a btrfs mirror on encrypted storage, and while it works, I wasn’t happy with the overall behavior and felt much more at home with ZFS. I may switch to native ZFS encryption sometime in the future because of its better send/receive capabilities towards untrusted backup sites: a raw send ships the encrypted blocks as they are on disk, so the backup host never needs the key, whereas with LUKS underneath, a zfs send stream is plaintext.

The other reason LUKS is used is that I started this migration on the Thinkpad X200, whose CPU has no AES acceleration (AES-NI). I used Adiantum in LUKS, which is designed for exactly that case, to keep the storage usable at 1 Gbps network speeds. When I switched to the T430, I changed it to AES with as few changes as possible.
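The cipher choice above is a decision that can be made from the CPU flags. The script below is an added example, not the author’s own tooling: it picks Adiantum when the `aes` flag is absent (Core 2 Duo class) and AES-XTS when it is present (i5-3320M class), and prints the matching luksFormat command instead of running it. `/dev/sdX`, the `tank`-style names and the constructed flag list are placeholders.

```shell
#!/bin/sh
# Added example (not the author's script): choose the LUKS cipher from the CPU's
# capabilities. No AES-NI -> Adiantum, AES-NI -> AES-XTS. /dev/sdX is a placeholder.

# pick_luks_cipher FLAGS -> prints "<cipher> <key-bits>"
# FLAGS is the 'flags' field of /proc/cpuinfo, passed in so the logic is testable.
pick_luks_cipher() {
    # Pad with spaces so "aes" matches only as a whole flag (not e.g. "vaes").
    case " $1 " in
        *" aes "*)
            # AES-NI present: aes-xts-plain64, 512-bit key = two 256-bit XTS keys
            echo "aes-xts-plain64 512" ;;
        *)
            # No AES-NI: Adiantum (XChaCha12 + AES, Linux >= 5.0), 256-bit key
            echo "xchacha12,aes-adiantum-plain64 256" ;;
    esac
}

# luks_format_cmd DEVICE FLAGS -> prints the luksFormat command; does not run it.
luks_format_cmd() {
    dev="$1"
    flags="$2"
    set -- $(pick_luks_cipher "$flags")
    echo "cryptsetup luksFormat --type luks2 --cipher $1 --key-size $2 --sector-size 4096 $dev"
}

# Moving from Adiantum to AES later is not a header edit: the data has to be
# re-encrypted in place, which LUKS2 can do online:
#   cryptsetup reencrypt --cipher aes-xts-plain64 --key-size 512 /dev/sdX
# Verify with `cryptsetup luksDump /dev/sdX`; compare throughput with
# `cryptsetup benchmark` before deciding.

# Use the real flags on Linux; fall back to a constructed no-AES-NI list elsewhere.
if [ -r /proc/cpuinfo ]; then
    cpu_flags=$(awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo)
else
    cpu_flags="fpu vme sse2 ssse3 sse4_1"   # constructed: a CPU without AES-NI
fi
luks_format_cmd /dev/sdX "$cpu_flags"
```

The check is deliberately on the `aes` flag rather than on a benchmark: AES-XTS without AES-NI can fall below line rate on an old laptop CPU, which is the situation the paragraph describes, while Adiantum is built for that hardware. Run `cryptsetup benchmark` on the actual machine to confirm before formatting.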

Calendars, Contacts, Tasks

old solution: radicale
new solution: mailcow/SOGo
other considerations: Nextcloud

Radicale was simple and easy to understand, but it was extra software that required maintenance (and I kept forgetting how it works). SOGo and Nextcloud both provide its functionality, so I went with SOGo as I hadn’t decided on Nextcloud yet; I was fiddling around with Seafile at that time. If I am ever able to eliminate SOGo because of how buggy it can be, I will have CalDAV/CardDAV in Nextcloud.

File Synchronization

old solution: unison/rsync
new solution: nextcloud
other considerations: Seafile, WebDAV in nginx

The main reason for choosing Nextcloud was its mobile app. No other file sync service’s mobile app has the automatic upload of arbitrary files that Nextcloud’s has. Later I started using more Nextcloud features, like PhoneTrack, which allowed me to disable Google’s location tracking completely (hopefully) while still having my trips tracked somewhere. I also use it for syncing browser bookmarks, with an app on Android and Floccus on the desktop, which works in any major browser including Firefox: I can use multiple browsers and have bookmarks available and synced between them and on my phone as well.

File Sharing

old solution: random PHP script
new solution: rustypaste

This was a switch from an ugly script, which was actually the last thing to require php-fpm on my server, to something that works flawlessly, is designed for this purpose and eats practically no resources. Very happy with the switch, and the developer of the tool is great.

Password Management

old solution: password store
new solution: vaultwarden
other considerations: keepass+some sync, nextcloud passwords

I actually started on KeePass, back when I didn’t even have a server. Later I migrated to password store (pass) as I liked its Unix philosophy. But I ended up on Vaultwarden (a Bitwarden-compatible server written in Rust) because of how complete and flawless it is. It has a nice web UI, extensions for all major browsers and a great mobile app. I use it to store product keys for purchased software as well as personal notes and … poems, which I won’t publish.

Project Management/git

old solution: git over SSH, random websites/downloads
new solution: gitea
other considerations: gitlab, gogs

This one was simple: Gitea seemed the most popular and well-maintained, is simple, and does everything I need. GitLab is heavier than Gitea and gives me no benefits over it.

Communications/E-mails

old solution: dovecot + postfix, accessed over IMAP from client devices
new solution: mailcow
other considerations: mail-in-a-box, zimbra, iredmail

The main reasons for the change were that I needed EAS (Exchange ActiveSync) and a nice web UI for configuration. I recommended mailcow to friends as well and they’ve been happy with it. mailcow was very straightforward to set up via docker-compose. Sadly, Android’s EAS clients seem buggy in the most mysterious ways, so in the end I am still using IMAP and investigating subtle EAS issues such as mails and calendar events disappearing on Android clients (tried Gmail and Samsung Mail).

Communications/Instant Messaging

unchanged solution: weechat+bitlbee+signald+irslackd

This setup works so nicely, and I put it together in such a way, that I am not willing to touch it anytime soon. It aggregates all my messaging services: IRC, Signal, Telegram, Steam, Messenger, Hangouts, Slack. I don’t need a ton of messaging apps on my phone; everything is handled through the Weechat-Android app. One more interesting fact: the website or app for any single one of those services usually consumes more CPU and RAM than this whole setup combined.

Smarthome

new solution: Home Assistant

Not much research went into this; Home Assistant seemed like the straightforward choice.

Monitoring

new solution: Zabbix

I have too much experience with Zabbix and never properly tried anything else. Plus it got a lot better in recent versions, which completely killed any motivation to migrate away from it. I don’t particularly like it, but it’s easy and it works.

Other software and utilities

  • nginx - a bit of glue for all this. I haven’t migrated to something more Docker-friendly because I still have a lot of stuff waiting to be dockerized. This is the part of my setup that terminates the actual TLS connections from the outside.
  • acme.sh - this is how I manage all TLS certificates. I do not have it properly integrated into the (dockerized) setup due to a lack of motivation. It’s been working for years, so I am unwilling to change anything about it.
  • nsd - the authoritative name server of choice for all my domains. It serves DNSSEC-signed zones as well, which I have scripts for. I have been using it for years.
  • unbound - the recursive counterpart to nsd. Not specific to the personal cloud, but it’s what I use for this purpose.
  • r2e - rss2email, to send me articles from my favorite sites/RSS feeds via e-mail. I heavily use e-mail, so this is where I pay attention to what’s going on.
  • sanoid+syncoid - very comfy snapshotting and incremental backups for ZFS. I have it set up to keep 3 monthly, 3 weekly, 3 daily and 24 hourly snapshots of my data (and only data; everything else is excluded from this). It’s quite a time machine.
  • hugo - builds this site from .md files
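The sanoid+syncoid item above describes a retention policy in prose. Below is an added example, not the author’s configuration: the sanoid.conf that expresses exactly those counts for a single data dataset, plus a small check that counts sanoid’s `autosnap_*` snapshots per type from `zfs list` output and flags a type that exceeds its limit, which is how you notice that pruning has silently stopped. The dataset name `tank/data`, the template name, the backup host and the snapshot list are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the author's config): sanoid retention policy of
# 24 hourly / 3 daily / 3 weekly / 3 monthly for the data dataset only,
# and a check that the retained snapshot counts actually respect it.
# 'tank/data', 'backup@vps.example' and the sample snapshots are placeholders.

# Emit /etc/sanoid/sanoid.conf. Only the data dataset is listed, so the
# root/system datasets are excluded from snapshotting, as in the text.
gen_sanoid_conf() {
    cat <<'EOF'
[tank/data]
        use_template = personal
        recursive = yes

[template_personal]
        frequently = 0
        hourly = 24
        daily = 3
        weekly = 3
        monthly = 3
        yearly = 0
        autosnap = yes
        autoprune = yes
EOF
}

# Off-site copy with syncoid reuses these snapshots; no extra sync snapshot needed:
#   syncoid --no-sync-snap tank/data backup@vps.example:backup/data
# With native ZFS encryption, add --sendoptions=w so the VPS only ever sees ciphertext.

# count_snapshots DATASET TYPE < list : number of sanoid snapshots of TYPE on DATASET.
# The list is `zfs list -H -o name -t snapshot` output, one name per line, e.g.
#   tank/data@autosnap_2024-03-01_00:00:00_hourly
count_snapshots() {
    grep -c "^$1@autosnap_[0-9-]*_[0-9:]*_$2\$" || :
}

# check_retention FILE DATASET TYPE LIMIT : succeeds if count <= LIMIT.
check_retention() {
    n=$(count_snapshots "$2" "$3" < "$1")
    [ "$n" -le "$4" ]
}

# Constructed snapshot list: 26 hourly (two more than the policy allows, as if
# autoprune had stopped), 3 daily, 2 weekly, 3 monthly, plus one snapshot on the
# pool root that must not be counted against tank/data.
sample_snapshot_list() {
    i=0
    while [ "$i" -lt 26 ]; do
        printf 'tank/data@autosnap_2024-03-%02d_%02d:00:00_hourly\n' $((1 + i / 24)) $((i % 24))
        i=$((i + 1))
    done
    printf 'tank/data@autosnap_2024-03-0%d_00:00:00_daily\n' 1 2 3
    printf 'tank/data@autosnap_2024-02-%d_00:00:00_weekly\n' 19 26
    printf 'tank/data@autosnap_2024-0%d-01_00:00:00_monthly\n' 1 2 3
    printf 'tank@autosnap_2024-03-01_00:00:00_hourly\n'
}

# Demo on the constructed list; on the real box feed it
# `zfs list -H -o name -t snapshot` instead.
tmp=$(mktemp)
sample_snapshot_list > "$tmp"
for t in hourly:24 daily:3 weekly:3 monthly:3; do
    type=${t%:*}; limit=${t#*:}
    if check_retention "$tmp" tank/data "$type" "$limit"; then
        echo "ok   $type: within $limit"
    else
        echo "WARN $type: $(count_snapshots tank/data "$type" < "$tmp") > $limit snapshots, is autoprune running?"
    fi
done
rm -f "$tmp"
```

Running the demo prints a WARN line for `hourly` and `ok` for the other three. The count deliberately anchors on the dataset name, so snapshots of the pool root or of sibling datasets do not hide or inflate a problem on the one dataset the policy covers.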