• 0 Posts
  • 43 Comments
Joined 1 year ago
Cake day: February 9, 2025




  • 2024 was the year I got more serious with self hosting and migrating away from the cloud offered by Google etc. But 2025 was the year I pushed to run all my own services and get the family on board as well; trying to educate my kids with running our own services (the wife is so not interested!).

    There were some really cool projects released last year and some oddly well-timed ones as I was looking for various services, and Jotty was one of those!

    Thanks so much for your work and rest assured amongst the negativity you may receive in certain corners of the web, there are people truly appreciative of your hard work, and that of others like you.



  • Pangolin is a reverse proxy, so it can forward a URL to any backend service on any port. But you’re right in that you have to be signed in on the browser you access it on. Therefore an app won’t directly work without prior login. You can create a ‘shareable link’ in Pangolin, which I use for the Immich app. This gives me header tokens that the Immich app can take in its advanced settings, and that’s how that one works.

    I’ve recently moved away from dedicated apps for mobile services and toward web-based access for most things (I use Music Assistant in browser). This isn’t perfect for everything and everyone, but I realise now with your question that it’s worked well for me transitioning to Pangolin (and at least Immich app works).



  • If today’s outage is anything to go by, you’re better off not using Cloudflare!!

    I have continued to use it for public websites so that, in my thinking, at least the Cloudflare network is scrutinising who is accessing my webpages in case of attacks etc.

    Pangolin is a simpler cloud reverse proxy, whereas Cloudflare has more bells 'n whistles for quick-set security. You just need to harden your VPS that Pangolin runs on. You can activate CrowdSec etc. on it as well.

    I run mine on a Hetzner VPS which has a nice firewall feature in the control panel securing the VPS ports for SSH and Pangolin tunnel to my home IP. Then it’s only ports 80 & 443 exposed. And I think from memory Pangolin doesn’t play nicely with UFW (well, Traefik doesn’t).


  • I only started using Cloudflare tunnels recently, but I’m now using the self hosted alternative Pangolin on a VPS for private services, and I keep the Cloudflare tunnel for public web hosting, i.e. WordPress. This also allows easy restriction to the WordPress login page for other users via Google auth etc. which is something very simple with CF.

    Having split up my private/public services to separate tunnels also means I don’t stand the chance of taking the public services offline with my constant tinkering of Pangolin and the VPS it runs on.

    I have pushed the CF tunnel for file transfers occasionally (which is against their terms), but it hits remarkable speeds for a ‘free’ service.





  • Yeah, Caddy was working fine, but the issue was me tinkering with it meant having to reload Caddy for the updated config to work, and that would break any connections people were using for file transfers etc. Also, it isn’t as quick for reverse proxying file transfers.

    Therefore trying to run private and public services through it was limiting when I was also trying to tweak it constantly for my homelab.

    I’ve found Traefik to be better in that it auto reloads the config live as you edit it, and it’s been faster for file transfers on my 1Gbps fibre.

    And now I’ve split my services to separate public/private reverse proxies, that takes the pressure off having to keep one proxy always live. Pangolin uses Traefik, and so do I for my direct services through my firewall, and that makes life easier when only dealing with one type of proxy service.


  • I too am using a Cloudflare tunnel for my public facing services (such as WordPress), and that also allows you to put the WP login page behind another auth login as well which is great for security, so I do also vouch for Cloudflare.

    I’m using Pangolin for private services on a VPS.

    Plus, I have one service that is direct to my home IP for file sharing to one particular remote IP that is the only service directly through my firewall.

    Therefore I have 3 ways my services are accessed and this has been the game changer for me recently, as previously I tried to run all this through one Caddy reverse proxy directly to my router and it gets painfully fragile mixing public/private services through one bottleneck when you’re tinkering as a selfhoster. So splitting it up has helped massively.

    Good tip with the Cloudflare alts though!



  • I ran Blue Iris, but despite my love for it, my disdain at having to run it on Windows made me move away. You can run it still in a VM, but it’s not ideal, and also not meeting your requirement of moving off Windows.

    I would recommend Home Assistant with Music Assistant for music playback of local library files, and that gives you a web page controller. I see Home Assistant also integrates iSpy DVR. No experience of iSpy, but the Music Assistant integration is superb. I use it to stream all music at home for the family to Chromecasts etc and this way everyone just accesses the same web portal.

    Home Assistant can be Docker or its own OS.



  • You can sub to Tidal through a VPN for a cheaper deal. I get a family package through Slovakia for €10/month. Spotify block that kind of thing.

    The Tidal app isn’t a patch on others, but I’d sooner have nothing than pay for Spotify ever again.

    I like that Tidal has Dolby Atmos music as well, and some tracks sound awesome on my home theatre.

    To add, I’ve no experience of YT music though.


  • q7mJI7tk1@lemmy.world to Selfhosted@lemmy.world · Beyond Pi-Hole · 4 months ago

    I love it. I started with pfSense, then really liked Untangle for its ease of use, then went (back) to OPNsense and preferred that for the fact it could run Caddy internally as a reverse proxy and was fast, but I was a bit frustrated at wanting to do more with it and needing to research everything. I already had Unifi APs and decided that it just made sense to have a Ubiquiti router. I’ve found it stable, easy to use with good feature updates, and have also just paid for the annual Cybersecure add-on which is reporting loads.


  • q7mJI7tk1@lemmy.world to Selfhosted@lemmy.world · Beyond Pi-Hole · 4 months ago

    I was being too simplistic in my other reply. I was referring to basic router based DNS and NextDNS as the upstream resolver.

    I don’t have an answer for hard coded DNS when it comes to NextDNS, which is essentially an upstream resolver with block lists functionality.

    And to be honest, I misinterpreted OP’s original question which was to take PiHole to the next level, whereas NextDNS is an alternative to it.

    I can run app based routing and blocking on my router, but whether that would restrict DNS for those services I don’t know.

    Thanks for the clarification, you’ve got me wanting to pursue more DNS control now!