this post was submitted on 06 Mar 2025
26 points (96.4% liked)

Selfhosted

43537 readers
655 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
26
CalDAV Server Without Exposing Server? (lemm.ee)
submitted 2 days ago by ClownsInSpace2@lemm.ee to c/selfhosted@lemmy.world
23 comments fedilink hide all child comments
 

I self-host a couple of services, but I haven’t exposed anything outside my home network. I want to self-host my calendar, but not sure if I can do it without exposing it. Any recommendations on the best way to go about this? For those who do self-host a calendar service, how do you keep it secure?

top 23 comments
sorted by: hot top controversial new old
[–] dingdongitsabear@lemmy.ml 2 points 1 day ago

unless you really need it, set up sync to work only on your home network. you enter a new event when away and it stays on your device.

once you get home, it then syncs with radicale/syncthing/nextcloud/whatevers.

[–] oldfart@lemm.ee 3 points 1 day ago

Unless you live a very dynamic lifestyle that requires your calendar to be 24/7 synced, you can just use whatever server software you like, make it listen in LAN only, and have your devices sync when they're at home.

DecSyncCC and Syncthing is another option.

[–] tapdattl@lemmy.world 11 points 2 days ago (1 children)

I think the general consensus for homelabbers is a mesh network -- Tailscale and Netbird are the two most popular options

[–] tekeous@usenet.lol 6 points 2 days ago

Radicale is the GOAT and supports authentication. Or you can just run it on a LAN behind a firewall.

[–] ChillPill@lemmy.world 6 points 2 days ago

VPN is the way to go if you're not sharing it with a bunch of people

[–] reboot6675@sopuli.xyz 4 points 2 days ago (1 children)

Related question, what CalDAV server are you using? Been looking for something lightweight

[–] hendrik@palaver.p3x.de 3 points 1 day ago

I think Baikal or Radicale would be the usual contenders for that

[–] Nomad@infosec.pub 1 points 1 day ago

If you want sync to your phone, just set up a VPN. Now your phone and mobile computer can always access your services. I use SoGO, it has calendar hosting, authenticated sync which you can use with davx on android and the web interface is basic but usable. You can also enable mail, tasks and contact sync all in one.

[–] enemenemu@lemm.ee 4 points 2 days ago* (last edited 2 days ago) (1 children)

I run nextcloud on my machine. If there's a crack, there would be one in their hosted instance as well. There's nothing really I can do about security of it.

[–] higgsboson@dubvee.org 2 points 2 days ago (1 children)

I do not expose Nextcloud to the internet. I use dnsmasq to give LAN clients the private IP. If I need to access NC from elsewhere, there's VPN for that.

[–] enemenemu@lemm.ee 1 points 2 days ago

Sounds like a good solution as well

[–] Selfhoster1728@infosec.pub 3 points 2 days ago (2 children)

mTLS with a reverse proxy!

[–] cmg@infosec.pub 3 points 2 days ago (1 children)

What caldav clients supports that?

I’d recommend the Tailscale style approach. MTLS is a pain imo without infrastructure and especially on the app layers

[–] Selfhoster1728@infosec.pub 1 points 2 days ago* (last edited 2 days ago)

Tailscale is simpler but when you're accessing from devices behind VPNs like I do mTLS is a lifesaver.

I use DAVx⁵ for caldav (supports mTLS)

I find mTLS cool too :P

In terms of being a pain it's not that bad with nginx in my opinion. I can just build my own certificate for each service I expose or you use a common one, giving read only access to the key for my nginx containers and in two lines in the .conf it's sorted.

[–] ClownsInSpace2@lemm.ee 2 points 2 days ago (1 children)

This is the first time I’ve heard of mTLS. Sounds interesting, any tutorial recs?

[–] Selfhoster1728@infosec.pub 1 points 2 days ago (1 children)

Not any in particular but mTLS is essentially just a reverse proxy (like nginx) asking a client for a certificate to be able to access the service behind it.

There are quite a few guides out there, so choose one for your reverse proxy of choice!

[–] suzune@ani.social 2 points 1 day ago (1 children)

So it's the good old client certificate authentication?

[–] Selfhoster1728@infosec.pub 2 points 1 day ago

yep

In my opinion it's the best solution because there's a really low attack surface plus it makes it easy to control which device has access to which services.

[–] wildbus8979@sh.itjust.works 3 points 2 days ago (1 children)

Who do you want to have access to said calendar?

[–] ClownsInSpace2@lemm.ee 1 points 2 days ago (1 children)

Just myself, but I would like to keep it synced between my phone and my laptop while also keeping a backup.

[–] wildbus8979@sh.itjust.works 4 points 2 days ago

Then you should really look into setting up a personal VPN. After that what you use to do calendar becomes irrelevant in terms of access.

[–] tenebrisnox@feddit.uk -1 points 2 days ago

Could you set up a Cloudflare tunnel and make sure the security rules are tight enough to keep others out?