I would like some ideas or suggestions as I am not sure how to continue with self hosting.
I want to self host images and caldav, maybe documents later as well. These would need to be continuously available to PC clients and Android. There would be a handful of users maximum.
The obvious (?) solution would be Nextcloud, which would do everything I need.
My problem is that I have only one public IP address and the HTTP and HTTPS ports are already in use by Apache.
The second problem is that I already use wireguard to another location, and Android cannot connect simultaneously to several wireguard endpoints. At least as far as I know.
Below, I list the approaches I have considered and the problems / drawbacks I see.
Please comment if I am wrong about something here.
At the moment I am looking at option 4.
Any comments are welcome!
Option 1. Nextcloud AIO publicly available through HTTPS
It needs the HTTP & HTTPS ports which are in use. Otherwise, this would be the go-to for me.
Option 2. Nextcloud AIO through wireguard
I would have to switch between two wireguard instances on Android. There would probably be continuous connection errors and sync problems on apps that try to connect to either location (nextcloud and davx5 for example).
Setup would be a bit compilated for me. AFAIK, I would have to set up a local DNS, self made certificates and a reverse proxy for the Apache server.
Setup would be complicated for all other users as well and require wireguard and manually installed certificates.
Option 3. Nextcloud AIO with tailscale
Setup complicated like #2 and then some?
I have no idea if it works while using the android wireguard app for the other connection I need.
Option 4. Radicale and Ente publicly available
As far as I know, these run on special ports that are not 80 or 443.
Server setup would be slightly complicated.
Client setup would be simple.
Document sync I would have to figure out later (maybe just syncthing or otter setup?).
Your existing Apache setup can be used as a reverse proxy. The idea is, you setup those other services (eg, next cloud or radicale) on other systems, or on the same system with different ports. Then when you access some URL, eg https://yourhomenetwork.com/radicale, Apache acts as an intermediary and returns the service at http://127.0.0.1:8080/radicale. No additional open ports needed. No additional certificates needed.
Apache can even be configured to respond to requests differently if they're coming from the internet or from wireguard. Say if you wanted to deny all traffic from the internet and only access it from your VPN, or if you wanted to conditionally apply a password.
You can also use Apache to host multiple domain names, or sub domains, from the same IP address and ports (the feature is called "vhost"). That may require multiple SSL certificates though. (EDIT: If youre using a wildcard certificate, you can host multiple sub domains from that one certificate)
You've got options though, and you don't need to break what you've already got :)
Can't you use a wildcard SSL cert for subdomains? (*.mydomain.com)
Absolutely! Yes you can :) Good point, and I will now change my comment for greater accuracy.