Tunnel Fracture
Since breaking my leg at the knee a few weeks ago, I have had some time to kill between dozing off on morphine and being in unreasonable pain.
Most of it I have spent fiddling with my NixOS home server setup.
I discovered the lovely resource https://github.com/firecat53/nixos, from which I was able to build myself a modularized multi-host NixOS configuration with SOPS and sops-nix for secrets.
I also managed some data housekeeping, degrading my external 1TB btrfs RAID1 pair to a single-disk configuration, because the other disk died a few months back. I now have a Borg backup running against a Hetzner Storage Box to make up for the missing disk.
In the course of that I discovered I had a bunch of duplicate pictures. I used fdupes to help me with that, and found I had a whopping 200GB of duplicates lying around. Yikes.
I also got Immich and Jellyfin set up, again exposed through Cloudflare Tunnels.
So now my media library is hosted in Jellyfin (instead of NextCloud) and my photo library is hosted in Immich (again, instead of NextCloud).
Next up I might try installing an XMPP server, probably Prosody, to replace NextCloud Talk.
All in all, considering how easy service management is on NixOS, it is starting to feel like NextCloud doesn't have much of a niche left to fill. It tries to be an everything-app, but its plugins just do not measure up to the dedicated services they compete with.
The one thing the dedicated-service approach lacks, and NextCloud has, is consolidated identity management. Perhaps if DIDs got some more love they could fill that gap.
Now, building a more elaborate Cloudflare Tunnel setup has not been smooth sailing. After fiddling for hours with TLS settings across various combinations of Let's Encrypt ACME, nginx, and Cloudflare, I finally had to beat a tactical retreat from my ambition of serving my own services with certificates provisioned on my own server.
However, since our ISP actually provides us with IPv6, I should be able to host my sites directly without any tunnels or NAT port forwarding. I just have to swap our Wi-Fi routers around so that the one that is actually IPv6-capable is the one connected to the uplink. But that's a task for a day when I can more easily navigate the stairs without crutches.