Nextcloud to replace Dropbox for a remote video editor

gyorfitam

Dabbler
Joined
Jan 20, 2021
Messages
20
Hi Everyone,

I'm planning to set up my own Nextcloud storage to replace Google Drive/Dropbox/etc. I have a few questions about this:
- Is it possible to use an external (USB 3.0) SSD as the storage for the cloud? I would like to use 4 HDDs as my local RAID storage and the USB SSD would be only for the cloud (but connected to the same computer). Generally speaking I'm expecting big files (tens of GB or more) to be uploaded by my clients from a remote location (so through the internet), I would only upload the finished video files that are typically under 2GB so I assume it's good that my download speed is quite nice. The important part is that the client should be able to upload it to this external SSD (that is physically in my room) through the internet and I want to have easy access to it through my LAN so I can copy it to the editing PC.
- Is it possible to set this up with a normal home broadband with a basic router? If you need a better router, what is the minimum you would recommend? I just measured the available speed right now and it's around 530 Mbit/s download / 37 Mbit/s upload. What kind of speeds can I expect out of this setup?
- 8GB RAM and a 2C/4T i3 CPU enough for this? The more demanding tasks (so clients uploading) are only going to happen here and there, not all the time.

Thanks in advance :smile:
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
- Is it possible to use an external (USB 3.0) SSD as the storage for the cloud?
That's possible (although USB is introducing a factor that will likely have you regretting it at some point). An internal NVME M.2 drive would be a better answer.

Are you concerned that your Internet connection will be too fast for the RAIDZ pool? I would doubt that, so maybe consider not using the additional drive.

If you're concerned about not exposing the contents of the RAIDZ to the Internet, you need to consider the overall security of your system and don't be worried about access to only one of your pools... if somebody can maliciously access one of your pools (USB, NVME, RAIDZ or whatever), you're already exposed and they can probably see your whole system... the idea is to prevent malicious access entirely (or as best you reasonably can) with a firewall, reverse proxy and properly secured access (like using the Nextcloud option for 2-factor auth).

- Is it possible to set this up with a normal home broadband with a basic router? If you need a better router, what is the minimum you would recommend? I just measured the available speed right now and it's around 530 Mbit/s download / 37 Mbit/s upload. What kind of speeds can I expect out of this setup?
I would recommend something with a proper firewall (so depends on your broadband provider if that's their default kit or not). pfSense can be installed on appropriate hardware with 2 Network interfaces in order to do the job correctly if your ISP doesn't. DD-WRT is also an option to put proper firewalling in place with a consumer router, but may struggle to route 500Mbits reliably unless you go with really new hardware (make sure to check their compatibility matrix before buying anything).

- 8GB RAM and a 2C/4T i3 CPU enough for this? The more demanding tasks (so clients uploading) are only going to happen here and there, not all the time.
For a Nextcloud instance to have some room to do its work, I would recommend going above the minimum required RAM of 8GB and opt for 16GB instead. That CPU is fine (assuming you get a board and RAM that are appropriate for TrueNAS).
 

gyorfitam

Dabbler
Joined
Jan 20, 2021
Messages
20
Thank you for your comprehensive answer. Now I see more clearly what I should do.
If you're concerned about not exposing the contents of the RAIDZ to the Internet
That's the main reason for me but in this case, I can think about something else. Let's say someone can maliciously access one of my pools so they probably see the whole system. Does this only apply to that particular system or the whole home network with all the connected devices? If it's the first then I can even think about setting up a mini PC with one HDD for this cloud separately so it would be separated from my main NAS, our computers, phones, etc.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Let's say someone can maliciously access one of my pools so they probably see the whole system. Does this only apply to that particular system or the whole home network with all the connected devices?
If your system security is breached, you can consider that whole system to be accessible (via privilege escalation) and from there, anything in your network not well protected is also up for grabs. For this reason, systems exposed to the internet (even via reverse proxy) will often be placed in a DMZ network, which is limited in access differently to the rest of the network by the firewall (although don't confuse that with the DMZ host feature on some consumer routers, which basically sends all incoming internet traffic to one port).

As long as you're not working on secret material that governments would be interested in getting their hands on, most of what you need to do is ensure you're following standard security best practice like patching your systems and putting in place an appropriate level of safeguard (as I mentioned, like reverse proxy behind a firewall and implementing 2-factor authentication).

If somebody (or some government) is determined enough to get through your security measures, there's not a lot you can do about it if you want things to be accessible on the Internet, so all you would really be trying to do is block/frustrate most hacking attempts that arrive at your door with a good indication of defense; that's sufficient for most private individuals and small companies. Almost all hacking is done using well known attack vectors (automatically via scripts) that could have been patched if the owner were paying attention.
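
An added example (not part of the thread or written by either poster): a small Python model of the DMZ point in the reply above, comparing what a compromised Nextcloud host can reach when it sits on the home LAN versus in a firewalled DMZ. The addresses, ports, host inventory and rule set are constructed assumptions, and traffic between hosts on the same subnet is treated as never passing through the firewall.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")     # constructed addressing plan
DMZ = ip_network("192.168.50.0/24")    # constructed addressing plan
NEXTCLOUD_DMZ = ip_network("192.168.50.10/32")

# Inter-subnet firewall rules: (source, destination, port or None for any, action).
# First match wins; anything unmatched is denied.
RULES = [
    (ANY, NEXTCLOUD_DMZ, 443, "pass"),  # internet and LAN may reach Nextcloud over HTTPS
    (DMZ, LAN, None, "block"),          # the DMZ may never open connections into the LAN
    (LAN, DMZ, 22, "pass"),             # admin SSH from the LAN into the DMZ
]

# Constructed inventory of LAN services worth protecting: name -> (address, ports).
SERVICES = {
    "nas": ("192.168.1.20", [445, 22]),
    "editing-pc": ("192.168.1.30", [445]),
}

def allowed(rules, src, dst, port):
    """Evaluate the routed path: first matching rule decides, default deny."""
    for src_net, dst_net, rule_port, action in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action == "pass"
    return False

def same_subnet(a, b, subnets=(LAN, DMZ)):
    """Hosts on one subnet talk through the switch, so no firewall rule applies."""
    return any(a in net and b in net for net in subnets)

def blast_radius(foothold_ip, rules=RULES):
    """Return the (host, port) pairs reachable from a compromised host."""
    src = ip_address(foothold_ip)
    reachable = set()
    for name, (addr, ports) in SERVICES.items():
        dst = ip_address(addr)
        for port in ports:
            if same_subnet(src, dst) or allowed(rules, src, dst, port):
                reachable.add((name, port))
    return reachable

def flat_vs_dmz():
    """Nextcloud placed on the LAN (192.168.1.10) versus in the DMZ (192.168.50.10)."""
    return blast_radius("192.168.1.10"), blast_radius("192.168.50.10")

if __name__ == "__main__":
    flat, dmz = flat_vs_dmz()
    print("Nextcloud on LAN, reachable after compromise:", sorted(flat))
    print("Nextcloud in DMZ, reachable after compromise:", sorted(dmz))
```
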
 

gyorfitam

Dabbler
Joined
Jan 20, 2021
Messages
20
Thanks again.
What would be the bare minimum device for pfSense you would recommend using?
 