If you're going to host services at home such as your password manager, set up a WireGuard VPN. You can use a Pi and it'll be perfectly sufficient. Leave only the VPN open on the internet, VPN in from your phone, laptop, whatever for anything you need access to, and you don't need to rely on Nextcloud or Bitwarden having vulnerabilities discovered in them.
I was using Nextcloud previously for password sync because my password manager needs WebDAV. It was too much to maintain, so I wrote a small server in Golang using the WebDAV library and it sits behind NGINX, which handles the auth. I run Minio (S3 compatible) for syncing our family photos from our phones and Folder Sync app on Android. They both run on a VM and write out to a ZFS pool.
I have a Pi 3B+ running Raspbian mounted read-only as a WireGuard VPN for remote access, and we use the official WireGuard app. VPN is always on because we have fast, symmetric fibre, and we don't need to worry about trusting public networks.
Why would you mount read only, out of interest? How do you keep packages up to date? And what about logging? I'd want to be logging connection attempts.
To save the SD card mostly. I log to a ring buffer in RAM.
I've had my Raspberry Pis kill dozens of SD cards over the years, so read-only can help. As for updates, I manually remount read/write when I do maintenance and then remount read-only again when I'm done.
Thanks. I might have a look into doing it for mine, since that seems to make sense. I guess like you said you can just mount the fs rw, and then chroot in to run updates.
No need for chroot, I just ssh in when I'm on the LAN, remount / and /boot r/w, run the updates and reboot (boots any new kernel and switches back to r/o).
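
The maintenance routine described in the last few comments (remount / and /boot read/write, update, reboot back to read-only), written out as an added example that is not code from anyone in the thread. It assumes Debian-style `apt-get` and an fstab that mounts both file systems read-only; `mount_mode`, `run`, `seal`, `maintain` and the `--apply` switch are names made up for this sketch, and without `--apply` it only prints what it would do.

```shell
#!/bin/sh
# Added example: update window for a Pi whose / and /boot are mounted read-only.
# Assumptions: apt-get based system, fstab mounts / and /boot ro, run as root.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"  # overridable so the parser can be checked offline
DRY_RUN="${DRY_RUN:-1}"                     # default: print commands instead of running them

# Print "ro" or "rw" for a mount point; the last matching entry wins because
# later mounts shadow earlier ones. Returns non-zero if the mount point is absent.
mount_mode() {
    awk -v mp="$1" '$2 == mp { n = split($4, o, ","); m = ""
            for (i = 1; i <= n; i++) if (o[i] == "ro" || o[i] == "rw") m = o[i] }
        END { if (m == "") exit 1; print m }' "$MOUNTS_FILE"
}

# Run a command, or just show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# Put both file systems back to read-only after a failed update.
seal() {
    run mount -o remount,ro /boot
    run mount -o remount,ro /
}

maintain() {
    # Refuse to start if the box is not in its expected sealed state.
    for mp in / /boot; do
        [ "$(mount_mode "$mp")" = ro ] || { echo "$mp is not read-only, aborting" >&2; return 1; }
    done
    run mount -o remount,rw / &&
    run mount -o remount,rw /boot &&
    run apt-get update &&
    run apt-get -y full-upgrade || { seal; return 1; }
    # Reboot instead of remounting: boots any new kernel and comes back ro via fstab.
    run reboot
}

if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; maintain; fi
```
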