
KeePass ( https://keepass.info/ ) with something like Nextcloud ( https://nextcloud.com/ ) or any other solution for syncing password databases across devices.

Let's Encrypt SSL/TLS certificates are free, as are Apache/Nginx/Caddy for reverse proxying Nextcloud or any other solution (if a web based interface is needed). You might also need something like ngrok ( https://ngrok.com/ ) for publicly accessing the instance if you're behind NAT and are hosting it on a homelab, or alternatively just put it on one of the VPSes that you're using, if you have any.

Personally I'm using a similar setup (a WireGuard VPN tunnel or two in there as well) on my pre-existing VPSes, so the effective cost is $0 for me. And the file based approach is actually superior to any (possibly) dubious browser plugins in my eyes.



This reads like that notorious HN comment about it being trivially easy to roll your own Dropbox. Our time has value. Good UI has value. How much time is saved by just using a service like 1Password versus the design, setup, maintenance, and ongoing use of a system like you suggest with all those individual pieces?


I was just thinking the exact same thing. For technical and especially non-technical folk, getting a full Nextcloud host set up and working is going to take significantly more time than a simple login into 1Password, where it just works.


Dropbox, OneDrive, iCloud, and others have a free tier that is completely sufficient for a password vault.

Their client used to support this and they stopped. Because their current way makes them more money.

Their old client was super easy for non-technical users and groups (just enter Dropbox credentials, etc).


Box.net supports WebDAV if that's what you want. I'm not aware of any other big name cloud storage providers that offer support for standard protocols. It's available for free accounts, too. This does mean the files aren't encrypted, however if your vault is encrypted that may not matter to you.


Except, you didn't need to roll your own. 1PW used to support Dropbox - it's how I still use it.

And specifically you only need the DB free tier to store a 1PW vault, so the only cost was paying for the 1PW client (which I am more than happy to pay for on major version updates, as long as it is not a subscription).

1PW removed functionality that existed, with the goal (or at the very least the effect) of locking users into their own cloud platform with a new monthly bill.


For a moment I felt that perhaps I should add clarification about how I'm not trying to dismiss the cloud solutions (as in the notorious Dropbox comment), but instead am attempting to provide one of the many libre setups to answer the parent question, but in the end didn't get around to it.

My time probably isn't as valuable as that of the many people here (about 5x less earnings on average in Latvia when compared to places like the US), therefore it definitely makes sense for me to upskill myself in any way possible, especially if I get usable software out of it.

But if you take the container based approach, there is almost no administration to be done:

  First, install Docker: https://docs.docker.com/engine/install/ubuntu/#installation-methods (about 10 minutes, varies by distro)
  Personally, I use Docker Swarm, but that's just a few more init commands and Docker Compose works as well: https://docs.docker.com/compose/install/ (about 5 minutes)
  Then, set up something like Caddy for a reverse proxy: https://hub.docker.com/_/caddy (probably 20 minutes)
  And then, set up Nextcloud: https://hub.docker.com/_/nextcloud (probably 20 minutes)
  Lastly, install KeePass from the previously mentioned links and put the password DB in the synced folder (probably 10 minutes)
  Ngrok, DNS challenges etc. might be necessary depending on the setup, but are not usually required for most regular VPSes.
  Backups and updates should also be taken care of, but full VPS backups are mostly standard and you can just bump the container tag every month.
As for the UI, I agree in principle, but not in this case. KeePass has good UI and I'd argue that you don't need a team of UI and UX developers to keep track of some usernames and passwords (and maybe certificate files).

Furthermore, I'd argue that most of the cloud offerings are actually problematic because not all of them let you download the data as files. In contrast, KeePass works with files (much like SQLite) and therefore, if you'd prefer to use SD cards or Samba or NFS or whatever instead of VPSes to somewhat decrease the attack surface, or simply use tools that you know, then you can do that. Want Syncthing instead of Nextcloud? Go ahead!

I'm putting emphasis on this because the line of thinking that we need web SaaS platforms for everything is dangerous - it makes you think that the problem is more complicated than it actually is. Whereas in reality some people probably get away with using password protected spreadsheets (don't do this). The problem is complicated only from a security perspective. That's it.

The cloud solutions excel at convenience and things like browser plugins and it's good that they're offering options for the less technically inclined folk, but they're far from the only option.
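The Caddy + Nextcloud steps listed in the comment above, written out as one Docker Compose file. This is an added example, not the commenter's own configuration: the domain `cloud.example.com`, the admin credentials, the SQLite backend and the `172.16.0.0/12` proxy range are placeholders (assumptions) to adjust to your own setup, and the Caddyfile is embedded with the Compose specification's `configs.content` attribute, which requires a recent Docker Compose v2 (with older versions, write the same two lines to a `Caddyfile` on disk and bind-mount it instead).

```yaml
# Added example (not from the original thread): Caddy terminating TLS with a
# Let's Encrypt certificate in front of a Nextcloud container that holds the
# synced KeePass .kdbx file. All names, credentials and networks below are
# placeholders/assumptions.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"     # needed for the ACME HTTP-01 challenge and the HTTPS redirect
      - "443:443"   # Caddy requests and renews the certificate on its own
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data       # ACME account key + certificates; keep persistent
      - caddy_config:/config
    depends_on:
      - nextcloud

  nextcloud:
    image: nextcloud:apache    # pin to a specific major tag and bump it on your update cadence
    restart: unless-stopped
    # Deliberately no `ports:` entry: Nextcloud is reachable only from Caddy on the
    # Compose network, never directly on the VPS's public interface.
    environment:
      SQLITE_DATABASE: nextcloud                     # assumption: single-user vault sync; use MariaDB/Postgres for more
      NEXTCLOUD_ADMIN_USER: admin                    # placeholder
      NEXTCLOUD_ADMIN_PASSWORD: change-me-before-first-start   # placeholder
      NEXTCLOUD_TRUSTED_DOMAINS: cloud.example.com   # placeholder domain
      OVERWRITEPROTOCOL: https                       # Nextcloud sits behind TLS-terminating Caddy
      OVERWRITEHOST: cloud.example.com
      TRUSTED_PROXIES: 172.16.0.0/12                 # assumption: Docker bridge range; tighten to the caddy container's subnet
    volumes:
      - nextcloud_data:/var/www/html                 # user files, including the synced .kdbx vault

configs:
  caddyfile:
    # Caddy sets X-Forwarded-For / X-Forwarded-Proto itself; the env vars above
    # make Nextcloud trust them only from the proxy network.
    content: |
      cloud.example.com {
          reverse_proxy nextcloud:80
      }

volumes:
  caddy_data:
  caddy_config:
  nextcloud_data:
```

Point the DNS A/AAAA record for the domain at the VPS before `docker compose up -d`, because Let's Encrypt's HTTP-01 challenge has to reach port 80; a quick `curl -sI https://cloud.example.com` afterwards should return a redirect from Nextcloud with a valid certificate and no `Strict-Transport-Security` warnings in Nextcloud's admin overview. The KeePass database then lives in a folder that the Nextcloud desktop/mobile client (or a WebDAV mount) keeps in sync; the vault stays encrypted at rest with the KeePass master key regardless of what the server does, which is what makes the file-based approach tolerant of a less-than-perfect host.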


So getting to know how to do things by yourself is a waste of time?


I know exactly how to do it, I've tried out what has been described above.

I've got a lab for stuff I want to tinker with, but a password manager is seen as an "essential service" to me like e-mail and music. I'd much prefer to pay a bit per month and have a team of professionals deal with it if the servers go down.

If at the end of the day my home server breaks and I want to get on and watch Amazon Prime/Netflix/whatever I still can with a hosted password manager. I value my time and sanity a lot more than £2 a month.


That's a fair point! But depending on your setup, it's also possible to replicate the password database file to every single device of yours on the network.

Currently doing just that, if any of my servers go down, I can still access all of my passwords on my desktop, on my laptop, on my tablet, on my phone or on my backup servers. Of course, provided that I have KeePass or a mobile app installed and know the master password.

Oh and I do manual backups to SD cards just to be sure every month. I'm not sure how I'd do that with a cloud service where in a sense their entire company (and my network connection to it) is a single point of failure. If my internet connection goes down, how would I log in to my selfhosted software in my homelab over LAN, without being able to access the passwords?


I thought most users were talking about personal use here?


> So getting to know how to do things by yourself is a waste of time?

Potentially. Are you looking to make a prototype, or are you trying to go to prod with mission critical data?

Most people here could trivially roll a prototype grade password manager in pretty limited time. Getting something hardened and reliable is a different story.


Yes it is a waste of time, if you want to spend time doing other things in your life.


It's not a waste of time only if you are interested in knowing how to do these things.


Recently set up something similar. DNS entry that resolves to a local ip, swag + letsencrypt reverse proxying to Nextcloud, all setup as containers and accessible anywhere over WireGuard. I'm pretty happy with it.


Here's a link to swag, if anyone hasn't heard of it before: https://github.com/linuxserver/docker-swag

It does seem like an interesting and useful project, though there are also other more popular alternatives like Caddy: https://caddyserver.com/ (even though their V2 not being backwards compatible was a tad annoying)

Oh, and some people also have pretty good luck with software like Traefik: https://traefik.io/traefik/

Apart from that, just wanted to say that WireGuard is absolutely lovely! Pretty simple to set up, works well and uses way less resources than something like OpenVPN.


WireGuard has already spoiled me, every time I have to fire up my job's bloatware VPN client I get a little bummed out now.


The real question here is how much time it takes to setup this experience and how much time it takes to maintain. You could argue that the true cost is the labor cost of implementation and maintenance at your current pay rate.


Not too much time, honestly. I use KeePass + Syncthing and it was easy to set up. Syncthing is generally useful as well, besides password manager sharing.

After setup I rarely have to think about it, maybe manually sync a conflict between the DBs every 3 months or so.

Overall, _very_ happy with the setup.



