Here’s an idea: on your android device use something like Insular to create a work profile, that way you get its own VPN slot, add your selfhosted-related apps there along with Tailscale. You can keep ProtonVPN on for your other apps, while using TS for your “LAN away from home” stuff. Since Tailscale already encrypts all traffic, you don’t have to worry about HTTPS, certs, et al.

Oh no, don’t take it as “don’t reinvent the wheel”! I meant it in the true sense that sometimes we spent so much effort and focus building something, just to post about it somewhere and getting a reply “Oh nice, it’s exactly like X project!”.

Currently I’m running NextCloud on prem, so DavX5 and JTXBoard cover most of my note taking and todo tasks, and I guess one could deploy the server-side encryption module on a NextCloud AIO on a VPS and keep everything (probably) safe and private. I’m kinda lazy too, that’s why I liked the hands-off maintenance of NC-AIO. I get notifications to update stuff, and I get regular security audits from NC itself.

BTW, never take that “doing stuff already done” is in detriment of helping FOSS projects. There are tons of examples of people randomly tinkering around and accidentally finding some huge fix for other projects. Off the top of my head, some weeb wanted to play Nier Automata at decent framerates on wine and a few years later, here we are with DXVK and all the proton stuff making most stuff playable!

Really interested on seeing this, although if I could make a suggestion, start by scouting around and see if you can adapt FOSS apps, maybe fork them and add/remove features to please your objectives and tastes.

Although I’m eager to see these through, I like projects like murena (/e/OS) that cobble together good Foss projects into a single cohesive ecosystem (without making the word ecosystem gross and vendor locked in like in most cases)

Unless the crook happens to be extremely nerdy or its law enforcement, already being a Linux formatted partition feels it should be enough for a rando breaking in and stealing a computer.

That being said, something like a PiKVM connected to your server (and Tailscale) could let you enable both UEFI/boot password and propt for LUKS decryption upon boot.