A single-board computer like the Raspberry Pi 5 (8GB) can be surprisingly capable when properly optimized. Running a complete NVR with AI object detection (Frigate) alongside a self-hosted collaborative office suite (Nextcloud + Euro-Office) and a private mesh network (Headscale) is demanding, but highly achievable.
A recent resource check, taken while a live server backup (tar and gzip) was running and four security cameras were active, showed a steady 67% CPU load and a stable temperature of 61°C.
If you are looking to build a similar "Sovereign Stack" on a Raspberry Pi 5, here are the key architectural decisions and lessons learned from setting up this environment.
1. Memory Optimization: Surviving Peaks with ZRAM
Running Nextcloud and the Euro-Office Document Server alongside an active NVR can quickly saturate the physical 8GB of RAM on a Raspberry Pi 5, especially during intensive processes like automated backups.
- The Challenge: Traditional swap space on an SD card or SSD is slow and drastically shortens the lifespan of your storage medium due to constant write cycles.
- The Lesson: Utilizing ZRAM (compressed swap inside the RAM itself) is essential. It temporarily compresses idle memory blocks, effectively expanding your available RAM. As a result, the system can gracefully absorb heavy load spikes without crashing or wearing out your physical storage.
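One way to set this up on Raspberry Pi OS, as an added example that is not part of the original post: the sizing helper computes the ZRAM device size (half of physical RAM, a common starting point) from a meminfo-style file, and the privileged part loads the module, picks a compressor, and enables the device with a higher swap priority than any disk swap. The zstd/lz4 choice, the 100 priority, and the vm.swappiness value are assumptions for illustration, not settings from the post.

```shell
#!/bin/sh
# Added example (not from the original post): size and enable a ZRAM swap
# device on a Debian-based Pi. Assumes the zram kernel module is available
# and that setup_zram is run as root (./zram.sh --apply); the sizing helper
# is pure and can be checked without privileges.
set -eu

# ZRAM size in KiB: half of MemTotal. Compressed pages usually shrink 2-3x,
# so a 4 GiB device on an 8 GiB Pi costs far less than 4 GiB of real RAM.
zram_size_kib() {
    # $1: path to a meminfo-style file (defaults to /proc/meminfo)
    awk '/^MemTotal:/ { printf "%d\n", $2 / 2 }' "${1:-/proc/meminfo}"
}

# Swap priority higher than any disk swap, so ZRAM is consumed first and the
# SD card / SSD only sees swap writes once compressed memory is exhausted.
ZRAM_PRIORITY=100

setup_zram() {
    size_kib=$(zram_size_kib)
    modprobe zram num_devices=1
    # zstd gives the best ratio; fall back to lz4 if the kernel lacks it
    echo zstd > /sys/block/zram0/comp_algorithm 2>/dev/null \
        || echo lz4 > /sys/block/zram0/comp_algorithm
    # disksize accepts a K/M/G suffix; set it once, before mkswap
    echo "${size_kib}K" > /sys/block/zram0/disksize
    mkswap /dev/zram0
    swapon -p "$ZRAM_PRIORITY" /dev/zram0
    # With swap living in RAM, swapping early is cheap; assumed value
    sysctl -w vm.swappiness=100
    swapon --show
}

# Only touch the system when explicitly asked to and running as root
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    setup_zram
fi
```

Run it from a systemd unit or rc.local at boot; the device has to be recreated after every reboot. Check the outcome with `swapon --show` and `zramctl`, which also reports the achieved compression ratio.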
2. Offloading AI Workloads with Hardware Acceleration
Analyzing four high-definition video streams and running continuous AI object detection (person, car, etc.) would easily peg a Raspberry Pi 5 CPU at 100% across all four cores, leaving no room for other applications.
- The Challenge: Real-time computer vision is incredibly CPU-intensive.
- The Lesson: Offloading these tasks to a dedicated co-processor is non-negotiable. By integrating a Google Coral TPU (visible in system processes as frigate.detector.coral), all object detection calculations are handled externally. This keeps the Pi's CPU cycles free to manage Nextcloud database queries, web serving, and file encryption.
3. Resolving DNS Conflicts in Private Networks (AdGuard Home vs. VPN & Browser)
Self-hosted services often rely on local-only subdomains (e.g., office.yourdomain.com) that are registered exclusively in a local DNS server like AdGuard Home. This works well until client-side security features and VPNs are introduced.
- The Challenge: Modern operating systems, browsers, and VPN clients are designed to bypass local DNS servers for privacy or routing reasons, which breaks local domain resolution.
- The Lessons:
- VPN DNS Hijacking: VPN clients like Tailscale or Headscale override your system's DNS settings by default to enable MagicDNS. To prevent your local device from losing access to your AdGuard Home, configure the client to ignore VPN-pushed DNS settings using:
sudo tailscale up --accept-dns=false
- Browser DoH (DNS-over-HTTPS): Modern web browsers often have "Secure DNS" turned on. This feature bypasses the OS host resolver entirely and queries public servers (like Google or Cloudflare), which cannot resolve your local subdomains. Disabling "Secure DNS" in your browser's security settings restores local resolution.
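A quick way to tell whether a client is still using AdGuard Home after the VPN comes up, as an added example that is not part of the original post: it reads the first nameserver from resolv.conf, then compares the answer AdGuard gives for a local-only name with what the system resolver returns. The AdGuard address 192.168.1.2, the name office.yourdomain.com, and the use of dig (dnsutils package) are assumptions. Browser "Secure DNS" bypasses the OS resolver entirely, so that case can only be checked from inside the browser; the script reports the VPN case.

```shell
#!/bin/sh
# Added example (not from the original post): verify that name resolution
# still goes through the local AdGuard Home after Tailscale/Headscale is up.
# Assumed values: ADGUARD_IP, LOCAL_NAME, and that dig is installed.
set -eu

ADGUARD_IP="${ADGUARD_IP:-192.168.1.2}"              # assumed LAN address of AdGuard Home
LOCAL_NAME="${LOCAL_NAME:-office.yourdomain.com}"   # a name only AdGuard knows

# First nameserver listed in a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "${1:-/etc/resolv.conf}"
}

# 0 if the resolver file points at AdGuard, 1 otherwise (for example the
# 100.100.100.100 MagicDNS stub that Tailscale installs when accept-dns is on).
resolver_is_adguard() {
    [ "$(first_nameserver "${1:-/etc/resolv.conf}")" = "$ADGUARD_IP" ]
}

# Live check: ask AdGuard directly, then ask the system resolver, and compare.
check_local_resolution() {
    direct=$(dig +short "@$ADGUARD_IP" "$LOCAL_NAME" | head -n 1)
    system=$(getent hosts "$LOCAL_NAME" | awk '{ print $1 }' | head -n 1)
    if [ -z "$direct" ]; then
        echo "AdGuard Home itself does not resolve $LOCAL_NAME; add the DNS rewrite there first"
        return 1
    fi
    if [ "$direct" != "$system" ]; then
        echo "System resolver disagrees with AdGuard (got '$system', expected '$direct'):"
        echo "a VPN client or DoH setting is bypassing AdGuard Home."
        echo "Fix for Tailscale: sudo tailscale up --accept-dns=false"
        return 1
    fi
    echo "OK: $LOCAL_NAME -> $direct via AdGuard Home"
}

if [ "${1:-}" = "--live" ]; then
    if ! resolver_is_adguard; then
        echo "WARN: /etc/resolv.conf points at $(first_nameserver), not $ADGUARD_IP"
    fi
    check_local_resolution
fi
```

Run `./dnscheck.sh --live` before and after `tailscale up`; the WARN line appears as soon as the VPN replaces the system nameserver, and the mismatch message confirms that local names are no longer resolvable until --accept-dns=false is applied.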
4. Docker Architecture, Strict JWT Validation, and SSL for Euro-Office
Integrating Euro-Office (a digitally sovereign, European office suite based on a fork of OnlyOffice) into Nextcloud requires strict attention to container networking, token authentication, and browser security.
- The Lessons:
- Internal Container Routing: Nextcloud and Euro-Office must reside on a shared Docker bridge network (e.g., pi-services) to communicate directly via container names rather than looping through the public router interface.
- Strict JWT Secret Validation: The PHP JWT library used in recent Nextcloud releases strictly enforces key-length validation for HS256 encryption. The JWT_SECRET configured in your environment must be exactly 32 characters long. Any deviation will result in authentication failures like "Provided key is too short" or "Invalid token".
- The Iframe SSL Trap: Browsers will refuse to load the Euro-Office document editor inside Nextcloud if the Document Server uses an untrusted SSL certificate (such as those generated by a local step-ca). Because browsers block untrusted iframes silently, Nextcloud will display a generic connection error. Importing and trusting your private Certificate Authority's root certificate (root.crt) in your operating system's trust store resolves this issue.
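The three prerequisites from this section gathered into one script, as an added example that is neither from the original post nor from the sovereign-stack or PiSelfhosting repositories: it creates the shared bridge network if missing, checks that JWT_SECRET is exactly 32 bytes (and can generate a compliant one from 16 random bytes hex-encoded), installs the private root certificate into the Debian trust store, and verifies the Document Server's certificate against that root with curl. The network name pi-services and file name root.crt come from the post; the container name euro-office, the file path, and the /healthcheck endpoint are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the projects it names):
# prepare the network, JWT secret, and CA trust needed for Euro-Office in
# Nextcloud. Assumed values: DOCSERVER_URL, CA_ROOT, and the /healthcheck path.
set -eu

NETWORK="${NETWORK:-pi-services}"
DOCSERVER_URL="${DOCSERVER_URL:-https://euro-office}"   # assumed container name on the bridge
CA_ROOT="${CA_ROOT:-./root.crt}"                         # assumed path to the step-ca root

# JWT_SECRET must be exactly 32 characters; returns 0 if so, 1 with a
# message otherwise. Length is counted in bytes, so keep the secret ASCII:
# a multi-byte character would make a 32-character string longer than 32 bytes.
check_jwt_secret() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    if [ "$len" -ne 32 ]; then
        echo "JWT_SECRET is $len bytes, must be exactly 32" >&2
        return 1
    fi
}

# Generate a compliant secret: 16 random bytes, hex-encoded, give 32 ASCII chars.
new_jwt_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
}

# Shared bridge network so Nextcloud reaches the Document Server by container
# name instead of hairpinning through the router's public interface.
ensure_network() {
    docker network inspect "$NETWORK" >/dev/null 2>&1 \
        || docker network create "$NETWORK"
}

# Trust the private CA on the host (Debian / Raspberry Pi OS layout), which
# is what lets the browser load the editor iframe without a silent block.
trust_private_ca() {
    sudo cp "$CA_ROOT" /usr/local/share/ca-certificates/private-root.crt
    sudo update-ca-certificates
}

# Confirm the Document Server's chain validates against the private root;
# a failure here is the same failure the browser hides behind the iframe.
verify_docserver_tls() {
    curl --silent --show-error --cacert "$CA_ROOT" \
        --output /dev/null "$DOCSERVER_URL/healthcheck"
}

if [ "${1:-}" = "--apply" ]; then
    ensure_network
    check_jwt_secret "${JWT_SECRET:?set JWT_SECRET first (try: new_jwt_secret)}"
    trust_private_ca
    verify_docserver_tls
    echo "OK: network, JWT secret, and CA trust are in place"
fi
```

The same JWT_SECRET value has to be given to both containers (the Nextcloud connector and the Document Server); running check_jwt_secret on it before starting them turns the vague "Invalid token" error into an immediate, readable length complaint.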
Conclusion
The Raspberry Pi 5 has matured into a viable, energy-efficient platform for hosting a robust home cloud and security infrastructure. By optimizing memory handling via ZRAM, offloading heavy compute tasks to dedicated hardware, and carefully configuring local DNS routing and browser security policies, you can run a highly responsive, private, and secure sovereign stack on a single low-power board.
About the Author & Projects
Henk van Hoek | Advocate for Digital Sovereignty
If you want to dive deeper into the configurations, explore the architecture, or contribute to the project, feel free to check out my GitHub repositories:
- 🛡️ sovereign-stack – A comprehensive blueprint for deploying digitally sovereign services on your own infrastructure.
- 🥧 PiSelfhosting – Fully optimized self-hosting templates and scripts tailored specifically for the Raspberry Pi.
Let's build a more decentralized and private web together!