TrueNAS Scale Apps access options
Update:
From the next version of TruNAS Scale (Electric Eel) due in Q4 of 2024 TrueNAS Scale will no longer support Helm charts. This will be replaced by Docker and Docker Compose. You can read the full announcement here: Key to this development is “All of the TrueNAS Apps catalog will migrate to Docker Compose without requiring users to take any manual actions; all current users will need to do is update the system to Electric Eel when it launches.” Due to this, I would no longer recommend using TrueCharts. Either use only TrueNAS Apps (which will migrate successfully) or use Jailmaker with Docker and Dockge to learn how to deploy YAML scripts.
1. Summary
TrueNAS Scale offers the ability to install Apps to enhance the functionality of your NAS. In an ideal world, installing the apps on a separate device might be better, but if your device has the space (memory and storage) and power (CPUs) you can install these Apps locally. The Apps are Docker images that TrueNAS Scale manages for you. Instructions on how to install the necessary catalogues can be found here. I use a mixture of TrueNAS and TrueChart Apps without any issue There is some controversy around TrueCharts being less stable but I have not found this to be an issue. A better alternative is to use Jailmaker but this has a steep learning curve.
2. Types of setup
How you intend to use the apps will influence how you approach setting them up. There are three scenarios:
- Closed system with no access from outside your network. (In this case, access could be provided by a VPN)
- A system that is only open to those with a login. This could be implemented through a Cloudflare Tunnel
- A system where some parts are open to the public and others are behind a login.
Looking at the three alternatives:
1. Closed System:
This offers the best security and is the least headache to maintain. The downside is that outside your local network, you have to set up and connect to a VPN to access any resources within the network. This is not intuitive for non-IT literate users.
2. Cloudflare Tunnel:
A Cloudflare Tunnel acts as the gatekeeper to your network, allowing any user with the appropriate login details to access your site. This access can be further secured with Two-Factor Authentication (2FA). Using Cloudflare Tunnel is a highly secure method for providing users access to all the resources on your network through Single Sign-On (SSO). You can also protect local resources with passwords to assign different access levels to different users.
While this method provides a high level of protection, it still allows you to run applications like WordPress and make them accessible outside your local network. However, be aware that high bandwidth applications, such as Nextcloud, may violate Cloudflare’s terms and conditions due to the limited bandwidth allowed through a tunnel. Cloudflare does not specify what that bandwidth limit is.
It is also impossible to allow iOS or Android apps to access your home network from outside using a Cloudflare tunnel.
3. Open System:
This is the most flexible solution but requires the most maintenance. It will allow access to your resources from anywhere on the web. Selecting this alternative requires more maintenance and increases your vulnerability to attack but allows for the greatest flexibility. With this option, there is no issue with applications such as hosting Nextcloud. It is also possible to grant mobile apps such as Home Assistant, Frigate, and zmNinja access to their host’s data without providing full access to the web interface.
Cloudflare Account
For option 2, you will need a Cloudflare account. For option 3 a Cloudflare account is not strictly necessary but makes it a lot easier to set up and can include certificates for HTTPS. I strongly advise you to set up 2FA with your Cloudflare login. (A password manager is essential if you haven’t already got one. I use and recommend Bitwarden.) When used with 2FA Bitwarden places the Time-based one-time password (TOTP) into the clipboard after you have logged in ready for you to paste into the application.) The next action is to set up your domain on Cloudflare.
Please note
When using Cloudflare with tunnels the T&Cs restrict you to using HTTP(S)/UNIX/TCP and SSH protocols.
If you are using Cloudflare proxies with or without tunnels, then Cloudflare can see all the data passing through the proxy.