Thanks a lot, that pretty much what I was looking for

If you already have Nextcloud running you can use the Nextcloud Forms app

Honestly, I would say because you just have less struggle. I had just a lot more problems when I was using Ubuntu instead of Debian. But I thinks it’s mostly personal preference

I don’t know about photoprism but I guess that’s not going to work because it’s really hard to provide features like face recognition and a web frontend with a zero trust setup. So if you just want the to have a automatic photo backup you could take a look at encrypted folders for nextcloud

And container to container works fine, im able to communicate p.e. with keycloak:9000

But the network is created externally, so shouldn’t this be the same?

I using docker compose: Caddy Keycloak and Headscale

For Headscale you don’t need a lot of bandwidth or power because your traffic is not routed through the Headscale server. Headscale only helps to directly connect your clients together without having to open ports

Just in case you never heard of it, there is also the option to use Tailscale. It lets you connect to your services without opening any ports and uses Wireguard under the hood but makes configuration simpler

Maybe you could also try to generate your one SSL certificate and add it to your Android/Linux/Windows devices as root certificate 🤷🏼‍♂️.

That’s only a possibility, of you’re willing to do this to every single device that should be able to connect to your services