Setting the default gateway is unnecessary for a network of peers that are already on the subnet. It can only lead to problems as the hosts try to send every request outside their network to 169.254.1.1, which doesn’t even exist in this scenario
The poster you’re replying to is suggesting a static IP in the apipa range, not an apipa assigned ip. You’d already know a static IP because you set it yourself.
Technically true but I wouldn’t suggest using a self signed cert on the internet under any circumstances.
Absolutely do not expose your server on port 80. Http is unencrypted, you’d be sending your login credentials in plaintext across the open internet. That is Very Bad™. If you own a domain name, you can set up a letsencypt cert fairly easily for free. Then you could expose 443 and at least your traffic will be encrypted in transit. It won’t solve the other potential issues of exposing your instance like brute force or ddos attacks, but I’d consider it a bare minimum.
If you use a VPN like many others are suggesting it won’t matter as much because the unencrypted traffic never leaves your local network.
Wireguard installation is going to be much more secure than a Nextcloud
I understand that, and it’s a good suggestion and a better solution if it fits the OPs use case. I don’t understand suggesting they do both. Either VPN or port forwarding solve the problem, doing both seems unnecessary.
before you start forwarding ports on your router
Don’t you mean instead of? If all the OP wants to do is access next cloud, they can do it over the VPN without forwarding ports. What you’re suggesting doesn’t solve the problem of port 80 being an attack vector, and adds yet another attack vector (the VPN itself)
deleted by creator
You would not. In the example given 169.254.1.1 doesn’t even exist, no machine is listening on that address so it couldn’t possibly do any good if it wanted to