I've said for a long time that Linux & open source is kind of a paradox. It goes everywhere, it speaks every protocol. But as a client, as an end. The whole task of coordinating, of groupwareing, of bringing together networks: that's all much harder, much more to be defined.
Making the many systems work together, having directory infrastructure: that stuff is amazing. For years I assumed that someday I'd be running FreeIPA or some Windows compatible directory service, but it sort of feels like maybe some OpenID type world might possibly be gel'ing into place.
Hey y'all, I know getting a setup that feels "right" can be a process. We all have different goals, tech preferences, etc.
I wanted to a share my blog post walking through how I finally built a setup that I can just be happy with and use. It goes over my goals, requirements, tech choices, layout, and some specific problems I've resolved.
Where I've landed of course isn't where everyone else will, but I hope it can serve as a good reference. I’ve really benefited from the content and software folks have freely shared, and hope I can continue that and help others.
Sometimes when I think about my home network, I think about it in terms of what will happen when I die and what I will be inflicting on my family as the ridiculous setups stop working. Or like, how much it would cost a police forensics team to try to make any sense of it.
I think "home labbing" fulfils much the same urge / need as the old guys (I hate to say it but very much mostly guys) met by creating hugely detailed scale model railways in their basement. I don't mean that in a particularly derogatory way, I just think some people have a deep need for pocket worlds they can control absolutely.
I have been getting into this too. I caution anybody with self-hosting/tinkering tendencies against starting a tech company because it just makes it so much easier to justify this stuff...
Eventually serving a regular old container doesn't cut it anymore and you find yourself needing to pay these weird newspapers nobody reads to publish your business' alias because it's a requirement for a legal DBA which ASIN needs to let you get your own IPV6 block, which you need to truly own you and your customers' IPs and it's not worth becoming an AS without it, but then you can actually move towards physically become your own ISP and then...
The ingress problem people solve with tailscale is one of the hardest. I'm curious to see if it's possible to implement STUN/TURN [0-1] with a generally good mechanism for exposing the server to the Internet by caching all static files and blocking dynamic access to the backend with a loginwall, which authenticates allowed users with email "magic links" -> nonrenewable access tokens. In theory it should not be excessively difficult, expensive, or risky to do this.
It's just relevant enough to what we're doing with remote development environments for me to justify another rabbit hole
Never understood the obsession with Tailscale. I've got an on-demand WireGuard VPN back into my home network with both split (DNS and local service access) and full tunnels. I externally host more prominent things on a VPS and have a tunnel back in for the few services I do want to expose. A mesh VPN just seems like another potential vector into my LAN and Yet Another Subscription in a time when I'm trying to cutback costs on subscription services.
- one single machine
- nginx proxy
- many services on the same machine; some are internal, some are supposed to be public, are all accessible via the web!
- internal ones have a humongous large password for HTTP basic auth that I store in an external password manager (firefox built in one)
- public ones are either public or have google oauth
I coded all of them from scratch as that's the point of what I'm doing with homelabbing. You want images? browsers can read them. Videos? Browsers can play them.
The hard part is the backend for me. The frontend is very much "90s html".
LDAP author here. I'm happy that LLDAP is mentioned and yet that it is not highlighted. The goal of the project was to have a simple LDAP server that is easy to install/manage for self-hosters without knowledge of LDAP required. Cheers and congrats on your setup!
I wish I had the time to do any of this. I could probably do it on a weekend but maintaining it, upgrading it to keep up with new releases would be something I wouldn't have time for.
I end up just paying a cloud provider and forget about it.
Anyone else on the same boat? What has been your approach?
I like it. Why Flame, though? It’s built using node, react, redux… meaning you are bringing dozens (if not hundreds) of third party dependencies to your secure kingdom. I don’t think it’s worth it for the start page (could easily be a single html page with hardcoded links)
Great blog post, but unfortunately from my experience with my kinda tech-friendly family, i can tell you that not exposing service publicly is an absolute UX killer.
Nobody uses the local nextcloud because they just don't think they can rely on it, it doesn't always work from their perspective, and is too finicky to use, because it needs an external app (Tailscale).
This can be only fixed when the app itself can trigger a vpn connection, and I don't think this is going to happen any time soon.
Great write-up. I have been tinkering with Immich over the last few months and go back and forth whether I want to just limit it to Tailscale for use away from home or if I want to go through the trouble of setting up a reverse proxy on a VPS. I think my biggest concern is finding a relatively user-friendly monitoring/security solution to alert me if anybody is trying some sort of attack against the VPS
Nice writeup, thank you. I already thought about having NixOS on my server, but currently I prefer proxmox. There are projects with NixOS + Proxmox, but I did not test it yet.
> My main storage setup is pretty simple. It a ZFS pool with four 10TB hard drives in a RAIDZ2 data vdev with an additional 256GB SDD as a cache vdev. That means two hard drives can die without me loosing that data. That gives me ~19TB of usable storage, which I’m currently using less than 10% of. Leaving plenty of room to grow.
I would question this when buying a new system and not having a bunch of disks laying around... having a RAID-Z2 with four 10GB disks offers the same space as a RAID1 with two 20GB disks. Since you don't need the space NOW, you could even go RAID1 with two 10TB disks and grow it by replacing it with two 20TB as soon as you need more. This in my opinion would be more cost effective, since you only need to replace 2 disks instead of 4 to grow. This would take less time and since prices per TB are probably getting lower over time, it could also save you a ton of money. I would also say that the ability of losing 2 disks won't save you from having a backup somewhere...
Why bother with SSO? If your family and closest friends use something like a wireguard client (iOS for example has a very good one that takes only a minute to configure permanently), the users simply switch a toggle and they are now on your private network and don’t need to SSO to anything (provided you have left everything open).
For a small home network the pros of that approach vastly exceed the cons.
I've been tempted to use NixOS for my self hosted setup but I just can't bring myself to do it.
My setup is quite simple, it's just a few VMs with one docker compose file for each. I have an ansible playbook that copies the docker compose files across and that's it. There's really nothing more to it then that, and maintenance is just upgrading the OS (Fedora Server) once the version reaches EOL. I tend to stay 1 version behind the release cycle so upgrade whenever that gets bumped.
I do use nix-darwin on my macs so I do _see_ the value of using a nix configuration, but I find it difficult to see if the effort in porting my setup to Nix is worth it in the long run, configuration files don't get written in a short time. Maybe LLMs could speed this up, but I just don't have it in me right now to make that leap
> Authelia provides authentication and authorization for services in a couple of ways. For services that support OpenID Connect it provides a very simple single sign on experience. If not, Authelia can integrate with my reverse proxy (nginx) and require the user login before the reverse proxy allows access to a service.
Recently I found out Gitea or Forgejo can act as an Oauth provider. And since these support ldap you can for example deploy a Samba AD and set it up as an authentication source for Gitea/Forgejo. If you enable the OAuth feature you can connect stuff like grafana and log in with your Samba AD credentials.
To me this is more convenient than running a dedicated auth service considering Forgejo can also provide git, wiki, docker registry (also authenticated) and other function. It's such an underrated piece of software and uses so few resources.
Curious what the driver for nixos and packages over docker was. Docker was the huge step up for me in making the homelab easy to run, update, and recover when things failed. It also made managing services endpoints and ports remote easier than when they all lived on the operating system. Wish this was delved into a little more in the post.
I am curious what are some good enough cheapskate self-hosting setups?
I want to self-host one of those floss Pocket replacements but I don't want to pay more than what these projects charge for hosting the software themselves (~$5). I am also considering self-hosting n8n. I don't have any sophisticated requirements. If it was possible I would host it from my phone with a backup to Google Drive.
Impressive setup, but I would assume it to be very operations-intensive because of the high number of deployed components and their complex configuration. Plus, if you are serious about self-hosting, you would need the facilities and infrastructure to deploy it: server rack, redundant power supply, smoke detectors, fire extinguisher... I would never let my PC-grade hardware run unsupervised in my home.
And if I understood correctly, you would still have to have some server on the Internet for running your Headscale VPN, so you need your own dedicated Internet connection - ADSL, dial-up, cable modem would not be enough.
This is kinda similar to something I'm trying to setup. I have most of my self-hosted infrastructure running in docker containers, but I want to put some stuff on a nixOS ec2 instance. Mostly services I want to never go down or be affected by my local network (uptime kuma) and chat stuff (irc bouncer, conduit, soju, etc etc).
I use nixOS on my laptop but don't make many nix projects, and TBH I have no idea how to test this setup locally before deploying it. I have some nix stuff setup that spins up a VM and exposes the ports on localhost, but it's brittle and rapidly spaghettifying. Do you have any tips for testing this stuff as part of a local project?
Is there home lab for isolated LAN and "self-sufficient" devices?
I want to have a block of gunk on the LAN, and to connect devices to the LAN and be able to seamlessly copy that block to them.
Bonus: any gunk I bring home gets added to the block.
First part works with navidrome: I just connect through the LAN to my phone with amperfy and check the box to cache the songs. Now my song gunk is sync'd to the phone before I leave home.
This obviously would fit a different mindset. Author has a setup optimized for maximum conceivable gunk, whereas mine would need to be limited to the maximum gunk you'd want to have on the smallest device. (But I do like that constraint.)
I too use LLDAP and Authelia. I use Caddy (no Traefik) as a reverse proxy to protect my services using 2FA SSO. It's very easy to use and I can access all my services anywhere in the world without bothering with a VPN.
It's nice to see a home lab on HN. Hardware has become a lost art for many.
If you dont have a home lab, start one. Grab a 1l pc off of ebay. Think center m720q or m920q with an i5 is a great place to start. It will cost you less than 200 bucks and if you want to turn it into a NAS or an Opnsense box later you can.
When it arrives toss Proxmox on it and get your toys from the community scripts section... it will let you get set up on 'easy mode'. Fair warning, having a home lab is an addiction, and will change how you look at development if you get into it deeply.
I woke up today with a plan of making my DNS at a separate site work properly with ipv6, over my wireguard. I use ULAs for the point to point wireguard link, and GUAs don't like routing to ULAs. I figured the choice was between routing my two sites GUAs over the wireguard when talking to each other, or deploy ULAs in my networks. 4hrs later I had everything set up with ULAs. Had lunch. Decided that was awful. 3hrs after that I've got my GUAs going over the wireguard.
A pain point you mention is that everyone must run the tailscale client. Have you considered exposing everything on the public internet using something like Cloudflare Tunnels? You can have cloudflare handle auth on their edge network, which mitigates the worry about having to deal with 0-days on a self hosted auth solution. You have a pretty sophisticated directory setup tho so I'm not sure how well this would fit in with the existing infra.
It’s a shame he doesn’t self host an internal mail server at least with restricted outbound/smtp.
Something like this is very easy to setup with projects such as stalwart which also offers CardDAV and CardDAV (think easy synchronization of calendar and contacts without relying on "cloud").
He already has tailscale + headscale, adding in an internal only mail/collaboration server would be a win.
Setup your own WireGuard rather than Tailscale.. this is too much like Authy delegating AAA to a third-party.
- Store your SSH public keys and host keys in LDAP.
- Use real Solaris ZFS that works well or stick with mdraid10+XFS, and/or use Ceph. ZoL bit me by creating unmountable volumes and offering zero support when their stuff borked.
- Application-notified, quiesced backups to some other nearline box.
- Do not give all things internet access.
- Have a pair (or a few) bastion jumpboxes, preferably one of the BSDs like OpenBSD. WG and SSH+Yubikey as the only ways inside, both protected by SPA port knocking.
- Divy up hardware with a type 1 hypervisor and run kubernetes inside guests in those.
- Standardize as much as possible.
- Use configuration and infrastructure management tools checked into git. If it ain't automated, it's just a big ball of mud no one know how to recreate.
- Have extra infrastructure capacity for testing and failure hot replacements.
In case the author is around: On mobile (Chrome on Android) the screenshot is not readable at all and there is also no way to open an enlarged version, let alone zoom into the page.
It's not open-source or self-hosted but putting it out there: CloudFlare zero-trust is amazing and free. In my setup, I have a cloudflared tunnel configured in my homelab machine and I expose individual services without a VPN or opening up my firewall. You can also set up authentication with SSO, and it happens before reaching the backend application which makes it more secure. This is easy for family and friends to use, because they don't need to setup anything from their side, just go to the URL and login.
https://developers.cloudflare.com/cloudflare-one/connections...
im using proxmox but struggling to setup subnets and vms
should I be using terraform and ansible?
im using cursor to ssh and it constantly needs to run commands to get "state" of the setup.
basically im trying to do what I used to do on AWS: setup VMs on private network talking to each other with one gateway dedicated to internet connection but this is proving to be extremely difficult with the bash scripts generated by cursor
if anyone can help me continue my journey with self hosting instead of relying on AWS that would be great
Why people need these overly complicated setups and why do they need to have an access point to reach their "den" from anywhere is beyond me. People and their digital gadget delusion.
Security paranoia, but here are the details of my home lab. WHY? If god forbid someone gets in they could in an instant identify the target...
IMO this is too complicated. I think products like the Synology Disk Station strike a better balance between ownership of data and maintenance over time. Tailscale even publishes a client for Synology products.
My Self-Hosting Setup
(codecaptured.com)605 points by mirdaki 19 July 2025 | 206 comments
Comments
> This means keep one login per person, ideally with SSO, for as many services as I can
Truly S-tier target. Incredible hard, incredible awesome.
I've said for a long time that Linux & open source is kind of a paradox. It goes everywhere, it speaks every protocol. But as a client, as an end. The whole task of coordinating, of groupwareing, of bringing together networks: that's all much harder, much more to be defined.
Making the many systems work together, having directory infrastructure: that stuff is amazing. For years I assumed that someday I'd be running FreeIPA or some Windows compatible directory service, but it sort of feels like maybe some OpenID type world might possibly be gel'ing into place.
I wanted to a share my blog post walking through how I finally built a setup that I can just be happy with and use. It goes over my goals, requirements, tech choices, layout, and some specific problems I've resolved.
Where I've landed of course isn't where everyone else will, but I hope it can serve as a good reference. I’ve really benefited from the content and software folks have freely shared, and hope I can continue that and help others.
I think "home labbing" fulfils much the same urge / need as the old guys (I hate to say it but very much mostly guys) met by creating hugely detailed scale model railways in their basement. I don't mean that in a particularly derogatory way, I just think some people have a deep need for pocket worlds they can control absolutely.
Eventually serving a regular old container doesn't cut it anymore and you find yourself needing to pay these weird newspapers nobody reads to publish your business' alias because it's a requirement for a legal DBA which ASIN needs to let you get your own IPV6 block, which you need to truly own you and your customers' IPs and it's not worth becoming an AS without it, but then you can actually move towards physically become your own ISP and then...
The ingress problem people solve with tailscale is one of the hardest. I'm curious to see if it's possible to implement STUN/TURN [0-1] with a generally good mechanism for exposing the server to the Internet by caching all static files and blocking dynamic access to the backend with a loginwall, which authenticates allowed users with email "magic links" -> nonrenewable access tokens. In theory it should not be excessively difficult, expensive, or risky to do this.
It's just relevant enough to what we're doing with remote development environments for me to justify another rabbit hole
[0] https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_...
[1] https://en.wikipedia.org/wiki/STUN
- one single machine - nginx proxy - many services on the same machine; some are internal, some are supposed to be public, are all accessible via the web! - internal ones have a humongous large password for HTTP basic auth that I store in an external password manager (firefox built in one) - public ones are either public or have google oauth
I coded all of them from scratch as that's the point of what I'm doing with homelabbing. You want images? browsers can read them. Videos? Browsers can play them.
The hard part is the backend for me. The frontend is very much "90s html".
I end up just paying a cloud provider and forget about it.
Anyone else on the same boat? What has been your approach?
Nobody uses the local nextcloud because they just don't think they can rely on it, it doesn't always work from their perspective, and is too finicky to use, because it needs an external app (Tailscale).
This can be only fixed when the app itself can trigger a vpn connection, and I don't think this is going to happen any time soon.
> My main storage setup is pretty simple. It a ZFS pool with four 10TB hard drives in a RAIDZ2 data vdev with an additional 256GB SDD as a cache vdev. That means two hard drives can die without me loosing that data. That gives me ~19TB of usable storage, which I’m currently using less than 10% of. Leaving plenty of room to grow.
I would question this when buying a new system and not having a bunch of disks laying around... having a RAID-Z2 with four 10GB disks offers the same space as a RAID1 with two 20GB disks. Since you don't need the space NOW, you could even go RAID1 with two 10TB disks and grow it by replacing it with two 20TB as soon as you need more. This in my opinion would be more cost effective, since you only need to replace 2 disks instead of 4 to grow. This would take less time and since prices per TB are probably getting lower over time, it could also save you a ton of money. I would also say that the ability of losing 2 disks won't save you from having a backup somewhere...
For a small home network the pros of that approach vastly exceed the cons.
My setup is quite simple, it's just a few VMs with one docker compose file for each. I have an ansible playbook that copies the docker compose files across and that's it. There's really nothing more to it then that, and maintenance is just upgrading the OS (Fedora Server) once the version reaches EOL. I tend to stay 1 version behind the release cycle so upgrade whenever that gets bumped.
I do use nix-darwin on my macs so I do _see_ the value of using a nix configuration, but I find it difficult to see if the effort in porting my setup to Nix is worth it in the long run, configuration files don't get written in a short time. Maybe LLMs could speed this up, but I just don't have it in me right now to make that leap
Recently I found out Gitea or Forgejo can act as an Oauth provider. And since these support ldap you can for example deploy a Samba AD and set it up as an authentication source for Gitea/Forgejo. If you enable the OAuth feature you can connect stuff like grafana and log in with your Samba AD credentials.
To me this is more convenient than running a dedicated auth service considering Forgejo can also provide git, wiki, docker registry (also authenticated) and other function. It's such an underrated piece of software and uses so few resources.
I want to self-host one of those floss Pocket replacements but I don't want to pay more than what these projects charge for hosting the software themselves (~$5). I am also considering self-hosting n8n. I don't have any sophisticated requirements. If it was possible I would host it from my phone with a backup to Google Drive.
I use nixOS on my laptop but don't make many nix projects, and TBH I have no idea how to test this setup locally before deploying it. I have some nix stuff setup that spins up a VM and exposes the ports on localhost, but it's brittle and rapidly spaghettifying. Do you have any tips for testing this stuff as part of a local project?
https://gokrazy.org/
OS upgrades are easy now and it's declarative but I don't have to learn Nix
I want to have a block of gunk on the LAN, and to connect devices to the LAN and be able to seamlessly copy that block to them.
Bonus: any gunk I bring home gets added to the block.
First part works with navidrome: I just connect through the LAN to my phone with amperfy and check the box to cache the songs. Now my song gunk is sync'd to the phone before I leave home.
This obviously would fit a different mindset. Author has a setup optimized for maximum conceivable gunk, whereas mine would need to be limited to the maximum gunk you'd want to have on the smallest device. (But I do like that constraint.)
If you dont have a home lab, start one. Grab a 1l pc off of ebay. Think center m720q or m920q with an i5 is a great place to start. It will cost you less than 200 bucks and if you want to turn it into a NAS or an Opnsense box later you can.
When it arrives toss Proxmox on it and get your toys from the community scripts section... it will let you get set up on 'easy mode'. Fair warning, having a home lab is an addiction, and will change how you look at development if you get into it deeply.
Homelabbing is fun :')
Something like this is very easy to setup with projects such as stalwart which also offers CardDAV and CardDAV (think easy synchronization of calendar and contacts without relying on "cloud").
He already has tailscale + headscale, adding in an internal only mail/collaboration server would be a win.
- Store your SSH public keys and host keys in LDAP.
- Use real Solaris ZFS that works well or stick with mdraid10+XFS, and/or use Ceph. ZoL bit me by creating unmountable volumes and offering zero support when their stuff borked.
- Application-notified, quiesced backups to some other nearline box.
- Do not give all things internet access.
- Have a pair (or a few) bastion jumpboxes, preferably one of the BSDs like OpenBSD. WG and SSH+Yubikey as the only ways inside, both protected by SPA port knocking.
- Divy up hardware with a type 1 hypervisor and run kubernetes inside guests in those.
- Standardize as much as possible.
- Use configuration and infrastructure management tools checked into git. If it ain't automated, it's just a big ball of mud no one know how to recreate.
- Have extra infrastructure capacity for testing and failure hot replacements.
In case the author is around: On mobile (Chrome on Android) the screenshot is not readable at all and there is also no way to open an enlarged version, let alone zoom into the page.
should I be using terraform and ansible?
im using cursor to ssh and it constantly needs to run commands to get "state" of the setup.
basically im trying to do what I used to do on AWS: setup VMs on private network talking to each other with one gateway dedicated to internet connection but this is proving to be extremely difficult with the bash scripts generated by cursor
if anyone can help me continue my journey with self hosting instead of relying on AWS that would be great
Why did you go with Nextcloud instead of using something more barebones, for example a restic server?
At this rate if I keep seeing good article about NixOS I might actually switch for real haha!
*Leaves page* can't do it...
Security paranoia, but here are the details of my home lab. WHY? If god forbid someone gets in they could in an instant identify the target...