Getting Started with Self-Hosting
Self-hosting means running your own services on a machine you control. Usually that is something at home or a rented VPS. Your files, your photos, your VPN, your monitoring stack sit on hardware you own, under terms you set. No company scans your data, no subscription disappears when a startup shuts down.
It is less difficult than it sounds and doubles as a decent way to learn networking and Linux. This page covers the basics.
Hardware
You do not need anything special. An old laptop, a Raspberry Pi 4 or 5, or any x86 machine with 4GB of RAM and a spare drive will run everything on this page without issue. My server is a small-form-factor PC running Ubuntu 24.04 LTS.
If you want to start in the cloud before committing to hardware, rent a small VPS from Hetzner (cheap, European, decent privacy record) or Linode. A 2-core, 4GB RAM instance is enough. You can migrate to local hardware later.
Operating System
Ubuntu Server LTS is the easiest starting point. Wide documentation, long support windows, and everything installs with apt. Debian works if you want something more minimal. Avoid anything that needs a GUI; a server running a desktop environment is wasting RAM for no reason.
Set up SSH key access immediately after install. Put your public key in ~/.ssh/authorized_keys and disable password login. If your server has a public IP, it will be scanned within minutes of coming online.
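Disabling password login only holds if no earlier config file turns it back on: sshd keeps the first value it reads for each keyword. The script below is an added example, not part of the original guide, that resolves the effective setting across config files in read order. It assumes the Debian/Ubuntu layout where an Include line for /etc/ssh/sshd_config.d/*.conf sits at the top of sshd_config; the file names and contents are constructed samples.

```shell
#!/bin/sh
# Added example: audit the effective sshd password-login settings from config files.

# effective_value KEYWORD DEFAULT FILE...
# Prints the first value set for KEYWORD across FILEs, read in the order given,
# or DEFAULT when no file sets it. Keywords are case-insensitive.
# Simplification: lines after a "Match" line in a file are conditional and skipped.
effective_value() {
    kw=$1; def=$2; shift 2
    awk -v kw="$kw" -v def="$def" '
        BEGIN { kw = tolower(kw) }
        FNR == 1 { inmatch = 0 }
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == kw { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$@"
}

# password_login_disabled FILE...
# Succeeds only when both password-style methods resolve to "no".
# Unset keywords fall back to the upstream OpenSSH default, which is "yes" for both.
password_login_disabled() {
    [ "$(effective_value PasswordAuthentication yes "$@")" = no ] &&
    [ "$(effective_value KbdInteractiveAuthentication yes "$@")" = no ]
}

# make_sample DIR: writes constructed config files (hypothetical names) into DIR.
make_sample() {
    printf 'PasswordAuthentication yes\n' > "$1/50-vendor.conf"
    printf 'passwordauthentication no\n' > "$1/10-hardening.conf"
    printf '%s\n' '# constructed main file' 'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' > "$1/sshd_config"
}

# Drop-ins come first because the Include line precedes the main file's own settings.
demo=$(mktemp -d)
make_sample "$demo"
if password_login_disabled "$demo/50-vendor.conf" "$demo/sshd_config"; then
    echo "vendor drop-in + main file: password login disabled"
else
    echo "vendor drop-in + main file: password login still ENABLED"
fi
password_login_disabled "$demo/10-hardening.conf" "$demo/50-vendor.conf" \
    "$demo/sshd_config" && echo "with 10-hardening.conf first: password login disabled"
rm -rf "$demo"
```

On a live host, sshd -T prints the configuration sshd actually resolved, Match blocks included, and is the authoritative check.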
Docker
Docker is how most things run on my server. Each service lives in its own container: isolated, reproducible, easy to update or roll back. A docker-compose.yml file defines your stack: what images to run, what ports to expose, what volumes to mount. Starting a Pi-hole, Grafana, or Immich instance is a matter of writing a compose file and running docker compose up -d.
Get comfortable with Docker before adding services. Know what docker ps, docker logs, and docker compose down do.
What to Run
Start with what gives you the most back immediately:
Pi-hole + Unbound. Network-wide DNS blocking and recursive resolution. Every device on your network is filtered the moment you point your router's DNS at it. Details in the NetSec guide.
Immich. Self-hosted Google Photos replacement. Facial recognition, albums, shared libraries, and a mobile app that backs up in the background.
Jellyfin. Self-hosted media server. Stream your film and music library to any device on your network, or through a VPN from anywhere.
Vaultwarden. Self-hosted, Bitwarden-compatible password manager. Your passwords live on your server.
WireGuard. Your own VPN server. Once it is running, everything above is reachable from outside your network as if you were home. Details in the NetSec guide.
Reverse Proxy and SSL
Once you have more than one service running, you want a reverse proxy in front of them, routing pihole.yourdomain.com to one container and jellyfin.yourdomain.com to another, all over HTTPS. Nginx Proxy Manager handles this with a web UI and manages Let's Encrypt certificates automatically.
For external access without exposing your home IP, Cloudflare Tunnels create a persistent outbound connection from your server to Cloudflare's edge. No port forwarding needed.
Backups
Restic is the best tool for this: encrypted, deduplicated, supports local and remote backends including Backblaze B2. Run it on a cron job. Test your restores. A backup you have never restored from is untested.
The 3-2-1 rule: three copies of the data, two different media types, one off-site. It still applies.
Security
A server exposed to the internet will get probed. The full security stack I run is in the NetSec guide: UFW, fail2ban, CrowdSec, WireGuard with Cloak, Prometheus and Grafana for monitoring. Do not leave this until later. The tools are not complicated and an unsecured machine on your home network is a real problem.