Self-Hosting a Home Server

A home server enables complete control over your data, services, and digital infrastructure. This guide covers the architecture, services, and practices for running a production homelab server.

Why Self-Host?

Privacy & Control

• Your data stays on hardware you own
• No third-party access to personal information
• Complete control over service configurations

Learning & Skills

• Hands-on experience with Linux system administration
• Understanding of networking, security, and infrastructure
• Practical DevOps and containerization skills

Cost Efficiency

• One-time hardware investment vs. recurring subscriptions
• Run multiple services on a single machine
• Scale as needed without vendor lock-in

Customization

• Configure services exactly how you want
• Integrate services that don't normally work together
• Build workflows tailored to your needs

Server Architecture Overview

Hardware Foundation

A modern homelab server typically includes:

CPU: Multi-core processor (8+ cores recommended)

• Handles concurrent services efficiently
• Modern AMD Ryzen or Intel processors work well
• Look for good single-thread performance for transcoding

RAM: 32GB+ DDR4/DDR5

• Docker containers are memory-intensive
• More RAM = more simultaneous services
• Consider ECC RAM for data integrity (optional)

Storage: Tiered approach

• NVMe SSD (1-2TB): System and hot data
• SATA SSD (2TB): Docker volumes and databases
• HDDs (4TB+ each): Media storage and archives
• Total capacity: 10-15TB is a good starting point

GPU (Optional but recommended):

• Hardware transcoding for media servers
• AI/ML workloads (LLM inference)
• AMD or NVIDIA with good driver support

Network: 2.5GbE or better

• Handles multiple simultaneous streams
• Fast file transfers
• Future-proof for growing bandwidth needs

Power: Quality PSU with headroom

• 850W+ for expansion capability
• 80+ Gold efficiency rating
• Modular design for clean cable management

Software Stack

Operating System: Linux (Ubuntu Server LTS recommended)

• Stable, well-documented, long-term support
• Excellent hardware compatibility
• Large community for troubleshooting

Containerization: Docker

• Isolates services from each other
• Easy deployment and updates
• Portable configurations

Reverse Proxy: Notes/NGINX

• Single entry point for web services
• SSL/TLS termination
• Load balancing capabilities

VPN: Tailscale

• Secure remote access
• Zero-trust mesh networking
• Works behind NAT without port forwarding

Service Categories

Media Services

Notes/Jellyfin - Media Streaming

• Self-hosted alternative to Plex
• Streams movies, TV shows, music
• Hardware transcoding support
• Mobile apps available

Notes/Navidrome - Music Server

• Subsonic-compatible music streaming
• Works with mobile apps like Symfonium
• Lightweight and efficient

Notes/Immich - Photo Management

• Self-hosted Google Photos alternative
• Automatic photo backup from mobile
• Facial recognition and search
• Album sharing capabilities

Smart Home

Notes/Home Assistant - Home Automation Hub

• Integrates hundreds of smart devices
• Local control (no cloud required)
• Powerful automation engine
• Beautiful dashboards

Protocol Bridges:

• Zigbee2MQTT: Zigbee device integration
• Z-Wave JS UI: Z-Wave device management
• MQTT Broker: Message bus for IoT devices

AI & LLM Services

Ollama Help - Local LLM Server

• Run AI models locally
• Privacy-focused inference
• GPU acceleration support
• Compatible with OpenAI API

Notes/Open WebUI - LLM Interface

• Web interface for Ollama
• ChatGPT-like experience
• Document upload and RAG
• Multi-user support

Utility Services

SearXNG - Private Search Engine

• Metasearch engine
• No tracking or profiling
• Aggregates results from multiple sources

PrivateBin - Encrypted Pastebin

• Share text securely
• End-to-end encryption
• Self-destructing pastes

Network Architecture

Physical Network Topology

Internet
    ↓
Router (with VPN)
    ↓
Network Switch
    ├─ Server (wired 2.5GbE)
    ├─ WiFi Access Points
    └─ Other devices

Network Segmentation

Management Network: Server administration

• SSH access
• Web interfaces
• Monitoring tools

Service Network: Docker containers

• Isolated bridge networks per stack
• Internal DNS resolution
• No direct internet access (except via proxy)

IoT Network: Smart home devices

• Separate VLAN (optional)
• Restricted internet access
• Communicates via MQTT broker

Remote Access Strategy

Tailscale (Recommended):

• Mesh VPN for secure access
• No port forwarding required
• Works from anywhere
• Device-to-device encryption

Cloudflare Tunnel (Alternative):

• Exposes specific services publicly
• No exposed ports on home network
• Built-in DDoS protection
• Free tier available

Never expose services directly to the internet without protection

Storage Strategy

Filesystem Layout

/                    # System (NVMe)
/mnt/data           # Docker volumes (SSD)
/mnt/media1         # Movies, Music (HDD)
/mnt/media2         # TV Shows (HDD)
/mnt/archive        # Backups, cold storage (HDD)

Mount Configuration

Use /etc/fstab for persistent mounts:

UUID=xxx /mnt/data ext4 defaults 0 2
UUID=yyy /mnt/media1 ext4 defaults 0 2

Why UUIDs? Device names (/dev/sdX) can change between boots. UUIDs are stable.

Backup Strategy

3-2-1 Rule:

• 3 copies of data
• 2 different media types
• 1 off-site backup

What to backup:

• Docker compose files and configs
• Application data and databases
• Important documents and photos

What not to backup:

• Media files (can be re-acquired)
• Docker images (can be re-pulled)
• Temporary files and caches

Security Practices

Firewall Configuration

UFW (Uncomplicated Firewall):

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH from local network only
sudo ufw allow from 192.168.1.0/24 to any port 22

# Allow Tailscale
sudo ufw allow 41641/udp

# Enable firewall
sudo ufw enable

Access Control

SSH Hardening:

• Disable password authentication
• Use SSH keys only
• Disable root login
• Change default port (optional)

Service Authentication:

• Use strong, unique passwords
• Enable 2FA where available
• Use reverse proxy with authentication
• Implement fail2ban for brute-force protection

Update Strategy

System Updates:

# Weekly system updates
sudo apt update && sudo apt upgrade -y

Docker Updates:

# Update all containers in a stack
cd /path/to/compose/
docker compose pull
docker compose up -d

Automation: Use cron jobs for scheduled updates (with caution)

Monitoring & Maintenance

Health Checks

System Resources:

• CPU usage and temperature
• RAM utilization
• Disk space and I/O
• Network bandwidth

Service Status:

• Container uptime
• Application logs
• Error rates
• Response times

Log Management

Centralized Logging:

• Docker logs: docker logs <container>
• System logs: /var/log/syslog
• Application logs: Service-specific locations

Log Rotation: Configure logrotate to prevent disk fill

Scheduled Maintenance

Daily:

• Monitor disk space
• Check service health

Weekly:

• Review logs for errors
• Update Docker containers
• Verify backups completed

Monthly:

• System package updates
• Security audit
• Capacity planning review

Quarterly:

• Hardware health check (SMART status)
• Backup restoration test
• Documentation review

Common Challenges & Solutions

Performance Issues

Symptom: Slow service response
Causes:

• Insufficient RAM (check with free -h)
• Disk I/O bottleneck (check with iostat)
• CPU overload (check with htop)

Solutions:

• Add more RAM
• Move databases to SSD
• Limit concurrent transcoding streams
• Optimize Docker resource limits

Storage Management

Symptom: Running out of disk space
Causes:

• Docker image/volume buildup
• Log files growing unchecked
• Media library expansion

Solutions:

# Clean Docker resources
docker system prune -a

# Check large directories
du -sh /* | sort -h

# Implement log rotation
# Add storage capacity

Network Connectivity

Symptom: Can't access services remotely
Causes:

• Firewall blocking connections
• VPN not connected
• Service not running

Solutions:

• Check firewall rules
• Verify Tailscale status
• Restart affected services
• Check service logs

Getting Started Checklist

Phase 1: Foundation (Week 1)

• Acquire hardware
• Install Ubuntu Server
• Configure static IP
• Set up SSH access
• Install Docker and Docker Compose
• Configure firewall (UFW)

Phase 2: Core Services (Week 2-3)

• Set up Tailscale for remote access
• Deploy NGINX reverse proxy
• Install first service (start simple)
• Configure backups
• Set up monitoring

Phase 3: Expansion (Week 4+)

• Add media services
• Deploy smart home stack
• Implement AI/LLM services
• Fine-tune performance
• Document your setup

Learning Resources

Documentation

• Docker - Container fundamentals
• Linux - System administration
• Notes/NGINX - Reverse proxy configuration
• Tailscale - VPN mesh networking

Community

• r/selfhosted - Reddit community
• r/homelab - Hardware and infrastructure
• Awesome-Selfhosted - Curated service list
• LinuxServer.io - Quality Docker images

Best Practices

• Start small, expand gradually
• Document everything you do
• Test backups regularly
• Keep security in mind
• Join communities for support

Conclusion

Self-hosting a home server is a rewarding journey that provides privacy, control, and valuable technical skills. Start with core services, expand as you learn, and always prioritize security and backups.

The initial setup requires time and effort, but the result is a powerful, private infrastructure that serves your needs without relying on third-party services.

Related Topics:

• Docker - Containerization platform
• Notes/Home Assistant - Smart home automation
• Notes/Jellyfin - Media streaming
• Ollama Help - Local AI models
• Technology & Privacy MOC - Privacy tools overview