Skip to content
HomeTechOps

Self-Hosting

Self-hosting & home-server runbooks

Operator-grade troubleshooting and planning for the home-server app layer — the own-your-data apps (Immich, Nextcloud, Vaultwarden), running the stack right (Docker on a NAS, a maintainable Compose stack, a mini-PC sized to the workload), and the resilience that keeps it safe (a tested 3-2-1-1-0 restore, trusted TLS, and a verified VPN kill-switch). Every page leads with diagnosis, is source-backed against first-party docs, and insists you prove the restore rather than assume it.

From the box to a backup you've restored — the operator path

Self-hosting is four decisions, not one install. Each step has a source-backed runbook so you can change one thing at a time and prove it works.

1 · Hardware

Pick the box it runs on

Size a mini-PC by the workload it will carry, or weigh a turnkey NAS vs a DIY build in the NAS buying guide.

Pick the hardware

2 · Run the stack

Run containers without fighting them

Build a maintainable Docker Compose stack that survives reboots, or run Docker on a Synology.

Set up the stack

3 · Own your data

Replace the subscriptions

Self-host photos with Immich and passwords with Vaultwarden — set up the operator way, with backups that restore.

Own-your-data apps

4 · Make it survivable

Resilience, TLS & safe access

Prove a tested 3-2-1-1-0 restore, fix browser TLS warnings, and verify your VPN kill-switch fails closed.

Resilience & access

Compare & choose

Which one should you run? Source-backed, use-case decision maps (never a leaderboard) for the big self-hosting choices — media server, home-server OS, and self-hosted photos.

Jellyfin vs Plex in 2026: the cost shift (Plex lifetime hits $749.99 on July 1), hardware transcoding, remote access, apps, and privacy — and which to run.

Open runbook

Proxmox VE vs TrueNAS vs Unraid in 2026: hypervisor vs ZFS-NAS vs flexible-array, licensing, hardware, and when to combine them — a which-OS decision map.

Open runbook

Immich vs PhotoPrism vs Nextcloud Memories in 2026: mobile auto-backup, AI/face search, GPU acceleration, RAW/video, backups, and which to self-host.

Open runbook

Apps & own-your-data

The self-hosted apps that replace subscriptions — Immich for photos, Nextcloud for files, Vaultwarden for passwords — set up the operator way, with backups that actually restore.

Fix an Immich phone that won't upload: foreground vs background, iOS Background App Refresh, Android battery killers, and the Wi-Fi-only default.

Open runbook

Make Nextcloud fast and reliable — the real fixes operators apply: system cron, APCu+Redis, missing DB indices, PHP memory_limit/OPcache.

Open runbook

Run Vaultwarden the operator way — HTTPS via a reverse proxy, the Argon2 admin token and its Compose $$ trap, and a SQLite .backup that restores attachments.

Open runbook

Run the stack

Running containers without fighting them — Docker on a Synology, a maintainable Compose stack that survives reboots and rebuilds, and picking a mini-PC by the workload it'll actually carry.

Run containers on DSM without fighting it — Container Manager, the bind-mount permission failure that blocks most first runs, and the 80/443 DSM conflict.

Open runbook

Structure a Compose stack that survives reboots, updates, and a rebuild — restart: unless-stopped, .env out of git, named volumes, and pinned image digests.

Open runbook

Choose an Intel N-series mini-PC by workload — N100/N150 (4-core, ~6W) for Pi-hole/Home Assistant, N305/N355 (8-core) for heavier multi-stream transcoding.

Open runbook

Resilience, access & TLS

The parts that keep self-hosting safe — a backup you've actually restored (3-2-1-1-0), trusted certificates instead of browser warnings, and a VPN kill-switch you've verified fails closed.

Prove your backup recovers, don't assume it — 3-2-1 extended to 3-2-1-1-0, application-consistent database dumps, restic check, and a real restore drill.

Open runbook

Fix NET::ERR_CERT_AUTHORITY_INVALID on a self-hosted service — why a self-signed cert fails, and the two real fixes: Let's Encrypt DNS-01 or a private CA.

Open runbook

Make a container egress only through the VPN and prove it — the network_mode: service:gluetun pattern, the fail-closed firewall, and the egress-IP leak test.

Open runbook

Self-hosting: common questions

Mini-PC or a NAS for self-hosting?

Both work; it's a trade-off. A turnkey NAS gives you an integrated, supported appliance; a DIY mini-PC gives you more compute per dollar and full control but makes you the support desk. Size a mini-PC by workload, and compare the paths in the NAS buying guide.

Should I run Home Assistant in Docker or a VM?

Docker (Container) has no add-ons; HAOS in a VM gives you add-ons and USB passthrough. The trade-off and the migration path are covered in Home Assistant on a NAS: Docker vs VM.

How do I back up self-hosted apps so they actually restore?

Back up the database with an application-consistent dump, not a raw copy of live files, and prove the restore on clean hardware. The tested backup/restore runbook walks through 3-2-1-1-0 for a home server.

How do I reach my services safely from outside?

Don't port-forward app panels. Use a mesh VPN or a reverse proxy with trusted TLS, and verify any VPN kill-switch fails closed. Fix untrusted-certificate browser warnings the right way rather than clicking through them.

12 self-hosting runbooks, and growing. New home-server app, stack, and resilience operator pages are added as each theme is built out.