Self-Hosting
Self-hosting & home-server runbooks
Operator-grade troubleshooting and planning for the home-server app layer — the own-your-data apps (Immich, Nextcloud, Vaultwarden), running the stack right (Docker on a NAS, a maintainable Compose stack, a mini-PC sized to the workload), and the resilience that keeps it safe (a tested 3-2-1-1-0 restore, trusted TLS, and a verified VPN kill-switch). Every page leads with diagnosis, is source-backed against first-party docs, and insists you prove the restore rather than assume it.
Apps & own-your-data
The self-hosted apps that replace subscriptions — Immich for photos, Nextcloud for files, Vaultwarden for passwords — set up the operator way, with backups that actually restore.
Fix an Immich phone that won't upload — the foreground/background split, iOS Background App Refresh, Android battery killers, Wi-Fi-only default — plus the DB+library backup that actually restores.
Make Nextcloud fast and reliable — the real fixes operators apply (system cron, APCu+Redis, missing DB indices, PHP memory_limit/OPcache) and the maintenance-mode backup that actually restores.
Run Vaultwarden the operator way — HTTPS via a reverse proxy (clients refuse plain HTTP), the Argon2 admin token and its Compose $$ trap, a locked-down admin page, and a SQLite .backup that restores attachments too.
Run the stack
Running containers without fighting them — Docker on a Synology, a maintainable Compose stack that survives reboots and rebuilds, and picking a mini-PC by the workload it'll actually carry.
Run containers on DSM without fighting it — the DSM 7.2+ Container Manager (and the 7.3 naming churn), the bind-mount permission failure that blocks most first runs, and the 80/443 conflict with DSM's own web services.
Structure a Compose stack that survives reboots, updates, and a rebuild — restart: unless-stopped, .env out of git, named volumes for data, pinned image digests instead of latest, and a backup that captures config + data together.
Choose an Intel N-series mini-PC by what it'll actually run — N100/N150 (4-core, ~6W) for Pi-hole/Home Assistant + light transcoding, N305/N355 (8-core) for heavier multi-stream — plus the single-channel-16GB ceiling and the QuickSync AV1 decode-not-encode catch.
Resilience, access & TLS
The parts that keep self-hosting safe — a backup you've actually restored (3-2-1-1-0), trusted certificates instead of browser warnings, and a VPN kill-switch you've verified fails closed.
Prove your backup recovers, don't assume it — 3-2-1 extended to 3-2-1-1-0 (one immutable copy, zero errors after a tested restore), application-consistent database dumps, restic check, and a real restore drill to scratch.
Fix NET::ERR_CERT_AUTHORITY_INVALID on a self-hosted service — why a self-signed cert fails, the two real fixes (Let's Encrypt DNS-01 for an internal host, or a private CA you trust), the HSTS no-bypass trap, and why automated renewal is now mandatory.
Make a container egress only through the VPN and prove it — the network_mode: service:gluetun pattern, the fail-closed firewall, the curl-from-inside egress-IP check, the tunnel-down leak test, and DNS/IPv6 leak traps.
9 self-hosting runbooks, and growing. New home-server app, stack, and resilience operator pages are added as each theme is built out.