The 2026 Self-Hosting Renaissance — Personal Infra Rebuilt with Tailscale, Coolify, Dokku, and a Homelab
Author: Youngju Kim (@fjvbn20031)
Prologue — Why People Run Their Own Stuff Again
In 2018, a friend would have asked, "Why are you hosting that yourself? Just spin it up on AWS." In 2026, the same friend has a Coolify install on an N100 mini-PC and pulls up their own Immich to look at photos.
The shift didn't happen overnight. Several dots got connected at the same time.
- The cloud got expensive. FX rates, AWS egress, S3 request prices, and most of all, the dread of "I left something on by accident and now there's a bill." The $100+/month spent on a couple of side projects moved to a $200 N100 mini-PC and lifetime hosting.
- Mesh VPN went mainstream. After Tailscale wrapped WireGuard into something humans can use and gave it away for free, the four classic horrors — port forwarding, dynamic DNS, certificates, NAT traversal — disappeared at once. People even self-host the control plane via Headscale.
- Containers grew up. One Docker Compose file brings up Immich, Nextcloud, Vaultwarden, Forgejo, Plausible, and Pi-hole in five minutes. The Ansible-playbook era of five years ago feels like another lifetime.
- PaaS went open source. Coolify, Dokku, and CapRover bring the "git push, get deployed" experience onto your own box. The $100/month Heroku bill becomes zero.
- Data sovereignty came back as a topic. Photos, documents, passwords, family chat — what becomes training data for what model, nobody really guarantees. "My data on my disk" is appealing again.
- The side-project aesthetic returned. selfh.st newsletter, r/selfhosted, awesome-selfhosted, Homelab Show — a culture of showing off your tiny server. The 90s PC user-group, reborn for the 21st century.
This piece is a 2026 map of that renaissance. Including the harder question: what should you self-host, and what should you absolutely not?
1. Foundation — Mesh VPN Changed Everything
If you compress the homelab boom into one sentence, this is it:
Self-hosting is divided into before-Tailscale and after-Tailscale.
What Tailscale Removed
The old home-server guide always started with the same chapter.
- Go into the home router and open ports 80, 443, 22.
- Set up dynamic DNS so the residential IP is reachable by name.
- Pull a Let's Encrypt certificate and stand up an nginx reverse proxy.
- Configure fail2ban, intrusion detection, SSH key auth.
- Wake up Saturday morning to an alert that someone is brute-forcing your SSH.
Tailscale severed that chain in one move. You don't open a single port. Install the client on every device, log in with the same account, and a WireGuard-based P2P mesh forms automatically. A private IP in the 100.x.y.z range gets attached to each device, and the devices talk only inside that network.
By 2026, Tailscale offers:
- A WireGuard-based mesh VPN — peer-to-peer, not hub-and-spoke. Once two nodes negotiate a direct connection, traffic stops touching the control plane.
- NAT traversal (STUN, UDP hole punching) automatic. If that fails, it falls back to a DERP relay.
- MagicDNS — names like `my-nas.tailnet-name.ts.net` instead of `100.64.x.x`.
- Tailscale SSH — SSH key management delegated to ACLs. The bastion host disappears.
- Subnet routers and exit nodes — expose a whole LAN through one gateway, or route all traffic through your home.
- Funnel — expose a single service to the public internet without opening any ports.
- ACLs as JSON — who can reach whom on what port, as code.
- Free plan: 100 devices, 3 users (an expansion from April 2024 that still holds in 2026).
Headscale — Self-Hosting the Control Plane
Tailscale's control plane (coordination, auth, ACLs) is operated by the company. For the people who can't even trust that, Headscale (MIT-licensed) provides a compatible control plane. The data plane is still WireGuard, so no performance difference.
By 2026 Headscale is considered stable around v0.26. OIDC SSO, policy v2, prefixed API keys, embedded DERP — "our own Tailscale with our corporate OAuth" is now feasible.
A Small ACL Snippet
```json
{
  "acls": [
    { "action": "accept", "src": ["group:admin"],  "dst": ["*:*"] },
    { "action": "accept", "src": ["group:family"], "dst": ["tag:media:80,443"] },
    { "action": "accept", "src": ["tag:ci"],       "dst": ["tag:registry:443"] }
  ],
  "groups": {
    "group:admin":  ["alice@example.com"],
    "group:family": ["bob@example.com", "carol@example.com"]
  },
  "tagOwners": {
    "tag:media":    ["group:admin"],
    "tag:registry": ["group:admin"],
    "tag:ci":       ["group:admin"]
  }
}
```
One file: admins get everything, family gets media only, CI gets the registry only. The mental shift is writing firewall rules in terms of identity, not IPs.
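To see what "firewall rules in terms of identity" actually decides, here is a small offline evaluator for that policy file. It is an added example written for this post, not Tailscale's code, and it models only the subset shown above: a node is either owned by a user or carries tags (tagged devices have no user identity, as in Tailscale), port specs may be `*`, single ports, comma lists or `lo-hi` ranges, and autogroups, hosts and ipsets are not modelled. It also includes two review checks a practitioner wants before applying a policy: which rules grant every port on every node, and which tags are referenced without a `tagOwners` entry.

```python
"""Offline evaluator and linter for a Tailscale-style ACL policy (added example)."""

# Constructed policy: the same three-rule file shown in the article.
POLICY = {
    "acls": [
        {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:family"], "dst": ["tag:media:80,443"]},
        {"action": "accept", "src": ["tag:ci"], "dst": ["tag:registry:443"]},
    ],
    "groups": {
        "group:admin": ["alice@example.com"],
        "group:family": ["bob@example.com", "carol@example.com"],
    },
    "tagOwners": {
        "tag:media": ["group:admin"],
        "tag:registry": ["group:admin"],
        "tag:ci": ["group:admin"],
    },
}


def expand(policy, entry):
    """Expand a principal ("*", "group:x", "tag:x", or a user) to the identities it names."""
    if entry.startswith("group:"):
        return set(policy.get("groups", {}).get(entry, []))
    return {entry}


def node_identities(node):
    """Every name a node can be matched by: its owning user, or its tags (assumed model)."""
    ids = set()
    if node.get("user"):
        ids.add(node["user"])
    ids.update(node.get("tags", ()))
    return ids


def split_dst(dst):
    """'tag:media:80,443' -> ('tag:media', '80,443'); '*:*' -> ('*', '*')."""
    target, _, ports = dst.rpartition(":")
    return target, ports


def port_allowed(spec, port):
    """Match a port against '*', '443', '80,443' or '8000-8100'."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if hi and int(lo) <= port <= int(hi):
            return True
        if not hi and int(lo) == port:
            return True
    return False


def is_allowed(policy, src_node, dst_node, port):
    """Default deny: True only when some accept rule matches src, dst and port."""
    src_ids, dst_ids = node_identities(src_node), node_identities(dst_node)
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any("*" in expand(policy, s) or expand(policy, s) & src_ids for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            target, ports = split_dst(dst)
            targets = expand(policy, target)
            if ("*" in targets or targets & dst_ids) and port_allowed(ports, port):
                return True
    return False


def broad_rules(policy):
    """Rules granting every port on every node: the ones to justify in review."""
    return [(src, dst) for rule in policy["acls"] for src in rule["src"]
            for dst in rule["dst"] if split_dst(dst) == ("*", "*")]


def unowned_tags(policy):
    """Tags used in acls but absent from tagOwners: nobody could ever apply them."""
    used = set()
    for rule in policy["acls"]:
        used.update(s for s in rule["src"] if s.startswith("tag:"))
        used.update(t for t, _ in map(split_dst, rule["dst"]) if t.startswith("tag:"))
    return sorted(used - set(policy.get("tagOwners", {})))


if __name__ == "__main__":
    bob, media, registry = {"user": "bob@example.com"}, {"tags": {"tag:media"}}, {"tags": {"tag:registry"}}
    print("bob -> media:443     ", is_allowed(POLICY, bob, media, 443))       # True
    print("bob -> registry:443  ", is_allowed(POLICY, bob, registry, 443))    # False
    print("broad rules:", broad_rules(POLICY), "unowned tags:", unowned_tags(POLICY))
```

The useful habit is the negative cases: before pushing a policy, assert that family cannot reach the registry and that CI cannot reach media, not only that the intended paths work.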
Tailscale Funnel — Public Exposure Without Open Ports
Funnel exposes a tailnet service to the public internet on an official xxx.ts.net hostname. TLS is issued and rotated by Tailscale, and traffic enters via Tailscale before hitting the internal node. Zero router ports open, public blog still online.
Alternatives in One Line Each
| Tool | Character | One-liner |
|---|---|---|
| Tailscale | Managed SaaS, 100 devices free | Easiest. 90 percent of people stop here |
| Headscale | Tailscale-compatible self-hosted control plane | For companies and full autonomy |
| Netbird | OSS mesh, rich ZTNA policy | Strongest Tailscale alternative |
| ZeroTier | Virtual L2 network, longtime player | Great for LAN gaming and embedded |
| Nebula | Slack's mesh, lean and fast | Operationally heavier |
| Plain WireGuard | Fastest but DIY for everything | You hand-draw the mesh |
Bottom line — whatever you self-host, start by installing Tailscale. The single service that truly needs public exposure (a blog, say) gets Funnel or Cloudflare Tunnel separately.
2. Self-Hosting the PaaS — Coolify, Dokku, CapRover
A homelab eventually grows out of one wish: "I want git-push-to-deploy on my own hardware." In 2026 there are three main contenders.
2.1 Coolify — The Star of 2025-2026
Coolify is the work of Hungarian developer Andras Bacsai, now incorporated, written in PHP/Laravel. Apache 2.0 license, runs on a single Docker host, delivers an experience close to Heroku/Vercel.
What it gives you:
- Git integration with GitHub, GitLab, Gitea, Bitbucket. Push auto-builds and deploys.
- Nixpacks / Heroku Buildpacks / Dockerfile auto-detection.
- Preview environments — a separate domain per PR.
- One-click DB, Redis, RabbitMQ, MeiliSearch provisioning.
- Automatic TLS via a Caddy-based traffic router.
- Multi-server — one Coolify can manage several nodes.
- A one-click self-hosted app catalog (Plausible, Umami, n8n, Supabase, ...).
- Backups to S3-compatible storage (B2, R2, MinIO).
By 2026, Coolify runs in the stable 4.x line. The one-line install script is essentially standard. It's the most repeated keyword in the selfh.st newsletter.
When to pick it:
- A solo developer juggling several side projects.
- A small team running staging and production on a single host.
- An indie maker for whom Heroku/Vercel bills started to sting.
Limitations:
- DB backup restore flows still need hand-holding.
- Multi-node is possible but not a real cluster (for that, K3s).
- Core is Laravel — deep customization has a learning curve.
2.2 Dokku — The Original PaaS-in-a-Box
Dokku dates back to 2013. It started as the "Can we build Heroku in 100 lines?" experiment and has matured into the most battle-tested single-host PaaS. MIT-licensed and built from shell scripts and Docker, with time-tested reliability as its main asset.
The core flow:
```bash
# On the host
dokku apps:create myblog
dokku domains:add myblog blog.example.com
dokku letsencrypt:set myblog email me@example.com
dokku letsencrypt:enable myblog

# Locally
git remote add dokku dokku@homelab.tailnet-name.ts.net:myblog
git push dokku main
# Buildpack detection -> container build -> zero-downtime deploy
```
Watching `git push dokku main` work the first time leaves people muttering, "wait, this is just Heroku."
Coolify vs. Dokku, one line:
- Dokku is CLI- and plugin-centric. For people at home in a shell.
- Coolify is UI-centric. For people who want everything through clicks.
2.3 CapRover — Docker Swarm Cousin
CapRover is in the same category. It runs on Docker Swarm, and its "Quick One-Click Deploy 100+ apps" catalog is the highlight. The UI is a bit lighter, and multi-node clustering is built in from day one. In 2026 the market share has slid behind Coolify, but it has a loyal user base.
2.4 K3s / k0s — "PaaS Is Restrictive but K8s Is Heavy"
The next level up replaces PaaS with lightweight Kubernetes. K3s (Rancher), k0s (Mirantis), MicroK8s (Canonical) live in that slot. Kubernetes that fits on a Pi 4/5. ArgoCD, Flux, Helm work directly. The catch is that "operating Kubernetes" is now your homework.
Running K3s on a homelab is almost religious. What you gain: a GitOps playground for Ingress and ConfigMaps. What you give up: weekends debugging cert-manager, MetalLB, and local-path-provisioner.
2.5 Decision Matrix
| Situation | Pick |
|---|---|
| 2-5 side projects, want speed | Coolify |
| Comfortable in a shell, value stability | Dokku |
| Multi-node plus one-click catalog | CapRover |
| You run K8s at work, want practice at home | K3s |
| One compose file is the whole stack | Plain docker compose + Traefik |
3. Identity, Passwords, Auth — The Heart of Self-Hosting
Once data starts living on your own disk, the next question is unavoidable: "what about the passwords?"
3.1 Vaultwarden — Bitwarden Server at Zero Cost
Vaultwarden is a Bitwarden-compatible server rewritten in Rust. The official Bitwarden server is a heavy multi-container .NET app; Vaultwarden is a single binary backed by SQLite or PostgreSQL. 100 percent compatible with the official Bitwarden clients (mobile apps, browser extensions).
```yaml
# docker-compose.yml
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      DOMAIN: "https://vault.tailnet-name.ts.net"
      SIGNUPS_ALLOWED: "false"
      ADMIN_TOKEN: "<argon2-hash>"
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"
```
Expose it only inside the tailnet and your password vault never touches the public internet. Bitwarden Premium becomes free, and family-shared vaults, TOTP, and file attachments all light up.
3.2 Authentik / Authelia / Keycloak — SSO Gates
Once you've stood up multiple self-hosted services and want to log in only once, you need an SSO or reverse-proxy auth gate.
- Authentik — Python/Django. The friendliest UI, OAuth2/OIDC, SAML, and LDAP in one package. The most popular pick in 2026.
- Authelia — Go, lean. Particularly strong on 2FA, MFA, and WebAuthn. De facto partner of Traefik.
- Keycloak — Java, enterprise standard. Heavy but the same KC you see at work.
If you already run Tailscale, "ACL as the first gate, Authentik as the second" is a clean split. Authentik only really earns its keep when something has to be exposed externally — for internal-only services, Tailscale ACL is usually enough.
3.3 Passkeys and WebAuthn
By 2026, passkey adoption in the self-hosting world has picked up sharply. Vaultwarden stores passkeys in the vault. Forgejo/Gitea, Authentik, and Immich treat WebAuthn login as a standard option. The trend of "the password field disappears" is the same here.
4. Content — Photos, Documents, Notes, Code, Video
4.1 Immich — The Definitive Google Photos Replacement
Immich is the headline success of the 2026 self-hosting world. It copies Google Photos' UX directly — mobile app, auto-backup, face recognition, object search, geo clustering, live photos, external libraries, shared albums, curated memories. It hit GA in 2024, took off in 2025, and by 2026 is the tool people use to leave Google Photos.
The backend bakes in ML — CLIP embeddings for search, MediaPipe for faces, optional Whisper for video audio. It runs better with a GPU but performs well on an N100 CPU. When family library preservation gets serious, it's effectively the only choice.
4.2 Nextcloud / OwnCloud / Seafile — Drive Replacements
- Nextcloud — the biggest ecosystem. Calendar, notes, office suite (Collabora/OnlyOffice), mail, chat (Talk) — a super-app. Heavy, but the most versatile.
- OwnCloud Infinite Scale (OCIS) — the lean Go-based rewrite. Focused on file sync.
- Seafile — the best-reviewed sync performance. Plain UI.
A common pairing: Immich for family photos, Nextcloud for general documents.
4.3 Forgejo / Gitea — GitHub Alternatives
In the age of GitHub Codespaces and Copilot, why run your own Git server? Two answers.
- Source-code sovereignty — private work, experiments, personal coding journals.
- CI/issues/wiki in one place — Forgejo Actions is workflow-YAML compatible with GitHub Actions. Just run a separate `actions-runner` and you're set.
Forgejo is the community fork born in 2022 after Gitea moved to a company structure. In 2025, Codeberg migrated fully to Forgejo, and by 2026 Forgejo is the de facto standard for self-hosted Git. Gitea is still active but new adoption leans Forgejo for licensing and governance reasons.
4.4 Notes, Docs, Wikis
- Obsidian + Git/Syncthing/self-hosted sync — markdown files plus Git sync, the classical solution.
- Outline — team wiki, often discussed as a Slack/Confluence replacement.
- AppFlowy — Rust-based Notion clone. Mobile got stable in 2026.
- Trilium / TriliumNext — single-user note tree. Cult favorite.
- BookStack — wiki using a book/chapter/page metaphor. Strong for manuals and runbooks.
- Memos — short-form note stream like Twitter. For journaling.
4.5 Media Servers — Jellyfin / Plex / Emby
Movies, music, TV libraries — still owned by media servers. Jellyfin, fully open source and free, soaked up users rapidly after Plex's 2024 policy changes. Plex still leads on UI and hardware-accelerated transcoding, but a meaningful audience left over "I'm not putting up with ads in my own library."
4.6 RSS, Read-Later, Archive
- Miniflux — Go, lean. A no-nonsense RSS reader.
- FreshRSS — PHP, feature rich.
- Wallabag — Pocket replacement, read later.
- Readeck / Linkding — bookmarks.
- Karakeep / Linkwarden — bookmarks with AI auto-tagging, very hot in 2026.
- ArchiveBox — archive a URL whole (screenshot, HTML, warc).
5. Infra Chores — DNS, Monitoring, Automation
5.1 Pi-hole / AdGuard Home — Household DNS Blockers
Block ads, trackers, and malicious domains at the DNS layer for the whole household. A single Raspberry Pi 4 or one Docker container is enough. Install once and ads start vanishing from every phone, TV, and smart toaster on the network.
- Pi-hole — oldest, most battle-tested. Simple UI.
- AdGuard Home — Go, more modern. Smoother handling of DoH, DoT, and DNSCrypt upstreams.
Both are stable by 2026, but AdGuard Home edges ahead in new installs. Both pair well with Tailscale MagicDNS — Tailscale DNS from outside, your own Pi-hole on the inside.
5.2 Beszel / Glances / Netdata — Monitoring
Homelab monitoring doesn't need to reach the corporate Prometheus and Grafana setup.
- Beszel — Go, SQLite, single binary. Born in 2024. Light and good-looking. The dark horse of 2026 homelab monitoring. Agent plus hub layout.
- Glances — top/htop superset on a host. Has a web UI too.
- Netdata — one-second resolution, very detailed. Heavy but unmatched in information density.
- Uptime Kuma — HTTP and port pings for an uptime page. The standard for monitoring side-project sites.
- Dozzle — Docker log viewer in the browser.
Beszel plus Uptime Kuma plus Dozzle covers 99 percent of homelab needs.
5.3 Backups — Restic, Borg, Kopia
Putting data on your own disk means owning the backup, too.
- Restic — Go, single binary, encryption and dedup standard. Backends include S3, B2, Wasabi, almost anything.
- Borg — older and very battle-tested, though the push-mode workflow has rough edges.
- Kopia — friendliest UI, ships with a GUI.
- Duplicacy — commercial, polarizing licensing.
Apply the 3-2-1 rule (3 copies, 2 media, 1 offsite) to your homelab too. Offsite usually means Backblaze B2 (cheap), Cloudflare R2 (free egress), or AWS S3 Glacier Deep Archive (cold).
5.4 Automation — n8n, Home Assistant
- n8n — self-hosted Zapier/IFTTT replacement. Node-graph automation.
- Home Assistant — the smart-home OS. Integrates every IoT thing in your home. Still dominant in 2026.
- Node-RED — visual programming, especially strong in industrial and Arduino-class work.
n8n and Home Assistant have basically become "canvases for building your own assistant." LLM nodes (Anthropic, OpenAI, Ollama) are now standard, and the "personal assistant grounded in my local data" pattern is widespread.
5.5 Analytics — Plausible / Umami / GoatCounter
Self-host blog and side-site analytics instead of GA4.
- Plausible — Elixir, the most polished. AGPL — be careful when hosting.
- Umami — Node/Postgres, MIT, the highest adoption.
- GoatCounter — Go, a one-person side project, beautiful in its minimalism.
Cookie banners disappear, and visitor data stays on your disk.
6. Hardware — What Lives Under the Desk
Hardware choices are harder than software ones. The common 2026 pattern.
6.1 N100/N305 Mini-PCs — Effectively the Standard
The Intel N100 (4-core Alder Lake-N, 6W TDP) and N305 (8 cores, 15W) have been the homelab baseline since 2024. For 200-350 dollars you get 16GB RAM, a 512GB NVMe, dual 2.5GbE NICs, and HDMI output.
Power use is roughly 30-50 kWh per year (5W idle, 15W under load). Maybe 4-9 dollars a year of electricity in many regions. With AWS t3.medium clocking in near 30 dollars a month, the box pays for itself within a year.
6.2 Raspberry Pi 5 — Lightweight Nodes
The Pi 5 (2.4 GHz quad Cortex-A76, 8GB RAM) still shines for specific workloads.
- DNS only with Pi-hole or AdGuard Home.
- Octoprint and print servers.
- Dedicated Home Assistant OS box.
- A three-node K3s cluster for learning.
By 2026 ARM container images are essentially universal, so compatibility worries are gone. The stability key is moving from an SD card to NVMe via a HAT.
6.3 NAS — Synology vs. TrueNAS vs. Unraid
Once data crosses about a terabyte you enter NAS country.
- Synology — the easiest. DSM is genuinely well crafted. Hardware value is debatable, and a 2025 policy nudging customers toward branded drives shook reputation in some models.
- TrueNAS Scale — Debian plus ZFS plus Kubernetes. Powerful with a learning curve.
- Unraid — JBOD plus parity, lets you grow disk by disk. The most beloved NAS OS in the self-hosting world.
- OpenMediaVault — Debian plus a web UI. Lean.
A homelab template: one Unraid or TrueNAS Scale, one N100 mini-PC, one Pi. NAS for storage, mini-PC for compute. The division of labor is clean.
6.4 Used Enterprise — Dell, HP, Lenovo 1L PCs
200-dollar Dell OptiPlex 7060, Lenovo M720q, and HP EliteDesk units land in the secondary market with i5/i7 CPUs, 16GB, and an SSD, making them solid second mini-PCs. r/homelabsales stays busy.
6.5 Pi-KVM / TinyPilot — Remote KVM
You think you'll never touch the server again until you need to enter the BIOS. Pi-KVM and TinyPilot put HDMI capture and USB emulation on a Raspberry Pi to give you an IP KVM. About 100 dollars of parts for an IPMI/iLO-class experience.
Borderline mandatory if your server lives at a friend's, a parent's, or in the office corner you don't visit.
6.6 UPS — Power Loss and Surge Protection
Treat a small UPS (APC Back-UPS, CyberPower) as essential. About 200 dollars buys 30 minutes of runtime plus surge protection. It directly determines whether your disks survive an outage.
7. Threat Model — How Not to Get Owned
"Nobody is looking at my server" doesn't survive contact with reality. An SSH port exposed to the internet sees bots within seconds. The 2026 self-hosting threat model starts from a single assumption.
Public ports are reconnaissance targets. Prefer zero. If you must, one. Everything else lives behind the mesh.
7.1 Five Exposure Patterns
| Pattern | Attack Surface | Recommend? |
|---|---|---|
| Router port-forward 80/443/22 | High (the whole internet sees you) | Avoid |
| Cloudflare Tunnel | Medium (CF is the gate) | Recommended |
| Tailscale Funnel | Medium (Tailscale is the gate) | Recommended |
| Tailscale only, no public exposure | Low (only an account compromise) | Strongly recommended |
| Air-gapped plus USB transfer | Effectively zero | Enthusiast |
The default rule is start private and promote to public only when needed.
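The table is only as good as your knowledge of what is actually listening, so here is the audit behind "confirm zero externally exposed ports": a script that classifies each listener from `ss -tlnp` output by its bind address. This is an added example written for this post, not a tool from any of the projects mentioned; the `ss` output is a constructed sample in the real column layout, and the address ranges are Tailscale's CGNAT block `100.64.0.0/10` and its IPv6 ULA block `fd7a:115c:a1e0::/48`. A listener on every interface is only public if the router forwards it, but those are exactly the ones to reconcile against the table and the host firewall.

```python
"""Classify listening sockets by reachability from `ss -tlnp` output (added example)."""
import ipaddress
import re

# Address blocks Tailscale assigns from (IPv4 CGNAT range and IPv6 ULA range).
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")
WILDCARDS = {"*", "0.0.0.0", "::"}

# Constructed sample in the column layout of `ss -tlnp`; not a real capture.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080       0.0.0.0:*         users:(("docker-proxy",pid=1201,fd=4))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      4096   100.101.102.103:443  0.0.0.0:*         users:(("caddy",pid=1399,fd=9))
LISTEN 0      4096   *:3000               *:*               users:(("myapp",pid=1450,fd=7))
LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=811,fd=4))
LISTEN 0      4096   [::1]:53             [::]:*            users:(("pihole-FTL",pid=900,fd=5))
"""


def scope_of(host):
    """'loopback', 'tailnet', 'lan' or 'all-interfaces', judged from the bind address alone."""
    host = host.strip("[]")
    if host in WILDCARDS:
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr in TAILNET_V4 or addr in TAILNET_V6:
        return "tailnet"
    return "lan"


def parse_ss(text):
    """Yield (port, bind_host, process) for each LISTEN line; the header is skipped."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")
        match = re.search(r'\("([^"]+)"', line)
        yield int(port), host, (match.group(1) if match else "?")


def audit(text):
    """One record per listener with its reachability scope."""
    return [{"port": port, "bind": host, "process": proc, "scope": scope_of(host)}
            for port, host, proc in parse_ss(text)]


def exposed(text):
    """Listeners bound on every interface: the candidates a router port-forward would publish."""
    return sorted({(r["port"], r["process"]) for r in audit(text) if r["scope"] == "all-interfaces"})


if __name__ == "__main__":
    for record in audit(SAMPLE):
        print(f"{record['scope']:15} {record['bind']:>18}:{record['port']:<5} {record['process']}")
    print("needs a decision:", exposed(SAMPLE))   # [(22, 'sshd'), (3000, 'myapp')]
```

On a real box, feed it `ss -tlnp` (and `ss -ulnp` for UDP) and expect the `exposed` list to be empty once SSH has moved behind Tailscale and every container is bound to loopback or a tailnet address.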
7.2 Cloudflare Tunnel
Run cloudflared on the home box and open one outbound tunnel to Cloudflare. Cloudflare's edge terminates the domain and pushes traffic into the tunnel. Public hosting with zero router ports.
Upside: free tier, DDoS protection, Cloudflare Access (zero trust) for SSO bolt-on, IP masking. Downside: Cloudflare sees TLS-terminated traffic, and live streaming bumps into the TOS.
7.3 Tailscale Funnel
Public exposure on a Tailscale-owned hostname (xxx.ts.net). TLS is Let's Encrypt, automated by Tailscale. Simpler than Cloudflare, but the free tier has bandwidth caps, and (as of 2026) your own domain isn't supported.
7.4 What Actually Needs to Be Public
- Must be public: blog, portfolio site, OAuth callback handlers, online form submission.
- Share-link is enough: Plausible embedded dashboard (public-page option), media library guest links.
- Never public: Vaultwarden, Authentik, admin UIs, Forgejo admin, Coolify dashboard, raw DBs.
7.5 Always-On Basics
- SSH goes through Tailscale SSH; close port 22.
- Containers join Docker networks, not host ports; Traefik or Caddy is the gate.
- Automatic security updates (unattended-upgrades; watchtower selectively).
- A backup that has never been restored isn't a backup yet.
- Emergency access (Bitwarden Emergency Access, Vaultwarden Emergency Access) configured.
- Don't park 2FA solely in the same vault — keep a YubiKey or a second vault for the codes.
7.6 What Actually Goes Wrong — Real Patterns
- CVEs that bypass auth on publicly exposed Plex/Jellyfin — once a year, like clockwork.
- Vaultwarden admin token stored as a plain env var — and the env file ends up in a backup.
- Forgejo runner token leaked — arbitrary builds can run.
- Synology DiskStation with a weak password and public exposure — ransomware.
- `docker run --network host` — internal network fully exposed.
The synthesis is simple — shrink the public surface, hide everything behind the mesh, concentrate secrets in one place, and protect that one place the hardest.
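Three of those failure patterns (the plaintext admin token, host networking, and a service bound on every interface) are visible in the compose file before anything runs, so here is a linter that checks the Vaultwarden file from section 3.1 for them. It is an added example written for this post, not part of Vaultwarden or Compose; it uses a deliberately minimal line-based reader for the shape shown above rather than a YAML parser, and both inputs are constructed, including the argon2 placeholder string, which is not a real hash. Two details worth knowing: Vaultwarden accepts an argon2 PHC string as `ADMIN_TOKEN`, and inside a compose file every `$` in that string must be doubled to escape interpolation, which is why the check strips leading `$` characters.

```python
"""Lint a Vaultwarden compose file for the exposure mistakes listed above (added example)."""
import ipaddress

TAILNET = ipaddress.ip_network("100.64.0.0/10")   # Tailscale's IPv4 range

# Constructed: the section 3.1 shape with a placeholder PHC string (not a real hash).
GOOD = """\
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: always
    environment:
      DOMAIN: "https://vault.tailnet-name.ts.net"
      SIGNUPS_ALLOWED: "false"
      ADMIN_TOKEN: "$$argon2id$$v=19$$m=65540,t=3,p=4$$not-a-real-salt$$not-a-real-hash"
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"
"""

# Constructed: the same service with the env-list syntax and several mistakes at once.
BAD = """\
services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - DOMAIN=http://vault.example.lan
      - SIGNUPS_ALLOWED=true
      - ADMIN_TOKEN=hunter2
    ports:
      - "8080:80"
"""

# Constructed: host networking, which bypasses port mapping entirely.
HOSTNET = """\
services:
  vaultwarden:
    image: vaultwarden/server:latest
    network_mode: host
    environment:
      DOMAIN: "https://vault.tailnet-name.ts.net"
      SIGNUPS_ALLOWED: "false"
"""


def parse_service(text):
    """Pull environment, ports and network_mode out of a one-service compose file.
    Minimal line-based reader for the shapes above; it is not a YAML parser."""
    env, ports, network_mode, section, section_indent = {}, [], None, None, -1
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if section is not None and indent <= section_indent:
            section = None                      # dedented: the list/mapping ended
        if section == "environment":
            key, _, val = line[2:].partition("=") if line.startswith("- ") else line.partition(":")
            env[key.strip()] = val.strip().strip("\"'")
        elif section == "ports":
            if line.startswith("- "):
                ports.append(line[2:].strip().strip("\"'"))
        elif line.startswith("network_mode:"):
            network_mode = line.split(":", 1)[1].strip().strip("\"'")
        elif line in ("environment:", "ports:"):
            section, section_indent = line[:-1], indent
    return env, ports, network_mode


def lint(text):
    """Return (code, message) findings; an empty list means the file passed."""
    env, ports, network_mode = parse_service(text)
    findings = []
    if network_mode == "host":
        findings.append(("host-network", "network_mode: host puts the service on every host interface"))
    for spec in ports:
        parts = spec.rsplit(":", 2)               # "host:hostport:cport" or "hostport:cport"
        host = parts[0].strip("[]") if len(parts) == 3 else ""
        if host in ("", "*", "0.0.0.0", "::"):
            findings.append(("port-all-interfaces", f"{spec} listens on every interface"))
        else:
            addr = ipaddress.ip_address(host)
            if not (addr.is_loopback or addr in TAILNET):
                findings.append(("port-lan", f"{spec} is reachable from the LAN"))
    token = env.get("ADMIN_TOKEN")
    if token and not token.lstrip("$").startswith("argon2"):
        findings.append(("admin-token-plaintext", "ADMIN_TOKEN is not an argon2 PHC hash"))
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":   # Vaultwarden defaults to open signups
        findings.append(("signups-open", "set SIGNUPS_ALLOWED to \"false\" once your accounts exist"))
    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append(("domain-not-https", "DOMAIN must be https://; clients and WebAuthn need TLS"))
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD), ("HOSTNET", HOSTNET)):
        print(name, lint(text) or "clean")
```

The plaintext-token finding also covers the backup story from above: a hashed token in the env file is safe to land in a Restic repository, a plaintext one is not.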
8. What to Self-Host and What Not To
The most dangerous trap is the homelab fantasy of "everything is possible." Possible and worth doing are different sets.
| Category | Self-Host? | Why |
|---|---|---|
| Photo library (Immich) | Strong yes | Family memories must not be lost — you own that risk |
| Passwords (Vaultwarden) | Strong yes | Most critical asset, zero external dependency |
| Notes/documents/Drive replacement | Yes | Heart of data sovereignty |
| Media server (Jellyfin) | Yes | Massive value, watch for GPU needs |
| Analytics (Umami/Plausible) | Yes | Replace GA4, cookie banners gone |
| RSS, read-later, bookmarks | Yes | Light services, high data value |
| Git hosting (Forgejo) | Yes (hobby) | Company code follows company policy |
| Automation (n8n) / smart home | Yes | Private flows have no reason to be external |
| DNS / ad blocking (Pi-hole) | Strong yes | Best price-to-value, instant felt benefit |
| Self-hosting mail | Avoid | Reputation, DKIM, SPF, blocklists — nightmare |
| Payments / identity / legal duties | Avoid | Compliance and audit overhead |
| Corporate SSO / directory | It depends | Small teams ok with Authentik, scale needs Okta/Entra |
| Chat (Matrix) | Cautious | Can you actually move all your friends? |
| LLM inference (Ollama) | Hobby yes | Production needs GPU spend and tuning |
| Video conferencing (Jitsi) | Light only | Real workloads belong on SaaS |
Two one-liners:
- Self-host only when operational cost is less than or equal to benefit. Mail is the textbook counter-example.
- The more valuable the data, the higher the value of self-control. Photos, passwords, journals — you should own them.
9. Cost Math — Honestly
One appeal of homelab is "the AWS bill goes away." For an honest comparison, here's a 12-month table.
| Item | Cloud | Homelab (one N100) |
|---|---|---|
| Compute (monthly) | $30 (t3.medium) | $1.5 (electricity) |
| Storage (1 TB) | $23 (S3 Standard) | $5 (amortized NVMe) |
| Egress (monthly) | $50 plus (TB scale) | $0 (home internet) |
| Availability (monthly) | 99.99 percent | 99 percent (outages, reboots) |
| Ops time (hours/month) | 2 | 4-10 early, settles around 2 |
| Upfront | $0 | $80 (UPS) |
| Year-one total | $1,200 plus | $80 from year 2 |
Hidden cost: your time. The first month eats 30 hours of "install, break, redo." After that it settles at one or two hours a month. Whether that time is enjoyable is the real decision.
Hidden gain: the cloud skills you use at work, exercised at home. Running ArgoCD, Prometheus, Traefik at home moves your understanding to a different level.
10. Starter Recipe — Halfway There in One Week
A seven-day roadmap for newcomers.
Day 1 — Hardware and OS
- Order an N100 mini-PC (or pick up a used 1L PC).
- Install Ubuntu Server 24.04 LTS or Debian 12.
- Disable SSH password login; keys only.
Day 2 — Tailscale
- Install Tailscale on the host, laptop, and phone; log in with the same account.
- Turn on MagicDNS and Tailscale SSH.
- Close port 22 on the router.
Day 3 — Docker plus Traefik or Caddy
- Install Docker and Docker Compose.
- Bring up Traefik or Caddy as a reverse proxy with automatic TLS (Tailscale certs).
Day 4 — Pick One: Coolify or Dokku
- Coolify: one-line install script.
- Dokku: one apt line plus your first git push.
- Deploy one of your side projects.
Day 5 — The Core Three
- Vaultwarden for passwords.
- Immich for photos (family-grade value).
- Pi-hole or AdGuard Home for DNS.
Day 6 — Monitoring and Backups
- Install Beszel, Uptime Kuma, and Dozzle.
- Use Restic to back up `/var/lib/docker/volumes` and the photo volume to B2 or R2 daily.
- Restore once. A backup you've never restored is a wish.
Day 7 — Anti-Pattern Audit, then Rest
- Confirm zero externally exposed ports.
- Print Vaultwarden's emergency access and recovery seed on paper and store it somewhere safe.
- Pick one app to add next week. Done.
Eighty percent of people stop here. From there it's a slow expansion — Forgejo, Plausible, n8n, Home Assistant, Jellyfin...
Epilogue — Self-Hosting Is Normal Again
The 2026 landscape, summarized.
- Tailscale erased the NAT/certificate/VPN hell.
- Coolify and Dokku put the Heroku experience back on your own box.
- Immich, Vaultwarden, Forgejo, Plausible chipped away at big-tech dependency, one sack at a time.
- One N100 mini-PC makes a zero-dollar cloud bill realistic.
- selfh.st and r/selfhosted play the role of friendly mentors.
This isn't avoidance — it's a rebalance. Cloud is not going away — corporate infra, global traffic, working SaaS are all still cloud. But personal data and tools live back under the desk.
A 14-Item Checklist
- Is a mesh VPN (Tailscale or equivalent) in place?
- Is router port 22 closed to the public?
- Does every SSH session go via keys plus Tailscale SSH?
- Are all passwords inside Vaultwarden (or equivalent)?
- Are emergency access and recovery seeds printed on paper somewhere?
- Is data on at least two media, one of them off-site?
- Have you successfully restored from backup at least once?
- Do your family or roommates know where the photos and documents live?
- Is monitoring on and routing alerts to your phone?
- Are automatic security updates running?
- Does the UPS hold for at least 30 minutes?
- Can you draw the auth flow of the one public domain you do expose?
- Is there a piece of paper that explains, "if I'm out for a year, here's how to keep this alive"?
- Is the weekly time you spend on this decreasing rather than growing?
Ten Anti-Patterns
- Installing 20 apps the first week — that's 30 worth of operations.
- Port-forwarding 22, 80, 443 — bots reach you in five minutes.
- Storing the Vaultwarden admin token as a plaintext env var — and backing the env file up.
- Never restoring from a backup — it isn't a backup.
- Reusing one SSO password across services — one breach is total.
- `docker run --network host` everywhere — isolation gone.
- Monitoring only on the same host — host dies, alerts die.
- Self-hosting mail — reputation and DKIM purgatory.
- Skipping the UPS on an SSD — one outage and the filesystem goes.
- Not telling family — if you can't get in, neither can the photos.
Next Up
Candidates: Kubernetes Homelab — running a small cluster with K3s, ArgoCD, and Cilium, Immich Deep Dive — ML pipeline, external libraries, B2 backups, Tailscale ACLs in Practice — identity-driven firewalls.
"Cloud is for work. Under the desk is for me."
— The 2026 self-hosting renaissance, end.
References
- Tailscale
- Tailscale ACL docs
- Tailscale Funnel
- Headscale on GitHub
- WireGuard
- Netbird
- ZeroTier
- Coolify
- Coolify on GitHub
- Dokku
- CapRover
- K3s
- Vaultwarden on GitHub
- Authentik
- Authelia
- Immich
- Nextcloud
- OwnCloud Infinite Scale
- Seafile
- Forgejo
- Codeberg
- Gitea
- Outline
- AppFlowy
- BookStack
- Memos
- Jellyfin
- Linkwarden
- Karakeep (formerly Hoarder)
- ArchiveBox
- Pi-hole
- AdGuard Home
- Beszel
- Glances
- Netdata
- Uptime Kuma
- Dozzle
- Restic
- BorgBackup
- Kopia
- n8n
- Home Assistant
- Plausible
- Umami
- Pi-KVM
- TinyPilot
- TrueNAS Scale
- Unraid
- OpenMediaVault
- selfh.st newsletter
- awesome-selfhosted
- r/selfhosted
- r/homelab
- Cloudflare Tunnels
- Ollama