This posts lists inexpensive home servers, Tailscale and Claude Code as the big unlocks.
I actually think Tailscale may be an even bigger deal here than sysadmin help from Claude Code at al.
The biggest reason I had not to run a home server was security: I'm worried that I might fall behind on updates and end up compromised.
Tailscale dramatically reduces this risk, because I can so easily configure it so my own devices can talk to my home server from anywhere in the world without the risk of exposing any ports on it directly to the internet.
Being able to hit my home server directly from my iPhone via a tailnet no matter where in the world my iPhone might be is really cool.
definitely, but to be fair, beyond that it's just linux. Most people would need claude code to get what ever they want to use linux for running reliably (systemd service, etc.)
I'd rather expose a Wireguard port and control my keys than introduce a third party like Tailscale.
I am not sure why people are so afraid of exposing ports. I have dozens of ports open on my server including SMTP, IMAP(S), HTTP(S), various game servers and don't see a problem with that. I can't rule out a vulnerability somewhere but services are containerized and/or run as separate UNIX users. It's the way the Internet is meant to work.
Tailscale works behind NAT, wireguard does not unless you also have a publicly reachable relay server which introduces its own maintenance headaches and cost.
I did it and I was just hacked because of a CVE on my pangolin reverse proxy!
Sadly, I didn't knew of the CVE soon enough and I only noticed when a crypto malware took my fan 100% all day long...
It's worth considering: Run the PiVPN script on a Ubuntu/Debian based VM. Set it to use a non-standard random port. That will be your only port exposed to the internet.
Add the generated Wireguard key to any device (laptops, phones, etc) and access your home LAN as if it was local from anywhere in the world for free.
Works well, super easy to setup, secure, and fast.
I just have a vpn server on my fiber modem/router (edgerouter-4) and use vpn clients on my devices. I actually have two vpn networks - one that can see the rest of my home network (and server) and the other that is completely isolated and can't see anything else and only does routing. No need to use a third-party and I have more flexibility
Besides the company that operates it, what is the big difference between Tailscale and Cloudflare tunnels? I've seen Tailscale mentioned frequently but I'm not quite sure what it gets for me. If it's more like a VPN, is it possible to use on an arbitrary device like a library kiosk?
Yeah same story for me. I did not trust my sensitive data on random self hosting apps with no real security team. But now I can put the entire server on the local network only and split tunnel VPN from my devices and it just works.
LLMs are also a huge upgrade here since they are actually quite competent at helping you set up servers.
Just be sure to run it with --accept-dns=false otherwise you won't have any outbound Internet on your server if you ever get logged out. That was annoying to find out (but easy to debug with Claude!)
Tailscale is a good first step, but its best to configure wireguard directly on your router. You can try headscale but it seems to be more of a hobby project - so native wireguard is the only viable path. Most router OS's supports wireguard these days too. You can ask claude to sanity check your configuration.
Tailscale does not solve the "falling behind on updates" problem, it just moves the perimeter. Your services are still vulnerable if unpatched: the attacker now needs tailnet access first (compromised device, account, or Tailscale itself).
You have also added attack surface: Tailscale client, coordination plane, DERP relays. If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.
WireGuard gives you the same "no exposed ports except VPN" model without the third-party dependency.
The tradeoff is convenience, not security.
BTW, why are people acting like accessing a server from a phone is a 2025 innovation?
SSH clients on Android/iOS have existed for 15 years. Termux, Prompt, Blink, JuiceSSH, pick one. Port N, key auth, done. You can run Mosh if you want session persistence across network changes. The "unlock" here is NAT traversal with a nice UI, not a new capability.
These are two very separate issues. Tailscale or other reverse proxies will give you access from the WAN.
Claude Code or other assistants will give you conversational management.
I already do the former (using Pangolin). I'm building towards the latter but first need to be 100% sure I can have perfect rollback and containement across the full stack CC could influence.
People are way too worried about security imo. Statistically, no one is targeting you to be hacked. By the time you are important and valuable enough for your home equipment to be a target you would have hired someone else to manage this for you
> The biggest reason I had not to run a home server was security: I'm worried that I might fall behind on updates and end up compromised.
In my experience this is much less of an issue depending on your configuration and what you actually expose to the public internet.
Os-side, as long as you pick a good server os (for me that’s rocky linux) you can safely update once every six months.
Applications-wise, i try and expose as little as possible to the public internet and everything exposed is running in an unprivileged podman container. Random test stuff is only exposed within the vpn.
Also tailscale is not even a hard requirement: i rub openvpn and that works as well, on my iphone too.
The truly differentiating factor is methodological, not technological.
Now I wish there was some kind of global, single-network version of Tailscale...
TS is cool if you have a well-defined security boundary. This is you / your company / your family, they should have access. That is the rest of the world, they should not.
My use case is different. I do occasionally want to share access to otherwise personal machines around. Tailscale machine sharing sort of does what I want, but it's really inconvenient to use. I wish there was something like a Google Docs flow, where any Tailscale user could attempt to dial into my machine, but they were only allowed to do so after my approval.
For the permissions, just add basic auth in the reverse proxy and choose whom to share the passwd with.
Now if you want OAuth or something like that... well tough luck, you need to set up OIDC or whatever and that's going to be taking you some time, but it still works how you want.
There’s also Cloudflare tunnels for stuff that you want to be available to the internet but dont want to open ports and deal with that. You can add an auth policy that only works with your email and Github/whatever SSO.
Great! I have looked into this and I have a few questions though...
Basically, I feel that tailscale does not make it very easy to set up services this way, and the only method I have figured out has a bit too many steps for my liking, basically:
- to expose some port to the tailnet, there needs to be a `tailscale serve` command to expose its ports
- in order for this command to run on startup and such, it needs to be made into a script that is run as a SystemD service
- if you want to do this with N services, then you need to repeat these steps N times
Anyone seriously about tech should have a homelab. It’s a small capital investment that lasts for years and with proxmox or similar having your own personal “private cloud” on demand is simple.
Fun. I don't agree that Claude Code is the real unlock, but mostly because I'm comfortable with doing this myself. That said, the spirit of the article is spot on. The accessibility to run _good_ web services has never been better. If you have a modest budget and an interest, that's enough -- the skill gap is closing. That's good news I think.
But Tailscale is the real unlock in my opinion. Having a slot machine cosplaying as sysadmin is cool, but being able to access services securely from anywhere makes them legitimately usable for daily life. It means your services can be used by friends/family if they can get past an app install and login.
I also take minor issue with running Vaultwarden in this setup. Password managers are maximally sensitive and hosting that data is not as banal as hosting Plex. Personally, I would want Vaultwarden on something properly isolated and locked down.
One day when I have some extra bucks I'd try to get a home server running, but the idea of having something eating grid electricity 24/7 doesn't seem to play along well with this 3rd world budget. Are there some foolproof and not so costly off-grid/solar setups to look at (like a Raspberry-based thingy or similar)?
Impeccable timing, I finally got around to putting some old hardware to use and getting a home assistant instance (and jellyfin, and immich, and nextcloud, ...) set up over winter break. Claude (and tailscale) saved hours of my time and enabled me to build enough momentum to get things configured. It's now feasible for me to spend 15-20 minutes knocking down homeserver tasks that I otherwise would've ignored. Quite fun!
What I’d really like is to run the admin interface for an app on a self hosted system behind firewalls, and push read replicas out into the cloud. But I haven’t seen a database where the master pushes data to the replicas instead of the replicas contacting the master. Which creates some pretty substantial tunneling problems that I don’t really want on my home network.
Is there a replica implementation that works in the direction I want?
Interesting subject, thank you! I have a cluster of 2 Orange Pis (16 GB RAM each) plus a Raspberry Pi. I think it's high time to get them back on my desk. I never had time to get very far with the setup due to a lack of time. It took so long to write the Ansible scripts/playbooks, but with Claude Code, it's worth a try now. So thanks for the article; it makes me want to dust it off!
This is great and echoes my experience. Although I would add a caveat that this mostly applies to solo work. Once you need to collaborate or operate on a team, many of limits of self-hosting return.
Might as well ask here in case author or anyone else with a similar setup is reading. Has anyone run into stability issues running a bunch of self-hosting stuff on a mac mini M1 (8GB)? My setup is pretty basic - docker running Jellyfin, Immich, *arr software, qbittorrent. Stuff is stored on a NAS over SMB. Usually within a few hours of rebooting, the OS or at least userspace totally freezes. SSH connections are instantly closed, screen share doesn't work. It responds to ping for a while but that also goes down eventually. Pretty stumped...
I literally did this yesterday and had the same thought. Older computer (8 gigs ram) with crappy windows I never used and I thought huh, I wonder how good these models can take me through installing linux with goal of docker deploys of relatively basic things like cron tasks, personal postgres, and minio that I can used for self shared data.
Took a couple hours with some things I ran across, but the model had me go through the setup for debian, how to go through the setup gui, what to check to make it server only, then it took me through commands to run so it wouldn't stop when I closed the laptop, helped with tailscale, getting the ssh keys all setup. Heck it even suggested doing daily dumps of the database and saving to minio and then removing after that. Also knows about the limitations of 8 gigs of ram and how to make sure docker settings for the difference self services I want to build don't cause issues.
Give me a month and true strong intention and ability to google and read posts and find the answer on my own and I still don't think I would have gotten to this point with the amount of trust I have in the setup.
I very much agree with this topic about self hosting coming alive because these models can walk you through everything. Self building and self hosting can really come alive. And in the future when open models are that much better and hardware costs come down (maybe, just guessing of course) we'll be able to also host our own agents on these machines we have setup already. All being able to do it ourselves.
I find myself a bit overwhelmed with hardware options during recent explorations. Seemingly everything can handle what I want a local copy of my Bandcamp archive to stream via jellyfin. Good times we’re in but even having good sysadmin skills, I wish someone would just tell me exactly what to buy.
I feel the same way. I now have around 7 projects hosted on a home server with Coolify + Cloudflare. Always worry about security and I have seen many posts related to self hosting on HN trending recently
Nice. This is a great start. The next steps are backups and regular security updates. The former is probably pretty easy with Claude and a provider like Backblaze, for updates I wonder if "check for security issues with my software and update anything in need" will work well (and most importantly, how consistently). Alternatively, getting the AI to threat model and perform any docker hardening measures.
Then someday we self-host the AI itself, and it all comes together.
Prices are going to have an effect here. I have a 76TB backup drive of 8 drives. A few months ago one of my 10TB drives failed and I replaced it with a 12 TB WD gold for 269CHF. I was thinking of building a new backup drive (for fun) and so I priced the same drive and now it's 409CHF.
It's not tariffs (I'm in Switzerland). It's 100% the buildout of data centers for AI.
There's something ironic about using Claud Code – a closed source service, that you can't self-host the hardware for, and that you can't get access to the data for – to self-host so that you can reduce your dependencies on things.
I would really like some kind of agnostic backup protocol, so I can simply configure my backup endpoint using an environment variable (e.g. `-e BACKUP_ENDPOINT=https://backup.example.com/backup -e BACKUP_IDENTIFIER=xxxxx`), then the application can push a backup on a regular schedule. If I need to restore a backup, I log onto the backup app, select a backup file and generate a one time code which I can enter into the application to retrieve the data. To set up a new application for backups, you would enter a friendly name into the backup application and it would generate a key for use in the application.
The idea is a contract is defined saying which options exist and what they mean. For backups, you’d get the Unix user doing the backup, what folders to backup and what patterns to exclude. But also what script can be run to create a backup and restore from a backup.
Then you’d get a contract consumer, the application to be backup, which declares what folders to backup either which users.
On the other side you have a contract provider, like Restic or Borgbackup which understand this contract and know thanks to it how to backup the application.
As the user, your role is just to plug-in a contract provider with a consumer. To choose which application backs up which application.
This can be applied to LDAP, SSO, secrets and more!
I’ve also found AI to be super helpful for self-hosting but in a different way. I set up a Pocketbase instance with a Lovable-like app on top (repo here: https://github.com/tinykit-studio/tinykit) so I can just pull out my phone, vibecode something, and then instantly host it on the one server with a bunch of other apps. I’ve built a bunch of stuff for myself (journal, CRM, guitar tuner) but my favorite thing has been a period tracker for a close friend who didn’t want that data tracked + sold.
162 comments
[ 4.4 ms ] story [ 82.6 ms ] threadI actually think Tailscale may be an even bigger deal here than sysadmin help from Claude Code at al.
The biggest reason I had not to run a home server was security: I'm worried that I might fall behind on updates and end up compromised.
Tailscale dramatically reduces this risk, because I can so easily configure it so my own devices can talk to my home server from anywhere in the world without the risk of exposing any ports on it directly to the internet.
Being able to hit my home server directly from my iPhone via a tailnet no matter where in the world my iPhone might be is really cool.
Now I have tailscale on an old Kindle downloading epubs from a server running Copyparty. Its great!
I am not sure why people are so afraid of exposing ports. I have dozens of ports open on my server including SMTP, IMAP(S), HTTP(S), various game servers and don't see a problem with that. I can't rule out a vulnerability somewhere but services are containerized and/or run as separate UNIX users. It's the way the Internet is meant to work.
Add the generated Wireguard key to any device (laptops, phones, etc) and access your home LAN as if it was local from anywhere in the world for free.
Works well, super easy to setup, secure, and fast.
LLMs are also a huge upgrade here since they are actually quite competent at helping you set up servers.
The only thing served on / is a hello world nginx page. Everything else you need to know the randomly generated subpath route.
You have also added attack surface: Tailscale client, coordination plane, DERP relays. If your threat model includes "OpenSSH might have an RCE" then "Tailscale might have an RCE" belongs there too.
WireGuard gives you the same "no exposed ports except VPN" model without the third-party dependency.
The tradeoff is convenience, not security.
BTW, why are people acting like accessing a server from a phone is a 2025 innovation?
SSH clients on Android/iOS have existed for 15 years. Termux, Prompt, Blink, JuiceSSH, pick one. Port N, key auth, done. You can run Mosh if you want session persistence across network changes. The "unlock" here is NAT traversal with a nice UI, not a new capability.
Claude Code or other assistants will give you conversational management.
I already do the former (using Pangolin). I'm building towards the latter but first need to be 100% sure I can have perfect rollback and containement across the full stack CC could influence.
In my experience this is much less of an issue depending on your configuration and what you actually expose to the public internet.
Os-side, as long as you pick a good server os (for me that’s rocky linux) you can safely update once every six months.
Applications-wise, i try and expose as little as possible to the public internet and everything exposed is running in an unprivileged podman container. Random test stuff is only exposed within the vpn.
Also tailscale is not even a hard requirement: i rub openvpn and that works as well, on my iphone too.
The truly differentiating factor is methodological, not technological.
TS is cool if you have a well-defined security boundary. This is you / your company / your family, they should have access. That is the rest of the world, they should not.
My use case is different. I do occasionally want to share access to otherwise personal machines around. Tailscale machine sharing sort of does what I want, but it's really inconvenient to use. I wish there was something like a Google Docs flow, where any Tailscale user could attempt to dial into my machine, but they were only allowed to do so after my approval.
For the permissions, just add basic auth in the reverse proxy and choose whom to share the passwd with.
Now if you want OAuth or something like that... well tough luck, you need to set up OIDC or whatever and that's going to be taking you some time, but it still works how you want.
Basically, I feel that tailscale does not make it very easy to set up services this way, and the only method I have figured out has a bit too many steps for my liking, basically:
- to expose some port to the tailnet, there needs to be a `tailscale serve` command to expose its ports
- in order for this command to run on startup and such, it needs to be made into a script that is run as a SystemD service
- if you want to do this with N services, then you need to repeat these steps N times
Is this how you do it? is there a better way?
But Tailscale is the real unlock in my opinion. Having a slot machine cosplaying as sysadmin is cool, but being able to access services securely from anywhere makes them legitimately usable for daily life. It means your services can be used by friends/family if they can get past an app install and login.
I also take minor issue with running Vaultwarden in this setup. Password managers are maximally sensitive and hosting that data is not as banal as hosting Plex. Personally, I would want Vaultwarden on something properly isolated and locked down.
related "webdev is fun again": claude. https://ma.ttias.be/web-development-is-fun-again/
Also the "Why it matters" in the article. I thought it's a jab at AI-generated articles but it starts too look like the article was AI written as well
Is there a replica implementation that works in the direction I want?
From to time, test the restore process.
Took a couple hours with some things I ran across, but the model had me go through the setup for debian, how to go through the setup gui, what to check to make it server only, then it took me through commands to run so it wouldn't stop when I closed the laptop, helped with tailscale, getting the ssh keys all setup. Heck it even suggested doing daily dumps of the database and saving to minio and then removing after that. Also knows about the limitations of 8 gigs of ram and how to make sure docker settings for the difference self services I want to build don't cause issues.
Give me a month and true strong intention and ability to google and read posts and find the answer on my own and I still don't think I would have gotten to this point with the amount of trust I have in the setup.
I very much agree with this topic about self hosting coming alive because these models can walk you through everything. Self building and self hosting can really come alive. And in the future when open models are that much better and hardware costs come down (maybe, just guessing of course) we'll be able to also host our own agents on these machines we have setup already. All being able to do it ourselves.
Then someday we self-host the AI itself, and it all comes together.
(In)famous last words?
It's not tariffs (I'm in Switzerland). It's 100% the buildout of data centers for AI.
We've gone a step further, and made this even easier with https://zo.computer
You get a server, and a lot of useful built-in functionality (like the ability to text with your server)
The idea is a contract is defined saying which options exist and what they mean. For backups, you’d get the Unix user doing the backup, what folders to backup and what patterns to exclude. But also what script can be run to create a backup and restore from a backup.
Then you’d get a contract consumer, the application to be backup, which declares what folders to backup either which users.
On the other side you have a contract provider, like Restic or Borgbackup which understand this contract and know thanks to it how to backup the application.
As the user, your role is just to plug-in a contract provider with a consumer. To choose which application backs up which application.
This can be applied to LDAP, SSO, secrets and more!
Proxmox Backup Server?