SelfHosting Updates - End Summer 2025

Summer is almost gone…

TL;DR:

Lately I have been tinkering with Python Web Apps and with SGGs.

A Post for anyone just starting with a home server.

+++ If you like Music, this is how to have your DIY spotify - server setup via container +++ Revisited the FireBat AK2 and added https via Traefik

Intro

If you are new with SelfHosting and HomeLab in general, just remember to get started properly:

1. Install some Linux (or try with a VM first / via wsl on your Windows)

2. Get docker installed like a PRO with such script

curl -O https://raw.githubusercontent.com/JAlcocerT/Linux/main/Z_Linux_Installations_101/Selfhosting_101.sh
nano Selfhosting_101.sh #MAKE SURE YOU UNDERSTAND WHAT YOU WILL BE RUNNING FIRST

#chmod +x Selfhosting_101.sh
#sudo ./Selfhosting_101.sh 

If you want, you can get Podman instead of Docker:

sudo apt install podman
podman --version

3. Open Portainer localhost:9000 and start deploying apps other people created (FAST)

4. Start creating and deploying your Apps

5. Get a domain (TLD) and bring https when you feel confortable.

6. Along the way…

• Understand what chmod does: https://it-tools.tech/chmod-calculator
• Dont be afraid of the terminal. Embrace the CLI and SSH ( Termix will help! )
• Crontab to schedule tasks: https://it-tools.tech/crontab-generator
• Get in love with docker compose: https://it-tools.tech/docker-run-to-docker-compose-converter
• Understand apt packages and how to manage them

SelfHosting Sept 25

At some point, you will need these docker commands:

#df -h #check space
docker stop $(docker ps -a -q) #stop all
#docker volume rm $(docker volume ls -q | grep -v '^portainer_data$') #rm all volumes but portainer

#docker system df
#docker image prune -a 
#docker builder prune -a --force
docker system prune --all --volumes #release space from old containers

#docker system prune --all --volumes #just clean all...

Be aware that named volumes, which are not removed by default with docker system prune as they might contain important data.

But you can have such script to clean all volumes that are not associated to a running containre.

Just be careful:

comm -23 <(docker volume ls -q | sort) <(docker ps --format '{{.Names}}' | xargs -I {} docker inspect --format '{{range .Mounts}}{{if .Name}}{{.Name}}
{{end}}{{end}}' {} 2>/dev/null | sort -u) | xargs -r docker volume rm

HTTPs Everywhere

When you will be confortable with containers, you will want to bring https instead of having that insecure http.

I got to know about: https://github.com/FiloSottile/mkcert

#sudo apt install mkcert #https://github.com/jeffcaldwellca/mkcertWeb

A simple zero-config tool to make locally trusted development certificates with any names you’d like.

But I would recommend to go directly to a ,proper’ Cloudflare or Traefik v3.3 setup

To access securely your services outside home, You have low config VPNs like tailscale.

# Enable IPv4 forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
# Enable IPv6 forwarding
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
# Apply the changes immediately
sudo sysctl -p /etc/sysctl.conf
#sudo tailscale up --advertise-exit-node
#sudo tailscale set --advertise-exit-node=true

Go to https://login.tailscale.com/admin/machines and configure your exit node

For more advance users exploring DNS: see PiHole and DuckDNS.

But as of today i’d rather keep these https setups:

• Setup NGINX to get https via UI as per this guide
• Or go the Traefik v3.3 approach (programatic https) as per this other guide
• Just use cloudflared…

As a NC has recently made a release: https://hub.docker.com/_/nextcloud/tags

sudo docker compose -f docker-compose.traefik.yml up -d
#/media/casa/Datos_copia_2
#/home/casa/Home-Lab/nextcloud
sudo docker compose -f docker-compose.traefik.yml ps

#ping nextcloud.casa.jalcocertech.com
#ifconfig enp1s0

#sudo docker inspect nextcloud
#docker inspect nc -f '{{range $net, $conf := .NetworkSettings.Networks}}{{$net}} ({{$conf.IPAddress}}){{end}}'
#docker network inspect traefik_traefik-proxy --format '{{range .Containers}}{{.Name}} ({{.IPv4Address}}) - {{.MacAddress}}{{"\n"}}{{end}}'

If you want a photo centered selfhosted app, see Immich, which just released v2.0

Make sure your router DHCP settings does not change the private ip of your homelab, or your cloudflare x traefik setup will be pointing to a wrong ip:

See also…

These posts might help:

Conclusions

Autumn is almost here.

And is a great chance to tinker with your miniPC and homelab.

Try new desktop apps for your linux system and install them via:

Example, install RustDesk or Reminna to control your new miniPC from your laptop (with full UI access):

flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install flathub com.rustdesk.RustDesk


> See also [appimagelauncher](https://jalcocert.github.io/JAlcocerT/flask-cms-for-ssgs/#lately-i) :)

I promised recently that I wont do more static sites for people.

And consequently, this has not been a DFY (done for you), but a DWY (done with you) recap of this and this web setups.

This is how the session went:

Just make sure to have all you need for HUGO or Astro web development ready

Plot twist.

You will never stop learning, as more and more selfhosted apps will catch our attention:

For example, Homarr:

Homarr

Seen on Spring 2025 Selfhosting Post

• Networking, Domains and DNS, SSL…
• Creating your own containers…

Fortunately, there are amazing resources to give you ideas:

1. https://selfh.st/

• From this one you will get weekly projects to have a look ( Plot Twist: you wont have time to see them all)
  • Example: https://github.com/OpenCut-app/OpenCut or https://github.com/Cloudable-dev/netgoat

MIT | The open-source CapCut alternative

MIT | A Cloudflare alternative for local and cloud use, can be used ontop of cloudflare for cloudflares paid features, but for free!

2. https://github.com/jmlcas?tab=repositories

Youtube is a great source for great tutorials too: Jims Garage, Christian Lempa, Tech with Nana, NetworkChuck, Pelado Nerd (in Spanish), DB Tech…

I will never be able to thank them enough for all they have taught me already (and to other great channels that would make the list too long).

If you ever wandered what are the most popular repos: https://gitstar-ranking.com/repositories

Remember about:

HomeLab Repo

Docker Configs for anyone starting a Home-Lab

3. Free goodies: https://free-for.dev/#/ and https://freestuff.dev/alternative/clerk/

Lately I…

They are also placed into the new Home-Lab repo and the stack of this post will be placed also accordingly:

Docker Repository

Collection of Docker Config Files - 0925 Edition 🐳 ↗

Home-Lab Github Repository

Ordered config files | Youtube Video friendly and for New SelfHosters 🐳 ↗

I have updated the docker-compose.yml and Dockerfiles at:

git clone https://github.com/monakit/monakit
npm install
npm run dev -- --host 0.0.0.0 --port 4321 #http://192.168.1.11:4321/

git clone https://github.com/JAlcocerT/EntreAgujayPunto

#install go
wget https://go.dev/dl/go1.21.1.linux-armv6l.tar.gz
sudo tar -C /usr/local -xvzf go1.21.1.linux-armv6l.tar.gz
export PATH=$PATH:/usr/local/go/bin
source ~/.bashrc
go version

#https://github.com/gohugoio/hugo/releases/tag/v0.123.0
wget https://github.com/gohugoio/hugo/releases/download/v0.123.0/hugo_extended_0.123.0_linux-amd64.deb -O hugo_specific_version.deb && \
sudo dpkg -i hugo_specific_version.deb && \
rm hugo_specific_version.deb && \
source ~/.bashrc

hugo version
hugo server --bind="0.0.0.0" --baseURL="http://192.168.1.106" --port=1313

To put astro/hugo inside a container is as simple as:

Once you have your theme selected and tweaked, maybe even with custom shortcodes/components…

You have to host it somewhere so that others can see what you created.

Option A: You can use any of these 3rd party free static hosting

Example: https://box2overtake.com/ or proyectorutasmoto.web.app

Option B: create your container to selfhost astro/hugo/whatever ssg and expose it publically via cloudflare tunnels.

Using your HomeLab to host a cool website, like this ebook landing, is as simple as understanding those!

Want sth more? See how to use your SSG with IPFS and ENS (WEB3 ready!)

Pi and IoT

Ive been tinkering with MicroControllers and MQTT protocol.

Microcontrollers like the esp32 and some creativity can get you even a ebook reader as per this video

• HA https://www.home-assistant.io/docs/automation/

New Software

Ive also tried:

1. Tried Zen browser: https://zen-browser.app/download/

With CTRL+ALT+C it gets really compact!

With CTRL+H, it opens your synced tab, so you can see your mobile firefox tabs on desktop :)

#pkill -9 brave #brave was not behaving properly lately...
flatpak install flathub app.zen_browser.zen

Welcome to a calmer internet | Firefox based

Zen offers a “Sync” feature, which is implemented using Mozilla Firefox’s Sync feature.

FAQ

Your Music Server

Got that server running with containers?

Congrats, you can no whave your DIY spotify: A music webapp server that stores whatever your bring them, like from here

Your music your rules.

sh -lc 'echo "Current user: $(whoami)"; id; echo "UID: $(id -u)"; echo "GID: $(id -g)"; echo "Groups: $(id -Gn)"' 

For android, you have as client ultrasonic: https://gitlab.com/ultrasonic/ultrasonic

Free and open-source music streaming Android client for Subsonic API compatible servers

With Supported (tested) Subsonic API implementations: Subsonic, Airsonic-Advanced, Supysonic, Ampache

You also have substreamer app on ios or android (as a client), they also have: https://hub.docker.com/r/ghenry22/substreamer

Just that its not OSS

See also MeTube and Navidrome:

Youtube FE

If you are creating youtube videos from your action cam and storing them just there: you can download them later on, so you can review your travel stories during those long flights.

There are more alternatives, like:

• https://github.com/christian-fei/my-yt

Unlicensed | A clean and minimal youtube frontend, without all the ads and whistles

HomeLab Commands

1. Whats taking that much space?

#sudo du -ahx / | sort -rh | head -n 50
sudo du -ahx . | sort -rh | head -n 50 #from current folder and below

2. I want to clean old container stuff

docker builder prune
#docker system prune -a
docker volume prune
docker image prune -a

3. Stop all containers, but portainer:

#docker ps -a -q --filter 'name=!portainer'
docker ps -q | grep -v portainer | xargs docker stop

4. How much resources are those containers cosuming?

docker-compose stats
#sudo docker stats 7dfdfce97523
#sudo docker stats nextcloud
#docker stats typebot-builder typebot-viewer typebot-db

docker stats $(docker ps --filter "name=typebot" --format "{{.Names}}")
#docker stats -a

See also lazydocker!

Git Sync

From https://akashrajpurohit.com/blog/initial-vps-setup-checklist-first-30-minutes/

• https://github.com/AkashRajpurohit/git-sync

🔄 A simple tool to backup and sync your git repositories

How to Change USB Size

This has been useful few times already (from Windows):

Diskpart
List disk
select disk N
clean 
create partition primary

Which Linux to get started?

To not complicate things: Just get Ubuntu LTS with GNOME.

If this is your first time, take it easy on the learning journey and for now, dont trust your new miniPC as unique storage of anything

You can also consider:

1. Lubuntu - Because it requires just ~700mb of RAM

2. Ubuntu if you want the same, but with GNOME

You can have ubuntu without UI, if you plan to use your server’s terminal only

3. Garuda, if you want to say I use ARCH BTW. Mind the steep learning curve.

How exactly?

Well, first try download them and run it via a VM.

Then, setup VENTOY into your USBs and bring your favourite one.

Backup Github

1. https://github.com/TimWitzdam/GitSave

2. Gitea and Gogs: Lightweight self-hosted Git services. They support mirroring repositories from GitHub, providing a continuously synced backup

Which Devices are connected to my router?

1. First get to know who is your router:

ip route | grep default

2. Then, inspect:

nmap -sn 192.168.1.0/24
# Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-26 11:43 CEST
# Nmap scan report for _gateway (192.168.1.1)
# Host is up (0.025s latency).
# Nmap scan report for 192.168.1.103
# Host is up (0.067s latency).
# Nmap scan report for BYOD-00335 (192.168.1.104)
# Host is up (0.000095s latency).
# Nmap done: 256 IP addresses (3 hosts up) scanned in 3.63 seconds

(Optional) get the mac/vendor of one of them:

ping -c 4 192.168.1.106
#nmap -O 192.168.1.106
#tailscale status
sudo tailscale up --force-reauth #just in case you forgot to extend the expiry

See the life traffic over a network:

ifconfig enp1s0
vnstat -l -i enp1s0   # live mode (Ctrl+C to stop)
#vnstat -l -i proton0   # live mode (Ctrl+C to stop)

#ip -s link show wlp3s0

#https://protonvpn.com/support/official-linux-vpn-debian/
wget https://repo.protonvpn.com/debian/dists/stable/main/binary-all/protonvpn-stable-release_1.0.8_all.deb
sudo dpkg -i ./protonvpn-stable-release_1.0.8_all.deb && sudo apt update
#echo "0b14e71586b22e498eb20926c48c7b434b751149b1f2af9902ef1cfe6b03e180 protonvpn-stable-release_1.0.8_all.deb" | sha256sum --check -
sudo apt install proton-vpn-gnome-desktop

Its recommended to do p2p behind a VPN so that hackers can attack youe public IP address

As seen in 0625, Reddit knows your F1 thing

But hey, this is just to do legal stuff, like sharing OSS images, like ubuntu.

Dont dare to watch f movies with your cat. Not interesting fmhy repo https://fmhy.net/posts/sept-2025

Neither read the anna’s archive.

Those might be down: https://www.isitdownrightnow.com/

You know, just in case your cool site gets banned without a reason:

Hello Again Firebat

After one year of putting the FireBat AK2 up and running…

I realized that not everyone is ready to have a PC 24/7.

Because: what is it doing exactly?

Plus…tailscale can get expired and access lost for the admin.

And that has a point, actually.

ssh casa@192.168.1.106
#du -sh .                    # Human-readable size of current folder
du -sh /media/casa/Datos_copia_2/PerriChico
#du -sh .* | sort -h
#du -h --max-depth=2         # Two levels deep
#rm *.LRF #clean (if needed) all LRF files
sudo snap install vlc
sudo apt update && sudo apt install ubuntu-restricted-extras

So I decided to propose a new homelab architecture….

Traefik v3.3 + Cloudflare + Tailscale IP

git clone https://github.com/JAlcocerT/Home-Lab
cd ./Home-Lab/traefik
#https://jalcocert.github.io/JAlcocerT/testing-tinyauth/
#https://fossengineer.com/selfhosting-traefik/

• https://dash.cloudflare.com/profile/managed-profile/preferences
  • https://dash.cloudflare.com/profile/api-tokens

curl "https://api.cloudflare.com/client/v4/user/tokens/verify" \
     -H "Authorization: Bearer abcdefg12345709"

sudo apt install apache2-utils
echo $(htpasswd -nB admin) | sed -e s/\\$/\\$\\$/g

#cd ./Home-Lab/traefik
touch /home/casa/Home-Lab/traefik/acme.json #blank, just change the permissions to 600 later (private key)
touch /home/casa/Home-Lab/traefikacme.yml
touch /home/casa/Home-Lab/traefik/traefik.yml

chmod 600 ./acme.json && \
chmod 600 ./traefik.yml #or it will be a security risk for other users to see the privatekey

Make sure to point CF DNS records, maybe using script https://github.com/JAlcocerT/waiting-to-landing/blob/main/cloudflare-dns-updater.py

For which you will need the ZoneID of your Domain as well as per this .env.sample

sudo snap install jq
sudo snap install yq
# Get zone ID of your domain via CLI instead of Cloudflare UI
curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=jalcocertech.com" \
  -H "Authorization: Bearer $cf_token" \
  -H "Content-Type: application/json" | jq -r '.result[0].id'

These are the only ones you will see configured in cloudflare DNS: if you want, change that private IP for your tailscale one

#python3 cf-dns-updater.py
dig +short casa.jalcocertech.com A
ping casa.jalcocertech.com
nslookup casa.jalcocertech.com

We are going to get https://casa.jalcocertech.com/ and https://auth.casa.jalcocertech.com/login working pretty soon…

touch config/acme.json && chmod 600 config/acme.json

sudo docker compose up -d
sudo docker logs traefik

Once Traefik is deployed, go to: https://casa.jalcocertech.com/dashboard/#/http/routers

You can also check with CTRL+I within firefox

Example 1: Traefik + already created (from others) webapps ✅

dig +short silverbullet.casa.jalcocertech.com A
ping silverbullet.casa.jalcocertech.com
nslookup silverbullet.casa.jalcocertech.com

ping portainer.casa.jalcocertech.com

Example 2 Traefik + your (flask/dash/whatever) webapp ✅

Example with ThreeBodies (flask)

git clone https://github.com/JAlcocerT/ThreeBodies
cd ThreeBodies
#make docker-up

Or with Trip Planner… with this traefik+tinyauth compose

git clone https://github.com/JAlcocerT/Py_Trip_Planner
cd Py_Trip_Planner
#make docker-up

#cd trip-planner #from homelab repo
sudo docker compose -f docker-compose.traefik.yml up -d

Example 3 Traefik + a Web App + Tinyauth ✅

If you need a webapp on your homelab that does not bring some user/pwd, like OpenSpeedTest…

This method will allow to authenticate webapps via user/pwd or with Oauth like GH.

https://github.com/JAlcocerT/Home-Lab/blob/main/open-speed-test/docker-compose.traefik.yml

We will need to create a Github OAUTH App: https://auth.casa.jalcocertech.com

1. Go to https://github.com/settings/applications/new

Add the link as per your subdomain: https://auth.casa.jalcocertech.com/api/oauth/callback/github

2. Then, registre the application. Get its ID and and its client secret:

Those are required for

    environment:
      - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID} #For GitHub OAuth
      - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET}

3. When its done, we will be Seeing the application: https://github.com/settings/applications/3023538

particularly at the OAUTH developer section.

Just spin up Tiny Auth with: https://github.com/JAlcocerT/Home-Lab/blob/main/tinyauth/docker-compose.firebat.yml

cd tinyauth
#sudo docker compose up -d
docker compose -f docker-compose.firebat.yml up -d

Now, go to https://auth.casa.jalcocertech.com or whatever subdomain you placed.

See that this works without touching any configuration nor Cloudflare DNS and we already have the HTTPs and the dns pointing

nslookup auth.casa.jalcocertech.com

Authorize the app And you will be logged in!

Remember that you can also add Users/pwd to TinyAuth via the .env:

echo $(htpasswd -nB jalcocert) | sed -e s/\\$/\\$\\$/g
sudo docker restart tinyauth

Now, for OpenSpeedTest to use TinyAuth via Traefik:

cd 
sudo docker compose -f docker-compose.traefiktinyauth.yml up -d
##command: tail -f /dev/null #in case you need to keep running

And there you go https://openspeedtest.casa.jalcocertech.com/

The only additional part to the dockercompose service label (like openspeedtest), is the traefik.http.routers.openspeedtest-secure.middlewares=tinyauth

Thanks again to Jims Garage!

Imo, much better than the cloudflare webapp authentication method we saw some time ago: yet still coding for entrepreneurs approach is also great

More Free Resources

1. https://fmhy.net/devtools#static-page-hosting from https://github.com/fmhy/edit

2. https://free-for.dev/#/ from https://github.com/jixserver/free-for-dev