Self-Hosting Infrastructure¶

Infrastructure Overview¶

All services run on my home server, accessible to the internet through a VPS reverse proxy:

graph TB
    DNS["🌐 deSEC DNS<br/>benoit.jp.net"] --> Sakura
    Internet["🌐 Internet"] --> Sakura["☁️ Sakura VPS<br/>HAProxy Load Balancer<br/>Tokyo Region"]

    Sakura -->|Tailscale VPN| HomeServer["🏠 Home Bare-Metal Server<br/>Ubuntu 24.04 LTS<br/>64GB RAM, 2TB NVMe"]

    HomeServer --> Services

    subgraph Services["📦 Incus Containers"]
        AdGuard["🛡️ AdGuard Home<br/>DNS + Ad Blocking"] ~~~ Miniflux["📰 Miniflux<br/>RSS Feed Reader"] ~~~ Forgejo["🦊 Forgejo<br/>Git Hosting"]
        Mastodon["🐘 Mastodon<br/>Social Media Instance"] ~~~ Scrutiny["🔍 Scrutiny<br/>S.M.A.R.T Monitoring"] ~~~ More["➕ And More..."]
    end

    UptimeKuma["📈 Uptime Kuma<br/>Hetzner VPS, US West"] -.->|monitors| Services
    Services ~~~ Updown

    Sakura -.->|Pulse ping| Updown["🔔 updown.io<br/>External Watchdog"]
    HomeServer -.->|Pulse ping| Updown
    UptimeKuma -.->|Pulse ping| Updown

Architecture Components¶

☁️ Sakura VPS (Tokyo)¶

• Role: Public-facing reverse proxy and load balancer
• Software: HAProxy for SSL termination and traffic routing
• Location: Tokyo region for optimal Japan connectivity
• Security: Only HAProxy exposed to internet, all services behind VPN

🔗 Tailscale VPN¶

• Purpose: Secure encrypted tunnel between VPS and home server
• Benefits: No open ports on home network, zero-trust networking
• Features: Automatic failover, mesh networking, access control

🏠 Home Bare-Metal Server¶

• Hardware: Fanless AMD Mini PC Ryzen 5 4500U from Topton (AliExpress)
• OS: Ubuntu 24.04 LTS on 256GB SSD
• Storage: 2TB NVMe for Incus (ZFS pool)
• Network: 1 Gbps Rakuten Hikari fiber (see Internet Connectivity for DS-Lite setup details)
• Backups: Incus persistent volumes backed up via borgmatic to BorgBase.com and TrueNAS storage

🌐 DNS — deSEC¶

• Provider: deSEC.io — free, privacy-focused DNS hosting
• Domain: benoit.jp.net
• Features: DNSSEC, anycast, API-driven, no tracking

📦 Incus Container Platform¶

• Technology: Community-driven LXD fork for container orchestration
• Benefits: Lightweight virtualization, resource isolation
• Management: Web UI + CLI + Terraform for easy service deployment
• Scalability: Easy to add new services as containers or VMs

📈 Uptime Kuma (Hetzner VPS)¶

• Role: External uptime monitoring for all self-hosted services
• Location: Hetzner VPS, US West region, independent from home infrastructure
• Notifications: Email

🔔 updown.io¶

• Role: External watchdog that monitors Uptime Kuma, the Sakura VPS, and the Incus server
• Method: Pulse cron ping from Uptime Kuma, the Sakura VPS, and the Incus server
• Alerting: SMS, ensuring alerts arrive even if all self-hosted services are down

Why This Setup?¶

Available Services¶

The following self-hosted services are currently running in this infrastructure:

Operational Procedures¶

Post Mortems¶

Incident write-ups for outages and issues encountered with this infrastructure.

Getting Started¶

Interested in building your own self-hosting infrastructure? Here's my recommended approach:

1. Start Small: Begin with one service (I recommend AdGuard or Miniflux)
2. Learn Containers: Master Docker or Incus for service isolation (Kubernetes is an option too, but I prefer Incus for its simplicity)
3. Secure Your Setup: Implement VPN and reverse proxy early
4. Document Everything: Keep notes for troubleshooting and rebuilds
5. Backup Religiously: Automate backups before you need them