My self-hosted services

Here's a snapshot of the services I'm currently running for myself, and approximately how. Some will go, new ones will be added, but here we are for December 2024.

Many, if not all are strictly unnecessary, there are free/cheap hosted alternatives available, but there's something very satisfying about knowing these are sitting on a shelf in the cupboard in my office. Not least that for the most part, these services are incredibly responsive!

In the past I've run a lot of these things in a single-node Kubernetes cluster, mostly using Helm charts. NixOS modules have made things much simpler, whilst still allowing a declarative approach to managing most of these services.

I typically have /services/<service>/<subcomponent> directories on host machines, and have these mounted into the various containers and VMs as necessary to store state. This means the rest of the container/VM is usually ephemeral, and can be re-created at any time. Indeed, I've been able to migrate between machines very easily thanks to this. It also gives me a single volume to back up from each host.
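As an added illustration of that layout (example configuration, not the post's own), here is a NixOS container whose root filesystem is discarded every time it stops, so the only state that survives is what is bind-mounted from /services/<service>/<subcomponent> on the host. The choice of Miniflux as the service, the host paths, the secrets location and the stateVersion are all assumptions.

```nix
# Added example, not the post's own configuration. Assumed: the service is
# Miniflux, the host keeps its state under /services/miniflux/..., and an
# admin credentials file is provisioned at the placeholder path below.
{ ... }:
{
  # Create the host-side state directories with the ownership the container's
  # PostgreSQL service expects (71 is NixOS's fixed uid/gid for postgres).
  systemd.tmpfiles.rules = [
    "d /services/miniflux/postgresql 0750 71 71 -"
    "d /services/miniflux/secrets 0700 root root -"
  ];

  containers.miniflux = {
    autoStart = true;
    # Throw the container's root filesystem away on every stop; everything
    # except the bind mounts below is rebuilt from this expression.
    ephemeral = true;

    bindMounts = {
      # PostgreSQL data lives on the host, so the container can be re-created
      # or moved to another machine without losing it, and /services/miniflux
      # is the one directory that needs backing up for this service.
      "/var/lib/postgresql" = {
        hostPath = "/services/miniflux/postgresql";
        isReadOnly = false;
      };
      # Secrets are mounted read-only from the host rather than copied into
      # the world-readable Nix store.
      "/var/secrets/miniflux" = {
        hostPath = "/services/miniflux/secrets";   # placeholder path
        isReadOnly = true;
      };
    };

    config = { ... }: {
      services.miniflux = {
        enable = true;
        # The NixOS module provisions the local PostgreSQL instance itself;
        # the file holds ADMIN_USERNAME and ADMIN_PASSWORD.
        adminCredentialsFile = "/var/secrets/miniflux/admin.env";
        config.LISTEN_ADDR = "0.0.0.0:8080";
      };
      networking.firewall.allowedTCPPorts = [ 8080 ];
      system.stateVersion = "24.05";   # assumption
    };
  };
}
```

Because `ephemeral = true` discards everything outside the bind mounts, any state you forget to mount is silently lost on the next restart, which is a useful forcing function for finding out exactly what a service needs to persist.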

I recently got to grips with microvm.nix, so am starting to migrate things to VMs where that level of isolation feels appropriate.

One thing to be mindful of when using a single Nix expression to define a system composed of many containers/VMs is that nixos-rebuild is pretty expensive in CPU and RAM, taking around 2 minutes to make a simple change and using approaching 10 GB of RAM on the machine that hosts the majority of the services below!


AdGuard Home

My network-wide DNS server, also used by Tailscale/Headscale clients, like my phone, to do surprisingly effective ad blocking at the network level.

Deployed using the NixOS module directly on my router host.

Atuin

I'm running my own instance of the sync server for this amazing utility. Once you get used to cross-machine shell history with blazing-fast search, it's hard to go back.

Deployed using the NixOS module which also takes care of configuring a PostgreSQL instance for persistence, all in a NixOS container (a systemd-nspawn container built and managed by NixOS).

Emoncms

Quoting from the website, “Emoncms is a powerful open-source web-app for processing, logging and visualising energy, temperature and other environmental data”.

I use it to collect electricity usage data from clamps on my incoming grid power cable, and from my solar PV inverter, in addition to an optical sensor on the electricity meter. It turns out the little flashing LED flashes at a very exact interval according to your electricity use.

It also connects with an EmonEVSE charging station for my car, providing it via MQTT with solar generation data so it can modulate charge according to what's coming from the roof.

Deployed on an EmonPi, a dedicated Raspberry Pi 3 unit in the cupboard with my distribution board, that includes a “hat” for connecting to the clamps, etc.

Forgejo

A nice and surprisingly feature-complete alternative to GitHub/GitLab that's pretty simple to operate at small scale. Handling SSH Git interactions through my load balancer was probably the hardest part of getting this running.

Deployed using the NixOS module, which takes care of configuring PostgreSQL, all in a NixOS container.

Grafana and Prometheus

Prometheus scrapes metrics from a bunch of these services, including Home Assistant, and from each host device using its node_exporter tool for data on CPU, memory, network, temperatures, etc.

Grafana lets me build dashboards to query Prometheus and visualise all that data. There are pre-built dashboards for many of these services, and I've got custom ones I use all the time for energy data sources from my battery inverter and EmonCMS (via Home Assistant).

Each is deployed in its own NixOS container, using the Grafana and Prometheus NixOS modules.

Headscale

An alternative to using the official server-side part of the Tailscale mesh VPN. I installed this recently, and I'm not sure I'm ready to commit to using it, versus manually configuring Wireguard. But it does what it says on the tin. I have noticed that the client apps continue to make lots of connections to the official endpoints.

Using it to provide DNS where the DNS server is in the Tailnet seems to result in delayed/failed queries for a few moments if the connection has gone idle. This wasn't a problem I saw when previously using vanilla Wireguard for the same thing, likely due to the static configuration.

I also noticed the Wireguard configuration was lighter on my iPhone's battery, likely because it had a much simpler job of connecting to a single, static endpoint.

Deployed in a microvm.nix VM using the NixOS module, which also configures PostgreSQL.

Home Assistant

The centre of my home automation universe, acting as my Zigbee coordinator, bridging lights, our central heating and ACs to HomeKit.

Deployed as a VM running HAOS (Home Assistant OS) under Incus on NixOS. There's a NixOS module, but it's complicated, and the Home Assistant folks are pretty clear that they only actively support their own OS.

Jellyfin

Although I stopped adding to it when streaming came along, I've got a few thousand tracks mostly ripped from CDs, some bought from iTunes back in the day, that have come with me across each new machine. Now I've dropped them in to Jellyfin, along with a few DVD rips, and can access them anywhere, which is nice.

Deployed directly on a NixOS host with the module. Recently moved out of a Docker container inside an Incus Debian container, and probably not in its final form yet.

Keycloak

I'm running enough services here that maintaining separate logins for them all gets quickly tedious. So wherever a service supports OIDC, which many listed here do, I connect them to Keycloak as my single sign on provider. It's a single place to maintain an account, including 2FA with multiple passkeys, YubiKeys and TOTP codes.

It's configured primarily through the web UI right now, which is something I'd like to fix eventually.

Deployed in a NixOS container using the module which also takes care of a supporting PostgreSQL instance.

Linkding

One of my favourites. I use Linkding as a read-it-later service. I looked at a few alternatives, and I find this one suits me best. It's got a browser extension for quick-adding links, and an iOS app which doesn't have a share-sheet action out of the box, but it's pretty simple to create a Shortcut for.

No native Nix package or module for this one! And the author makes Docker the default easy path for deployment, which is understandable. This one might finally get me to try my hand at writing a Nix package and module.

Deployed with Docker Compose inside a dedicated Debian container in Incus.

Mastodon

This is what really got me started on the path to self-hosting. I'm fortunate to have had a very pleasant social media experience on Mastodon, perhaps in part because my single-user instance brings with it some limits on what I see.

Mastodon is by far the most resource intensive service listed here. But it's still pretty small and lives happily alongside all the other stuff on a reasonably modest small form factor machine.

I do use fedifetcher to grab extra context for the toots appearing in my timeline, which is often useful, but definitely adds to the resources. It's packaged in NixOS, but there's no module for it. However it's trivial to create the necessary systemd units in the nix config.

Deployed in a NixOS container using the module which takes care of all supporting services, except for Minio.

Miniflux

Like Linkding, Miniflux is one of many options I looked at, and it's the one that fits me best as an RSS aggregator and reader. I love its minimalist UI, and its broad API support for connecting to apps on iOS and elsewhere. And indeed I can save directly to my Linkding instance from the Miniflux web UI.

Deployed in a NixOS container using the module, which also takes care of its PostgreSQL database.

Minio

Providing an S3-compatible service for object storage, for now just being used for my Mastodon instance's media. Arguably I could have skipped this and let Mastodon manage the media in its own filesystem, but here we are. I've worked in DevOps long enough to know having something S3-like often ends up being handy.

Deployed as a NixOS container, using the NixOS module.

Nextcloud

Primarily I use it like one might use Dropbox or OneDrive, as a file sync service across devices. Syncthing might be more suitable for this narrow use case.

I do appreciate Nextcloud supporting iOS's native Photos, so that any new photos taken on my phone are automatically uploaded to my server.

It feels like a large attack surface, so it's something I want to make VPN-only.

Deployed using the NixOS module, which also takes care of configuring PostgreSQL, Redis and nginx, in a NixOS container. Definitely a candidate for moving to a VM.

Restic

My backup tool of choice, I use the built-in server to receive backups for my various machines on the local network, and remotely over VPN.

I also use rclone to sync these encrypted backups nightly to OneDrive, which has been the cheapest cloud storage I've found. Effectively 6 TB for around £50 per year when you pick up the Microsoft 365 “gift cards” on offer. With the news of them increasing the cost to force AI into the offering, I suspect I'll eventually move on from this solution. But for now, because they allow stacking the gift cards, I'm covered for the next 3 years. Assuming they don't renege on the deal.

Deployed using the module directly on a NixOS host.

SearXNG

My default search “engine” is one I self host! SearXNG is a meta-search tool, running queries against multiple public search services, and gives a clean, ad-free set of results that are usually sufficient.

Deployed using the module in a NixOS container.

Snikket

This is my most recent addition, prompted by Neil's recent post linking to his article on using Snikket/XMPP for over a year.

I previously ran Matrix Synapse for a while, which is pretty effective, but never became embedded in my day-to-day. I'd been meaning to try an XMPP-based solution for a while, so took a look at Snikket, and Prosody, which it's built on.

Prosody has a NixOS module, where Snikket does not. However, it's a pretty complex beast, so there was something quite appealing about dipping my toe with an opinionated all-in-one solution.

Another project where the author targets Docker for deployment. I don't like running Docker natively on the NixOS host that I use for my server, because I like to be in full control of its network configuration and nftables rules.

I started by trying to use Podman and the oci-containers NixOS module within a NixOS container. Giving the container sufficient privileges to run containers didn't sit well, and it required some hacky use of the module to pass the correct arguments. So this was the project that pushed me to get to grips with microvm.nix, which ended up being quite straightforward, and led me to quickly convert a few containers to VMs.

Deployed using the NixOS oci-containers module, with Podman, inside a microvm.nix VM.

Traefik

Traefik is the glue that binds all my services together and makes them available to the Internet (or just my home network). It's a fairly lightweight load balancer with a configuration format that makes sense to me. I could easily swap in Nginx or similar here, but Traefik suits me well.

I use the security.acme NixOS module to manage certificates with Let's Encrypt, and pass these to the various places they're needed with mounts. I mostly use wildcard certificates to reduce the number required, and do dns-01 validation against my domains hosted with Mythic Beasts, using the built-in support for them in Lego.
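An added example of that arrangement (not the post's own configuration): one wildcard certificate obtained via dns-01 through Lego's Mythic Beasts provider, made readable by the Traefik user, served as Traefik's default certificate, and Traefik restarted on renewal. The domain, e-mail address, credentials path and group name are placeholders, and `mythicbeasts` as the Lego provider name (with MYTHICBEASTS_USERNAME/MYTHICBEASTS_PASSWORD in the credentials file) is stated as an assumption.

```nix
# Added example, not the post's own configuration. Assumed: example.org is a
# placeholder domain, the Lego provider name is "mythicbeasts", and the
# credentials file at the placeholder path below holds the API login.
{ config, ... }:
let
  domain = "example.org";   # placeholder
  # The ACME module exposes where it writes each certificate's files.
  certDir = config.security.acme.certs.${domain}.directory;
in
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${domain}";   # placeholder

    certs.${domain} = {
      # One wildcard covers every service subdomain, so there is a single
      # certificate to issue, mount and rotate.
      extraDomainNames = [ "*.${domain}" ];
      # Wildcards are only issuable via dns-01, so no port 80 exposure is needed.
      dnsProvider = "mythicbeasts";   # assumed Lego provider name
      # Holds MYTHICBEASTS_USERNAME / MYTHICBEASTS_PASSWORD; kept out of the
      # Nix store and readable by root only.
      credentialsFile = "/services/acme/mythicbeasts.env";   # placeholder path
      # Let the Traefik service account read fullchain.pem and key.pem.
      group = "traefik";
      # Traefik does not reload certificate files in place, so restart it
      # after each renewal.
      reloadServices = [ "traefik.service" ];
    };
  };

  services.traefik = {
    enable = true;
    staticConfigOptions = {
      entryPoints.web = {
        address = ":80";
        # Plain HTTP exists only to redirect to HTTPS.
        http.redirections.entryPoint = { to = "websecure"; scheme = "https"; };
      };
      entryPoints.websecure.address = ":443";
    };
    dynamicConfigOptions.tls = {
      # The wildcard becomes the certificate Traefik presents for any router
      # without a more specific match.
      certificates = [
        { certFile = "${certDir}/fullchain.pem"; keyFile = "${certDir}/key.pem"; }
      ];
      options.default.minVersion = "VersionTLS12";
    };
  };
}
```

The `group` setting is what makes the mount-or-share approach work elsewhere too: whatever container or VM receives the certificate directory needs a user in a group that can read `key.pem`, and nothing else on that guest should be able to.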

The public instance is deployed in a microvm.nix VM using the NixOS module. The private instance uses the same module on the NixOS host.

Vaultwarden

I've been a 1Password user for many years. Two decades of using a Mac will do that for you. Now I'm back to Linux, I wanted something that I could host myself that provided a reasonable user experience on the desktop and iOS. Bitwarden is pretty decent, but I've not quite mustered the enthusiasm to migrate fully yet, so continue to mainly use 1Password. The UX just isn't quite as good in Bitwarden. With that said, I have only positive things to say about Vaultwarden.

Deployed in a NixOS container using the module which uses SQLite by default, but I've set it up with PostgreSQL using the module for that.

WriteFreely

You're using it now visiting this site. I like its super-simple writing UI, although I occasionally have thoughts of going back to a static site generator.

Deployed using the NixOS module which also takes care of the MySQL database, all in a NixOS container.


I started writing this post thinking “I'll just knock out a quick one to help get me back into the habit”. LOL. Turns out it's easy to forget just how much stuff I'm operating!

#selfhosting #nixos