The Self-Hosted Services Guide

March 14, 2026 • Self-Hosting • 20 min read

You use Google for email. Dropbox for files. 1Password for passwords. Maybe iCloud for your photos and contacts. Every service you use is someone else's computer—and that means someone else has your data.

I'm not here to tell you to go cold turkey. I still use some cloud services. But I've spent years gradually bringing more of my digital life onto my own hardware. It's not about being a paranoid extremist. It's about control. About owning the things that are yours. About not being the product.

This guide covers the services I self-host that actually make my life better. Not tech-for-tech's-sake projects—these are tools I use every day. Passwords, files, bookmarks, reading lists, network-level ad blocking. The stuff that matters.

Why Self-Host?

Here's the thing: self-hosting isn't for everyone. It takes time. It takes maintenance. You'll deal with upgrades that break things. You'll troubleshoot at 2 AM when something stops working. It's not all glamour.

But here's what you get back:

Prerequisite: You'll need a home server. It can be a Raspberry Pi, an old laptop, a cheap VPS, or a dedicated mini PC. Check out the Homelab Guide for hardware suggestions. For this guide, I'll assume you have Docker installed (see the Docker Guide if you don't).

What You Need Before You Start

Before we dive in, make sure you have:

I'm going to show you docker-compose.yml files for each service. Create a folder for each service, drop in the compose file, and run docker-compose up -d. That's it.

1. Bitwarden – Password Manager

What it is

Bitwarden is an open-source password manager. It's like 1Password or LastPass, but you host it yourself. You get a password vault, secure notes, credit card storage, and the whole thing is end-to-end encrypted.

Why I use it

I used to use 1Password. Then I realized I was paying $35/year to store my passwords in someone else's cloud. Bitwarden does the same thing—better, in my opinion—and I host it on my own server. The browser extensions work great. The mobile apps are solid. The $10/year for premium is optional (I still pay it for the extra features, but the free tier is genuinely usable).

There are two ways to run Bitwarden: the official image (which is heavy and requires their proprietary Rust server), or Vaultwarden, which is a lighter alternative written in Rust that implements the Bitwarden API. Use Vaultwarden. It's what everyone runs.

mkdir -p ~/docker/vaultwarden && cd ~/docker/vaultwarden
cat > docker-compose.yml << 'EOF'
version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    ports:
      - "127.0.0.1:8080:80"
    volumes:
      - ./data:/data
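    environment:
      - WEBSOCKET_ENABLED=true
      # Leave signups on only until your own account exists, then set this to false and re-run docker-compose up -d
      - SIGNUPS_ALLOWED=true
      # Protects the /admin panel; replace the placeholder with a long random value
      - ADMIN_TOKEN=your-admin-token-here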
EOF

Important: Change your-admin-token-here to something random and long. This gives you access to the admin panel at /admin. Keep this secret!

Start it up:

docker-compose up -d

Set up a reverse proxy (nginx or Caddy) in front of this to handle HTTPS. I'll cover that in another guide, but for now, know that you need SSL. You're handling passwords here—don't send them over plain HTTP.

First-time setup: Visit your Bitwarden instance in a browser. Create your account. That's it. The encryption key is derived from your master password—you're the only one who can read your passwords. Even if someone got access to your server, they'd need your master password to decrypt anything.

2. Nextcloud – Files, Calendar, Contacts

What it is

Nextcloud is essentially a self-hosted Google Drive. It handles file storage, sync, calendar, contacts, tasks, notes, and about a hundred other apps. It's huge. It can do too much, honestly.

Why I use it

I use it for file sync and calendar primarily. My wife and I share a folder with family photos. We sync our calendars. It's nice having our own Google Photos/Google Calendar without being on Google.

Nextcloud is heavier than the other services here. It needs at least 1GB RAM to run comfortably. But it's powerful.

mkdir -p ~/docker/nextcloud && cd ~/docker/nextcloud
cat > docker-compose.yml << 'EOF'
version: '3'

services:
  nextcloud:
    image: nextcloud:latest
    container_name: nextcloud
    restart: always
    ports:
      - "127.0.0.1:8081:80"
    volumes:
      - ./data:/var/www/html
      - ./apps:/var/www/html/custom_apps
    environment:
      - PHP_MEMORY_LIMIT=512M
      - NEXTCLOUD_TRUSTED_DOMAINS=your-domain.com
    depends_on:
      - db

  db:
    image: postgres:15-alpine
    container_name: nextcloud-db
    restart: always
    volumes:
      - ./db:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      - POSTGRES_PASSWORD=strong-password-here
EOF

Start it:

docker-compose up -d

Give it a minute—the first-time setup takes a bit. Then visit the port you mapped (8081 in this case) and you'll see the Nextcloud setup wizard. Point it to the database (use db as the hostname), create your admin account, and you're off.

Important: Nextcloud has an Android app and iOS app for syncing files. Install them and point them to your server. That's where the magic happens—you get Dropbox-like sync without Dropbox.

Once you're logged in, head to the app store (click your avatar → Apps) and install:

3. Wallabag – Read Later

What it is

Wallabag is a "read it later" service. You save articles to it, and it strips away the clutter—ads, popups, tracking—and gives you just the content. It's like Pocket, but self-hosted.

Why I use it

I read a lot of articles. I don't read them all at once. I save them to Wallabag, and when I have time—on a flight, before bed—I open Wallabag and read without distractions. No ads trying to sell me things. No Medium paywalls. Just the article.

Wallabag is straightforward:

mkdir -p ~/docker/wallabag && cd ~/docker/wallabag
cat > docker-compose.yml << 'EOF'
version: '3'

services:
  wallabag:
    image: wallabag/wallabag:latest
    container_name: wallabag
    restart: always
    ports:
      - "127.0.0.1:8082:80"
    volumes:
      - ./data:/var/www/wallabag/data
    environment:
      - SYMFONY__ENV__DATABASE_DRIVER=pdo_sqlite
      - SYMFONY__ENV__DATABASE_PATH=/var/www/wallabag/data/wallabag.db
      - SYMFONY__ENV__DOMAIN_NAME=https://your-domain.com
EOF

Start it and go to port 8082. Create your admin account. That's it for the basics.

The browser extension: Install the Wallabag browser extension for Firefox or Chrome. When you're on any page, click the extension icon to save it to your Wallabag. Super useful for articles you want to read but don't have time for now.

4. Linkding – Bookmarks

What it is

Linkding is a simple bookmark manager. That's it. That's the whole thing. You save URLs, tag them, search them. No bloat, no features you don't need.

Why I use it

Browser bookmarks never worked for me. I never remember to look at them. Linkding gives me a place to dump links I want to remember, tag them with topics, and search when I need them. It's especially great because I can access my bookmarks from any browser, on any device—not locked into Chrome's ecosystem.

This one is lightweight and uses SQLite:

mkdir -p ~/docker/linkding && cd ~/docker/linkding
cat > docker-compose.yml << 'EOF'
version: '3'

services:
  linkding:
    image: sissbruecker/linkding:latest
    container_name: linkding
    restart: always
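    ports:
      # linkding listens on port 9090 inside the container
      - "127.0.0.1:8083:9090"
    volumes:
      # linkding keeps its SQLite database under /etc/linkding/data
      - ./data:/etc/linkding/data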
    environment:
      - LD_SETTINGS_SECRET=super-secret-random-string
EOF

Start it:

docker-compose up -d

First login is username admin and password admin. Change that immediately in settings. You also set the LD_SETTINGS_SECRET—this is used for encrypting settings, so make it random.

The bookmarklet: Linkding has a bookmarklet you can add to your browser. Drag it to your bookmarks bar, and whenever you're on a page you want to save, click it. Quickest way to bookmark.

5. AdGuard Home – Network-Wide Ad Blocking

What it is

AdGuard Home is a DNS-level ad and tracker blocker. You configure your devices to use your AdGuard server as their DNS, and it blocks ads system-wide. Every device. Every app. No browser extensions needed.

Why I use it

My TV's smart apps were bombarding me with ads. My phone was tracking everything I did. My router couldn't stop it. AdGuard sits between my network and the internet and just... blocks the garbage. No ads on YouTube apps. No tracking in games. It's incredible.

AdGuard is different—it needs to run on your network directly, not just in Docker, because it needs to be your DNS server. There are two ways to do this:

Option A: Run directly on the host (recommended)

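# The easy way - one command
# Older Docker releases reject relative host paths in -v, so expand the current directory
docker run -d \
  --name adguardhome \
  --restart always \
  -v "$(pwd)/data:/opt/adguardhome/conf" \
  -v "$(pwd)/work:/opt/adguardhome/work" \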
  -p 53:53/tcp \
  -p 53:53/udp \
  -p 3000:3000/tcp \
  adguard/adguardhome

Option B: Use the official install script

curl -sSL https://raw.githubusercontent.com/AdGuardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v

Either way, visit port 3000 for the setup wizard. It walks you through:

Network setup: For AdGuard to work, you need to change your router's DHCP settings to hand out AdGuard's IP as the DNS server. Every device on your network will then use it automatically. Check your router's documentation for how to do this.

Blocklists: AdGuard comes with a few enabled by default. I recommend adding more—here are some popular ones: You can add these in Settings → DNS Blocklists.

After setup, your entire network is ad-free. It's genuinely magical visiting friends' houses and seeing ads everywhere and remembering "oh right, I forgot normal internet has ads."

Tips for Running These at Home

A few things I've learned running these services:

Backups matter

You're now responsible for your data. If your hard drive dies, you lose everything. Set up backups. The Restic guide on this site covers one approach. At minimum, copy your Docker volumes to another drive periodically.
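
One way to do that periodic copy for the ~/docker/<service> layout used in this guide, as an added example that is not part of the original guide. The names backup_service and COMPOSE are hypothetical, and the script assumes the user running it can read the bind-mounted data.

```shell
#!/bin/sh
# Added example: cold backup of one compose stack laid out as in this guide
# (~/docker/<service>/docker-compose.yml with ./data style bind mounts).
# backup_service and COMPOSE are hypothetical names, not from any project.

# Override with COMPOSE="docker compose" if you use the v2 plugin.
COMPOSE=${COMPOSE:-docker-compose}

backup_service() {
  dir=$1 dest=$2
  name=$(basename "$dir")
  archive="$dest/$name-$(date +%Y%m%d-%H%M%S).tar.gz"

  # Stop the containers first: a database file copied while it is being
  # written (SQLite, PostgreSQL) may not restore cleanly.
  (cd "$dir" && $COMPOSE stop) || return 1

  rc=0
  tar -czf "$archive" -C "$(dirname "$dir")" "$name" || rc=$?

  # Bring the service back even if tar failed, then report the failure.
  (cd "$dir" && $COMPOSE start) || return 1
  [ "$rc" -eq 0 ] || return 1

  # Prove the archive can be read back and store a checksum next to it.
  tar -tzf "$archive" > /dev/null || return 1
  sha256sum "$archive" > "$archive.sha256" || return 1
  echo "$archive"
}

# Usage: sh backup.sh /mnt/backup   (archives every stack under ~/docker)
if [ -n "${1:-}" ]; then
  for d in "$HOME"/docker/*/; do
    backup_service "${d%/}" "$1" || echo "backup failed: $d" >&2
  done
fi
```

Before relying on an archive, check it on the backup drive with sha256sum -c against the .sha256 file written next to it.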

Get a domain

You can access these services by IP, but that's not sustainable. Get a domain—they're like $10/year. Then set up a reverse proxy (nginx or Caddy) to route traffic to the right container based on subdomain. I'll cover that in a future guide, but it's essential for a proper setup.

Use HTTPS everywhere

Don't expose these services over plain HTTP, especially Bitwarden. Get SSL certificates (Let's Encrypt is free). Your passwords, your files, your data—don't send them over unencrypted connections.

Don't expose everything to the internet

You probably don't need to access everything from outside your home network. For things you do need (Bitwarden), use a VPN or at least enable two-factor authentication. For things you don't (Nextcloud), bind to localhost only.
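
A static check for the localhost-binding advice above and the earlier warnings about placeholder secrets and open signups, as an added example that is not part of the original guide. The names audit_compose and sample_compose and the finding labels are hypothetical, and the sample file is constructed from settings shown in this guide.

```shell
#!/bin/sh
# Added example: static check of a compose file for the mistakes named above.
# audit_compose, sample_compose and the finding labels are hypothetical names.

audit_compose() {
  # $1 = compose file (default: stdin). Prints one finding per line.
  # Understands only the list syntax this guide uses: - "host:port", - KEY=value
  awk -v q="'" '
    /^[ \t]*#/ { next }                          # skip YAML comments
    /^[ \t]*[A-Za-z_]+:[ \t]*$/ {                # a bare key opens a section
      section = $1; sub(/:$/, "", section); next
    }
    /^[ \t]*-[ \t]/ {
      item = $0
      sub(/^[ \t]*-[ \t]*/, "", item)
      gsub(/"/, "", item); gsub(q, "", item)     # strip quoting
      # No loopback host IP means the port listens on every interface.
      if (section == "ports" && item !~ /^(127\.0\.0\.1|\[::1\]):/)
        print "EXPOSED " item
      if (section == "environment") {
        eq = index(item, "=")
        key = substr(item, 1, eq - 1); val = substr(item, eq + 1)
        if (key ~ /TOKEN|PASSWORD|SECRET/ &&
            (length(val) < 24 || val ~ /-here$/ || val ~ /^super-secret/))
          print "WEAK_SECRET " key
        if (key == "SIGNUPS_ALLOWED" && val == "true")
          print "OPEN_SIGNUPS " key
      }
    }
  ' "${1:--}"
}

# Constructed sample built from the guide's Vaultwarden and AdGuard settings.
sample_compose() {
  cat << 'EOF'
services:
  vaultwarden:
    ports:
      - "127.0.0.1:8080:80"
    environment:
      - SIGNUPS_ALLOWED=true
      - ADMIN_TOKEN=your-admin-token-here
  adguardhome:
    ports:
      - "3000:3000/tcp"
EOF
}

sample_compose | audit_compose
```

Run it as audit_compose ~/docker/vaultwarden/docker-compose.yml; no output means none of the three conditions was found.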

Keep them updated

These are security tools. Vulnerabilities get found. Check for updates periodically. docker-compose pull && docker-compose up -d handles most of it, but you need to remember to run it.

Start Small

Don't try to set up everything at once. Pick one service that annoys you about Big Tech—probably Bitwarden or ad blocking—and start there. Get comfortable running it. Then add another.

Every service you self-host is one less piece of your digital life that's owned by someone else. It's one more thing you control. One more thing that's yours.

The learning curve is real, but it's worth it. And if you get stuck, there are communities full of people running these same services who can help.

The revolution will not be proprietary.
