State of Homelab 2026

mrlokans.work

108 points by swq115 a day ago · 96 comments

AdrienPoupa a day ago

This is very cool, but you should not use Cloudflare Tunnels to stream media. This is forbidden by their terms of service (or at the very least not the intended use of Tunnels and they may disable your service). Use Wireguard or Tailscale instead.

https://www.xda-developers.com/cloudflare-tunnels-are-great-...

  • ZeWaka a day ago

    Yep, I rent a $5 VPS in my region that I tailscale to for exactly that reason, as well as to un-CGNAT myself.

    For an easy GUI solution for the latter, highly recommend Nginx Proxy Manager.

  • watermelon0 a day ago

    Cloudflare Tunnel publicly exposes your services, whereas Wireguard/Tailscale are VPNs.

    Tailscale (but not Headscale) offers Funnel, which is a reverse proxy, but you cannot use it with your own domain.

    Pangolin is the closest alternative to CF Tunnel, but self-hosted NetBird with reverse proxy functionality can also be used.

    • oynqr a day ago

      The intersection of people who can self host headscale or netbird and those who can not set up their own reverse proxy is probably the empty set.

  • antihero a day ago

    Can tailscale funnel do custom domains yet?

    Personally I'm switching to rathole+traefik, weirdly something I was researching and experimenting with in the early hours of this morning (I have now not slept and have to go to work).

  • jasonfrost a day ago

    IIRC CF terms were about caching media not streaming media

jsphweid a day ago

This is not so much a fantasy about "being independent". Instead, it's a fantasy about being a sysadmin.

  • antihero a day ago

    I actually really like not having to worry if some licensing deal means my access to music I love gets shut off.

  • altmanaltman a day ago

    Isn't responsibility the trade off for independence?

    You can't have one without the other.

  • hombre_fatal a day ago

    A good example of that is the guys on r/homelab explaining how they built a NAS so their wife could save her phone media without Google Photos.

    Man, paying Google/Apple $5/mo is surely a much better solution for her. And are you really doing 3-2-1 on that?

    Save the dicking around for your own stuff.

    • sylens 21 minutes ago

      The upfront costs are pretty big but over time it’s not too bad to do 3-2-1. I doubt you’ll come out on top of Google every time - there’s a reason their prices are so low, and that’s more of an incentive to leave than to save a few dollars.

      For me, I run Immich off a Beelink S12 Pro mini PC, with the photos themselves stored on my Synology NAS. Every night, I back up the VM with docker that runs Immich to the NAS, then the entire NAS gets backed up to Synology’s Cloud. My upfront costs were the NAS, the drives, and the mini PC, and my ongoing costs are electricity and the cloud storage fee for Synology’s cloud (about $70/year for a terabyte). That’s not cheaper than Google, but it does prevent them from having access to photos of my kids and family.

    • stratts a day ago

      Both my wife and I are reluctant to upload our entire photo collection spanning 20+ years to the cloud. Immich has been working really well for us, the experience for her is just as seamless as it would be for Google Photos, I think.

      And at $180/yr for the 2TB of storage we'd need to pay for, vs. maybe $200 in hardware, it pays itself off pretty quickly... if you exclude the time spent setting it up and administering it. But I don't mind, it's a bit like digital gardening for me.

      • kyriakos a day ago

        $200 hardware only? My main concern with storing photos locally is the need for a NAS. Even at 2-3TB you still need: a NAS device, 2-3 hard drives and the mini pc to run immich + power bill to run them. It will cost more than $180/yr. Cost should not be the main factor people store photos locally.

        • stratts a day ago

          You don't need a NAS, really. My setup is a second-hand i5-7300U fanless mini-PC I got for $90, 2 x second-hand 4TB HDDs, and 2 x USB 3.5" enclosures. It's messy but it works... I haven't measured power in a bit but I reckon it pulls around 20-30W, which is around $15-20 a year at my current prices.

          We back it up daily using restic to an old 2TB NAS that's at my parents' place + the occasional manual backup.

        • waynesonfire a day ago

          180/year? That's ~150watt server. That's a very powerful NAS. You'll be paying $200 per month from a cloud provider for such performance. A performant home low power NAS can be built that will consume easily, 30-40W. It won't need to be upgraded for over a decade. Ideally, 5x HDDs with 5 year warranty. The only expense is rolling upgrades of HDDs as storage fills up.

          Backup to cloud glacier storage is ~$1.20 per TiB-month

          Cost is absolutely a factor. Self-hosting can't even be touched. And that's just the start of the value proposition.

          • CamJN 17 hours ago

            My local backups certainly cost more than $180/year just in hard-drives alone.

    • user_7832 a day ago

      > Man, paying Google/Apple $5/mo is surely a much better solution for her. And are you really doing 3-2-1 on that?

      Just some days back someone on reddit posted how their 14yo son (via a family/linked Google account) used Gemini Live to, err, enjoy himself with the camera on.

      All his accounts are now permanently locked for CSAM.

      So, yes, not being beholden to a megacorp absolutely has its uses.

      • Aurornis a day ago

        That Reddit post was thoroughly debunked as untrue. It had some obvious plot holes and inconsistencies.

        Google even came out and said that’s not how account suspensions work: They don’t sequentially ban other accounts that have been associated with a device that was associated with an account, as many pointed out.

        I’m surprised how many people fell for that obvious piece of Reddit creative fiction. I think we’ll be hearing about it as an urban legend for years.

        Reddit has become a place for posting fiction on advice subs. It started on the relationship advice subs but has spread to all of the advice subs now, like the legal advice post you saw. You have to read Reddit with a lot of skepticism.

        • user_7832 20 hours ago

          Thanks, it's good to know this thing wasn't true. I wasn't aware of it at all.

          Unfortunately I have seen other horror stories (dad takes a picture to send to the doctor, it uploads to iCloud/Google photos, account gets banned) to be wary of trusting any such large corp.

          Partly tangential, but just yesterday there was a post of someone with a Czech password who got locked out of their iPhone. Now of course an iCloud backup might have actually helped them here, but the reliance on "It's Apple, it'll work" is a very common thing (understandably!), but unfortunately not true.

      • user_7832 a day ago

        Oh, by the way - this was the account he used for his business (I don't remember if it was a custom domain). He's pretty much lost his only way of communicating with customers. This isn't just a "whoops, let me make a new email" situation.

        (You can go to the legal advice UK subreddit if you want to see the post.)

        • Aurornis a day ago

          > (You can go to the legal advice UK subreddit if you want to see the post.)

          It was removed quickly because it was obviously untrue. The details of the story weren’t even consistent across the poster's comments.

    • denkmoon a day ago

      and lose a lifetime's worth of pictures because Google identified a pic of your toddler in their pyjamas as CSAM and nuked your life. Or your 13y/o kid fiddled with themselves in front of gemini. etc

      Of all the dicking around one can do in a homelab, and I'm guilty of plenty of it, setting up some network storage for photo backup is easily one of the highest value things you can do.

      • sekh60 11 hours ago

        Our child is only 6 but these fears are one of the reasons we have immich at home (amongst other things). We still have Google storage for photos, but just in case they take a photo or video that gets flagged we do not want to lose everything. I am though trying to get in the habit of having an annual photo book printed to have some used copies of memories.

        My spouse is more tied to Google, but for myself if I got cut off I'd just have to change some recovery email addresses.

    • pbasista a day ago

      > Man, paying Google/Apple $5/mo is surely a much better solution for her.

      According to which criteria?

      There are values beyond "basic convenience" that are important as well. Being independent from a subscription service is one of them. Having full control over your own media being another.

      Moreover, subscriptions in general have disadvantages. For example:

      1. If a subscription service decides to increase their prices tenfold, there is nothing a customer can do to stop them.

      2. If they decide to stop operating completely, a customer also has no say in the matter.

      3. If the subscription service decides to just unilaterally stop offering the service to a particular user, they can do so at their own discretion, at any time.

      This all means that whatever value is being "obtained" by using a subscription service, it is only going to last for as long as the provider wants it to last.

    • puppymaster a day ago

      ha even better on /r/localllm husbands are scratching their head why their wives and kids just won't use their local chatgpt. It's fast and i bought 4 5090 for this why won't they use it!

      Brothers, maybe they don't want you to see all their private chats with AI?

    • whoahwio a day ago

      yes, the economics, and ease of use, of google/apple cloud storage is unmatched

      and yes, most people willing to endeavor into the area are hobbyists, with all that entails

      however, reading even one story of someone losing access to their cloud photos for xyz reason, is enough to decide that you ought to have some mechanism in place to ensure ownership of your data

      • snoman a day ago

        I just sync down everything from my wife/kids’ Google Drive/Dropbox/whatever nightly to my NAS. Usability of a cloud solution, but with on-prem backup.

    • dugite-code a day ago

      Except with modern tooling it's not a huge task anymore to run these services.

      Cost wise on the right hardware it is very cheap to run, add the privacy/personal control aspect it's no wonder so many people do it.

      • Gigachad a day ago

        Software wise I find stuff pretty easy to set and forget. It's hardware that's always been the issue for me. When your power or internet goes out, everything goes down. While you move property, everything is down. Currently my server has developed an issue with randomly crashing and rebooting I haven't been able to resolve yet.

        Using a VPS entirely removes the hardware aspect, but it also mostly defeats the point of self hosting.

        • prmoustache a day ago

          Your personal photos likely do not need 99.99999999999% of availability, especially if you still have a local copy of the most recent and interesting ones on your smartphone.

        • anon7000 a day ago

          I don’t think it defeats the point at all. Uploading photos to Google is a massive privacy concern. Apple is maybe better in that way, but very limited cross-platform support, and when I’ve tried it, poor performance & pricing. Neither do well at higher end photography either.

          • Gigachad a day ago

            I self host for privacy, which makes me feel uncomfortable about all my private data sitting unencrypted on a server I don't control. It's better in that you don't have fully automated google AI scanning your data, but it's still exposed. None of the self hosted apps are designed with e2e encryption in mind so you'd be better off using icloud.

            • oarsinsync a day ago

              > None of the self hosted apps are designed with e2e encryption in mind

              https://ente.com is open source, and self hosted, and end to end encrypted.

            • denkmoon a day ago

              Let's say you don't leave it unencrypted on disk, only in memory. Do you really think vps providers are slurping your personal data out of a VM's memory in the same way google do dragnet personal data gathering? If your adversary is the government, sure they probably can do that, but otherwise it seems unlikely.

    • lostmsu a day ago

      Well no, Google at some point in mid 201x screwed up some of photos hosted on Photos.

      My personal backup has been flawless (so far).

      Would have spent a couple thousand $ by now, if stayed on it.

cadamsdotcom a day ago

There should be volunteer groups at local libraries running these services for their local communities.

It’d be a great way for kids to learn to operate services and a great alternative for anyone who wants to use the fantastic open source stuff that’s out there but lacks expertise or time.

  • bsder a day ago

    > There should be volunteer groups at local libraries running these services for their local communities.

    The problem with bespoke anything in computers is always the support.

    No one wants to be on the hook for customer support. I absolutely agree with them.

    There are a ton of "services" that exist solely to enable people to cut a check and say "Customer support is over there. Go talk to them and leave me alone."

nateberkopec a day ago

For secrets management, I basically just use fnox everywhere (https://fnox.jdx.dev/). It's a frontend to tons more options than sops, although `age` is still included. I also think the DX is better but to each their own.

import a day ago

> There’s something appealing in that idea, being independent and prepared, a male fantasy likely never coming to life

There’s still cloudflare in the middle of everything and it doesn’t make it “independent”.

arjie a day ago

Cloudflare Tunnel is a wonderful thing. In fact, Cloudflare itself is fantastic for homelabbers because it gives you so much for free. I used to just host direct on my own home IP, but nowadays I find it easier to just `cloudflared`. Don't have to worry about the firewall and any breaches into my network and all of that stuff.

I started from a similar place as you and then eventually now my IaaC for my homelab is just idempotent bash scripts written by Claude. The pattern I find with dependencies is that they have the property that someone wants to change some attribute and so the program needs to evolve for the attribute to be changeable. This means programs evolve to have many hinges and the interactions cause bugs one cannot reason about.

My needs for the homelab are fairly simple and the script can encode all the information it needs. As a human, writing such a script is tedious. As a human with an AI assistant, I've found that this is so much easier to worry about because bash is a fairly stable target.

Anyway, apart from that, I landed on using systemd's containers that use podman but otherwise not too different. My (far less polished) version of this post as a memory aid to myself: https://wiki.roshangeorge.dev/w/One_Quick_Way_To_Host_A_WebA...

  • lorenzohess a day ago

    How do you feel about the privacy implications of Cloudflare theoretically being able to read all your data? I guess this theoretical downside is outweighed by the practical upsides?

    • arjie 8 hours ago

      I don't have a homelab for privacy so much as convenience. And I accept the risk of trusting vendors. I also have a datacenter cabinet and the techs there have a key to the cabinet. That's even more dangerous access theoretically. I suppose if someone compromised cloudflared (more possible in this era of supply-chain attacks and Cloudflare's renewed commitment to vibe-coding) there's a risk. C'est la vie.

    • 93n 10 hours ago

      FWIW: Depending on your use case, Cloudflare doesn't have visibility into cleartext. In my setup, I use their arbitrary TCP tunneling feature to tunnel SSH for a remote host, which works great.

      That said: I do also tunnel HTTP, and I've come to terms with the privacy risk. Being able to set up enforcement of things like mTLS at the edge is quite nice.

  • Hamuko a day ago

    What's the benefit of Cloudflare Tunnel over just using Wireguard?

    • arjie 8 hours ago

      I use them for different purposes. The wiki I linked there is exposed via `cloudflared`. Its purpose is to be public. I can't see myself using Wireguard for that.

    • radicality a day ago

      Same question from me too - I do have a few services on my homelab at home - stuff like a NAS, synology surveillance, homeassistant, few lxc containers hosting random services on Proxmox - and it all works just fine for my needs with standard WireGuard vpn setup on all my devices (macbook/ipad/iphone/android). What would cloudflare tunnel get me?

    • antihero a day ago

      It's free and simple and handles HTTPS termination and can be set up easily using terraform/pulumi.

      Interestingly, in the early hours of this morning I switched from Cloudflare Tunnels to a rathole/traefik based solution (well, currently it's port forwarding and a low grade home-baked dyndns solution until I get paid and can afford a cheap hetzner box because I spent all of my money again).

      I switched back because I didn't like the added complexity of having to manage the routes, what I'm using it for is technically against ToS, and I like the self-contained nature of my microk8s cluster.

      • cassianoleal a day ago

        > handles HTTPS termination

        I understand a lot of people run services locally for other reasons, but HTTPS termination defeats any privacy argument.

        Cloudflare are essentially the largest MitM data collector in the world. A few people started moving their data out of the cloud and they saw the gap. Now they're plugging that gap "for free".

    • lostmsu a day ago

      I just add Yggdrasil to all my nodes. Removes the need to deal with nginx also.

tobi_bsf a day ago

I will never get why the F people are putting all this stuff into the public internet vs just using tailscale.

  • antihero a day ago

    It is nice to download an app and then just point it at a public URL as opposed to having to rely on the device being in the same tailnet.

  • s_ting765 a day ago

    Tailscale is an overkill solution. Opening ports 80 and 443 for a reverse proxy is enough security provided your apps don't have broken authentication. I've been doing this for years now.

    • Hamuko a day ago

      Validating every single service I run on my home server for security (currently at 30 containers + other non-containerised random crap) vs. enabling the built-in Wireguard server on my router (which is more or less as simple as setting up Tailscale). I have a very different idea on which of these is overkill.

      • s_ting765 a day ago

        What makes you think simply throwing random crap on a home VPN network is secure?

        Tailscale/Wireguard is overkill because it is not needed where access controls work fine which is true for the majority of the popular self-hosted apps. And you now have to install a VPN client/cert on every device you want to access your services from. That's a major oof.

  • fiend00 a day ago

    An external non-technical user needs to connect to your Jellyfin via their Smart TV (that doesn't have tailscale available to install), I guess.

znnajdla a day ago

In Ukraine I have visited SaaS company offices serving production traffic with an actual bunker like this. Physically underground.

prmoustache a day ago

Author seems to be mixing up homelab and selfhosting which are 2 different concepts.

Self hosting is hosting services and data you actively use. While I don't seek 99.9999% of availability, this is not where I want to explore and break things on purpose.

Homelab is an environment one uses to learn and that is ready to be scratched/broken for the sake of learning. This is definitely not the place where I want to host my personal services and files (or at least not as primary copy/endpoint).

willio58 a day ago

I recently did the math and was floored to see I’d be spending 1.3k per year on streaming alone. So I said screw it, bought a nas and 36 TB of hard drives and set up an arr stack. I cancelled all of our streaming subscriptions 2 months ago and it’s been the best decision I’ve ever made. Plus my whole family is doing the same from all around town. I’m saving my extended family on the order of 5-6k per year total.

The nas is going to pay itself off in a few months, then it’s all savings from there. If only these media billionaires didn’t get so greedy, I would have happily kept paying them.

Especially with Claude code, setting up something like this is basically just sitting down and prompting for a couple of hours.

The emerging benefits are nice too. Like we don’t have to sift through junk of Netflix or Hulu to find stuff we would actually watch. All of it is stuff we would watch because we added it ourselves. Really fun!

  • anon7000 a day ago

    Another huge benefit is you can actually get high-bitrate streaming. Ripping a 4k Blu-ray & streaming it from home (for those who may not want to sail the seas) is sooooo much higher quality than typical streaming.

    • Gigachad a day ago

      It is so sad how with the internet we have accepted terrible media quality. Instant messaging and social media reduces photos to 1MP and heavily compressed. It's fine for a photo or meme you are only looking at once and scrolling past. But if it's something you'd want to save, the quality is garbage.

      I'd honestly rather apps stop providing hosted media and just do the delivery, let me worry about backing up history. iMessage seems to be the only one sending things in full quality.

      • watermelon0 a day ago

        The main difference is that iMessages count towards iCloud quota, whereas (most?) other messaging services have free storage.

        • Gigachad a day ago

          iMessage doesn't require you to store history in icloud, it can just store everything locally if you want. But yes, I'd rather not have stored history, or the option to pay for storage than to have all media crushed beyond recognition.

          A few times I've wanted to print something and found it was sent over an IM app and compressed to 100kb rendering it useless.

  • ZaoLahma a day ago

    I do a hybrid, where I keep lowest tier subscriptions but choose to watch content off of our media server setup at the highest available quality, without advertisement.

    I don't mind paying for what I consume, but God damn is the value proposition at the floor currently. Here even the rather expensive mid tier subscription gives you 1080p at most with all the big players. It's as if they somehow converged to this model and aren't competing anymore. Coincidence, I'm sure.

  • kenniskrag a day ago

    Is that legal? Do you avoid uploading somehow?

  • globular-toast a day ago

    Alternatively, you could not give them your money or your time. Find other hobbies and kick the "content" addiction.

SuperMouse a day ago

For me it's an Intel N100 box with Proxmox. Auto updates (without auto reboot) fully activated. It just works.

For accessing my home network I've rented a 1€-VPS that acts as a Wireguard connection hub.

zihotki a day ago

For those who are looking into good homelab servers - better look at the refurbished/used mini-pc based on 5th gen of Intel, like i5 11500T (HP ProDesk 400 G5 Mini for example), or ryzen. You'll get better thermals, better CPU, more expansion slots for cheaper than you can get out of NUC.

On top of that, resellers also often have upgrades for RAM and NVME available. WD-Red OEM 1Tb for less than 100 dollars sounds like bargain.

lukebaze a day ago

The support problem is real, but it's also solvable if you're not trying to support strangers. Ran Nomad + Consul for 50 services at my last place and the ops overhead was brutal until we stopped treating it like a public service. In practice, homelab stuff works great when it's just you or a small team that actually knows how to SSH into a box. Library volunteers handling production services for the community? That's a different animal entirely, fwiw.

ceinewydd a day ago

Looking forward to the follow up post, State of Bunker 2029.

lorenzohess a day ago

How do you feel about the privacy implications of Cloudflare theoretically being able to read all your data? I guess this theoretical downside is outweighed by the practical upsides?

  • MrLokans a day ago

    Yes, the convenience of being able to access your data everywhere is very hard to overcome. The largest downside is the reliability of the Cloudflare platform, as if it goes down, you'll have problems accessing any of the exposed services, and it has indeed been problematic some time ago, when they were down for an extended period of time.

    If I overcome my laziness, I'm going to invest a bit into Tailscale/WireGuard set-up, with some bastion host perhaps.

oaiey a day ago

Sounds more like a state of the private download engine to me :)

nodesocket a day ago

I have a homelab with 4x Raspberry Pi 4's running Kubernetes, a GMKtec Intel i5-12450H and a ProLiant ML350p Gen8 (which uses an ungodly amount of power). I'd add the following software/tools which have been awesome:

  - Portainer running on GMKtec & ProLiant
  - Dozzle (docker log viewer) on GMKtec & ProLiant
  - Beszel (server monitoring, awesome) all hosts
  - Kubetail (Kubernetes log viewer on Pi K8s)
  - HomeAssistant
  - Jellyfin
  - UptimeKuma (uptime and notifications)
  - Semaphore UI (ansible playbook runner)
  - Metabase (querying and visualization for dbs)

  • mrmlz a day ago

    I've recently upgraded my ageing X8SIL Supermicro with an i5 to a X10 Sm board with a 2960 V4 14core Xeon... I was expecting a horrible power situation but it's less than 100w with a handful of spinning disks etc.

    I see lots of people complaining on power with their re-used ProLiant and others etc. Is it the throttling or bios settings that messes with the idle power?

    Or are you just running it at 100% and my low usage is what saves my electricity bill?

    • nodesocket a day ago

      I'm at about 150 watts at idle with 2x Intel E5-2640 with 8x drives. I've gone through the BIOS pretty thoroughly and optimized as much as possible.

      • mrmlz a day ago

        Ah okay 150w is not _that_ bad - more than a rpi for sure but still :)

        And another cpu+chipset is always going to eat some watts just by existing.

colordrops a day ago

> I originally intended to try out the NixOS for the sake of reproducible builds and being able to store the configuration in a single place but got too lazy about it.

Ironically once I got over the hump of learning NixOS, I can't imagine using anything else for declarative configuration. Too lazy to use a traditional system which requires custom wiring.

cybercatgurrl 20 hours ago

I was with you until you decided to gender your desires.

atlgator a day ago

You are doing more than I am (e.g. synchronized file storage, books, music), but I have radarr, sonarr, overseerr, plex, and supporting apps for movies and tv shows. Plex is available externally through its remote access feature. For the actual request system, I run OpenClaw with an Overseerr extension. This allows me to manage titles remotely via Telegram without any kind of tunnel or SSO. Simple and gets the job done for the solo-user scenario.

oofbaroomf a day ago

Seems like it's down right now. I guess that's the "State of Homelab"? :)
