Why I build my own cloud
I didn’t set out to run a datacenter in my house. It started, like most of these things do, with a small annoyance: a subscription renewal email. Another service raising prices, another company quietly changing its privacy policy, another reminder that my photos, passwords, notes, and music lived on someone else’s computer — rented, not owned.
So I started pulling things back. One service at a time. A few years later, I have my own cloud. Not a metaphor — an actual one. My files sync to a server I can touch. My photo library is indexed on hardware I bought. My passwords never leave my network unencrypted. When friends ask why, the honest answer is: because once you start, it’s very hard to stop.
The Experience
Self-hosting is the most educational thing I’ve done outside of my actual career. I work in critical care education — I teach nurses how complex systems fail and how to recover them. It turns out homelabbing is the same discipline wearing different clothes. You learn networking because your services can’t talk to each other. You learn DNS because everything is DNS. You learn reverse proxies, certificates, containers, firewalls, and backup strategy — not from a textbook, but because something you rely on broke at 11 PM and you wanted it back.
There’s also something quietly personal about it. My services have Filipino names: Nextcloud lives at ulap (cloud), Jellyfin at pelikula (movies), Navidrome at musika, my notes at nota. It’s a small thing, but it makes the whole stack feel like mine in a way no SaaS dashboard ever did.
The Struggles
Let me be honest about the costs, because the self-hosting community sometimes isn’t.
You will break things. My most catastrophic failure came from editing a reverse proxy config while Docker was still running — it corrupted the firewall rules on my VPS badly enough that I rebuilt the entire server from scratch. The lesson is now a house rule: always bring the stack down before touching config files. I have a runbook because of that night. Every painful lesson became a document.
Identity is the hardest part. Single sign-on across a dozen services sounds elegant until you’re debugging OIDC token exchanges at midnight, or you migrate domains and discover your hardware security keys are bound to the old hostname. Every app handles authentication slightly differently, and there is one rule I hold sacred: the password manager gets no SSO, no forward auth, nothing in front of it. It must work when everything else is on fire.
Migrations never end. I recently moved my entire ingress stack from a managed tunnel service to a self-hosted instance on a VPS — new domain, new reverse proxy, every service re-pointed in a careful sequence. Identity first, simple apps next, the complicated ones last. It went smoothly because of every migration before it that didn’t.
It costs time. Not constantly — a mature stack mostly hums along — but in bursts. Updates, certificate renewals, that one container that won’t start after a reboot. You’re the sysadmin now. There’s no support ticket to file except to yourself.
The Rewards
So why do it?
Ownership. My family’s photos — decades of them — live in Immich on my hardware, backed up on my schedule, encrypted offsite to storage I chose. No algorithm mines them. No acquisition or pricing change can hold them hostage.
Privacy that’s structural, not promised. My password vault, notes, home automation, and DNS all run inside my network. Privacy isn’t a checkbox in someone’s settings page; it’s the architecture.
Capability. I run things no consumer service offers: a two-node DNS cluster that filters ads for the whole house, a mesh VPN that puts my phone “at home” from anywhere in the world, intrusion detection that learns from attacks across my edge, a music server that scrobbles to two services while streaming losslessly to my phone. I’m now building local AI inference on top of it — my notes, my models, my hardware.
Competence. This is the underrated one. The confidence of knowing that when something breaks, you can fix it — because you built it, you documented it, and you’ve fixed worse — transfers to everything else in life.
The Hardware
The stack grew organically, and it shows — in a good way. Roles are separated so one failure doesn’t take everything down:
A pair of low-power ZimaBlade boards handle the perimeter and identity layer: reverse proxy tunnels, the password vault, single sign-on, VPN coordination, and security tooling. Small, silent, sippy on power — perfect for services that must never go down.
A cluster of Intel NUCs does the heavy lifting: Nextcloud, the photo library, the media server, music streaming. Alongside them, a rack server and the NUCs form a Ceph storage cluster on its own VLAN, with enterprise U.2 NVMe drives for the parts that matter.
Two Raspberry Pi 5s run redundant DNS, because DNS going down means everything feels down. A UniFi network underneath segments it all into VLANs — infrastructure, home, storage, and IoT each in their own lane.
And one piece lives outside the house: a small VPS that terminates public traffic and tunnels it home, so nothing on my home network is ever directly exposed to the internet.
The Software
Everything runs on Proxmox, with Docker inside VMs and LXCs. The roster:
Pangolin + Traefik for ingress and tunneling, Authentik for single sign-on, Vaultwarden for passwords, NetBird for mesh VPN, CrowdSec for collaborative intrusion prevention, and Technitium for DNS. On the application side: Nextcloud AIO for files, Immich for photos, Jellyfin for video, Navidrome for music, Joplin and Memos for notes, Home Assistant for the house itself, and Ghost — the very blog you’re reading — running on that VPS.
Every one of these replaced something I used to pay for, or something I used to give my data to for free, which is the same thing with the price hidden.
Should You?
If you want convenience, no. Pay the subscriptions; they’re genuinely good products. But if you’re the kind of person who reads a privacy policy and feels something twist — or who just wants to understand how the internet actually works — start small. One Raspberry Pi. One service. Maybe DNS filtering, maybe a photo backup.
Just know that it doesn’t stay one service. It never does. And a few years from now, you might find yourself writing a post like this one, on a blog you host yourself, explaining why you’d never go back.