Self-Host
by @ivangdavila
Deploy and maintain self-hosted services with security, backups, and long-term reliability.
clawhub install self-hosting
π About This Skill
name: Self-Host
description: Deploy and maintain self-hosted services with security, backups, and long-term reliability.
metadata: {"clawdbot":{"emoji":"π₯οΈ","requires":{"anyBins":["docker","podman"]},"os":["linux","darwin","win32"]}}
Self-Hosting Rules
Before Installing Anything
Backups first β decide where data lives and how it's backed up before deploying, not after data exists
Check resource requirements β many services need more RAM than expected, OOM kills corrupt data
Verify the project is actively maintained β abandoned projects become security liabilitiesDocker Fundamentals
Always use named volumes or bind mounts for persistent data β anonymous volumes are lost on container removal
Pin image versions (nginx:1.25.3 not nginx:latest) β latest changes unexpectedly and breaks setups
Set restart policy (unless-stopped or on-failure) β containers don't auto-start after reboot by default
Use docker compose down not docker compose rm β down handles networks and volumes properlyNetworking
Never expose database ports to the internet β only the reverse proxy should be public
Use a reverse proxy (Traefik, Caddy, Nginx Proxy Manager) β handles SSL, routing, and security in one place
Create Docker networks per project β default bridge network lacks DNS resolution between containers
Bind admin interfaces to localhost only (127.0.0.1:8080:8080) β not all traffic needs to be publicSSL and Domains
Use automatic SSL with Let's Encrypt β Caddy and Traefik do this natively
For local/LAN access, use a real domain with DNS challenge β avoids browser certificate warnings
Wildcard certificates simplify multi-service setups β one cert for *.home.example.comSecurity Essentials
Change all default passwords immediately β bots scan for default credentials within hours
Enable automatic security updates for the host OS β unpatched systems get compromised
Use fail2ban or equivalent β brute force attacks are constant
Keep services behind authentication (Authelia, Authentik) β not everything has built-in auth
Disable root SSH, use key-only authentication β password SSH is a vulnerabilityBackups
Test restores, not just backups β untested backups are wishful thinking
3-2-1 rule: 3 copies, 2 different media, 1 offsite β local RAID is not backup
Automate backup schedules β manual backups get forgotten
Back up Docker volumes, not containers β containers are ephemeral, data is notMonitoring
Set up uptime monitoring (Uptime Kuma is self-hostable) β know when services die before users tell you
Monitor disk space β full disks cause silent failures and corruption
Log rotation is mandatory β Docker logs grow forever by default, fill disks
Consider resource monitoring (Netdata, Prometheus) β spot problems before they're criticalMaintenance
Schedule regular update windows β services need updates, plan for downtime
Document everything you deploy β future you won't remember why that container exists
Keep a compose file repo β reproducibility matters when hardware fails
Test updates on staging when possible β production surprises are painfulHome Server Specifics
Dynamic DNS if ISP doesn't provide static IP β Cloudflare, DuckDNS work well
UPS protects against power loss corruption β especially important for databases
Consider power consumption β some hardware costs more in electricity than cloud hosting
Port forwarding exposes your home network β use VPN (WireGuard, Tailscale) instead when possibleCommon Mistakes
Putting everything on one machine with no redundancy β single point of failure for all services
Ignoring updates for months β security vulnerabilities accumulate
No firewall rules β assuming "nobody knows my IP" is security
Storing secrets in docker-compose.yml committed to git β use .env files, exclude from version control
Over-engineering from day one β start simple, add complexity when needed