🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Self-Host

by @ivangdavila

Deploy and maintain self-hosted services with security, backups, and long-term reliability.

Versionv1.0.0
Downloads1,346
Stars⭐ 2
TERMINAL
clawhub install self-hosting

πŸ“– About This Skill


name: Self-Host description: Deploy and maintain self-hosted services with security, backups, and long-term reliability. metadata: {"clawdbot":{"emoji":"πŸ–₯️","requires":{"anyBins":["docker","podman"]},"os":["linux","darwin","win32"]}}

Self-Hosting Rules

Before Installing Anything

  • Backups first β€” decide where data lives and how it's backed up before deploying, not after data exists
  • Check resource requirements β€” many services need more RAM than expected, OOM kills corrupt data
  • Verify the project is actively maintained β€” abandoned projects become security liabilities
  • Docker Fundamentals

  • Always use named volumes or bind mounts for persistent data β€” anonymous volumes are lost on container removal
  • Pin image versions (nginx:1.25.3 not nginx:latest) β€” latest changes unexpectedly and breaks setups
  • Set restart policy (unless-stopped or on-failure) β€” containers don't auto-start after reboot by default
  • Use docker compose down not docker compose rm β€” down handles networks and volumes properly
  • Networking

  • Never expose database ports to the internet β€” only the reverse proxy should be public
  • Use a reverse proxy (Traefik, Caddy, Nginx Proxy Manager) β€” handles SSL, routing, and security in one place
  • Create Docker networks per project β€” default bridge network lacks DNS resolution between containers
  • Bind admin interfaces to localhost only (127.0.0.1:8080:8080) β€” not all traffic needs to be public
  • SSL and Domains

  • Use automatic SSL with Let's Encrypt β€” Caddy and Traefik do this natively
  • For local/LAN access, use a real domain with DNS challenge β€” avoids browser certificate warnings
  • Wildcard certificates simplify multi-service setups β€” one cert for *.home.example.com
  • Security Essentials

  • Change all default passwords immediately β€” bots scan for default credentials within hours
  • Enable automatic security updates for the host OS β€” unpatched systems get compromised
  • Use fail2ban or equivalent β€” brute force attacks are constant
  • Keep services behind authentication (Authelia, Authentik) β€” not everything has built-in auth
  • Disable root SSH, use key-only authentication β€” password SSH is a vulnerability
  • Backups

  • Test restores, not just backups β€” untested backups are wishful thinking
  • 3-2-1 rule: 3 copies, 2 different media, 1 offsite β€” local RAID is not backup
  • Automate backup schedules β€” manual backups get forgotten
  • Back up Docker volumes, not containers β€” containers are ephemeral, data is not
  • Monitoring

  • Set up uptime monitoring (Uptime Kuma is self-hostable) β€” know when services die before users tell you
  • Monitor disk space β€” full disks cause silent failures and corruption
  • Log rotation is mandatory β€” Docker logs grow forever by default, fill disks
  • Consider resource monitoring (Netdata, Prometheus) β€” spot problems before they're critical
  • Maintenance

  • Schedule regular update windows β€” services need updates, plan for downtime
  • Document everything you deploy β€” future you won't remember why that container exists
  • Keep a compose file repo β€” reproducibility matters when hardware fails
  • Test updates on staging when possible β€” production surprises are painful
  • Home Server Specifics

  • Dynamic DNS if ISP doesn't provide static IP β€” Cloudflare, DuckDNS work well
  • UPS protects against power loss corruption β€” especially important for databases
  • Consider power consumption β€” some hardware costs more in electricity than cloud hosting
  • Port forwarding exposes your home network β€” use VPN (WireGuard, Tailscale) instead when possible
  • Common Mistakes

  • Putting everything on one machine with no redundancy β€” single point of failure for all services
  • Ignoring updates for months β€” security vulnerabilities accumulate
  • No firewall rules β€” assuming "nobody knows my IP" is security
  • Storing secrets in docker-compose.yml committed to git β€” use .env files, exclude from version control
  • Over-engineering from day one β€” start simple, add complexity when needed