Dale John Dunlop

Why Build a Zero Trust Home Server?

Thu, 03 Apr 2025 22:06:12 GMT

In today's digital landscape, running your own private infrastructure is becoming increasingly popular. With a simple Raspberry Pi, you can self-host your own media, files, ad blocker, automation workflows, and more right from home, while maintaining complete control over your data.

This guide will help you understand how to set up a secure and accessible home server using zero trust principles, with no open ports on your home router.

Why Build a Zero Trust Home Server?

Complete Digital Privacy: Keep your data local and away from big tech companies
Enhanced Security: Access services without opening ports on your router
Centralised Control: Host your own media, files, dashboards, and automation tools
Accessible From Anywhere: Use secure tunnelling to access your services globally

What You Can Self-Host Securely

Here are some powerful services you can run on your Raspberry Pi:

Use Case	Service	What It Does	Resource Requirements
Ad Blocking	AdGuard Home / Pi-hole	Network-wide ad and tracker blocking	Low: 100MB RAM, minimal CPU
Zero Trust Access	Tailscale / Cloudflare Tunnel	Secure remote access without port forwarding	Low: 200MB RAM, minimal CPU
Firewall & Protection	UFW / Fail2Ban	Secure your server from unwanted access	Very Low: System level
Media Streaming	Jellyfin	Host your own Netflix-like streaming platform	Medium-High: 1-2GB RAM, moderate CPU
Personal Cloud Storage	Nextcloud	Self-hosted alternative to Dropbox/Google Drive	Medium: 1-2GB RAM, moderate CPU
Smart Home	Home Assistant	Smart home automation hub	Medium: 1GB RAM, moderate CPU
Service Monitoring	Uptime Kuma	Monitor your services' health	Low: 200-500MB RAM, low CPU
Password Management	Vaultwarden	Self-hosted Bitwarden-compatible password manager	Low: 500MB RAM, minimal CPU
Docker Management	Portainer	Graphical interface to manage Docker containers	Low: 500MB RAM, minimal CPU
Workflow Automation	n8n	Create powerful automation workflows	Medium: 1GB RAM, moderate CPU
RSS Aggregator	FreshRSS	Track news and updates from your favorite sites	Low: 200MB RAM, minimal CPU
Document Management	Paperless-ngx	Scan, store, and search your documents	Medium: 1GB RAM, moderate CPU

https://strapi.my-home-portal.com/uploads/homer_88ae207b36.png Example Homer dashboard showing various self-hosted services

Real-World Performance Expectations on Raspberry Pi 4 (4GB)

Jellyfin: 1-2 direct play streams OR 1 1080p transcode
Nextcloud: Comfortable file syncing for 3-5 users
AdGuard + Tailscale + Uptime Kuma: Can run simultaneously with minimal impact
Storage needs: Start with 128GB SSD for OS + Docker, external HDD for media/backups

Setting Up Your Raspberry Pi

Hardware Requirements

For a reliable zero trust home server, you'll need:

Raspberry Pi 4 (4GB or 8GB recommended)
USB SSD (128GB+ recommended) instead of microSD for reliability
Official Power Supply (3A for Pi 4)
Case with cooling (like the Argon ONE M.2 or Flirc case)
Ethernet connection (strongly recommended for stability)

https://strapi.my-home-portal.com/uploads/PI_layout_fed29699e0.png Raspberry Pi 4 with SSD and cooling case for optimal home server performance

Step 1: Install Raspberry Pi OS

Download and Install Raspberry Pi Imager:
- Visit the Raspberry Pi Software page and download for your OS
Configure with Raspberry Pi Imager:
- Open the Raspberry Pi Imager application
- Click "Choose device" and select your Raspberry Pi model
- Click "Choose OS" and select Raspberry Pi OS Lite (64-bit) for a headless server
- Click "Choose storage" and select your SSD (connected via USB adapter)
Configure Advanced Options:
- Press Ctrl+Shift+X to open advanced options
- Set a hostname (e.g., homeserver)
- Enable SSH and configure an SSH key for passwordless login
- Configure your WiFi (if not using Ethernet)
- Set locale settings
- Click Save and then Write
Insert the SSD into your Raspberry Pi and power it on

Step 2: Initial Configuration

Connect to your Raspberry Pi via SSH:

            ssh username@homeserver.local

Update your system:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo apt update && "hljs-string">"hljs-built_in">"hljs-built_in">sudo apt full-upgrade -y

Set a static IP address (recommended):

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo nano /etc/dhcpcd.conf

Add these lines, customizing for your network:

          interface eth0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1 1.0.0.1

Reboot to apply changes:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo reboot

Step 3: Security Hardening

Remove Password Authentication for SSH

If you didn't set up SSH keys during installation:

            "hljs-string">"hljs-comment"># On your "hljs-built_in">local machine
ssh-keygen -t ed25519 -C "hljs-string">"hljs-string">"hljs-string">"your_email@example.com"
ssh-copy-id username@your-pi-ip-address

Then disable password authentication:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo nano /etc/ssh/sshd_config

Find and modify these lines:

          PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Restart SSH service:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo systemctl restart sshd

Set Up Basic Firewall

Install and configure UFW:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo apt install ufw
"hljs-string">"hljs-built_in">"hljs-built_in">sudo ufw default deny incoming
"hljs-string">"hljs-built_in">"hljs-built_in">sudo ufw default allow outgoing
"hljs-string">"hljs-built_in">"hljs-built_in">sudo ufw allow ssh
"hljs-string">"hljs-built_in">"hljs-built_in">sudo ufw "hljs-string">"hljs-built_in">"hljs-built_in">enable

Install Fail2Ban to Protect from Brute Force Attacks

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo apt install fail2ban
"hljs-string">"hljs-built_in">"hljs-built_in">sudo "hljs-string">"hljs-built_in">"hljs-built_in">cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
"hljs-string">"hljs-built_in">"hljs-built_in">sudo systemctl "hljs-string">"hljs-built_in">"hljs-built_in">enable fail2ban
"hljs-string">"hljs-built_in">"hljs-built_in">sudo systemctl start fail2ban

Configure a custom SSH jail:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo nano /etc/fail2ban/jail.local

Add/modify the SSH section:

          [sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400  # 24 hours

Restart Fail2Ban:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo systemctl restart fail2ban

Setting Up Docker and Portainer

https://strapi.my-home-portal.com/uploads/port_db6453290a.png Portainer dashboard showing running containers and resource usage

Docker allows you to run multiple services in isolated containers.

Install Docker and Docker Compose

            curl -fsSL https://get.docker.com | sh
"hljs-string">"hljs-built_in">"hljs-built_in">sudo usermod -aG docker "hljs-string">"hljs-variable">"hljs-variable">$USER
"hljs-string">"hljs-built_in">"hljs-built_in">sudo apt install -y docker-compose-plugin

Log out and log back in for group changes to take effect:

            "hljs-string">"hljs-built_in">"hljs-built_in">exit
"hljs-string">"hljs-comment"># Reconnect via SSH

Create Directory Structure

            "hljs-string">"hljs-built_in">"hljs-built_in">mkdir -p ~/docker/{compose,configs,data}

Install Portainer for Docker Management

Create a docker-compose file for Portainer:

            nano ~/docker/compose/portainer.yml

Add the following content:

            version: '3'
services:
  portainer:
    container_name: portainer
    image: portainer/portainer-ce:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ~/docker/data/portainer:/data
    ports:
      - 9000:9000

Start Portainer:

            "hljs-string">"hljs-built_in">"hljs-built_in">cd ~/docker/compose
docker compose -f portainer.yml up -d

You can now access Portainer at http://your-pi-ip:9000 to set up your admin account.

Setting Up AdGuard Home In Detail

https://strapi.my-home-portal.com/uploads/adgaurd_21ae0461fd.png AdGuard Home dashboard showing blocked requests and filtering statistics

AdGuard Home is a powerful network-wide ad blocker and DNS server. Here's how to set it up and configure it properly.

Initial Setup

First Create and deploy the docker file

            version: '3'
services:
  # Network-wide ad blocking
  adguard:
    container_name: adguard
    image: adguard/adguardhome:latest
    restart: unless-stopped
    volumes:
      - ~/docker/configs/adguard:/opt/adguardhome/conf
      - ~/docker/data/adguard:/opt/adguardhome/work
    ports:
      - 3000:3000  # Admin Panel
      - 53:53/tcp  # DNS
      - 53:53/udp  # DNS
      - 784:784/udp # DNS-over-QUIC
      - 853:853/tcp # DNS-over-TLS
      - 443:443/udp # DNS-over-HTTPS
    cap_add:
      - NET_ADMIN
    networks:
      - home_network

Then run the file and access it

          http://your-pi-ip:3000

Follow the setup wizard:

Create an administrator account
Configure network settings:
- Choose the interfaces to listen on (typically all)
- Keep default ports:
  - DNS: 53
  - Web interface: 3000

Common DNS Issues and Fixes

Before AdGuard can function correctly, make sure port 53 is available:

            "hljs-string">"hljs-comment"># Check "hljs-keyword">if port 53 is "hljs-keyword">in use
"hljs-string">"hljs-built_in">"hljs-built_in">sudo lsof -i :53

If systemd-resolved is using it, reconfigure it:

            "hljs-string">"hljs-comment"># Edit resolved configuration
"hljs-string">"hljs-built_in">"hljs-built_in">sudo nano /etc/systemd/resolved.conf

Add or modify these lines:

          DNSStubListener=no

Then restart the service:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo systemctl restart systemd-resolved

Configuring AdGuard Home

1. DNS Settings

In the AdGuard Home dashboard, go to Settings > DNS Settings:

Set upstream DNS servers (recommended):
- Cloudflare: 1.1.1.1 and 1.0.0.1
- Quad9: 9.9.9.9 and 149.112.112.112
Enable DNS-over-HTTPS/TLS (for security)
Enable blocking of domains from filters

2. Filtering

Go to Filters > DNS blocklists and add these recommended lists:

AdGuard DNS filter
AdAway Default Blocklist
Peter Lowe's Ad and tracking server list
Malicious URL Blocklist by Curben
NoCoin Filter List

3. Configuring Local DNS Records

To use .home.internal domain names for local services:

Go to Settings > DNS rewrite
Add entries for each service:
- Domain name: jellyfin.home.internal
- Answer: your-pi-ip
- Repeat for other services

4. Client Configuration

Set your router to use AdGuard as the DNS server:

Access your router's admin interface
Find DHCP/DNS settings
Set primary DNS to your Raspberry Pi's IP address
Save changes

Alternatively, configure individual devices to use your Pi's IP as their DNS server.

5. Security Features

Enable these additional security features:

Safe Search: Forces safe search on Google, Bing, etc.
Parental Control: Optional content filtering
Safe Browsing: Blocks malicious domains

6. Statistics and Logs

AdGuard Home provides detailed statistics and logs:

View top blocked domains
Check query logs for troubleshooting
Monitor overall network activity

Using AdGuard with Tailscale

To use AdGuard as your DNS server while connected to Tailscale:

In Tailscale admin console, set a DNS nameserver:
- Go to DNS > Nameservers
- Add your Raspberry Pi's Tailscale IP
Configure split DNS (optional):
- In Tailscale admin, set up split DNS for .home.internal domains
- This allows resolving local domains when away from home

Setting Up Zero Trust Remote Access

https://strapi.my-home-portal.com/uploads/jumpbox01_dfed666cdc.jpg

Method 1: Tailscale - VPN-Like Mesh Network

Tailscale creates a secure mesh network between your devices without opening ports.

Install Tailscale

            curl -fsSL https://tailscale.com/install.sh | sh
"hljs-string">"hljs-built_in">"hljs-built_in">sudo tailscale up

Follow the authentication link to connect your Raspberry Pi to your Tailscale account.

Configure Tailscale for Subnet Routing (Optional)

To access other devices on your home network through Tailscale:

            "hljs-string">"hljs-built_in">"hljs-built_in">sudo tailscale up --advertise-routes=192.168.1.0/24

Go to the Tailscale admin console and approve the subnet routes.

Setting Up ACLs and Policy

For enhanced security, set up access control policies in the Tailscale admin panel.

Example ACL policy:

            {
  "acls": [
    {
      "action": "accept",
      "users": ["user@example.com"],
      "ports": ["*:*"]
    }
  ]
}

Method 2: Cloudflare Tunnel with Docker Compose

https://strapi.my-home-portal.com/uploads/cloudflare_d4e7776782.png Diagram showing how Cloudflare Tunnel provide secure remote access

Cloudflare Tunnel lets you expose services using a custom domain without opening ports. Running it in Docker keeps everything neatly containerized.

Prerequisites

Registered domain on Cloudflare
Cloudflare account

Setting Up Cloudflare Tunnel via Web UI Docker Compose

The Cloudflare Tunnel can also be set up directly from the Cloudflare Zero Trust dashboard, which many users find more convenient:

Log in to your Cloudflare account and navigate to Zero Trust > Access > Tunnels
Click Create a tunnel and give it a name (e.g., "Home Server")
You'll be provided with a tunnel token. Create a docker-compose file for Cloudflare:

            nano ~/docker/compose/cloudflare.yml

Add the following content:

            version: "3.8"
services:
  flaresolverr:
    image: ghcr.io/flaresolverr/flaresolverr:latest
    container_name: flaresolverr
    environment:
      - LOG_LEVEL=info
      - CAPTCHA_SOLVER=none
    ports:
      - 8191:8191
    restart: unless-stopped

Start the Cloudflare tunnel:

            "hljs-string">"hljs-built_in">"hljs-built_in">cd ~/docker/compose
docker compose -f cloudflare.yml up -d

Back in the Cloudflare dashboard, you'll be asked to configure public hostnames:
- Click Add a public hostname
- Enter the subdomain and domain (e.g., jellyfin.yourdomain.com)
- For service, select "HTTP" and enter the local service address and port (e.g., jellyfin:8096)
- Repeat for each service you want to expose
Optional: Add authentication
- In the Cloudflare dashboard, under the "Public Hostname" settings, you can enable "Zero Trust Policy"
- Configure authentication methods (Google, GitHub, email one-time passwords, etc.)
- Set up custom policies for who can access each service

Setting Up Essential Self-Hosted Services

Create a Complete Docker Compose Stack

Create a new docker-compose file:

            nano ~/docker/compose/services.yml

Add the following content:

            version: '3'
services:
  # Network-wide ad blocking
  adguard:
    container_name: adguard
    image: adguard/adguardhome:latest
    restart: unless-stopped
    volumes:
      - ~/docker/configs/adguard:/opt/adguardhome/conf
      - ~/docker/data/adguard:/opt/adguardhome/work
    ports:
      - 3000:3000  # Admin Panel
      - 53:53/tcp  # DNS
      - 53:53/udp  # DNS
      - 784:784/udp # DNS-over-QUIC
      - 853:853/tcp # DNS-over-TLS
      - 443:443/udp # DNS-over-HTTPS
    cap_add:
      - NET_ADMIN
    networks:
      - home_network

  # Service monitoring
  uptime-kuma:
    container_name: uptime-kuma
    image: louislam/uptime-kuma:latest
    restart: unless-stopped
    volumes:
      - ~/docker/data/uptime-kuma:/app/data
    ports:
      - 3001:3001
    networks:
      - home_network
  
  # Media server
  jellyfin:
    container_name: jellyfin
    image: jellyfin/jellyfin:latest
    restart: unless-stopped
    volumes:
      - ~/docker/configs/jellyfin:/config
      - /mnt/media:/media
    ports:
      - 8096:8096
    networks:
      - home_network
    environment:
      - JELLYFIN_PublishedServerUrl=jellyfin.yourdomain.com

  # Personal cloud storage
  nextcloud:
    container_name: nextcloud
    image: nextcloud:latest
    restart: unless-stopped
    volumes:
      - ~/docker/data/nextcloud:/var/www/html
    ports:
      - 8080:80
    depends_on:
      - nextcloud-db
    networks:
      - home_network
    environment:
      - MYSQL_HOST=nextcloud-db
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=secure_password_here

  # Database for Nextcloud
  nextcloud-db:
    container_name: nextcloud-db
    image: mariadb:latest
    restart: unless-stopped
    volumes:
      - ~/docker/data/nextcloud-db:/var/lib/mysql
    networks:
      - home_network
    environment:
      - MYSQL_ROOT_PASSWORD=very_secure_root_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=secure_password_here
      
  # Workflow automation
  n8n:
    container_name: n8n
    image: n8nio/n8n:latest
    restart: unless-stopped
    ports:
      - 5678:5678
    volumes:
      - ~/docker/data/n8n:/home/node/.n8n
    networks:
      - home_network
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=secure_password_here

  # Password manager
  vaultwarden:
    container_name: vaultwarden
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ~/docker/data/vaultwarden:/data
    ports:
      - 8081:80
    networks:
      - home_network

networks:
  home_network:
    driver: bridge

Start all services:

            "hljs-string">"hljs-built_in">"hljs-built_in">cd ~/docker/compose
docker compose -f services.yml up -d

Setting Up a Homer Dashboard

Homer provides a clean, customizable dashboard for all your self-hosted services.

Create a docker-compose file for Homer:

            nano ~/docker/compose/homer.yml

Add the following content:

            version: '3'
services:
  homer:
    container_name: homer
    image: b4bz/homer:latest
    restart: unless-stopped
    volumes:
      - ~/docker/configs/homer:/www/assets
    ports:
      - 8082:8080
    networks:
      - home_network

networks:
  home_network:
    external: true

Start Homer:

            "hljs-string">"hljs-built_in">"hljs-built_in">cd ~/docker/compose
docker compose -f homer.yml up -d

Create a basic configuration:

            "hljs-string">"hljs-built_in">"hljs-built_in">mkdir -p ~/docker/configs/homer
nano ~/docker/configs/homer/config.yml

Add this sample configuration:

            title: "Home Server Dashboard"
subtitle: "Your Self-Hosted Services"
logo: "assets/icons/logo.png"
header: true
footer: 'Created with ❤️ with Homer'

# Links to services
services:
  - name: "Media"
    icon: "fas fa-play-circle"
    items:
      - name: "Jellyfin"
        logo: "assets/icons/jellyfin.png"
        subtitle: "Media Server"
        tag: "media"
        url: "http://jellyfin.home.internal"
        target: "_blank"
  
  - name: "Storage"
    icon: "fas fa-database"
    items:
      - name: "Nextcloud"
        logo: "assets/icons/nextcloud.png"
        subtitle: "File Storage"
        tag: "storage"
        url: "http://nextcloud.home.internal"
        target: "_blank"
  
  - name: "System"
    icon: "fas fa-cogs"
    items:
      - name: "Portainer"
        logo: "assets/icons/portainer.png"
        subtitle: "Docker Management"
        tag: "system"
        url: "http://portainer.home.internal"
        target: "_blank"
      - name: "AdGuard Home"
        logo: "assets/icons/adguard.png"
        subtitle: "Ad Blocking"
        tag: "system"
        url: "http://adguard.home.internal"
        target: "_blank"
  
  - name: "Automation"
    icon: "fas fa-robot"
    items:
      - name: "n8n"
        logo: "assets/icons/n8n.png"
        subtitle: "Workflow Automation"
        tag: "automation"
        url: "http://n8n.home.internal"
        target: "_blank"

Create a directory for custom icons:

            "hljs-string">"hljs-built_in">"hljs-built_in">mkdir -p ~/docker/configs/homer/icons

You can download icons for your services and place them in this directory.

Setting Up Nginx Proxy Manager for Local Domain Names

To access your services with nice local URLs like portainer.home.internal:

            nano ~/docker/compose/nginx-proxy.yml

Add the following content:

            version: '3'
services:
  nginx-proxy-manager:
    container_name: nginx-proxy-manager
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '443:443'
      - '81:81'
    volumes:
      - ~/docker/data/nginx-proxy-manager/data:/data
      - ~/docker/data/nginx-proxy-manager/letsencrypt:/etc/letsencrypt
    networks:
      - home_network

networks:
  home_network:
    external: true

Start Nginx Proxy Manager:

            "hljs-string">"hljs-built_in">"hljs-built_in">cd ~/docker/compose
docker compose -f nginx-proxy.yml up -d

Access the admin interface at http://your-pi-ip:81 and set up proxy hosts for each service.

For each service, add a proxy host with:

Domain name: service.home.internal
Forward hostname/IP: The container name or IP
Forward port: The internal port of the service

To use .home.internal domains on your devices, either:

Add entries to your hosts file on each device
Configure AdGuard Home to handle local DNS resolution (recommended)

Accessing Your Services

On Your Local Network

Using nice local domain names:

Homer Dashboard: http://homer.home.internal
Portainer: http://portainer.home.internal
Jellyfin: http://jellyfin.home.internal
Nextcloud: http://nextcloud.home.internal
n8n: http://n8n.home.internal
AdGuard Home: http://adguard.home.internal

Or using IP address:

Homer Dashboard: http://your-pi-ip:8082
Portainer: http://your-pi-ip:9000
Jellyfin: http://your-pi-ip:8096
Nextcloud: http://your-pi-ip:8080
n8n: http://your-pi-ip:5678
AdGuard Home: http://your-pi-ip:3000

Remote Access with Tailscale

When away from home, connect to Tailscale and access services using the same local domain names or IP addresses.

Remote Access with Cloudflare Tunnel

Access through your custom domains from anywhere:

Jellyfin: https://jellyfin.yourdomain.com
Portainer: https://portainer.yourdomain.com
Nextcloud: https://nextcloud.yourdomain.com
n8n: https://n8n.yourdomain.com
Homer Dashboard: https://homer.yourdomain.com

Advanced Security Enhancements

Set Up Service-Specific Networks

Modify your docker-compose file to use specific networks for different types of services:

            networks:
  frontend_network:
    driver: bridge
  backend_network:
    driver: bridge
  database_network:
    driver: bridge

Then assign services to appropriate networks:

            jellyfin:
  networks:
    - frontend_network
    
nextcloud:
  networks:
    - frontend_network
    - backend_network
    
nextcloud-db:
  networks:
    - database_network
    - backend_network

Container Hardening

Add security constraints to your containers:

            yourservice:
  security_opt:
    - no-new-privileges:true
  read_only: true
  tmpfs:
    - /tmp
  restart: unless-stopped

Implement Traefik as a Reverse Proxy (Optional)

For more advanced configurations, implement Traefik to handle routing and SSL:

            traefik:
  container_name: traefik
  image: traefik:latest
  restart: unless-stopped
  ports:
    - 80:80
    - 443:443
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ~/docker/configs/traefik:/etc/traefik
  command:
    - --providers.docker=true
    - --providers.docker.exposedbydefault=false
    - --entrypoints.web.address=:80
    - --entrypoints.websecure.address=:443
    - --certificatesresolvers.myresolver.acme.tlschallenge=true
    - --certificatesresolvers.myresolver.acme.email=your@email.com
    - --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme.json

Troubleshooting Common Issues

Network Connectivity Issues

Problem	Possible Solutions
Can't SSH into server	• Check IP address is correct • Verify hostname resolution works • Ensure SSH service is running • Check firewall settings
Can't access web UIs	• Verify correct ports are open in UFW • Check Docker container is running • Ensure service is bound to correct network interface
DNS not working with AdGuard	• Check port 53 is not in use by systemd-resolved • Verify network configuration points to AdGuard • Check AdGuard logs for errors • Try `sudo systemctl stop systemd-resolved`

Docker Issues

Problem	Possible Solutions
Container won't start	• Check logs: `docker logs container_name` • Verify port conflicts: `netstat -tulpn` • Check volume permissions
Permission errors	• Check UID/GID mappings • Fix permissions: `chown -R user:group /path/to/volume`
Resource limitations	• Check resource usage: `docker stats` • Add memory limits to containers • Monitor with `htop`

Cloudflare Tunnel Issues

Problem	Possible Solutions
Tunnel not connecting	• Check cloudflared logs: `sudo journalctl -u cloudflared` • Verify credentials file exists • Ensure tunnel ID matches in config
Cannot access services	• Check DNS records in Cloudflare dashboard • Verify service is running on specified port • Ensure your Access policies are configured correctly

Maintenance Checklist

To keep your home server running smoothly, perform these maintenance tasks regularly:

Weekly Tasks

Check disk space: df -h
Update containers: docker compose pull && docker compose up -d
Review logs for errors: docker logs --since 24h container_name

Monthly Tasks

Update host OS: sudo apt update && sudo apt upgrade -y
Check for unused containers/images: docker system prune
Review backup integrity
Check UPS battery status (if applicable)

Quarterly Tasks

Change passwords for critical services
Review port forwarding/firewall rules
Check hardware (dust, connections, etc.)
Update documentation of your setup

Community Resources

Get help and inspiration from these community resources:

Forums & Communities

r/selfhosted - Reddit's self-hosting community
r/homelab - More advanced home server setups
Home Assistant Community - Smart home focused
Jellyfin Forums - Media server discussions
TrueNAS Forum - Storage-focused discussions

Discord Servers

Homelab - Home lab discussions

YouTube Channels

TechnoTim - Great server tutorials
DB Tech - Docker-focused tutorials
The Digital Life - Self-hosting guides

What's Next?

You now have a solid foundation for running your own secure private cloud using zero trust principles.

Here are some advanced projects to tackle next:

Advanced Projects

Automated Backups: Set up Restic or Duplicati to automatically backup important data
Analytics: Monitor your network with InfluxDB + Grafana for beautiful dashboards
Home Automation: Connect Home Assistant to your lights, sensors, and more
CI/CD Pipeline: Set up Gitea + Drone CI for your personal development projects
Extended Storage: Build a proper NAS with TrueNAS or Unraid

Final Thoughts

Your zero trust home server is more than just a tech project—it's a statement about data ownership and privacy. With Cloudflare Tunnel and Tailscale, you can access your services securely from anywhere without compromising your home network security.

Last updated: April 2025

]]>

Hello World : Family Edition

Sat, 29 Mar 2025 19:22:29 GMT

Hello World : Family Edition

I've always been into tinkering with tech and problem-solving, but actually diving deep into developing didn't happen until recently. The real push came from a personal project: setting up my own home server. I wanted to build and host my own microservices for all sorts of tasks — media management for our family photos and videos, a central logging solution to keep track of events on our network, some automation tools to streamline home chores — and even create my own website. To make all that happen, I realized I needed to sharpen my coding skills (and learn a bunch about servers too!). Setting up that home server was both exciting and intimidating. I found myself learning everything from basic Linux commands to a bit of networking. I use Portainer (its all containerised with Docker) to manage those microservices. There were moments I felt stuck or overwhelmed, especially when a configuration wouldn't work or a service wouldn't talk to another. But each time I solved a problem, it was incredibly rewarding. That little home server became my coding playground and the spark that ignited my programming journey.

The most challenging bugs I solve aren't in my code - it's figuring out how to balance my passion for building and learning with family life. Both need debugging.

What my day looks like

So how do I actually squeeze coding into a busy day with two kids? It definitely takes planning, flexibility, and a good sense of humour. Here's what a typical day might look like for me:

Early Morning: I try to wake up before the kids do to grab a quick coding session (or at least read about code) while sipping my first cup of coffee. This quiet time doesn't always happen—sometimes I hit snooze, or one of the kids decides 6 AM is playtime—but when it does, it gives me a head start on the day and a little personal victory right off the bat.

Daytime: Once the kids are awake, the house bursts into activity. From making breakfast and doing school drop-offs to focusing on my day job (and countless snack requests in between), my coding brain goes on standby during these hours. If I'm lucky and the stars align (hello, nap time or a generous screen-time break), I might steal a few minutes to brainstorm a feature or jot down a solution that popped into my head. But generally, daylight hours are family and work first, dev later.

Evening: After dinner, it's family time and the kids' bedtime routine. Storybooks, bath time, and goodnight hugs come first—code can wait. By the time the little ones are tucked in, I'm usually pretty tired. Some nights, I'll admit, I collapse on the couch and my plans get pushed aside. Other nights, though, I'm still excited about what I'm building, and that excitement gives me a second wind.

Late Night (Building Time): This is when I dive into code. The house is finally quiet, and I can truly concentrate. I often spend an hour or two writing code, debugging a tricky issue, or learning something new online. It's my dedicated me-time to immerse myself in programming. I do have to be careful not to lose track of time—those early school mornings come around fast, and more than once I've looked up to see it's past midnight!

My Computer Setup

https://strapi.my-home-portal.com/uploads/setup_1_8e8e10f223.jpeg

My main workspace where I spend most of my time

https://strapi.my-home-portal.com/uploads/setup_2_59a96ea7ab.jpeg

I've got a small home office setup—nothing too fancy, but it's my space.

How I Stay Motivated

Some days, sitting down to code feels impossible. I'll finally get a quiet moment, open my laptop, and then… my brain just refuses to function. It's frustrating, but I've learned that motivation isn't about feeling inspired every day—it's about showing up, even when it's hard.

Here are a few things that keep me going:

Building things I actually use. Every project I work on serves a real purpose in my home—whether it's automating tasks, improving security, or just making life a little easier.
Small wins. Even if I can only fix one bug or add one new feature, that's still progress. And progress, no matter how small, keeps me moving forward.
Community & learning. I stay connected with other tech enthusiasts through forums, blogs, and Discord groups. Seeing what others are building inspires me to keep pushing my own skills further.
Taking breaks. When I feel stuck, I step away. A quick gaming session or even just a walk outside helps reset my mind so I can come back with fresh energy.

Little Features with Big Meaning

One of my favourite small projects was a simple color picker I built for my website. Originally, it was just for me—I wanted to play around with CSS variables and theming. But one day, my four-year-old saw me working on it and said, "Aw, Daddy, I want it to be pink!"

Instead of just setting it to pink, I thought, why not let visitors pick their own colors?

What made this project special:

It made my daughter feel like she was part of it.
I got hands-on experience with dynamic theming in CSS.
It added a fun, interactive touch to my site.

Now, every time she watches me work on my site, she clicks through the colors, "helping" me pick a new theme. It's a small, simple feature—but it reminds me why I love coding.

Current Projects

I always have a few projects on the go, but right now, I'm focused on:

Rebuilding my Cloudflare homepage, I want it to be cleaner, faster, and easier to manage.
Improving my home server automation, Automating more tasks so I can spend less time maintaining things and more time building.
Learning n8n.io for workflows, Automating integrations between services I use, like pulling logs from my home server and sending alerts to Telegram.

https://strapi.my-home-portal.com/uploads/website_0bada8f35d.png

My personal website - built using Bootstrap framework and AI assistance through Cursor IDE

Tools I Use

Every coder has their favourite tools—here are mine:

ChatGPT & Cursor IDE – AI-assisted coding has been a game-changer for learning and debugging.
Daily.dev – My go-to source for developer news.
Docker & Kubernetes – Managing microservices on my home server efficiently.

Biggest Challenges

The hardest part isn't the coding—it's the constant context switching.

One moment, I'm troubleshooting a broken API on my home server, and the next, I'm making dinner or looking for a missing toy. Just when I get into deep focus mode, I might hear a shout from the other room: "Dad! I need help!"

Then there's the guilt. When I'm coding, I feel like I should be spending more time with the kids. When I'm with the kids, I'm thinking about the project I want to finish. It's a constant balancing act, and I haven't mastered it yet. But I'm working on it.

What's Next?

I'm taking it one step at a time. My goal isn't to become a developer overnight—that's just not realistic with family life. Instead, I'm focusing on steady progress.

One day, I'd love to build something useful, especially in security, but I also want to make sure it's fun to work on. After all, if I don't enjoy the journey, what's the point?

If you're also balancing coding and family life, I'd love to hear your story. How do you make it work?

]]>

Automating Your Home with n8n

Sat, 29 Mar 2025 19:17:41 GMT

Automating Your Home with n8n

I've been exploring different ways to streamline my home server setup, and one tool that's been a game-changer is n8n. If you're like me—juggling family life while trying to optimise your home tech—this might be exactly what you need.

What is n8n?

n8n is a workflow automation tool. Think of it as the glue that connects different services and applications. It's similar to tools like Zapier or Make but with one massive advantage: you can self-host it.

This means:

Your data stays on your own server
No monthly subscription fees
Complete control over your workflows
The ability to connect to local services on your network

For into home automation, these benefits are huge. I can create workflows that connect my home server alerts to my phone, automate file backups for family photos.

https://strapi.my-home-portal.com/uploads/intergrations_e3dda931cd.png

The ability to connect different services without relying on cloud providers gives me peace of mind about where our family data is stored and processed.

Why I Chose to Self-Host n8n

There are plenty of automation services out there, but most require you to send your data through their servers. As someone who values control over my infrastructure, I prefer keeping things local when possible.

Self-hosting n8n gives me:

Complete data ownership and privacy
Integration with my other self-hosted services
A chance to tinker and learn (during those precious late-night coding sessions)
No limits on the number of workflows I can create
Freedom from subscription fees
The ability to customize and extend as needed

The self-hosted approach fits perfectly with my home server philosophy: why pay for a service when you can run it yourself and learn something in the process?

https://strapi.my-home-portal.com/uploads/cover_a4acfe1747.png

Setting Up n8n with Docker Compose

Let me walk you through how I set up n8n on my home server. It's surprisingly straightforward, especially if you're already using Docker.

Prerequisites

A server running Docker and Docker Compose
Basic understanding of networking (nothing too complex)
A few minutes of quiet time (the hardest part to find!)

Step 1: Create Your Docker Compose File

First, create a new directory for your n8n configuration:

            "hljs-string">"hljs-built_in">"hljs-built_in">mkdir ~/n8n
"hljs-string">"hljs-built_in">"hljs-built_in">cd ~/n8n

Then, create a docker-compose.yml file:

            nano docker-compose.yml

Copy and paste this configuration:

            version: "3"
services:
  n8n:
    image: n8nio/n8n:latest
    container_name: n8n
    restart: unless-stopped
    ports:
      - 5678:5678
    environment:
      - N8N_SECURE_COOKIE=false
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=YourUsername
      - N8N_BASIC_AUTH_PASSWORD=YourStrongPassword
      - WEBHOOK_URL=https://your-cloudflare-tunnel-url.com
    volumes:
      - ~/Documents/n8n/n8n_data:/home/node/.n8n
    networks:
      - my_custom_network

networks:
  my_custom_network:
    external: true

Step 2: Customize Your Configuration

Here's what each part of the configuration does:

image: n8nio/n8n:latest - Uses the latest version of n8n
restart: unless-stopped - Makes sure n8n starts after a reboot
ports: - "5678:5678" - The default port for n8n's web interface
N8N_BASIC_AUTH_ACTIVE - Enables password protection
N8N_BASIC_AUTH_USER and N8N_BASIC_AUTH_PASSWORD - Your login credentials
WEBHOOK_URL - If you're using Cloudflare Tunnel to access n8n remotely, set this to your tunnel URL
volumes - Maps a local folder to store your workflows and data
networks - Connects to your existing Docker network (if you have one)

Make sure to replace YourUsername and YourStrongPassword with actual values. This is especially important if you plan to access n8n from outside your home network.

Step 3: Create the Data Directory

Before starting the container, create the data directory:

            "hljs-string">"hljs-built_in">"hljs-built_in">mkdir -p ~/Documents/n8n/n8n_data

Step 4: Launch n8n

Now, start up n8n with:

            docker-compose up -d

The -d flag runs it in detached mode, so it continues running in the background.

Step 5: Access the n8n Dashboard

Once the container is running, you can access the n8n dashboard by opening:

http://your-server-ip:5678

If you're running it on the same machine, just use:

http://localhost:5678

You'll be prompted for the username and password you set in the docker-compose file.

Setting Up Remote Access (Optional)

If you want to access n8n from outside your home network, I recommend using Cloudflare Tunnel (formerly Argo Tunnel). It's free, secure, and doesn't require opening ports on your router.

The WEBHOOK_URL environment variable in the docker-compose file should point to your Cloudflare Tunnel URL so that webhooks work properly when triggered from external services.

My First n8n Workflow: WebSecScan Security Auditor

One of my favorite workflows I've implemented with n8n is an AI-powered website security auditor called WebSecScan. It's a powerful tool that provides comprehensive security analysis for any website.

Here's what it does:

Performs dual-layer security analysis using OpenAI models to detect vulnerabilities and misconfigurations
Analyzes HTTP headers, CORS policies, CSP implementation, and cookie security
Identifies potential XSS vectors, information disclosure risks, and client-side weaknesses
Automatically calculates a security grade (A+ to F) based on findings severity
Generates a professional HTML report and delivers it via email

The best part? The entire process is non-invasive, performing analysis without active scanning or exploitation attempts.

https://strapi.my-home-portal.com/uploads/website_Security_Auditor_ef3723d629.png

WebSecScan: AI-Powered Website Security Auditor

Setting this up was surprisingly straightforward. The workflow uses a multi-agent architecture with two specialized OpenAI instances running custom prompts tailored for security analysis. When someone submits a URL through the form, the workflow springs into action, generating a detailed report within minutes.

What I love about this implementation is how it demonstrates n8n's flexibility. By combining AI services with email delivery and custom HTML generation, I've created something truly useful that would typically require a dedicated SaaS subscription.

Tips for Setting Up n8n

If you're just getting started with n8n, here are a few recommendations:

Start simple: Begin with basic workflows before tackling complex automations
Use the schedule feature: Automate recurring tasks to run at optimal times
Leverage the community: Browse the n8n workflow templates for inspiration
Document as you go: Add notes to your nodes to remember your logic months later
Test incrementally: Build and test your workflow in small chunks to easily identify issues

Conclusion

Setting up n8n has been one of the most satisfying additions to my home server setup. It strikes the perfect balance between being powerful enough for complex automations while remaining approachable for those late-night coding sessions when my brain is already half asleep.

If you're into home automation and self-hosting, I highly recommend giving n8n a try. The initial setup is quick, and the time you'll save through automation is invaluable—especially when you're trying to balance tech projects with other responsibilities.

Have you tried n8n or similar automation tools? What workflows have you created to make your digital life easier? I'd love to hear your experiences!

Resources

]]>

Dale John Dunlop

Why Build a Zero Trust Home Server?

Why Build a Zero Trust Home Server?

What You Can Self-Host Securely

Real-World Performance Expectations on Raspberry Pi 4 (4GB)

Setting Up Your Raspberry Pi

Hardware Requirements

Step 1: Install Raspberry Pi OS

Step 2: Initial Configuration

Step 3: Security Hardening

Remove Password Authentication for SSH

Set Up Basic Firewall

Install Fail2Ban to Protect from Brute Force Attacks

Setting Up Docker and Portainer

Install Docker and Docker Compose

Create Directory Structure

Install Portainer for Docker Management

Setting Up AdGuard Home In Detail

Initial Setup

Common DNS Issues and Fixes

Configuring AdGuard Home

1. DNS Settings

2. Filtering

3. Configuring Local DNS Records

4. Client Configuration

5. Security Features

6. Statistics and Logs

Using AdGuard with Tailscale

Setting Up Zero Trust Remote Access

Method 1: Tailscale - VPN-Like Mesh Network

Install Tailscale

Configure Tailscale for Subnet Routing (Optional)

Setting Up ACLs and Policy

Method 2: Cloudflare Tunnel with Docker Compose

Prerequisites

Setting Up Cloudflare Tunnel via Web UI Docker Compose

Setting Up Essential Self-Hosted Services

Create a Complete Docker Compose Stack

Setting Up a Homer Dashboard

Setting Up Nginx Proxy Manager for Local Domain Names

Accessing Your Services

On Your Local Network

Remote Access with Tailscale

Remote Access with Cloudflare Tunnel

Advanced Security Enhancements

Set Up Service-Specific Networks

Container Hardening

Implement Traefik as a Reverse Proxy (Optional)

Troubleshooting Common Issues

Network Connectivity Issues

Docker Issues

Cloudflare Tunnel Issues

Maintenance Checklist

Weekly Tasks

Monthly Tasks

Quarterly Tasks

Community Resources

Forums & Communities

Discord Servers

YouTube Channels

What's Next?

Advanced Projects

Final Thoughts

Hello World : Family Edition

What my day looks like

My Computer Setup

How I Stay Motivated

Little Features with Big Meaning

Current Projects

Tools I Use

Biggest Challenges

What's Next?

Want to Share Your Story?

Automating Your Home with n8n

What is n8n?

Why I Chose to Self-Host n8n

Setting Up n8n with Docker Compose

Step 1: Create Your Docker Compose File

Step 2: Customize Your Configuration

Step 3: Create the Data Directory