A password manager is the single most important piece of software most people never think about. It quietly holds the keys to your email, your bank, your tax account, and the embarrassing forum you joined in 2009 and forgot to delete. Handing that responsibility to a cloud service is perfectly reasonable, and the big providers do a genuinely good job. But if you would rather your encrypted vault lived on a box in your own cupboard than on someone else’s servers, Vaultwarden is the project that makes self-hosting practical without demanding you become a cryptographer first. This guide walks through what it is, how to stand one up safely, and the honest trade-offs you accept when you take the keys back.

Setting up a traditional VPN is one of those tasks that looks simple in the brochure and turns into a weekend of misery in practice. You allocate subnets, open ports on a router you may not control, wrestle with NAT, distribute keys, and then discover that two clients behind the same carrier-grade NAT cannot talk to each other no matter how politely you ask. Tailscale exists because someone got tired of all that. It promises a private network where every device can reach every other device, with essentially no configuration, and for the most part it delivers.

There are two ways to learn that your website is down. The first is a polite alert on your phone at the first sign of trouble, giving you time to fix it quietly. The second is an angry message from a user, a customer, or your boss, after the outage has already done its damage. Uptime Kuma exists to make sure you get the first kind. It is a self-hosted monitoring tool that watches your services and shouts the moment one stops answering — and it is genuinely pleasant to use.

When a language model is not behaving as you would like, there is a powerful temptation to reach straight for the heaviest tool in the shed. People hear “fine-tuning,” picture a model retrained on their data, and book a pile of expensive GPU hours before they have even worked out what the actual problem is. More often than not, the result is wasted money and a model that is no better. The truth is that prompting, retrieval, and fine-tuning solve genuinely different problems, and choosing well saves you both effort and grief. This guide gives you a clear framework for picking the right one.

There is a particular magic to the modern hosting platforms. You connect a Git repository, push a commit, and moments later your application is live on the internet with a valid HTTPS certificate, a database attached, and a URL to share. Heroku pioneered it, Vercel and Netlify polished it, and a generation of developers grew used to never touching a server. The catch is the meter: those conveniences are billed by the seat, the build minute, and the gigabyte, and the numbers add up. Coolify offers the same workflow on a server you own, for the price of the server itself. This guide explains what it does and walks you through deploying a real application from a Git repository.

When you suspect something is wrong with a server — a sluggish response, an odd process, a vague unease — the temptation is to start poking at running state. But the running state is the present, and an intruder’s interesting work is usually in the past. The record of that past is sitting right there in your logs, already written, already timestamped. Logs are your first and cheapest forensic tool, and two utilities turn them from an overwhelming wall of text into a readable story: journalctl and lnav.

Cloud storage is wonderfully convenient right up until you read the fine print. Your files sync everywhere, your photos back themselves up, your calendar follows you between devices, and in exchange a very large company gets a detailed map of your life and the right to change the terms whenever it likes. Nextcloud is the open-source answer to that bargain: a self-hosted platform that gives you file sync, calendars, contacts, and even office documents, all running on a Linux box you control. This guide gets a robust Nextcloud running with Docker, puts it behind HTTPS, connects your devices, and sets sensible expectations about how it compares to the polished giants.

There is a particular kind of frustration in knowing that the answer you need is somewhere in a forty-page PDF, and that finding it means reading all forty pages. Retrieval-Augmented Generation turns that pile of documents into something you can simply talk to. Ask a question in plain English, and the system finds the relevant passages and answers from them. The very best part is that you can build a working version yourself, on your own machine, using only open-source tools and a modest Python script. This guide walks through exactly that — a small but complete RAG pipeline that lets you interrogate your own documents.

Git was designed to be distributed. Every clone is a full copy of the history, which means no single server is special and no company holds your project hostage. Yet somewhere along the way the world decided that “git” and “GitHub” were synonyms, and a vast amount of the world’s source code now lives on infrastructure owned by a single corporation. That is convenient right up until it is not. If you have ever wanted a home for your repositories that you fully control, that runs on a Raspberry Pi or a spare VPS, and that boots in milliseconds, Gitea is the answer. This guide gets you from nothing to a running, self-hosted git forge you can push to over SSH.

Every generation of software gets the vulnerability it deserves. The web era handed us SQL injection, a flaw so persistent it still tops vulnerability lists decades after the fix was well understood. The large language model era has produced its own signature weakness, and it rhymes almost perfectly with the old one. It is called prompt injection, and if you are building anything that lets a model read untrusted text, you need to understand it.

Everyone agrees backups are important, and almost nobody does them properly. The reason is rarely ignorance; it is friction. A backup scheme that is fiddly, slow or expensive simply does not get run, and an un-run backup is worth precisely nothing the day the disk dies. The good news is that two excellent open-source tools — BorgBackup and Restic — have made encrypted, deduplicated, automatable backups genuinely painless. This article walks through both, so you can pick one and actually use it.

If you have spent any time near the technology press recently, you will have noticed that the word “agentic” has quietly taken over. Where last year everyone wanted a chatbot, this year everyone wants an agent. The shift is real, but the hype has run well ahead of the substance, and it is worth slowing down to ask what agentic AI actually means, what it can genuinely do today, and where the marketing outpaces reality.

Kubernetes has a reputation for being magnificent and miserable in equal measure. It runs much of the modern internet, and it also reduces grown engineers to tears with its YAML, its jargon, and its sprawling list of moving parts. The good news is that you do not need a data centre, a cloud bill, or a team of platform engineers to learn it. You need a Raspberry Pi, a memory card, and an evening. K3s, a fully certified but dramatically slimmed-down Kubernetes distribution, will turn that little board into a real cluster you can poke at fearlessly. This guide takes you from a blank Pi to a running, internet-style deployment.

Go, sometimes called Golang to make it searchable, was born at Google out of frustration with the languages already on offer. The brief was unusual: build something deliberately small. Where most languages accumulate features over time, Go’s designers spent their energy leaving things out. The result is a language you can learn in a weekend and read at a glance, and one that occasionally makes you wish it would just let you do the clever thing. Simplicity is Go’s defining virtue and its defining limitation, often in the very same line of code. Here is the good, the bad, and the ugly.

Stand up a server, give it a public IP address, and within minutes complete strangers will start trying to log in. They are not people; they are tireless scripts sweeping the entire internet, guessing usernames and passwords, probing for known vulnerabilities, and hammering login forms in the hope that one in a million lands. Your authentication logs fill with failed attempts from places you have never been. This background radiation of automated attacks is simply the weather of the modern internet, and the question is not whether you will be probed but how cheaply you can make the probing fail. Two tools dominate the answer: the venerable Fail2ban and the newer, crowd-sourced CrowdSec. This guide covers both, and how they fit together.

Cloud coding assistants are wonderful right up until you remember where your code is going. Every keystroke, every half-finished function, every comment grumbling about a colleague’s API design is shipped off to someone else’s server. For a side project that scarcely matters; for proprietary code under a strict NDA it can be a genuine problem. The good news is that you can run a capable coding assistant entirely on your own machine, with no network round-trips and no data leaving the building. If you have already met Ollama in our introductory piece, this guide takes the next step: wiring a local model directly into your editor so it suggests code as you type.

Your phone has quietly become the family archivist. Every birthday, holiday, and blurry photograph of a meal you wanted to remember is funnelled, by default, into a cloud service owned by a company whose business is understanding you. Google Photos is genuinely excellent software, but the price of that convenience is handing over an intimate, decades-long record of where you have been, who you know, and what your life looks like. There is now a credible way to keep all of that magic while moving the storage onto a server you control. It is called Immich, and this guide walks through standing it up on a Linux box and pointing your phone at it instead of the cloud.

A chatbot answers a question and goes quiet. An agent reads the question, decides on a plan, calls a few tools, checks the result, and tries again until it considers the job done. That loop is enormously useful, and it is also exactly why a misbehaving agent can do real damage before anyone notices. When software can act on its own, securing it stops being a matter of sanitising inputs and becomes a question of bounding behaviour.

You have written a small program. It runs beautifully in your terminal. Then you close the terminal, or the box reboots, or the process quietly dies at 3am, and your service is simply gone. There is a tool already installed on virtually every modern Linux machine that solves all of this, and yet a surprising number of people treat it like forbidden magic. That tool is systemd, and writing your first service unit is far less frightening than its reputation suggests.

JavaScript is famous for being the language that lets you do anything, including all the things you absolutely should not. TypeScript is JavaScript that has finally sat down and read the manual: same language, same runtime, but with a type system bolted on top that catches your mistakes before your users do. It has gone from a curiosity to the default way large teams write JavaScript, and for good reason. Continuing our series on programming languages, here is TypeScript in three acts.

Most filesystems are optimists. They write your data, assume the disk told the truth, and trust that the bytes you read back tomorrow are the bytes you wrote today. ZFS is a pessimist, and that pessimism is exactly why people who care about their data fall in love with it. It checksums everything, verifies what it reads, repairs what it can, and tells you loudly when it cannot. Born at Sun Microsystems and now thriving as OpenZFS on Linux, FreeBSD, and macOS, it folds the volume manager, the RAID layer, and the filesystem into one coherent whole. This guide walks you through the ideas and the actual commands you need to run ZFS at home without a degree in storage engineering.

Imagine a brilliant colleague who has read most of the internet, speaks with unshakeable confidence, and occasionally invents a fact so smoothly that you only catch it because you happen to know the truth. That is a large language model on a bad day. It is not lying, exactly; it simply does not know what it does not know. Retrieval-Augmented Generation, or RAG, is the technique that hands that colleague a library card and a quiet instruction: before you answer, go and look it up. The result is an AI that grounds its words in real documents rather than in the foggy recollections of its training data.

The most common way servers get compromised is not some dazzling zero-day wielded by a state actor. It is a known vulnerability, with a published fix that has been sitting in the distribution’s repositories for weeks, on a box where nobody ran the update. Patching is unglamorous, easy to defer, and quietly catastrophic when neglected. The fix is to take human procrastination out of the loop entirely — and on Debian and Ubuntu, the tool for that is unattended-upgrades.

If you have ever wrestled with certificate files, cron jobs that renew them, and a configuration syntax that feels designed to punish typos, you will appreciate what follows. There is a web server that obtains valid HTTPS certificates for you, renews them before they expire, and routes traffic to your applications using a configuration file short enough to read in a single breath. It is called Caddy, and by the end of this guide you will have two services sitting safely behind it with proper TLS, no manual certificate handling, and roughly ten minutes of effort. This is what a reverse proxy is supposed to feel like.

“AI agent” is the phrase of the moment, and like most phrases of the moment it is doing a lot of work for a term few people can define. The simplest way to understand it is by contrast: a chatbot talks, an agent acts. One answers your question; the other goes off and tries to get the job done. That difference sounds small and turns out to be enormous, especially once the job in question is something as personal and consequential as managing your email. Let us unpack what an agent really is, and then ask the question in the title properly.

Browser ad blockers are good, but they only protect the browser. Your smart TV, your phone’s apps, the various gadgets quietly phoning home across your network, none of them benefit from an extension you installed on a laptop. Pi-hole solves this at the source by blocking unwanted domains for every device on your network at once. Pair it with Unbound and you go a step further, resolving DNS yourself rather than trusting a third party with the record of every site you visit. This guide builds that combination, explains why each piece matters, and is candid about the gotchas. If you have ever cleared a DNS cache to fix a stubborn lookup, you already understand more of this than you think.

Rust is a systems programming language that has spent the better part of a decade topping developer surveys for being the most loved and, in roughly the same breath, the most intimidating. It promises the performance of C and C++ with none of the dreaded segfaults, buffer overflows, or use-after-free bugs, and it delivers on that promise through a famously strict compiler. Whether that strictness feels like a guardian angel or a bureaucratic nightmare depends entirely on the day. Let us walk through the good, the bad, and the ugly.

Picture the scene: you are on a train, you want to check a service running at home, and your options are to expose that service to the entire internet or to go without. For years the answer to this dilemma was a clunky VPN that took an afternoon to configure and never quite behaved on mobile. WireGuard changes the calculus completely. It is a modern virtual private network so lean that its entire configuration fits in a file you can read at a glance, fast enough that you forget it is there, and secure enough that it has been merged into the Linux kernel itself. This guide builds a WireGuard tunnel from scratch so you can reach your homelab from anywhere without exposing a single service to the open web.

Every conversation you have with a language model is quietly measured, chopped, and counted in a unit you almost never see. It is not the word, nor quite the letter. It is the token: the atom of AI text, the thing the model actually reads, the thing your bill is calculated from, and the reason your carefully crafted prompt sometimes behaves in ways that feel slightly arbitrary. Understand tokens and a great deal about how these systems read, reason, and charge suddenly clicks into place.

That old desktop in the cupboard, the one too slow for modern games but far too capable to bin, is a homelab waiting to happen. With Proxmox VE you can carve a single physical machine into a dozen virtual ones, each isolated, each snapshot-able, each ready to host a different service. Instead of one box doing one job, you get a flexible platform where you can spin up a test server in two minutes and throw it away just as fast. This guide explains what Proxmox is, what hardware it needs, how to install it, and how to plan a sensible first homelab that complements the self-hosted services covered elsewhere on this blog.

Bash is the language nobody chooses and everybody uses. It is the duct tape and baling wire holding the internet together: the install scripts, the CI pipelines, the cron jobs, the “quick” one-liner that has been running in production for nine years. You do not set out to write Bash; you reach for it because it is already there, on every server you will ever touch, and before you know it you have a 400-line script with feelings. In keeping with our series on programming languages, here is Bash in three acts.

There was a golden age when Plex felt like magic: you pointed it at a folder of films, and suddenly your living room television displayed glossy posters, plot summaries, and trailers as if you ran a private streaming service. For many people that magic has slowly curdled into nagging account prompts, paywalled features, and the creeping sense that the software guarding your own files now answers to someone else. If you have started eyeing the monthly subscription column of your bank statement with suspicion, this guide is for you. We will build a media server that is genuinely yours, runs on a modest Linux box, transcodes video efficiently, and never once asks you to log in to a remote service to watch the films sitting on your own hard drive.

The password has had a remarkable run for something nobody likes. It is the default way we prove who we are online, and it is also the single most reliable way attackers break in. Passkeys are the industry’s serious attempt to retire it, and unlike most “the password is dead” headlines of the past decade, this one is actually shipping. Here is what a passkey is, why it is so much harder to steal than a password, and where it still falls short.

Not so long ago the idea of a capable language model running on the computer under your desk, with no internet connection and no monthly bill, sounded faintly absurd. We have written before about the leap from the stumbling early days of GPT-2 to the polished conversations of modern chatbots, and the assumption baked into all of it was that the clever part lived in someone else’s datacentre. That assumption no longer holds. A tool called Ollama has made running open-weight language models on your own hardware about as difficult as installing a music player. This guide shows you how to do it, what to expect from the machine you already own, and where the honest limits lie.

If you have followed any of our self-hosting guides, you will have noticed the same quiet hero turning up again and again: a file called compose.yaml. That is no accident. Docker Compose is the tool that turns a sprawling mess of container commands into one readable blueprint you can start, stop, and share. Understanding it properly will make every other containerised project on this blog click into place. This guide explains the problem Compose solves, walks through the anatomy of a Compose file, builds a real three-service stack, and covers the everyday commands you will actually use.