This repository aims to show how a home server can be created on low-resource hardware (Raspberry Pi 5 with 8 GB of RAM) while being as local as possible and easily reproducible. These requirements mean one thing: anyone who clones this repository and follows the instructions in the README of each service should be able to reproduce this home server. In line with these requirements, the services chosen for this server should be as open-source as possible: a few exceptions are not open-source, as they don't have any open-source alternative.
Here are the different administrative features that allow this server to be easily reachable (from local or outside networks) and easily maintainable, while having robust security. The list is sorted in installation order: it is best to implement the first items first, then the later ones, meaning that the first items are the most critical.
- AdGuard: mostly used as a local DNS in order to reach the server with a domain name.
- Traefik: easily access the different web apps through domains and subdomains. Included in the security stack: Fail2Ban, CrowdSec, OWASP's ModSecurity (WAF), GeoBlock, mTLS.
- OpenSSL: this directory includes scripts to create a wildcard domain certificate that will be served through Traefik.
- Authentik: provides authentication, either through forward auth with the help of Traefik, or through OIDC. Authentik needs valid certificates in order for WebAuthn to work. WebAuthn (passkeys) is a great way to add security by creating a first authentication factor that does not rely on the user's memory, but on the user's devices ("something you have", "something you are").
- Backrest: back up the server and its content through an easy-to-use interface. Backrest creates off-site backups with the help of a second server (Raspberry Pi 400) and the Docker container REST Server.
- Headscale/Tailscale/WireGuard: access the home server from outside the local network by opening as few ports as possible.
- Beszel/Grafana-Prometheus/Scrutiny: monitor the health of the system and the drives.
- Diun/Watchtower/WhatsupDocker: regularly check for Docker container updates and apply them with a few clicks.
- Code-Server: easily access the server for administration.
Here are the containers that are not part of the inner workings of the server: none of them is necessary, and they exist only because of the server administrator's interests.
- Actual Budget/Firefly: follow your finances
- Change Detection IO: check for changes in webpages
- Filebrowser: turn this server into a NAS by accessing the files through a web interface.
- Immich: cloud photo and video management solution
- GhostFolio: Stock portfolio tracker
- Home Assistant: smart home hub
- Mealie: keep a collection of your favorite recipes
- Resilio-Sync: selectively synchronize files from this server to personal computers
- Stirling-PDF: easily edit your PDFs
- Vaultwarden: securely store your passwords (encrypted)