Self-Host — AI, Ops, Security & Useful Self-Hosted
Run LLMs locally, host your own services, and harden infrastructure — Self-Hosted AI, Useful Self-Hosted catalog, Ops, Networking, Security & Pentesting, plus deployment approaches.
Run LLMs locally, host your own services, and harden infrastructure — Self-Hosted AI, Useful Self-Hosted catalog, Ops, Networking, Security & Pentesting, plus deployment approaches.
For other areas of the site see Build, Make, Self-Host, Live, or Contribute. Cross-cutting picks: Self-Hosted Picks Index.
Self-Hosted AI
- Self-Hosted AI Overview — Run LLMs on your own hardware in 2026 — the Llama 4, Qwen 3, DeepSeek V3 / R1, Mistral, Phi-4 era.
- Hardware Tier Guide — From $0 to $25,000+ — what GPU / CPU / RAM and what models actually run at each tier in May 2026. The headline page.
- Ollama Deep Dive — The default starting-point inference engine for local LLMs in 2026.
- llama.cpp — The C++ reference inference engine, GGUF, and the foundation under Ollama and most local LLM tools.
- LM Studio — GUI-first local LLM app, the easiest path for non-developers.
- vLLM and SGLang — High-throughput batched inference servers for production self-host serving.
- TGI, TabbyAPI, Aphrodite — Hugging Face TGI, exllamav2's TabbyAPI, Aphrodite Engine.
- text-gen-webui & KoboldCpp — The roleplay and creative-writing local stack — oobabooga's webui, KoboldCpp, SillyTavern.
- Jan and GPT4All — FOSS desktop chat apps for non-technical users — alternatives to LM Studio that stay open-source.
- Open Weight Models — May 2026 Landscape — Llama 4, Qwen 3, DeepSeek V3 / R1, Mistral, Phi-4, Gemma 3, Command-R+.
- Local Coding Models — Qwen2.5-Coder, DeepSeek-Coder, Codestral, CodeLlama.
- Vision & Multimodal Models — Qwen2.5-VL, Llama-3.2 / 4 Vision, Pixtral, MiniCPM-V.
- Embeddings & Rerankers — BGE, E5, Nomic Embed, Jina, GTE, Mixedbread for local RAG.
- Quantization (GGUF, AWQ, EXL2, FP8) — What each format is, when to use which, why Q4_K_M is the sweet spot.
- Open WebUI — The dominant ChatGPT-clone front-end for local — multi-user, RAG, MCP, the canonical pair with Ollama.
- LibreChat, AnythingLLM, Lobe Chat — Multi-user, multi-model chat dashboards.
- Big-AGI, Msty, and other front-ends — Big-AGI's developer chat, Msty's parallel-conversations approach.
- Agentic Coding Overview — Cursor / Claude Code alternatives that work locally — the honest 2026 reality.
- Aider Deep Dive — The dominant FOSS terminal-based AI pair programmer.
- Cline, Roo Code, IDE Agents — VS Code AI agents that read, edit, and run commands.
- Continue.dev Deep Dive — The FOSS IDE AI assistant — chat, FIM tab completion.
- OpenHands, SWE-agent, Plandex — The "give it a task" autonomous coding agents — what works, what doesn't.
- Model Context Protocol (MCP) — Anthropic's open spec for AI tool servers — and the FOSS server ecosystem.
- Claude Code as Paid Companion — When the paid gold standard is worth it, and how it pairs with self-host.
- Local RAG Stacks — Open WebUI RAG, AnythingLLM, LightRAG, Verba, Khoj — "ask my documents" workflows.
- Voice Stack — Whisper, Piper, Coqui, Kokoro — Local STT and TTS for voice assistants and dictation.
- ComfyUI & Local Image Generation — Stable Diffusion / SDXL / SD3 / Flux.1 in the dominant FOSS image-gen app.
- Local Video Generation — AnimateDiff, Mochi-1, LTX-Video, Hunyuan, Wan — what's actually feasible at home.
- Fine-Tuning — Unsloth, Axolotl, MLX-LM — LoRA, QLoRA, DoRA — when fine-tuning is worth the trouble vs RAG.
- Cloud vs. Local — Honest Cost Math — When does local pay back vs API tokens? The break-even calculation.
- Mac & Apple Silicon Guide — M-series unified memory, MLX framework, the Apple track.
- Cloud Rentals — vast.ai, RunPod, Lambda — Rent before you buy. The honest cheap-GPU marketplaces.
- AI Observability — LiteLLM, Helicone, Langfuse — Logging, budgets, traces, evals for your local and hybrid LLM stack.
Useful Self-Hosted
- Self-Hosted Document Management — Paperless-ngx, Mayan EDMS, Teedy, Papermerge — replace your filing cabinet.
- Self-Hosted Email Servers — Mailcow, Mail-in-a-Box, Mailu, Stalwart, Maddy — run your own SMTP / IMAP / JMAP.
- Self-Hosted Browser-Based IDEs — code-server, OpenVSCode Server, Coder, Daytona, DevPod, Kasm.
- Self-Hosted Web Archiving & Page Capture — ArchiveBox, SingleFile, gallery-dl, ChangeDetection.io.
- Self-Hosted Podcast Hosting & Sync — Castopod, PinePods, gPodder Sync, Podgrab.
- Self-Hosted Link-in-Bio Pages — LinkStack, LittleLink, Linkr — own your "linktr.ee" with one container.
- Self-Hosted Document Signing — Documenso, DocuSeal, OpenSign — DocuSign / HelloSign alternatives.
Security & Pentesting
- Pentest Linux Distributions — Kali, ParrotOS, BlackArch and friends — pre-loaded offensive-security workstations.
- Anonymity & Privacy OS — Tor, Tails, Whonix, Qubes, sandbox / privacy-focused OSes.
- OSINT & Reconnaissance — Shodan, Maltego, theHarvester, SpiderFoot, Sherlock — passive intel from public sources.
- Subdomain & Asset Discovery — Amass, Subfinder, httpx, dnsx — finding everything a target owns.
- Bug Bounty Recon Workflows — Reconftw, Axiom, ProjectDiscovery — automating recon at scale.
- Network Scanning — Nmap & Friends — Port scans, service / version detection, and "what's listening on this /16."
- Vulnerability Scanners — Nuclei, Nikto, OpenVAS — "Is this CVE present?" — template- and signature-driven vulnerability scanners.
- Web App Testing — Burp, ZAP, Caido — Intercepting proxies and web app pentest platforms.
- Web Fuzzing & Content Discovery — ffuf, feroxbuster, Gobuster, dirsearch — finding hidden paths, params, vhosts.
- Active Directory & Entra ID Pentesting — BloodHound, NetExec, Impacket, Rubeus — owning AD and Azure AD.
- Wireless / Wi-Fi Pentesting — Aircrack-ng, Bettercap, hcxdumptool — auditing Wi-Fi, WPA, WPS, captive portals.
- Password Cracking — Hashcat & John — Offline hash cracking, online brute force, wordlist generation.
- Exploitation Frameworks (Metasploit, etc.) — Metasploit, exploit dev kits, and post-exploitation frameworks.
- Red Team C2 — Sliver, Mythic, Havoc — Modern command-and-control frameworks for authorised red-team ops.
- Phishing & Social Engineering — GoPhish, Evilginx — Phishing simulation, MITM phish-proxies, and the awareness-platform alternatives.
- Mobile Pentesting — MobSF, Frida, Drozer — Android & iOS app teardown, dynamic instrumentation, MASTG.
- Container & Kubernetes Pentesting — kube-hunter, Kubescape, Peirates — attacking and auditing containerised infra.
- Cloud Pentesting — AWS, Azure, GCP — Pacu, Prowler, ScoutSuite, AzureHound, gcp_scanner — attacking and auditing cloud accounts.
- AI / LLM Red Teaming — PyRIT, garak, Promptmap, Lakera — finding prompt-injection, jailbreaks, data leakage in LLM apps.
- Reverse Engineering — Ghidra, IDA, Binary Ninja — Disassemblers, decompilers, debuggers — for binaries, drivers, firmware.
- Binary & Protocol Fuzzing — AFL++, libFuzzer, Honggfuzz, Boofuzz — finding bugs by feeding garbage in.
- CTF Tools — pwntools, GEF, angr — Exploit dev, ROP, decoders, scripting glue for capture-the-flag.
- Hardware Hacking — Flipper Zero & Friends — Flipper, ChipWhisperer, JTAGulator, Proxmark, HackRF — for physical / embedded engagements.
- Crypto & TLS Testing — testssl.sh, sslyze, jwt_tool — auditing TLS, JWTs, and weak crypto in the wild.
- Exploit DBs & Cheat Sheets — HackTricks, GTFOBins, LOLBAS, PayloadsAllTheThings, Exploit-DB, OWASP Cheat Sheets.
- Pentest Reporting & Collaboration — SysReptor, Ghostwriter, Dradis, Faraday — the report is the deliverable.
- Bug Bounty Platforms — HackerOne, Bugcrowd, Intigriti, YesWeHack — where to hunt and where to receive.
- Security Training Platforms — HackTheBox, TryHackMe, PortSwigger Academy, OffSec — where to actually learn this stuff.
- Threat Modeling Tools — Threat Dragon, pytm, Threagile, MS TMT — STRIDE / PASTA / data-flow diagrams.
- Detection — Sigma, YARA, ATT&CK — Open detection rule formats and adversary-emulation testing.
- SIEM — Wazuh, Graylog, Security Onion — Open-source SIEMs and the cloud-native paid alternatives.
- Incident Response — TheHive, Cortex, DFIR-IRIS — Case management, playbooks, observable enrichment, IR workflow.
- Endpoint Detection — OSQuery & EDR — OSQuery, Wazuh agents, Velociraptor, Falcon, SentinelOne — visibility on every endpoint.
- Network IDS / NSM — Suricata, Zeek, Snort — Signature + anomaly + protocol-aware traffic monitoring.
- WAF — ModSecurity, Coraza, BunkerWeb, Cloudflare — Web application firewalls — open-source on-prem and cloud-managed.
- Honeypots — T-Pot, Cowrie, Dionaea — Catch attackers in the act, harvest IOCs, study TTPs.
- Threat Intelligence — MISP, OpenCTI, OTX — IOC sharing, threat feeds, and turning intel into detection.
- DFIR — Velociraptor, Autopsy, KAPE — Endpoint forensics, triage collection, timelining — investigate after the alert fires.
- Memory Forensics — Volatility & MemProcFS — Pulling secrets, processes, malware, and rootkits out of RAM dumps.
- Malware Analysis & Sandboxes — REMnux, CAPE, Joe Sandbox, ANY.RUN — detonate samples and learn what they do.
- Steganography & File Carving — binwalk, foremost, ExifTool, zsteg, StegSolve — pulling secrets out of files.
Ops & Infrastructure
These are the categories you'll touch when running infra. Each page lists popular options with a "pick this if…" line.
Infrastructure as Code
- IaC — Terraform / OpenTofu, Pulumi, AWS CDK, SST, Crossplane.
- Configuration Management — Ansible, Salt, Chef, Puppet, cdist.
- Image Building — Packer, Buildah, Kaniko, Earthly, Dagger, BuildKit.
- Cloud-init & Provisioning — cloud-init, Ignition, Tinkerbell, MAAS.
Containers & Images
- Container Basics — Docker, Podman, containerd, runc, Buildah, Skopeo.
- Container Registries — Harbor, Distribution, Quay, ghcr.io, Cloudflare CR.
- Image Supply Chain — Cosign, Sigstore, Syft, SBOM, SLSA, in-toto.
Kubernetes core
- Kubernetes Distros — kubeadm, k3s, k0s, microk8s, Talos, EKS / GKE / AKS.
- Local Kubernetes — kind, k3d, minikube, Rancher Desktop.
- Helm & Templating — Helm, Kustomize, kapp, jsonnet, ytt, cdk8s.
- Kubectl & CLI Tools — kubectl, k9s, kubectx, stern, krew, Lens, Headlamp.
- Operators & Controllers — Operator SDK, Kubebuilder, Kyverno, common operators.
- Ingress — ingress-nginx, Traefik, Contour, Cilium Gateway, Gateway API.
- Storage — Longhorn, Rook, OpenEBS, Portworx, CSI drivers.
- Infra Secrets — Vault, External Secrets, SOPS, sealed-secrets.
Kubernetes advanced
- Service Mesh — Istio, Linkerd, Cilium, Consul Connect, Kuma.
- GitOps / CD — Argo CD, Flux, Spinnaker, Argo Rollouts, Flagger.
- Multi-cluster — Cluster API, Karmada, KubeStellar, Submariner.
- Chaos Engineering — Chaos Mesh, Litmus, Gremlin, AWS FIS.
- Policy as Code — OPA, Kyverno, Gatekeeper, Cedar, Conftest.
- K8s Dev Loop — Tilt, Skaffold, Devspace, Garden, Okteto.
Non-Kubernetes orchestration
- Nomad & Friends — Nomad, ECS, Docker Swarm.
- Self-Host PaaS — Coolify, Kamal, Dokku, CapRover, Easypanel.
Networking
- VPN / Mesh — WireGuard, Tailscale, Headscale, Netbird, Nebula.
- Reverse Proxy & LB — HAProxy, Nginx, Caddy, Traefik, Envoy, MetalLB.
- DNS Infrastructure — PowerDNS, BIND, CoreDNS, Pi-hole, Unbound, Technitium.
- Firewalls — ufw, nftables, pfSense, OPNsense, FirewallD.
- Network Debugging — tcpdump, Wireshark, mtr, iperf3, nmap, ss.
Observability (infra)
- Prometheus Stack — Prometheus, VictoriaMetrics, Thanos, Mimir, Grafana.
- Log Aggregation — Loki, Fluent Bit, Vector, Graylog, OpenSearch.
- Distributed Tracing — Jaeger, Tempo, Zipkin, OTel Collector.
- Continuous Profiling — Pyroscope, Parca, Polar Signals.
- System Monitoring — Netdata, htop, btop, glances, Cockpit.
- eBPF Tools — bpftrace, BCC, Pixie, Cilium, Tetragon, Falco.
Storage & Filesystems
- Filesystems — ZFS, btrfs, XFS, ext4.
- Distributed Storage — Ceph, GlusterFS, MinIO, SeaweedFS.
Database HA
- Postgres HA — Patroni, repmgr, Stolon, PgBouncer, CloudNativePG.
- Redis HA — Sentinel, Cluster, KeyDB, DragonflyDB.
Security & Hardening
- Server Hardening — Lynis, OpenSCAP, fail2ban, CrowdSec, unattended-upgrades.
- PKI & Certs — cert-manager, smallstep, Vault PKI, ACME, Let's Encrypt.
- SSH & Bastion — Teleport, Boundary, smallstep SSH CA, Pomerium, sshpiper.
- Runtime Security — Falco, Tetragon, AppArmor, SELinux.
Backup & DR
- Backup (Sysadmin) — restic, borg, Kopia, Velero, Bacula, BackupPC.
Hardware & Bare Metal
- Bare-Metal Provisioning — MAAS, Tinkerbell, Foreman, Cobbler.
- Container Host OS — Talos, Bottlerocket, Fedora CoreOS, Flatcar.
Workflows & Pipelines
- Workflow / Pipelines — Argo Workflows, Tekton, Airflow, Prefect, Dagster.
Internal Developer Platforms
- IDPs — Backstage, Port, Cortex, Roadie, Humanitec.
Cost & FinOps
- FinOps — Infracost, OpenCost, Kubecost, Komiser, Vantage.
Coordination
- Service Discovery & Coordination — Consul, etcd, Zookeeper.
Self-Hosted Catalog
The day-to-day apps that justify a homelab. Repo links inline.
- Dashboards — Homepage, Glance, Dashy, Heimdall, Homer.
- Container Management UIs — Portainer, Dockge, Komodo, Watchtower, Nginx Proxy Manager.
- SSH Web Terminals — Termix, Wetty, ttyd, Sshwifty, XPipe.
- Monitoring & Uptime — Beszel, Uptime Kuma, Gatus, Netdata, ntfy.
- VPN & Tailscale Management — Headscale, Headplane, Wg-easy, NetBird, Pangolin.
- Photos & Media — Immich, Jellyfin, *arr stack, Audiobookshelf, Navidrome.
- Notes & Wikis — Outline, BookStack, Trilium, AFFiNE, Memos.
- Bookmarks, RSS & Read-Later — Linkding, Karakeep, FreshRSS, Miniflux, Wallabag.
- Files & Cloud — Nextcloud, Seafile, FileBrowser, Pingvin Share.
- Password Managers — Vaultwarden, Passbolt,
pass. - Git Forges — Forgejo, Gitea, GitLab CE, OneDev.
- Chat & Communications — Mattermost, Rocket.Chat, Matrix Synapse, Revolt.
- AI & LLMs — Ollama, Open WebUI, vLLM, ComfyUI, Jan.
- Automation — Home Assistant, n8n, Activepieces, Windmill, Node-RED.
- Personal Apps — Actual Budget, Mealie, Vikunja, Plane, Paperless-ngx.
- Search Front-Ends — SearXNG, Whoogle, Invidious, Redlib.
Workstation & Shell
- Terminal & CLI Tools — tmux, zellij, mosh, Starship, fzf, ripgrep, bat.
- Dotfiles Management — chezmoi, yadm, GNU Stow.
- File Sync & Transfer — rsync, rclone, Syncthing, croc, magic-wormhole.
Self-Host Approaches
- See Self-Host Approaches for the full "where should this thing run?" decision tree — single VPS, homelab, self-host fleet, managed cloud, serverless-only, Kubernetes.