A single ARM board now runs my media server, photo backup, home automation, personal cloud, DNS-level ad-blocking and a dozen other things. The interesting part is not that it fits — it’s that I can rebuild all of it from a freshly flashed disk.
A blueprint, not a snowflake
The failure mode of self-hosting is a pile of containers only their author understands, impossible to recreate after a disk dies. I forced the opposite: every service is a sanitized Compose file, every decision is written down, and the docs are good enough that a stranger could reproduce the stack.
# downloads never touch the internet without the tunnel
services:
  gluetun: { image: qmcgaw/gluetun } # kill-switched WireGuard
  qbittorrent:
    network_mode: "service:gluetun" # drops dead if the VPN does
Routing every download through a kill-switched VPN, exposing nothing directly, and getting in over Tailscale and a Cloudflare Tunnel — none of it is exotic. It’s just written down, in order, so future-me can trust it.
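A rebuild is the moment these two rules are easiest to break, so here is a check for them, added as an example and not taken from the author's repository. It reads the JSON printed by `docker compose config --format json`; the function names, the sample data and the policy that a port bound to a specific host address is acceptable are assumptions.

```python
import json

WILDCARD = {"", "0.0.0.0", "::"}  # an empty host IP means "all interfaces"

def host_ip(port):
    """Host bind address of one ports entry (long dict or short string form)."""
    if isinstance(port, dict):
        return port.get("host_ip", "")
    parts = str(port).split("/")[0].rsplit(":", 2)  # drop "/tcp", split from the right
    return parts[0].strip("[]") if len(parts) == 3 else ""

def audit(compose, tunnel="gluetun", must_tunnel=("qbittorrent",)):
    """Return findings for a Compose model; an empty list means it passes."""
    services = compose.get("services", {})
    findings = []
    if tunnel not in services:
        findings.append(f"{tunnel}: tunnel service missing")
    # Rule 1: download clients must live in the tunnel's network namespace.
    for name in must_tunnel:
        mode = services.get(name, {}).get("network_mode")
        if mode != f"service:{tunnel}":
            findings.append(f"{name}: network_mode is {mode!r}, not service:{tunnel}")
    # Rule 2: nothing is published on every host interface.
    for name, svc in services.items():
        for port in svc.get("ports") or []:
            if host_ip(port) in WILDCARD:
                findings.append(f"{name}: port published on all interfaces: {port}")
    return findings

# Constructed samples (not the author's files), shaped like the output of
# `docker compose config --format json`.
GOOD = json.loads("""{"services": {
  "gluetun": {"image": "qmcgaw/gluetun",
              "ports": [{"host_ip": "127.0.0.1", "target": 8080, "published": "8080"}]},
  "qbittorrent": {"network_mode": "service:gluetun"}}}""")
BAD = json.loads("""{"services": {
  "gluetun": {"image": "qmcgaw/gluetun"},
  "qbittorrent": {"ports": ["8080:8080"]}}}""")

if __name__ == "__main__":
    for label, model in (("good", GOOD), ("bad", BAD)):
        print(label, audit(model) or "ok")
```

The bad sample fails both rules: the client has left the tunnel's namespace and publishes its web UI on every interface.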
The real lesson
Infrastructure you can’t rebuild is a liability dressed up as an asset. Writing the runbook as I went is what turned a hobby into something I’d actually stake my photos on.