The Self-Hosted Family
An opinionated guide to progressive family computing
Preface
Self-hosted software is genuinely good now. Good enough to replace commercial services for photos, files, authentication, code hosting, and inference. Running it yourself is a way to learn how these systems actually work, and a way to offer that capability to the people around you.
This guide documents one approach to doing that for a family. It makes choices and defends them. If you found your way here because someone linked you to a specific chapter, that’s the intended use. If you stick around and discover how the rest of the decisions connect, even better.
One person maintains this stack. That constraint shapes every choice: what’s worth the maintenance burden, whether the upstream project is healthy enough to keep improving, and whether the people using it will actually find it pleasant.
The stack:
- Image-based Linux via CentOS Stream and bootc for an immutable, unattended host
- Authentik as a family identity provider (OIDC, LDAP, forward auth)
- Rootless Podman with quadlet/systemd, one service user per application
- pyinfra for agentless configuration management from a laptop
- Caddy sidecars for per-pod TLS termination and forward auth
- Envoy as the sole rootful component for L4/L7 ingress
- ZFS for storage with per-service datasets
The first part of the book covers foundations and design decisions. The second is a set of vignettes that show the design implemented, each illustrating an integration point or a novel concept. The third gets into operation and sustainment.
This is a living document. It changes when the stack changes.