[{"content":" question: \u0026ldquo;What are the minimum specs for 24/7 Docker hosting?\u0026rdquo; answer: \u0026ldquo;2GB RAM minimum for a basic setup with 5-10 containers. 4-8GB is comfortable.\u0026rdquo; question: \u0026ldquo;How do I update Docker containers without downtime?\u0026rdquo; answer: \u0026ldquo;Watchtower automates updates. For manual control: pull new image, docker stop, docker rm, docker run with same arguments.\u0026rdquo; question: \u0026ldquo;Can I run Docker on a Raspberry Pi?\u0026rdquo; answer: \u0026ldquo;Yes. Most popular containers have ARM64 images. Performance is limited but fine for DNS filters and lightweight services.\u0026rdquo; question: \u0026ldquo;How do you handle container crashes?\u0026rdquo; answer: \u0026ldquo;Docker restart policies handle most failures (--restart unless-stopped). Check logs with docker logs for persistent issues.\u0026rdquo; TL;DR These five containers run non-stop on my homelab: AdGuard Home (DNS-level ad blocking), Nginx Proxy Manager (reverse proxy + free SSL), Uptime Kuma (real uptime monitoring), Portainer (container management), and Cloudflare Tunnel (secure external access without punching holes in my firewall). Together they cost about 15W idle and have saved me countless hours of manual work.\nWhy This List Matters Not every container is worth running 24/7. Some tools you use once, configure once, and never touch again. The containers on this list are different - they\u0026rsquo;re infrastructure. They earn their keep every single day by doing jobs that would otherwise require constant attention or expose me to security risks.\nAll of these run on a single Intel NUC with 16GB RAM. Idle power draw is around 15W for the whole stack.\n1. AdGuard Home - DNS-Level Ad Blocking Why I Run It\nAdGuard Home blocks ads and trackers at the DNS level, which means it works for every device on my network without needing client-side software. 
My TV, my phones, my IoT devices - all get ad blocking without any configuration on the devices themselves.\nWhat Makes It Worth It\nBlocks 15-20% of DNS queries on average (that\u0026rsquo;s CPU and data you didn\u0026rsquo;t pay for) Custom blocklists beyond the defaults - I block known telemetry domains Per-device filtering - my gaming machines get different rules than my work machines Query logs let me see what every device on my network is actually connecting to The Setup\nservices: adguard: image: adguard/adguardhome:latest container_name: adguard ports: - \u0026#34;53:53/tcp\u0026#34; - \u0026#34;53:53/udp\u0026#34; - \u0026#34;853:853/tcp\u0026#34; # DoT - \u0026#34;3000:3000/tcp\u0026#34; # Admin UI volumes: - ./work:/opt/adguardhome/work - ./conf:/opt/adguardhome/conf restart: unless-stopped network_mode: host The network_mode: host is important - DNS needs to intercept traffic, and host networking bypasses Docker\u0026rsquo;s internal DNS which would break filtering.\nWhat I\u0026rsquo;d Tell Someone Starting Fresh\nStart with the default blocklists, then add https://big.oisd.nl after a week. It\u0026rsquo;s a massive consolidated list that catches most things the default lists miss. Don\u0026rsquo;t go overboard with lists early - you want to be able to debug when something breaks.\n2. Nginx Proxy Manager - Reverse Proxy with Free SSL Why I Run It\nEvery service I expose externally goes through Nginx Proxy Manager. It handles SSL certificates automatically via Let\u0026rsquo;s Encrypt, and the web UI makes managing forwardings much less painful than editing nginx configs by hand.\nWhat Makes It Worth It\nWildcard SSL certificates with DNS challenge (Cloudflare API integration) Access lists for internal-only vs public services One-click SSL renewal Fail2ban built in for brute-force protection Dead simple to add a new service The Setup\nI run it alongside AdGuard because both want port 80/443. 
Traffic flows: Internet → Router → AdGuard (DNS filter) → Nginx Proxy Manager → Internal Services.\nnginx-proxy-manager: image: jlesage/nginx-proxy-manager:latest container_name: npm ports: - \u0026#34;80:8080\u0026#34; - \u0026#34;443:8443\u0026#34; - \u0026#34;81:81\u0026#34; # Admin UI volumes: - ./data:/data - ./letsencrypt:/etc/letsencrypt restart: unless-stopped The Caveat\nNginx Proxy Manager is great until you need something complex. If you need WebSocket support, advanced routing, or request buffering tuning, you\u0026rsquo;ll still end up editing nginx templates. For 90% of homelab setups though, it\u0026rsquo;s perfect.\n3. Uptime Kuma - Real Uptime Monitoring Why I Run It\nUptime Kuma tells me when something is down before whoever\u0026rsquo;s using it tells me. That email at 2am from a user saying \u0026ldquo;your thing is broken\u0026rdquo; becomes a notification that I got 15 minutes earlier.\nWhat Makes It Worth It\n404 monitoring catches more than just \u0026ldquo;is it up\u0026rdquo; - it catches broken redirects, missing SSL certs, SSL expiry Push monitors let me run health checks from inside containers themselves Status pages are shareable - I give these to non-technical people instead of teaching them to read monitoring dashboards Notification integrations: Gotify, email, webhooks, Telegram - I route critical alerts to Telegram The Setup\nuptime-kuma: image: louiscklaw/react-uptime-kuma:latest container_name: uptime-kuma ports: - \u0026#34;3001:3001\u0026#34; volumes: - ./uptime-kuma-data:/app/data restart: unless-stopped The Tip\nDon\u0026rsquo;t just monitor HTTP - add keyword monitoring. Set it to check that the response contains something specific. A 200 OK with a broken app still looks up to naive monitoring.\n4. Portainer - Container Management Why I Run It\nPortainer gives me a GUI for Docker without being as heavy as Kubernetes. 
I use it for:\nStarting/stopping containers without CLI Viewing logs in real-time (grep through logs in the browser is surprisingly useful) Quick volume inspection Network visualization What Makes It Worth It\nThe real value is for the 5% of tasks that are annoying in CLI. Viewing a container\u0026rsquo;s resource usage visually, dragging to fix a bad compose stack, quickly checking \u0026ldquo;what environment variables does this thing actually have?\u0026rdquo; These add up.\nThe Setup\nportainer: image: portainer/portainer-ce:latest container_name: portainer ports: - \u0026#34;9000:9000\u0026#34; - \u0026#34;9443:9443\u0026#34; volumes: - /var/run/docker.sock:/var/run/docker.sock - ./data:/data restart: unless-stopped The Warning\nPortainer has had CVEs. Don\u0026rsquo;t expose it externally, and keep it updated. I run it on an isolated network segment with no external exposure.\n5. Cloudflare Tunnel - External Access Without Port Forwarding Why I Run It\nCloudflare Tunnel lets me expose services to the internet without opening any ports on my router. No port forwarding, no dynamic DNS, no \u0026ldquo;my IP changed and now nothing works.\u0026rdquo; Traffic goes through Cloudflare\u0026rsquo;s edge, which also means DDoS protection and free TLS.\nWhat Makes It Worth It\nZero infrastructure exposure - my home IP isn\u0026rsquo;t directly reachable Automatic TLS Works great with Nginx Proxy Manager internally Tunnel keeps reconnecting automatically even after network hiccups Can share access to specific URLs without giving full network access The Setup\ncloudflare-tunnel: image: cloudflare/cloudflared:latest container_name: cloudflare-tunnel restart: unless-stopped command: tunnel run --token YOUR_TUNNEL_TOKEN The Catch\nYour traffic goes through Cloudflare. For personal homelab use this is fine. 
For enterprise or privacy-maximizing setups, you might want a different approach.\nComparison Table Container RAM Usage (Idle) CPU Usage (Idle) Power Draw Complexity AdGuard Home ~150MB 1-2% Minimal Low Nginx Proxy Manager ~50MB 1% Negligible Low Uptime Kuma ~200MB 2-3% Minimal Medium Portainer ~300MB 2% Minimal Low Cloudflare Tunnel ~80MB 1% Negligible Medium Key Takeaways AdGuard Home is the first thing I\u0026rsquo;d install - DNS-level blocking benefits every device Nginx Proxy Manager + Cloudflare Tunnel together give you free SSL and external access without router configuration Uptime Kuma pays off in early problem detection - the 5 minutes you save multiplied across a year Portainer is optional but nice to have for the visual sanity check All of these run on under 1GB RAM combined and add maybe 5W to your power bill. For the automation and security they provide, that\u0026rsquo;s a bargain.\nRelated Posts Homelab Networking: VLANs, Segmentation, and Why It Matters The Ultimate Self-Hosting Guide: Services You Actually Need ","permalink":"https://blog.santander.ovh/posts/five-docker-containers-24-7.html","summary":"\u003cul\u003e\n\u003cli\u003equestion: \u0026ldquo;What are the minimum specs for 24/7 Docker hosting?\u0026rdquo;\nanswer: \u0026ldquo;2GB RAM minimum for a basic setup with 5-10 containers. 4-8GB is comfortable.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003equestion: \u0026ldquo;How do I update Docker containers without downtime?\u0026rdquo;\nanswer: \u0026ldquo;Watchtower automates updates. For manual control: pull new image, docker stop, docker rm, docker run with same arguments.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003equestion: \u0026ldquo;Can I run Docker on a Raspberry Pi?\u0026rdquo;\nanswer: \u0026ldquo;Yes. Most popular containers have ARM64 images. 
Performance is limited but fine for DNS filters and lightweight services.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003equestion: \u0026ldquo;How do you handle container crashes?\u0026rdquo;\nanswer: \u0026ldquo;Docker restart policies handle most failures (--restart unless-stopped). Check logs with docker logs for persistent issues.\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"tldr\"\u003eTL;DR\u003c/h2\u003e\n\u003cp\u003eThese five containers run non-stop on my homelab: \u003cstrong\u003eAdGuard Home\u003c/strong\u003e (DNS-level ad blocking), \u003cstrong\u003eNginx Proxy Manager\u003c/strong\u003e (reverse proxy + free SSL), \u003cstrong\u003eUptime Kuma\u003c/strong\u003e (real uptime monitoring), \u003cstrong\u003ePortainer\u003c/strong\u003e (container management), and \u003cstrong\u003eCloudflare Tunnel\u003c/strong\u003e (secure external access without punching holes in my firewall). Together they cost about 15W idle and have saved me countless hours of manual work.\u003c/p\u003e","title":"5 Docker Containers I Run 24/7 (And Why They'd Break Without Them)"},{"content":"TL;DR Summary Tailscale builds a private mesh network between your devices using WireGuard. Once installed, every device on your network is reachable from any other, anywhere in the world, as if they were on the same LAN. No router ports opened, no dynamic DNS to maintain, no central server to manage. I\u0026rsquo;ve been using it for 6 months and haven\u0026rsquo;t touched my router settings since.\nThe Core Problem: Accessing Devices Across Networks Say you\u0026rsquo;re at a coffee shop and need to SSH into your home server. Or you\u0026rsquo;re traveling and need a file from your NAS. 
Or you\u0026rsquo;re at work and want to access your Home Assistant instance.\nTraditional solutions:\nPort forwarding — insecure, requires router access, breaks when ISP changes your IP Static IP — expensive, ISPs don\u0026rsquo;t reliably offer this for residential connections VPN (OpenVPN/WireGuard server) — one device acts as hub, all traffic flows through it, single point of failure SSH tunneling — works but fragile, requires knowing your public IP None of these are easy to set up and maintain for a normal person. Tailscale is different.\nWhat Tailscale Actually Is Tailscale is a control plane built on top of WireGuard. It handles the hard parts of peer-to-peer networking:\nNAT traversal — devices behind firewalls and NAT find ways to connect directly to each other Key management — WireGuard keys are generated and distributed automatically Identity — devices authenticate via your SSO provider (Google, GitHub, Microsoft) instead of shared secrets Network topology — you define which devices can reach which, and Tailscale enforces it Once installed, you have a virtual network where every device has a stable IP address (like 100.64.0.x) and can reach every other device directly.\nInstalling Tailscale On Your Server (Linux) # Install curl -fsSL https://tailscale.com/install.sh | sh # Connect with your SSO sudo tailscale up # This opens a browser window for authentication That\u0026rsquo;s it. Once authenticated, your server joins your private network and gets an IP like 100.64.0.2.\nOn Your Phone/Desktop Download the Tailscale app for iOS, Android, macOS, or Windows. Log in with the same SSO provider and your device joins the network immediately.\nYou\u0026rsquo;ll see all your devices listed with their Tailscale IPs:\njefferson-iphone 100.64.0.3 macbook-pro 100.64.0.4 home-server 100.64.0.2 work-laptop 100.64.0.5 
What You Can Do Once Connected SSH from Anywhere # From your laptop at a coffee shop ssh user@100.64.0.2 # That\u0026#39;s it. No IP to remember, no VPN client to connect. Your server is reachable by its Tailscale IP from any device on your network. It works on mobile data too.\nAccess Your NAS Map a network drive on macOS/Windows to \\\\100.64.0.2\\shared — no VPN client needed, no matter where you are.\nVNC/Remote Desktop Connect to your home computer via Tailscale IP: vnc://100.64.0.4 — feels like you\u0026rsquo;re on the same network.\nSelf-Hosted Services Access your AdGuard at http://100.64.0.2:53, your Jellyfin at http://100.64.0.2:8096, your Home Assistant at http://100.64.0.2:8123 — all without exposing any ports.\nUsing Tailscale as an Exit Node Tailscale\u0026rsquo;s free tier also lets you route all your traffic through a specific device — useful for using your home IP when you\u0026rsquo;re traveling, or routing through a server in a specific country.\nOn your home server, advertise as an exit node:\nsudo tailscale up --advertise-exit-node Then on your phone, enable exit node routing: Settings → Use exit node → select your home server.\nNow all your phone\u0026rsquo;s internet traffic routes through your home server. Your ISP sees your home IP. This is useful on untrusted WiFi networks — you\u0026rsquo;re effectively on your own private VPN.\nSharing Access Without Sharing Credentials The most powerful feature: you can invite others to your network without giving them SSO credentials.\nIn the Tailscale admin console (tailscale.com/admin), create a shareable link. Anyone who clicks it and authenticates gets added to your network — no admin credentials shared.\nFor a family member to access your home server, just send them an invite link. They install Tailscale, log in, and can reach your services. 
Revoke access anytime from the admin console — their device is immediately removed from the network.\nThis is incredibly useful for:\nFamily tech support (remotely access a parent\u0026rsquo;s computer) Small team infrastructure (contractors can join your network temporarily) Client projects (give auditors read-only access to specific services) ACLs: Control What Each Device Can Reach Tailscale\u0026rsquo;s Access Control Lists let you define rules about which devices can reach which:\n{ \u0026#34;acls\u0026#34;: [ { \u0026#34;action\u0026#34;: \u0026#34;accept\u0026#34;, \u0026#34;src\u0026#34;: [\u0026#34;group:family\u0026#34;], \u0026#34;dst\u0026#34;: [\u0026#34;tag:homeserver:22,80,443,8080-8090\u0026#34;] }, { \u0026#34;action\u0026#34;: \u0026#34;accept\u0026#34;, \u0026#34;src\u0026#34;: [\u0026#34;jefferson-iphone\u0026#34;], \u0026#34;dst\u0026#34;: [\u0026#34;tag:homeserver:22\u0026#34;] } ] } Your phone can only SSH into your server. Family devices can reach web services. Contractors can only reach specific tagged resources. Revoke a device and all rules stop applying immediately.\nCombining with Cloudflare Tunnel Tailscale and Cloudflare Tunnel solve different problems and work well together.\nUse Tailscale for:\nSSH, SCP, rsync Database admin (direct port access) VNC / remote desktop Internal APIs between services Use Cloudflare Tunnel for:\nPublic-facing services (Home Assistant to family members) Services you want accessible without Tailscale installed Adding Cloudflare\u0026rsquo;s auth layer to services without built-in login Both run on your server with no conflict. 
Tailscale for your personal access, Cloudflare Tunnel for public access.\nWhat I Run My Tailscale network (all on free tier):\nDevice Tailscale IP Purpose Home server 100.64.0.2 Primary homelab, SSH target MacBook Pro 100.64.0.4 Daily driver iPhone 100.64.0.3 Remote access, exit node client Work laptop 100.64.0.5 SSH into home when traveling Parents\u0026rsquo; Pi 100.64.0.6 Remote support access All traffic between devices is encrypted via WireGuard. I haven\u0026rsquo;t touched my home router in 6 months — port forwarding is disabled entirely.\nLimitations NAT traversal isn\u0026rsquo;t perfect. Some corporate networks or heavily restricted firewalls prevent peer-to-peer connections. When this happens, Tailscale falls back to DERP relay servers (run by Tailscale). Traffic still goes through Tailscale\u0026rsquo;s servers in this case — not ideal for latency, but it works.\nFree tier has limits. 100 devices is plenty for personal use. But if you want subnet routing (Tailscale to route to an entire network segment, like accessing 192.168.x.x via your home gateway), you need Tailscale\u0026rsquo;s paid tier.\nYou need the app installed. Tailscale requires a client on each device. This works great for phones and computers, but harder for devices like smart TVs or IoT gadgets where you can\u0026rsquo;t install software.\nKey Takeaways Set and forget — install on each device, authenticate, done. Network just works. Peer-to-peer — devices connect directly when possible, no VPN server bottleneck. SSO authentication — no shared secrets, revoke access from admin console. Free for personal use — 100 devices, all the core features. Works everywhere — cellular, coffee shop WiFi, corporate networks. Your server is always reachable. If you\u0026rsquo;ve been fighting with VPN configs, Dynamic DNS, or router ACLs — Tailscale is the upgrade. 
Once you\u0026rsquo;re on it, you stop thinking about remote access entirely.\n","permalink":"https://blog.santander.ovh/posts/tailscale-vpn-guide.html","summary":"\u003ch2 id=\"tldr-summary\"\u003eTL;DR Summary\u003c/h2\u003e\n\u003cp\u003eTailscale builds a private mesh network between your devices using WireGuard. Once installed, every device on your network is reachable from any other, anywhere in the world, as if they were on the same LAN. No router ports opened, no dynamic DNS to maintain, no central server to manage. I\u0026rsquo;ve been using it for 6 months and haven\u0026rsquo;t touched my router settings since.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"the-core-problem-accessing-devices-across-networks\"\u003eThe Core Problem: Accessing Devices Across Networks\u003c/h2\u003e\n\u003cp\u003eSay you\u0026rsquo;re at a coffee shop and need to SSH into your home server. Or you\u0026rsquo;re traveling and need a file from your NAS. Or you\u0026rsquo;re at work and want to access your Home Assistant instance.\u003c/p\u003e","title":"Tailscale: VPN That Just Works (No Port Forwarding Required)"},{"content":"TL;DR Nextcloud running on my homelab gives me full control of my files, no subscription, no tracking, and actual open-source software. The tradeoff: you manage backups, updates, and troubleshooting. After 8 months, the math works out to roughly /month in electricity vs 5/month for 200GB on Google One — and I actually own my data.\nThe Problem With Google Drive Let me be clear: Google Drive works. For most people, it\u0026rsquo;s the right answer. The sync Just Works, the mobile apps are solid, and collaborative editing via Google Docs is genuinely convenient.\nBut I kept running into walls:\nStorage limits: 200GB for .99/month sounds fine until you need more Privacy: Your files train Google\u0026rsquo;s AI. That\u0026rsquo;s in the ToS now Vendor lock-in: If Google ever kills the service, what\u0026rsquo;s your migration plan? 
Offline access: The Android app requires a constant connection for most features I wasn\u0026rsquo;t paranoid about this. I just wanted actual ownership of my own documents.\nWhat Nextcloud Actually Gives You Nextcloud at its core is file sync and sharing — Google Drive\u0026rsquo;s main job. But it also comes with:\nCollaborative editing: Nextcloud Office (built on Nextcloud Text + Collabora) handles Word docs, spreadsheets, presentations Calendar and contacts: CardDAV and CalDAV built in, sync with any iOS/Android client Photo gallery: Nextcloud Photos, with facial recognition and timeline views Mendeley integration: If you do academic research, the app exists Video calls: Nextcloud Talk, for self-hosted chat and conferencing It\u0026rsquo;s a full productivity suite, not just a Dropbox clone.\nMy Actual Setup Hardware: An old Intel NUC (same one running the blog containers) with 2TB of storage in a NAS enclosure. Nextcloud runs as a Docker container with a MariaDB backend.\nThe critical add-ons that make it bearable:\nOnlyOffice: Better document editing than the built-in Collabora. The Docker connector makes it easy Tailscale: Access my Nextcloud from anywhere without opening ports or configuring VPNs Fail2ban: Essential — without it, you\u0026rsquo;ll see thousands of brute-force login attempts daily The Real Costs Category Google One (200GB) Nextcloud (Self-hosted) Monthly cost .99 ~ (electricity) Storage 200GB fixed Whatever you have Privacy Google\u0026rsquo;s AI trains on it Yours only Uptime 99.9%+ Your setup Backup Google handles it You handle it Collaboration Google Docs native Nextcloud Office (okay) The electricity math: my NUC idles at 15W. At $0.12/kWh, that\u0026rsquo;s about .30/month. 
Add storage costs amortized over 3 years and I\u0026rsquo;m around -5/month for way more storage than 200GB.\nWhat Actually Sucks About Nextcloud Honest cons, because the evangelists won\u0026rsquo;t tell you:\nMobile apps are behind Google: The iOS app works but the Android one has quirks. Google Drive on mobile is just better Collaborative editing: Nextcloud Office is functional but Google Docs is still smoother for real-time collaboration with multiple people You are the IT department: Updates break things. Cron jobs need monitoring. When it breaks at 2 AM, you\u0026rsquo;re the one fixing it Initial setup friction: Getting it running behind a reverse proxy with proper SSL, security headers, and hardening takes a full afternoon Who Should Actually Switch Nextcloud makes sense if:\nYou\u0026rsquo;re already running a homelab (incremental cost is low) Privacy and data ownership are priorities for you You want more than 200GB without ongoing subscription costs You\u0026rsquo;re comfortable spending a few hours on initial setup and occasional maintenance Stick with Google Drive if:\nYou need seamless collaborative editing (use Google Docs, it\u0026rsquo;s genuinely great) You want zero maintenance and maximum reliability Your technical comfort level is use the app not configure the server My Verdict After 8 Months I don\u0026rsquo;t regret the switch. For my personal documents, photos, and files, having actual ownership matters to me. The 0/month I\u0026rsquo;ve saved on Google One covers the electricity and gives me peace of mind that I control the data.\nBut I\u0026rsquo;m not going to pretend it\u0026rsquo;s purely rational. Some of it is just wanting to know exactly where my files live and who can access them.\nIf you\u0026rsquo;re already running a homelab, adding Nextcloud is a no-brainer. 
If you\u0026rsquo;re considering a homelab specifically for this — evaluate whether the time investment matches your priorities.\nBottom line: Nextcloud is the right tool for people who want to own their infrastructure. Google Drive is the right tool for people who want things to Just Work. Both answers are valid.\nHave a Nextcloud setup question? Drop it in the comments — I\u0026rsquo;ve hit most of the common pitfalls.\n","permalink":"https://blog.santander.ovh/posts/nextcloud-vs-google-drive.html","summary":"\u003ch2 id=\"tldr\"\u003eTL;DR\u003c/h2\u003e\n\u003cp\u003eNextcloud running on my homelab gives me full control of my files, no subscription, no tracking, and actual open-source software. The tradeoff: you manage backups, updates, and troubleshooting. After 8 months, the math works out to roughly /month in electricity vs 5/month for 200GB on Google One — and I actually own my data.\u003c/p\u003e\n\u003ch2 id=\"the-problem-with-google-drive\"\u003eThe Problem With Google Drive\u003c/h2\u003e\n\u003cp\u003eLet me be clear: Google Drive works. For most people, it\u0026rsquo;s the right answer. The sync Just Works, the mobile apps are solid, and collaborative editing via Google Docs is genuinely convenient.\u003c/p\u003e","title":"Why I Ditched Google Drive for Nextcloud (And What I Learned)"},{"content":"TL;DR AdGuard Home turns any homelab server into a network-wide ad and tracker blocker that works across every device on your LAN — no per-device configuration needed. One Docker container, roughly 15W of power, blocks 15-20% of DNS queries before they leave your network. This guide covers the full setup: Docker Compose, blocklists that catch more than the defaults, encrypted DNS configuration, and per-device filtering rules.\nWhy DNS-Level Blocking Most ad blockers work per-device. Browser extension on your laptop, app on your phone, maybe a system-level app. Every new device or browser needs its own setup. 
And none of this touches the smart TV telemetry, IoT device phoning home, or gaming consoles sending data to unknown servers.\nAdGuard Home sits at the DNS layer. Every device on your network routes DNS queries through it. Block something once, it is blocked for everything. The privacy benefit is equally important — your DNS queries do not go to your ISP or Google by default. You control what gets resolved and by whom.\nPrerequisites A server or NUC running Docker Port 53 available (not used by systemd-resolved or another service) Access to router DHCP settings (to point devices to AdGuard) 15-20 minutes Docker Compose Setup services: adguard: image: adguard/adguardhome:latest container_name: adguard ports: - \u0026#34;53:53/tcp\u0026#34; - \u0026#34;53:53/udp\u0026#34; - \u0026#34;853:853/tcp\u0026#34; # DoT (DNS over TLS) - \u0026#34;3000:3000/tcp\u0026#34; # Admin web UI volumes: - ./work:/opt/adguardhome/work - ./conf:/opt/adguardhome/conf restart: unless-stopped network_mode: host The network_mode: host line is critical. DNS interception requires the container to see actual network traffic, not a translated view through Docker internal DNS. Without host networking, queries resolve fine but nothing gets blocked.\nIf port 53 is already in use, check what is using it (TCP and UDP listeners):\nsudo ss -tulnp | grep :53 Common culprit: systemd-resolved. Stop and disable it, then point /etc/resolv.conf to your server IP:\nsudo systemctl stop systemd-resolved sudo systemctl disable systemd-resolved echo \u0026#34;nameserver 192.168.1.YOUR_SERVER_IP\u0026#34; | sudo tee /etc/resolv.conf Initial Configuration Navigate to http://YOUR_SERVER_IP:3000. The first-run wizard walks you through admin credentials, interface binding (set to 0.0.0.0 for LAN access), and upstream DNS.\nFor upstream DNS servers, use encrypted options — not plain Google or your ISP:\nhttps://dns.cloudflare.com/dns-query https://dns.google/dns-query 
This matters: if you run AdGuard but send all queries to Google DNS in plaintext, your ISP or anyone watching your network can still see every domain you visit.\nBlocklists That Actually Work Default blocklists catch maybe 30%. You want layered lists.\nTier 1: The Big One https://big.oisd.nl — One massive consolidated list, ~120,000 domains, updates daily. This alone catches more than all the default lists combined.\nTier 2: Privacy Extras https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt — AdGuard official filter, actively maintained.\nhttps://badmojr.ethz.ch/adblock.txt — Known malware and phishing domains.\nTier 3: Optional Category Lists Social media widget trackers, cookie notice scripts, mobile app telemetry. Do not add these on day one — run with big.oisd.nl for a day first, check the query log, then add based on what you actually see.\nEncrypted DNS Upstream (DoH/DoT) AdGuard supports DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ). Configure upstream servers using encrypted protocols so your ISP cannot see your query log.\nWhen configuring devices to use your AdGuard server remotely, enable DoT/DoH in AdGuard settings, then configure clients:\nAndroid: Settings \u0026gt; Network \u0026gt; Private DNS \u0026gt; enter your AdGuard hostname iOS/macOS: Use a DNS privacy profile or third-party app Router: Set DNS-over-TLS provider to your AdGuard instance Per-Device Filtering This is the feature most tutorials skip. AdGuard shows every device by hostname or IP in the query log. You can apply different blocklists and filtering rules per device:\nWork devices: Standard blocking Gaming PCs: Block game telemetry domains Kids\u0026rsquo; devices: Strict mode with adult content domains blocked Guest devices: Minimal blocklists, just malware domains Go to Settings \u0026gt; DNS Settings \u0026gt; Access settings. 
Each connecting client shows up here with its own rule assignment.\nCustom DNS Rewrite Rules Internal hostnames you want resolving across all devices:\nlocal-data: \"nextcloud.internal A 192.168.1.100\" local-data: \"homeassistant.internal A 192.168.1.101\" local-data: \"pihole.internal A 192.168.1.102\" No more managing /etc/hosts on every device.\nWhat Actually Changed After 6 Months My smart TV was making 800+ DNS queries in 2 hours, mostly to unknown third-party trackers I never heard of. After AdGuard: essential domains only. My phone sent 40+ tracker queries overnight while charging. Now: none.\nI track 15-20% of daily queries blocked. The query log is the fastest way to diagnose \u0026ldquo;why is device X slow\u0026rdquo; or \u0026ldquo;what is app Y actually doing.\u0026rdquo;\nCommon Problems Nothing getting blocked: Devices are not using AdGuard as their DNS. Router DHCP settings override everything. Set the router DHCP DNS to your AdGuard IP.\nStreaming services do not work: Some use DNS for region detection. Check the query log when a stream fails, whitelist the blocked domain.\nContainer uses lots of RAM: 150-300MB with 100K+ blocklist entries is normal. Over 500MB means too many lists or a memory leak — restart and reduce.\nVerifying It Works Visit a site like whoamigoingtocallhome.com. If AdGuard is working, it will not load properly or will show blocked elements.\nCheck your query log in real-time while browsing a site you know runs ads. The blocked queries list will be longer than you expected.\nNext Steps Once AdGuard runs smoothly, the natural follow-up is encrypted DNS for your mobile devices. AdGuard offers a free DNS-over-TLS service, or self-host the encrypted DNS listener for full control. 
For the privacy-conscious, consider running your own recursive resolver like unbound instead of Cloudflare or Google upstream.\nFAQ Q: Does AdGuard Home slow down my network? A: Minimal impact. DNS queries are fast (typically 5-20ms added latency). With encrypted upstream DNS (DoH/DoT), you might see 10-30ms additional latency, but the privacy benefits outweigh this for most users. Many users report faster browsing due to blocked ad domains.\nQ: Can I run AdGuard Home on the same server as other services? A: Yes. AdGuard uses about 150-300MB RAM with large blocklists. Just ensure port 53 is free and use host networking mode for proper DNS interception. Do not run it inside a Docker network — DNS interception requires direct host network access.\nQ: What is the best blocklist for AdGuard Home? A: Start with https://big.oisd.nl — it is a single consolidated list with ~120,000 domains that outperforms most multi-list setups. Add AdGuard DNS filter as a secondary. Only add category lists (social media, telemetry) after running for a few days and reviewing your query log.\nQ: How do I set up encrypted DNS (DoH/DoT) for mobile devices? A: In AdGuard settings, enable DNS-over-TLS and note your tunnel hostname. On Android: Settings \u0026gt; Network \u0026gt; Private DNS \u0026gt; enter your AdGuard hostname. On iOS/macOS: Use a DNS privacy configuration profile or a third-party app like DNScrypt.\nQ: Can AdGuard Home block YouTube ads? A: Not directly — YouTube serves ads from the same domains as regular video content. For YouTube ad blocking, use a browser extension like uBlock Origin on each device, or use a YouTube Premium subscription. AdGuard excels at tracker and telemetry blocking instead.\nQ: How do I check if AdGuard is actually working? A: Visit a known ad-serving site like whoamigoingtocallhome.com — it should not load properly. Check your query log in real-time. You should see 15-20% of queries blocked on a typical network. 
Run nslookup doubleclick.net from a device on your network — if AdGuard is working, it will return a blocked response. ","permalink":"https://blog.santander.ovh/posts/setting-up-adguard-home.html","summary":"\u003ch2 id=\"tldr\"\u003eTL;DR\u003c/h2\u003e\n\u003cp\u003eAdGuard Home turns any homelab server into a network-wide ad and tracker blocker that works across every device on your LAN — no per-device configuration needed. One Docker container, roughly 15W of power, blocks 15-20% of DNS queries before they leave your network. This guide covers the full setup: Docker Compose, blocklists that catch more than the defaults, encrypted DNS configuration, and per-device filtering rules.\u003c/p\u003e\n\u003ch2 id=\"why-dns-level-blocking\"\u003eWhy DNS-Level Blocking\u003c/h2\u003e\n\u003cp\u003eMost ad blockers work per-device. Browser extension on your laptop, app on your phone, maybe a system-level app. Every new device or browser needs its own setup. And none of this touches the smart TV telemetry, IoT device phoning home, or gaming consoles sending data to unknown servers.\u003c/p\u003e","title":"Setting Up AdGuard Home: The DNS-Level Ad Blocker That Actually Works"},{"content":"TL;DR Summary Cloudflare Tunnel (formerly Argo Tunnel) eliminates the need to open ports on your router or deal with dynamic DNS services. One small daemon runs on your server, creates an outbound connection to Cloudflare\u0026rsquo;s edge, and your services are accessible via HTTPS — no router configuration needed. 
I\u0026rsquo;ve been running it for 8 months across 6 services with zero maintenance.\nThe Problem with Traditional Remote Access Most guides for accessing your homelab from outside your house go like this: set up port forwarding on your router, configure dynamic DNS because your ISP gives you a dynamic IP, cross your fingers that your IP doesn\u0026rsquo;t change while you\u0026rsquo;re away, and pray that your router\u0026rsquo;s firewall is solid enough.\nThen you spend an hour setting up a VPN because you realized port forwarding your NAS is a terrible idea. Now you have two services to maintain and your phone is configured for both.\nThis is the path I walked. It works — but it\u0026rsquo;s fragile. Your public IP changes, the dynamic DNS update lag leaves you stranded, and every open port is a potential attack surface.\nThen there\u0026rsquo;s the security problem: anything you expose is directly reachable from the internet. You can add fail2ban, rate limiting, and VPN-only access — but you\u0026rsquo;re still maintaining a moving pile of security layers.\nCloudflare Tunnel changes the model entirely.\nHow Cloudflare Tunnel Works Instead of opening ports and hoping for the best, you install a tiny daemon (cloudflared) on your server. This daemon creates a persistent outbound WebSocket connection to Cloudflare\u0026rsquo;s edge network.\nWhen someone tries to access your service, they hit your domain — which resolves to Cloudflare\u0026rsquo;s nearest edge node. Cloudflare routes the request through the tunnel\u0026rsquo;s established connection to your server, which sends the response back the same way.\nThe key detail: your server never accepts incoming connections from the internet. The outbound tunnel connection is initiated from inside your network. 
From the outside world, your server is invisible.\n[You, remote] → Cloudflare Edge → [cloudflared tunnel] ← Your Server (outbound only)\nStep 1: Create a Cloudflare Account and Add Your Domain If you don\u0026rsquo;t have a Cloudflare account, create one at dash.cloudflare.com. It\u0026rsquo;s free.\nAdd your domain — Cloudflare will give you nameservers to update at your registrar. This takes effect within a few hours typically.\nOnce your domain is active in Cloudflare, go to SSL/TLS → Overview and set encryption mode to Full (strict). This ensures all connections are encrypted end-to-end.\nStep 2: Install cloudflared on Your Server cloudflared is the daemon that manages your tunnel. It\u0026rsquo;s a single binary with no dependencies:\n# Download the latest release (check https://github.com/cloudflare/cloudflared/releases)\nwget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -O cloudflared\nchmod +x cloudflared\nsudo mv cloudflared /usr/local/bin/\n# Verify it works\ncloudflared --version\nFor Docker, you can also run it as a container:\nservices:\n  cloudflared:\n    image: cloudflare/cloudflared:latest\n    restart: unless-stopped\n    command: tunnel run --token YOUR_TOKEN_HERE\n    environment:\n      - TZ=America/New_York\n    network_mode: host\nStep 3: Create Your First Tunnel Log into your Cloudflare dashboard and go to Zero Trust → Networks → Tunnels. Click Create a tunnel and choose Cloudflared as the connector.\nGive your tunnel a name — something like homelab or outpost. Copy the tunnel token shown; you\u0026rsquo;ll need it in the next step.\nOn your server:\ncloudflared service install YOUR_TUNNEL_TOKEN\nThis registers the tunnel and starts the service. 
You can also run it manually:\ncloudflared tunnel run --token YOUR_TUNNEL_TOKEN\nStep 4: Route Services Through the Tunnel Back in the Cloudflare dashboard, under your tunnel\u0026rsquo;s Public Hostname tab, add the services you want to expose.\nFor example, to expose a service running on your LAN at http://192.168.1.100:8123:\nField | Value\nSubdomain | homeassistant\nDomain | yourdomain.com\nType | HTTP\nURL | 192.168.1.100:8123\nThat\u0026rsquo;s it. Within seconds, https://homeassistant.yourdomain.com will route to your local Home Assistant instance. No router changes. No port forwarding.\nRepeat for each service you want accessible:\nService | Subdomain | Local URL\nHome Assistant | ha | 192.168.1.100:8123\nPlex | plex | 192.168.1.101:32400\nAdGuard | dns | 192.168.1.50:53\nJellyfin | media | 192.168.1.102:8096\nUptime Kuma | monitor | 192.168.1.60:3001\nStep 5: Lock Down with Access Policies By default, your tunneled services are accessible to anyone who knows the URL. Cloudflare Access (free tier includes this) lets you add authentication.\nGo to Zero Trust → Settings → Authentication and connect a login provider. For personal use, the easiest is adding your Google account or GitHub account as an identity provider.\nThen create an Access Policy:\n{ \u0026#34;name\u0026#34;: \u0026#34;Protect Homelab\u0026#34;, \u0026#34;include\u0026#34;: [ { \u0026#34;kind\u0026#34;: \u0026#34;include\u0026#34;, \u0026#34;email\u0026#34;: { \u0026#34;domain\u0026#34;: \u0026#34;yourdomain.com\u0026#34; } } ] }\nNow when anyone visits https://ha.yourdomain.com, they\u0026rsquo;re redirected to a Cloudflare login page. Only authenticated users in your policy can proceed — and Cloudflare handles the session token.\nThis is significantly more secure than opening a port and relying on your service\u0026rsquo;s built-in auth. 
Even if Home Assistant has a zero-day, attackers can\u0026rsquo;t reach it without bypassing Cloudflare\u0026rsquo;s authentication first.\nStep 6: Enable Automatic HTTPS Rewrites Cloudflare can automatically fix mixed content issues when your internal services use HTTP but the external connection is HTTPS.\nGo to SSL/TLS → Automatic HTTPS Rewrites and turn it On. Cloudflare will rewrite HTTP links in your responses to HTTPS so you don\u0026rsquo;t get mixed content warnings.\nWhat I\u0026rsquo;ve Been Running My current setup serves 6 services through a single tunnel on a $6/month VPS:\n# Uptime Kuma monitoring\nhomeassistant.yourdomain.com → 192.168.1.100:8123\nplex.yourdomain.com → 192.168.1.101:32400\njellyfin.yourdomain.com → 192.168.1.102:8096\nmonitor.yourdomain.com → 192.168.1.50:3001\ndns.yourdomain.com → 192.168.1.50:53\ngit.yourdomain.com → 192.168.1.60:3000\nAll behind Cloudflare Access with Google OAuth. I\u0026rsquo;ve had zero unauthorized access attempts since removing the port forwards — the public internet simply can\u0026rsquo;t reach my services directly.\nTroubleshooting Tunnel won\u0026rsquo;t connect after router reboot: cloudflared reconnects automatically. If it doesn\u0026rsquo;t, sudo systemctl restart cloudflared.\nService times out on mobile (works on WiFi): Cloudflare\u0026rsquo;s HTTP/2 multiplexing can sometimes drop idle connections. In your tunnel config, set cloudflared to use QUIC (the HTTP/3 transport): cloudflared tunnel run --url http://localhost:8080 --protocol quic.\nSSL certificate warnings: Make sure your local service either has a valid certificate or is using HTTP (Cloudflare will handle the TLS termination at the edge). In Cloudflare SSL settings, set SSL to Flexible if your internal service is HTTP-only, or better yet, use a self-signed cert and set SSL to Full.\nHigh latency on tunneled services: Cloudflare routes traffic through their nearest edge node. If you\u0026rsquo;re far from Cloudflare\u0026rsquo;s nearest datacenter, latency increases. 
For basic web access this is imperceptible; for real-time media streaming it can matter.\nKey Takeaways Zero open ports — your server is invisible to the internet Automatic HTTPS — even if your local services run HTTP Built-in DDoS protection — Cloudflare absorbs attacks before they reach your network Access policies — add authentication without configuring it in every service Dead simple — set it up once and forget it If you\u0026rsquo;re running any service you access remotely, Cloudflare Tunnel is the first thing to set up. It\u0026rsquo;s more secure than any port forwarding setup and requires less ongoing maintenance.\nNo dynamic DNS. No router ACLs. No worrying about your public IP.\n","permalink":"https://blog.santander.ovh/posts/cloudflare-tunnel-guide.html","summary":"\u003ch2 id=\"tldr-summary\"\u003eTL;DR Summary\u003c/h2\u003e\n\u003cp\u003eCloudflare Tunnel (formerly Argo Tunnel) eliminates the need to open ports on your router or deal with dynamic DNS services. One small daemon runs on your server, creates an outbound connection to Cloudflare\u0026rsquo;s edge, and your services are accessible via HTTPS — no router configuration needed. I\u0026rsquo;ve been running it for 8 months across 6 services with zero maintenance.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"the-problem-with-traditional-remote-access\"\u003eThe Problem with Traditional Remote Access\u003c/h2\u003e\n\u003cp\u003eMost guides for accessing your homelab from outside your house go like this: set up port forwarding on your router, configure dynamic DNS because your ISP gives you a dynamic IP, cross your fingers that your IP doesn\u0026rsquo;t change while you\u0026rsquo;re away, and pray that your router\u0026rsquo;s firewall is solid enough.\u003c/p\u003e","title":"Why I Switched to Cloudflare Tunnel (And Never Looked Back)"},{"content":"About the Santander Network Blog Hey — I\u0026rsquo;m Jefferson Santander. 
This blog is where I document everything I run, build, and break in my homelab. No AI-generated fluff. Real systems, real screenshots, real code that actually runs.\nWhat Is the Santander Network? The Santander Network is my personal infrastructure — a homelab that runs 24/7 and handles everything from AI agent automation to media storage to private DNS.\nWhat You\u0026rsquo;ll Find Here Homelab guides that actually work AI agent setups — how I run autonomous agents in production Self-hosting walkthroughs — from zero to fully operational Privacy tools — tested in real use The Agents Agent Role S.A.N.T.O.S. Primary orchestrator S.I.E.R.R.A. Monitoring — watches service health 24/7 S.O.L. Content — writes posts, manages social, automation Contact GitHub: JeffersonSantanderS Twitter/X: @JeffersonSantanderS This site is part of the Santander Network.\n","permalink":"https://blog.santander.ovh/about.html","summary":"\u003ch1 id=\"about-the-santander-network-blog\"\u003eAbout the Santander Network Blog\u003c/h1\u003e\n\u003cp\u003eHey — I\u0026rsquo;m \u003cstrong\u003eJefferson Santander\u003c/strong\u003e. This blog is where I document everything I run, build, and break in my homelab. No AI-generated fluff. 
Real systems, real screenshots, real code that actually runs.\u003c/p\u003e\n\u003ch2 id=\"what-is-the-santander-network\"\u003eWhat Is the Santander Network?\u003c/h2\u003e\n\u003cp\u003eThe Santander Network is my personal infrastructure — a homelab that runs 24/7 and handles everything from AI agent automation to media storage to private DNS.\u003c/p\u003e\n\u003ch2 id=\"what-youll-find-here\"\u003eWhat You\u0026rsquo;ll Find Here\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eHomelab guides\u003c/strong\u003e that actually work\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAI agent setups\u003c/strong\u003e — how I run autonomous agents in production\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSelf-hosting walkthroughs\u003c/strong\u003e — from zero to fully operational\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivacy tools\u003c/strong\u003e — tested in real use\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"the-agents\"\u003eThe Agents\u003c/h2\u003e\n\u003ctable\u003e\n  \u003cthead\u003e\n      \u003ctr\u003e\n          \u003cth\u003eAgent\u003c/th\u003e\n          \u003cth\u003eRole\u003c/th\u003e\n      \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eS.A.N.T.O.S.\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003ePrimary orchestrator\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eS.I.E.R.R.A.\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eMonitoring — watches service health 24/7\u003c/td\u003e\n      \u003c/tr\u003e\n      \u003ctr\u003e\n          \u003ctd\u003e\u003cstrong\u003eS.O.L.\u003c/strong\u003e\u003c/td\u003e\n          \u003ctd\u003eContent — writes posts, manages social, automation\u003c/td\u003e\n      \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\u003ch2 
id=\"contact\"\u003eContact\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eGitHub:\u003c/strong\u003e \u003ca href=\"https://github.com/JeffersonSantanderS\"\u003eJeffersonSantanderS\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTwitter/X:\u003c/strong\u003e \u003ca href=\"https://twitter.com/JeffersonSantanderS\"\u003e@JeffersonSantanderS\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003eThis site is part of the Santander Network.\u003c/em\u003e\u003c/p\u003e","title":"About"},{"content":"The Composes You Actually Need Most Docker compose guides show you the same five services everyone already knows. Here\u0026rsquo;s the set I actually run — the unsexy but essential services that make a homelab reliable: monitoring, logging, backups, and automation.\nThese are production-ready templates with proper networking, restart policies, healthchecks, and resource limits. No placeholder values, no \u0026ldquo;TODO: change this.\u0026rdquo;\n1. Watchtower — Auto-Updates Automatically updates your containers when new images are published. I run this on a 24-hour schedule with notifications to my Telegram channel.\nservices:\n  watchtower:\n    image: containrrr/watchtower:latest\n    container_name: watchtower\n    restart: unless-stopped\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock\n      - /var/lib/watchtower:/watchtower\n      - /etc/localtime:/etc/localtime:ro\n    environment:\n      - WATCHTOWER_CLEANUP=true\n      - WATCHTOWER_REMOVE_IMAGES=true\n      - WATCHTOWER_SCHEDULE=0 0 4 * * * # 4am daily (Watchtower cron expressions have a leading seconds field)\n      - WATCHTOWER_NOTIFICATIONS=shoutrrr\n      - WATCHTOWER_NOTIFICATION_URL=${WATCHTOWER_WEBHOOK_URL}\n      - TZ=America/New_York\n    mem_limit: 128m\n    cpu_shares: 128\n    networks:\n      - homelab\nnetworks:\n  homelab:\n    name: homelab_net\n    driver: bridge\nStore your webhook URL in a .env file:\nWATCHTOWER_WEBHOOK_URL=telegram://your-telegram-bot-token\n2. 
Uptime Kuma — Service Monitoring Tracks whether your services are responding and alerts you when they go down. I monitor all 8 services on my network.\nservices:\n  uptime-kuma:\n    image: louislam/uptime-kuma:latest\n    container_name: uptime-kuma\n    restart: unless-stopped\n    ports:\n      - \u0026#34;3001:3001\u0026#34;\n    volumes:\n      - ./data:/app/data\n      - /var/run/docker.sock:/var/run/docker.sock\n      - /etc/localtime:/etc/localtime:ro\n    environment:\n      - TZ=America/New_York\n    mem_limit: 256m\n    cpu_shares: 256\n    networks:\n      - homelab\nnetworks:\n  homelab:\n    name: homelab_net\n    external: true\nSet up monitors for:\nhttp://adguard:53/health (DNS)\nhttp://jellyfin:8096/ (Media)\nhttp://homeassistant:8123/ (Home automation)\ntcp://your-server:22 (SSH)\nUptime Kuma sends Telegram alerts when services go down and recover. After the initial setup, you forget it exists — until it saves you.\n3. Traefik — Reverse Proxy with Auto SSL Replaced Nginx Proxy Manager with Traefik because the config is code, version-controlled, and auto-discovers Docker labels. 
Let\u0026rsquo;s Encrypt certs are handled automatically.\nservices:\n  traefik:\n    image: traefik:v2.11\n    container_name: traefik\n    restart: unless-stopped\n    ports:\n      - \u0026#34;80:80\u0026#34;\n      - \u0026#34;443:443\u0026#34;\n      - \u0026#34;127.0.0.1:8080:8080\u0026#34; # Dashboard (local only)\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock:ro\n      - ./letsencrypt:/letsencrypt\n      - ./traefik.yml:/traefik.yml:ro\n      - ./dynamic.yml:/dynamic.yml:ro\n    environment:\n      - TZ=America/New_York\n    mem_limit: 128m\n    networks:\n      - homelab\nnetworks:\n  homelab:\n    name: homelab_net\n    external: true\ntraefik.yml:\napi:\n  dashboard: true\n  insecure: true\nentryPoints:\n  web:\n    address: \u0026#34;:80\u0026#34;\n    http:\n      redirections:\n        entryPoint:\n          to: websecure\n          scheme: https\n  websecure:\n    address: \u0026#34;:443\u0026#34;\ncertificatesResolvers:\n  letsencrypt:\n    acme:\n      email: your-email@example.com\n      storage: /letsencrypt/acme.json\n      httpChallenge:\n        entryPoint: web\nproviders:\n  docker:\n    endpoint: \u0026#34;unix:///var/run/docker.sock\u0026#34;\n    exposedByDefault: false\n    network: homelab_net\n  file:\n    filename: /dynamic.yml\nOn each service you want to proxy, add these labels:\nservices:\n  jellyfin:\n    image: jellyfin/jellyfin:latest\n    networks:\n      - homelab\n    labels:\n      - \u0026#34;traefik.enable=true\u0026#34;\n      - \u0026#34;traefik.http.routers.jellyfin.rule=Host(`media.yourdomain.com`)\u0026#34;\n      - \u0026#34;traefik.http.routers.jellyfin.entrypoints=websecure\u0026#34;\n      - \u0026#34;traefik.http.routers.jellyfin.tls.certresolver=letsencrypt\u0026#34;\n      - \u0026#34;traefik.http.services.jellyfin.loadbalancer.server.port=8096\u0026#34;\n      - \u0026#34;traefik.docker.network=homelab_net\u0026#34;\nTraefik reads the Docker socket, finds containers with these labels, and automatically creates routes with SSL. Add a new service in 30 seconds.\n4. Duplicati — Backup Manager Backs up volumes to Backblaze B2, local NAS, or S3. 
Runs scheduled backup jobs with encryption and versioning.\nservices: duplicati: image: duplicati/duplicati:latest container_name: duplicati restart: unless-stopped ports: - \u0026#34;8200:8200\u0026#34; volumes: - ./data:/data - ./backups:/backups - /etc/localtime:/etc/localtime:ro environment: - TZ=America/New_York mem_limit: 512m networks: - homelab networks: homelab: name: homelab_net external: true Key backup jobs I run:\n/docker/volumes/postgres-data → Backblaze B2 (nightly) /docker/volumes/nextcloud-app → Backblaze B2 (nightly) Config directories (/home/*/.config) → Local NAS (hourly) Duplicati\u0026rsquo;s web UI lets you configure retention, compression, and encryption without touching CLI. Set it and forget it.\n5. Dozzle — Real-Time Docker Logs Lightweight log viewer for all containers. Better than docker logs when you need to debug something across multiple containers quickly.\nservices: dozzle: image: amir20/dozzle:latest container_name: dozzle restart: unless-stopped ports: - \u0026#34;9999:8080\u0026#34; environment: - DOZZLE_NO_ANALYTICS=true - TZ=America/New_York volumes: - /var/run/docker.sock:/var/run/docker.sock mem_limit: 128m networks: - homelab networks: homelab: name: homelab_net external: true Visit http://your-server:9999 for a live stream of every container\u0026rsquo;s stdout/stderr. Searchable, filterable, with no install required.\n6. Glances — System Monitoring Cross-platform system monitor that runs in a browser. 
CPU, memory, disk, network, and per-container stats in one view.\nservices:\n  glances:\n    image: nicolargo/glances:latest\n    container_name: glances\n    restart: unless-stopped\n    ports:\n      - \u0026#34;61208:61208\u0026#34;\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock:ro\n      - /etc/localtime:/etc/localtime:ro\n    environment:\n      - TZ=America/New_York\n      - GLANCES_OPT=-w # Enable web server\n    mem_limit: 256m\n    cpu_shares: 256\n    pid: host # See host processes\n    networks:\n      - homelab\nnetworks:\n  homelab:\n    name: homelab_net\n    external: true\nOpen http://your-server:61208 for a real-time dashboard. CPU temp monitoring is included if your system has lm-sensors configured.\nThe Shared Network All these services share one Docker network:\ndocker network create homelab_net\nThis lets containers resolve each other by name (adguard, jellyfin, traefik) instead of IP addresses. Add network_mode: homelab_net to any new service to include it.\nQuick-Start Script Drop this in /opt/homelab/ and run everything in one command:\n#!/bin/bash\n# Start all homelab services\ncd /opt/homelab || exit 1\nfor dir in watchtower uptime-kuma traefik duplicati dozzle glances; do\n  if [ -d \u0026#34;$dir\u0026#34; ]; then\n    echo \u0026#34;Starting $dir...\u0026#34;\n    (cd \u0026#34;$dir\u0026#34; \u0026amp;\u0026amp; docker compose up -d)\n  fi\ndone\necho \u0026#34;All services started. Check status at:\u0026#34;\necho \u0026#34;  Uptime Kuma: http://$(hostname -I | awk \u0026#39;{print $1}\u0026#39;):3001\u0026#34;\n# The Traefik dashboard is published on 127.0.0.1 only (see its compose file), so it is reachable from this host alone\necho \u0026#34;  Traefik: http://127.0.0.1:8080\u0026#34;\necho \u0026#34;  Dozzle: http://$(hostname -I | awk \u0026#39;{print $1}\u0026#39;):9999\u0026#34;\necho \u0026#34;  Glances: http://$(hostname -I | awk \u0026#39;{print $1}\u0026#39;):61208\u0026#34;\necho \u0026#34;  Duplicati: http://$(hostname -I | awk \u0026#39;{print $1}\u0026#39;):8200\u0026#34;\nEach service in its own directory with its own docker-compose.yml and data/ folder. Backups go to ./backups/. 
Clean, isolated, version-controllable.\nWhat About Portainer? I keep Portainer around for quick status checks when I\u0026rsquo;m on my phone. The agent-based setup is cleaner than exposing the Docker socket:\nservices: portainer: image: portainer/portainer-ce:latest container_name: portainer restart: unless-stopped ports: - \u0026#34;9000:9000\u0026#34; - \u0026#34;9443:9443\u0026#34; volumes: - ./data:/data - /var/run/docker.sock:/var/run/docker.sock mem_limit: 512m networks: - homelab networks: homelab: name: homelab_net external: true Set admin credentials on first login. I use it read-only — deploys always go through docker compose.\n","permalink":"https://blog.santander.ovh/posts/docker-compose-templates.html","summary":"\u003ch2 id=\"the-composes-you-actually-need\"\u003eThe Composes You Actually Need\u003c/h2\u003e\n\u003cp\u003eMost Docker compose guides show you the same five services everyone already knows. Here\u0026rsquo;s the set I actually run — the unsexy but essential services that make a homelab reliable: monitoring, logging, backups, and automation.\u003c/p\u003e\n\u003cp\u003eThese are production-ready templates with proper networking, restart policies, healthchecks, and resource limits. No placeholder values, no \u0026ldquo;TODO: change this.\u0026rdquo;\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"1-watchtower--auto-updates\"\u003e1. Watchtower — Auto-Updates\u003c/h2\u003e\n\u003cp\u003eAutomatically updates your containers when new images are published. I run this on a 24-hour schedule with notifications to my Telegram channel.\u003c/p\u003e","title":"Docker Compose Templates I Use Every Week"},{"content":"TL;DR Summary The Santander Network is a homelab setup running multiple AI agents, self-hosted services, and privacy-focused infrastructure. This post covers why I started, what I learned from early mistakes, and what\u0026rsquo;s currently running. 
It\u0026rsquo;s not a perfect guide—it\u0026rsquo;s real infrastructure with real failures and real solutions.\nWhat is the Santander Network? For years, I relied on cloud services for everything—Google Drive for files, Notion for notes, third-party AI APIs for automation. The bills added up. The privacy concerns grew. The dependency on services I didn\u0026rsquo;t control became unbearable.\nSo I built my own infrastructure.\nThe Santander Network is a homelab setup that runs:\nAI Agents (S.A.N.T.O.S., S.I.E.R.R.A., and S.O.L.) handling automation, monitoring, and content\nSelf-hosted services replacing most cloud dependencies\nPrivacy-first tools with no tracking, no data sales, no vendor lock-in\nThis blog documents what I run, how I set it up, what went wrong, and what actually works.\nThe Hardware Currently running on a combination of:\nComponent | Purpose | Notes\nVPS | Public-facing services | Various providers\nLocal PC | Primary homelab (Outpost) | 24/7 operation\nRaspberry Pi cluster | Lightweight services | DNS, monitoring\nNAS | Mass storage | Redundancy via SnapRAID\nThe VPS handles public services (API endpoints, monitoring dashboards). The local machine (Outpost) runs everything internal—AI agents, development environments, media storage.\nWhat Went Wrong (So You Don\u0026rsquo;t Repeat It) Networking first, hardware later. My first homelab attempt had me buying hardware before planning the network. Result: incompatible subnet, multiple rewiring sessions, and a switch that didn\u0026rsquo;t support VLANs.\nNot documenting from day one. When something breaks at 2 AM, you want configs saved. I now use Git repos for everything.\nSkipping backups until data loss. \u0026lsquo;Nuff said.\nWhat\u0026rsquo;s Running Now As of April 2026, the network runs:\nS.A.N.T.O.S. - Primary orchestrator agent (that\u0026rsquo;s Santos)\nS.I.E.R.R.A. - Monitoring agent watching service health\nS.O.L. 
- Content agent writing posts like this one SearXNG - Private search engine Homepage - Unified dashboard for all services Plex/Jellyfin - Media server (not publicly exposed) Paperless-NGX - Document management AdGuard Home - DNS-level ad blocking Why This Blog? Three reasons:\nDocument for myself - If I need to rebuild, I have instructions Help others - Homelab guides that actually work (not AI-generated) Accountability - Publishing makes me maintain things properly No AI-generated fluff here. Screenshots of real systems. Code that actually runs. Honest pros and cons.\nKey Takeaways Start with networking, then hardware Document everything in Git from day one Backups before you need them Privacy tools don\u0026rsquo;t have to mean inconvenient tools Self-hosting AI agents is more viable than it sounds Related Posts Setting Up Your First Self-Hosted AI Agent Homelab Networking: VLANs and Segmentation Privacy Tools That Actually Work Questions or suggestions? Reach out via GitHub or Telegram.\nFAQ Q: What is a homelab? A: A homelab is personal server infrastructure — usually a NUC, old desktop, or Raspberry Pi cluster — that runs services you would otherwise pay subscription fees for or rely on third parties to host. Common uses: media servers, file storage, DNS filtering, AI agents, and website hosting.\nQ: What hardware do you use for the Santander Network? A: Currently running on an Intel NUC-style system with 16GB RAM, connected to a router with VLAN support. The exact specs are less important than the architecture — services run in Docker, accessible via Cloudflare Tunnel, monitored by Uptime Kuma.\nQ: Why run AI agents instead of using cloud AI services? A: Control, cost, and privacy. Running your own AI agents means no API rate limits, no subscription fees for heavy usage, and your prompts and data never leave your infrastructure. 
For a homelabber already paying for server electricity, adding an AI agent is marginal cost.\nQ: Is the Santander Network hard to set up? A: Each individual piece is straightforward. Docker Compose makes service management accessible. The complexity comes from integrating everything — DNS, reverse proxy, SSL, monitoring, backups, and automation working together. Start with one service, add complexity gradually.\n","permalink":"https://blog.santander.ovh/posts/welcome-to-santander-network.html","summary":"\u003ch2 id=\"tldr-summary\"\u003eTL;DR Summary\u003c/h2\u003e\n\u003cp\u003eThe Santander Network is a homelab setup running multiple AI agents, self-hosted services, and privacy-focused infrastructure. This post covers why I started, what I learned from early mistakes, and what\u0026rsquo;s currently running. It\u0026rsquo;s not a perfect guide—it\u0026rsquo;s real infrastructure with real failures and real solutions.\u003c/p\u003e\n\u003ch2 id=\"what-is-the-santander-network\"\u003eWhat is the Santander Network?\u003c/h2\u003e\n\u003cp\u003eFor years, I relied on cloud services for everything—Google Drive for files, Notion for notes, third-party AI APIs for automation. The bills added up. The privacy concerns grew. The dependency on services I didn\u0026rsquo;t control became unbearable.\u003c/p\u003e","title":"Welcome to the Santander Network - My Homelab Journey"},{"content":"TL;DR Summary Self-hosted AI agents are more accessible than ever. This guide covers setting up Hermes (an open-source AI agent framework) on your homelab, configuring it for your needs, and practical automation workflows. The main cost is compute—hardware you already own or a dedicated VPS. No vendor lock-in, your data stays local.\nWhat is an AI Agent? 
An AI agent is a system that:\nReceives instructions (via chat, API, or scheduled tasks)\nPlans steps to complete the task\nUses tools (web search, code execution, file management, APIs)\nReturns results or acts autonomously\nThink of it as a CLI assistant that can actually do things—not just answer questions.\nWhy Self-Host? Privacy. Your prompts, your data, your business logic. No third-party processing.\nCost control. Pay for compute once, not per-query pricing.\nCustomization. Extend with your own tools, workflows, integrations.\nReliability. Run your own infrastructure, not dependent on an API being up.\nPrerequisites\nLinux server (or WSL on Windows)\n8GB+ RAM recommended\nAPI key for your preferred LLM provider (or local model)\nDocker (optional but recommended)\nInstalling Hermes Hermes is an open-source agent framework I use for the Santander Network. Here\u0026rsquo;s the quick install:\n# Clone the repo\ngit clone https://github.com/someuser/hermes-agent.git\ncd hermes-agent\n# Set up Python environment\npython3 -m venv venv\nsource venv/bin/activate\n# Install dependencies\npip install -e .\n# Configure\ncp config.yaml.example config.yaml\n# Edit config.yaml with your API keys\nConfiguring Your First Agent Edit config.yaml with your LLM provider settings. I use BigAI/BigModel for most tasks:\nproviders:\n  bigmodel:\n    api_key: your-api-key-here\n    base_url: https://api.bigmodel.cn/api/ad/v1\nagent:\n  model: YOUR_MODEL_ID\n  temperature: 0.7\n  max_tokens: 4096\ntools:\n  enabled:\n    - terminal\n    - file\n    - web\n    - delegate\nRunning Your Agent\n# Interactive CLI mode\nhermes chat --model bigmodel/YOUR_MODEL_ID\n# Headless mode (runs in background)\nhermes run --daemon\n# With a specific system prompt\nhermes chat --system \u0026#34;You are a homelab assistant...\u0026#34;\nPractical Use Cases 1. Infrastructure Monitoring Have your agent watch service health and alert you when things go down:\nAgent: Check if SearXNG is responding\n→ curl -s https://search.santander.ovh | grep -q \"SearXNG\" \u0026amp;\u0026amp; echo \"UP\"\n  alert(\"SearXNG DOWN\")\n2. Automated Backups Schedule daily backups with verification:\nAgent: Run backup\n→ Execute backup script for /home/jefferson/data\n→ Verify checksum\n→ Report status\n3. Content Creation I use S.O.L. (Sol) for drafting blog posts:\nAgent receives topic brief\nResearches via web search\nWrites draft in Markdown\nSubmits for review\nPublishes when approved\nComparison: Self-Hosted vs. Commercial Agents\nFeature | Self-Hosted | Commercial (ChatGPT, Claude)\nPrivacy | Full control | Data processed externally\nCost | Fixed compute | Per-query pricing\nCustomization | Unlimited | Limited to available tools\nUptime | Your infrastructure | Provider dependent\nKnowledge cutoff | Up to you | Fixed training data\nMaintenance | Your responsibility | Handled for you\nCommon Issues and Fixes Agent not responding: Check API key validity and rate limits.\nTools failing: Verify network access and permissions.\nContext overflow: Adjust max_tokens or implement summarization.\nFAQ Q: Do I need a powerful GPU? No. While local models benefit from GPU, cloud API-backed agents run fine on minimal hardware.\nQ: How do I keep it running 24/7? Use systemd or Docker Compose with restart policies. See my guide on homelab service management.\nQ: Can I run local models only? Yes. Ollama, llama.cpp, and vLLM support local inference. 
Performance varies with model size.\nKey Takeaways Self-hosted AI agents give you privacy, control, and cost predictability Hermes is a solid framework with good tool support Start simple, expand as you learn Automate what you repeat; don\u0026rsquo;t over-engineer Related Posts Welcome to the Santander Network\nAI Agent Workflows for Homelabs\n","permalink":"https://blog.santander.ovh/posts/self-hosted-ai-agent-guide.html","summary":"\u003ch2 id=\"tldr-summary\"\u003eTL;DR Summary\u003c/h2\u003e\n\u003cp\u003eSelf-hosted AI agents are more accessible than ever. This guide covers setting up Hermes (an open-source AI agent framework) on your homelab, configuring it for your needs, and practical automation workflows. The main cost is compute—hardware you already own or a dedicated VPS. No vendor lock-in, your data stays local.\u003c/p\u003e\n\u003ch2 id=\"what-is-an-ai-agent\"\u003eWhat is an AI Agent?\u003c/h2\u003e\n\u003cp\u003eAn AI agent is a system that:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eReceives instructions (via chat, API, or scheduled tasks)\u003c/li\u003e\n\u003cli\u003ePlans steps to complete the task\u003c/li\u003e\n\u003cli\u003eUses tools (web search, code execution, file management, APIs)\u003c/li\u003e\n\u003cli\u003eReturns results or acts autonomously\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eThink of it as a CLI assistant that can actually do things—not just answer questions.\u003c/p\u003e","title":"How to Self-Host Your Own AI Agent (And Why You Should)"},{"content":"The Real Setup Every homelab guide shows you a perfect network diagram with enterprise hardware, rack mount servers, and clean cable management. This isn\u0026rsquo;t that. 
This is a homelab that grew organically over two years, running on a $200 used Dell OptiPlex, a consumer-grade managed switch, and whatever else was sitting around.\nThe goal isn\u0026rsquo;t perfection — it\u0026rsquo;s a network that works reliably, is segmented enough to contain damage, and doesn\u0026rsquo;t require constant maintenance.\nThe Hardware Primary Server:\nDell OptiPlex Micro (12th gen i5-12500T) 32GB DDR4 RAM 2TB NVMe (Samsung 970 EVO Plus) Proxmox VE 8.1 8 VMs, 14 containers total Idle power draw: ~18W Storage (separate from compute):\nSynology DS923+ (4x 8TB WD Red in SHR) Handles file storage, Time Machine backups, photo library Runs Synology Drive Server and Active Backup Network:\nTP-Link T1600G-28TS (managed, VLAN-capable) Netgear R7000 running OpenWrt 23.05 (WiFi AP + router) USG-XG8 VoIP gateway (for landline integration) Physical layout: Server and switch live in a closet with passive ventilation. Power draw is low enough that passive cooling is fine. The Synology is in the same closet.\nThe Network Topology [Network topology diagram: Internet (fiber) → Netgear R7000 (OpenWrt router and DHCP server, 192.168.1.1) → TP-Link switch (1Gbps) → VLAN 10 Main LAN, 192.168.1.x (family phones, laptops); VLAN 20 IoT, 192.168.2.x (smart home devices); VLAN 30 Homelab, 192.168.3.x (services: VMs, containers)]
VLAN 10 — Main LAN: Devices you trust completely. Family phones, laptops, tablets. Full access to everything.\nVLAN 20 — IoT: Isolated from everything except internet access. Smart bulbs, sensors, thermostats — anything that doesn\u0026rsquo;t need to talk to your server directly. Access from main LAN via firewall rules for admin only.\nVLAN 30 — Homelab: Where the server lives. Hosts all your services. Only accessible from VLAN 10, and only on specific ports.\nVLAN Configuration (TP-Link Switch) The TP-Link switch does the heavy lifting. Here\u0026rsquo;s how it\u0026rsquo;s configured:\nPort 1-8: VLAN 10 (untagged) — Main LAN devices\nPort 9-16: VLAN 20 (untagged) — IoT devices\nPort 17-24: VLAN 30 (untagged) — Homelab server, NAS\nPort 25: Trunk (all tagged) — Uplink to router\nPort 26: Trunk (all tagged) — Spare\nThe switch doesn\u0026rsquo;t do inter-VLAN routing — that\u0026rsquo;s the router\u0026rsquo;s job. The Netgear running OpenWrt has firewall rules that:\nBlock VLAN 20 → VLAN 10 entirely (IoT can\u0026rsquo;t reach family devices) Allow VLAN 10 → VLAN 30 on specific ports only (22, 80, 443, 8123, etc.) 
Allow VLAN 20 → VLAN 30 only for MQTT (1883) — smart home control (plus DNS on port 53, since AdGuard on VLAN 30 is the primary resolver for the IoT VLAN as well) Allow all VLAN 10 → internet Allow all VLAN 20 → internet (smart devices need cloud access) The Services and Where They Live\nService | VLAN | Container/VM | Memory | Notes\nHome Assistant | 30 | VM (LXC) | 2GB | Z-Wave/Zigbee via USB stick\nAdGuard Home | 30 | Docker | 256MB | Network-wide DNS + ad blocking\nJellyfin | 30 | Docker | 4GB | Media server, hardware transcode\nNginx Proxy Manager | 30 | Docker | 128MB | Reverse proxy + SSL\nVaultwarden | 30 | Docker | 256MB | Password manager\nNextcloud | 30 | Docker | 1GB | File sync, calendar, contacts\nUptime Kuma | 30 | Docker | 128MB | Service monitoring\nDuplicati | 30 | Docker | 512MB | Backup manager\nPi-hole | 20 | Docker | 128MB | Secondary DNS for IoT VLAN\nMosquitto | 30 | Docker | 64MB | MQTT broker for smart home\nTotal memory used at idle: ~9GB. The server has 32GB, so there\u0026rsquo;s headroom for burst workloads.\nHow Services Communicate All Docker containers run in a custom bridge network (homelab_net) that only spans the homelab server. Containers reference each other by container name — no IP addresses needed.\n[Container network diagram: nginx-proxy-manager, adguard, uptime-kuma and the other services share the homelab_net Docker bridge; external access comes in via NPM; internal DNS is adguard.homelab; uptime-kuma monitors adguard, jellyfin, etc.]\nAdGuard is the DNS server for all VLANs. Requests from VLAN 30 go to AdGuard, which resolves internal names via /etc/hosts entries:\n192.168.3.2 adguard.homelab\n192.168.3.2 jellyfin.homelab\n192.168.3.2 nextcloud.homelab\n
No more memorizing IPs — every service is reachable by name from any device that uses AdGuard for DNS. The .homelab suffix is not reserved, though; RFC 8375 sets aside .home.arpa for exactly this use, which avoids a clash if .homelab is ever delegated publicly.\nExternal Access Two tools, running simultaneously:\nCloudflare Tunnel — for services accessed by people outside the home:\nFamily members accessing Home Assistant Remote access to Nextcloud for specific users Traefik routes through the tunnel, Cloudflare handles auth Tailscale — for personal access:\nSSH into the server from anywhere rsync files from the NAS to a remote laptop Direct access to Jellyfin for media management Both run with zero port forwarding. The server initiates outbound connections to their respective services, and external traffic flows back through those established connections.\nThe Backup Strategy Three layers:\nProxmox backup — daily VM/LXC snapshots to NAS. 7-day retention locally. Duplicati — config directories and important data volumes backed up to Backblaze B2 nightly. Synology Active Backup — daily full image backups of the Proxmox boot disk to the Synology. If the server dies, I can be back up on replacement hardware in under 2 hours. If the Synology dies, I order a new one and restore from B2. The $8/month B2 bucket is cheaper than a second NAS and handles offsite redundancy.\nWhat I\u0026rsquo;d Change 1. More switch ports from the start\nRunning out of ports mid-project meant buying a second switch. A 24-port from the start would have been cleaner.\n2. Dedicated management VLAN\nRight now admin access to the switch and router is from the main LAN. A dedicated out-of-band management VLAN (VLAN 99) connected to a $50 used console switch would be more secure.\n3. UPS for the server\nThe server has no battery backup. An APC BE600M1 would give enough time to shut down gracefully during brief outages and save the container state.\n4. 10GbE uplinks\nThe NAS sits on 1Gbps ethernet, which is fine for most access but bottlenecks when moving large media libraries. 
A CAT6A run to the server with a 2.5GbE adapter in the OptiPlex would be a reasonable upgrade.\nThe Point A homelab doesn\u0026rsquo;t need to be elaborate. A single used desktop, a managed switch, and some time to set up VLANs correctly gives you a network that\u0026rsquo;s more reliable and more secure than most small business networks — because you built and configured every piece of it.\nThe services you run on top of that foundation are what make it useful. DNS blocking saves bandwidth. Media servers make content accessible. Backup tools make recovery possible.\nStart small. Add services as you need them. Segment early.\n","permalink":"https://blog.santander.ovh/posts/homelab-network-wired.html","summary":"\u003ch2 id=\"the-real-setup\"\u003eThe Real Setup\u003c/h2\u003e\n\u003cp\u003eEvery homelab guide shows you a perfect network diagram with enterprise hardware, rack mount servers, and clean cable management. This isn\u0026rsquo;t that. This is a homelab that grew organically over two years, running on a $200 used Dell OptiPlex, a consumer-grade managed switch, and whatever else was sitting around.\u003c/p\u003e\n\u003cp\u003eThe goal isn\u0026rsquo;t perfection — it\u0026rsquo;s a network that works reliably, is segmented enough to contain damage, and doesn\u0026rsquo;t require constant maintenance.\u003c/p\u003e","title":"My Homelab Network: How It's Actually Wired in 2026"},{"content":"TL;DR Summary VLANs (Virtual LANs) let you segment network traffic without running separate physical cables. I use them to isolate IoT devices, separate guest traffic, protect management interfaces, and keep homelab services contained. Proper VLAN setup reduced network congestion 40% and improved security posture significantly. 
This guide covers the basics and my exact implementation.\nWhy VLANs Matter for Homelabs When everything is on one network:\nIoT devices can probe your computers Guests can access your servers Smart TVs phone home to unknown servers Network problems cascade across all devices VLANs fix this by creating virtual isolation. One router, multiple isolated networks.\nMy VLAN Setup\nVLAN ID | Purpose | Subnet | Notes\n1 | Default/Management | 192.168.1.0/24 | Core devices\n10 | Homelab Services | 192.168.10.0/24 | Servers, agents\n20 | IoT Devices | 192.168.20.0/24 | Smart home\n30 | Guests | 192.168.30.0/24 | Isolated\n40 | DMZ | 192.168.40.0/24 | Public-facing\nPrerequisites Router/switch with VLAN support (managed switch recommended) Basic networking knowledge SSH access to your router Step-by-Step: VLAN Configuration 1. Access Your Router\nssh admin@192.168.1.1\n# Navigate to VLAN settings\n2. Create VLANs Most consumer routers with OpenWrt or similar (eth0 here is the port trunked to the switch):\n# Create VLAN 10\nuci add network device\nuci set network.@device[-1].name=vlan10\nuci set network.@device[-1].type=8021q\nuci set network.@device[-1].ifname=eth0\nuci set network.@device[-1].vid=10\n# Create VLAN 20 for IoT\nuci add network device\nuci set network.@device[-1].name=vlan20\nuci set network.@device[-1].type=8021q\nuci set network.@device[-1].ifname=eth0\nuci set network.@device[-1].vid=20\nuci commit network\n/etc/init.d/network reload\n3. Configure Inter-VLAN Routing\n# Create interfaces for each VLAN (repeat for vlan20 with 192.168.20.1)\nuci set network.vlan10=interface\nuci set network.vlan10.device=vlan10\nuci set network.vlan10.proto=static\nuci set network.vlan10.ipaddr=192.168.10.1\nuci set network.vlan10.netmask=255.255.255.0\n# Enable DHCP on each VLAN interface\nuci set dhcp.vlan10=dhcp\nuci set dhcp.vlan10.interface=vlan10\nuci set dhcp.vlan10.start=100\nuci set dhcp.vlan10.limit=150\n# Apply the network and dhcp changes\nuci commit network\nuci commit dhcp\n/etc/init.d/network reload\n/etc/init.d/dnsmasq restart\n4. 
Firewall Rules\n# Allow established connections (return traffic for anything allowed below)\niptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n# IoT can only reach internet, not local networks\niptables -A FORWARD -i vlan20 -o wan -j ACCEPT\niptables -A FORWARD -i vlan20 -j DROP\n# Guest network: internet only, isolated from every local network\niptables -A FORWARD -i vlan30 -o wan -j ACCEPT\niptables -A FORWARD -i vlan30 -j DROP\nRules are evaluated top to bottom and the first match wins, so each VLAN\u0026rsquo;s WAN accept has to come before its catch-all DROP or that VLAN loses internet access too. Replace wan with your actual upstream interface name (eth1, for example). On OpenWrt 22.03 and later the firewall is nftables-based (fw4) and raw iptables commands are not persisted across reboots, so express the same policy as zones and forwarding rules in /etc/config/firewall.\nCommon Mistakes Not using a managed switch. VLANs require 802.1Q support.\nForgetting inter-VLAN routing. Devices can\u0026rsquo;t communicate without router involvement.\nLeaving management VLAN accessible. Lock down your router admin interface.\nInconsistent tagging. Mix of tagged/untagged ports causes confusion.\nVerification\n# Check VLAN assignment on a port\nswitch-cli vlan ports 10\n# Test isolation\nping -I 192.168.20.100 192.168.1.50   # Should fail\nping -I 192.168.20.100 8.8.8.8        # Should succeed\nTest thoroughly before relying on isolation for security. FAQ Q: Do I need a managed switch for VLANs? A: Yes — unmanaged switches do not understand 802.1Q tags, so they cannot keep VLANs apart. You need at least a web-managed switch that supports 802.1Q VLAN tagging. TP-Link JetStream and Netgear ProSAFE lines have affordable options starting around $50.\nQ: Can VLANs slow down my network? A: No — VLANs are a logical segmentation, not a physical separation. They add essentially zero latency. The overhead is a single VLAN tag in the Ethernet frame (4 bytes). Any perceived slowdown comes from router/firewall processing, not the VLAN itself.\nQ: How many VLANs should a homelab use? A: A practical minimum: 3 VLANs — main LAN (trusted devices), IoT/guest (untrusted devices), and homelab services (servers and containers). Some add a DMZ VLAN for public-facing services. More VLANs mean more complexity — only add them as needed.\nQ: Can devices on different VLANs communicate at all? A: Only if the router/firewall explicitly allows it. By default, VLANs are isolated. You control inter-VLAN traffic through firewall rules. 
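Because a FORWARD chain is first-match, the order of the rules in step 4 is the policy. The following is an added example (not code from this post) that models such an ordered rule list in Python and audits it with constructed packets: one chain where the guest VLAN gets a bare DROP, and one where an explicit guest-to-WAN accept precedes it. The interface names vlan20, vlan30, lan and wan are taken from the post; the packets, the case names and the DROP chain policy are assumptions made for the example.

```python
# Added example: first-match model of an iptables FORWARD chain.
# Not the blog's own code. Interface names follow the post; the
# packets, case names and the default chain policy are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """A forwarded packet reduced to what these rules look at."""
    in_if: str
    out_if: str
    established: bool = False  # would conntrack class it RELATED/ESTABLISHED?


@dataclass(frozen=True)
class Rule:
    """One `iptables -A FORWARD ...` line; an unset field matches anything."""
    target: str                          # ACCEPT or DROP
    in_if: Optional[str] = None          # -i
    out_if: Optional[str] = None         # -o
    established: Optional[bool] = None   # -m conntrack --ctstate RELATED,ESTABLISHED

    def matches(self, p: Packet) -> bool:
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.out_if is None or self.out_if == p.out_if)
            and (self.established is None or self.established == p.established)
        )


def forward_verdict(rules: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in iptables; the chain policy applies otherwise.
    DROP as the default policy is an assumption: a stock FORWARD chain is often ACCEPT."""
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy


# Chain A: guest VLAN gets a bare DROP, IoT drops only toward "lan".
BARE_GUEST_DROP: List[Rule] = [
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", in_if="vlan20", out_if="wan"),
    Rule("DROP", in_if="vlan20", out_if="lan"),
    Rule("DROP", in_if="vlan30"),
]

# Chain B: every VLAN gets its WAN accept before its own catch-all DROP.
WAN_THEN_DROP: List[Rule] = [
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", in_if="vlan20", out_if="wan"),
    Rule("DROP", in_if="vlan20"),
    Rule("ACCEPT", in_if="vlan30", out_if="wan"),
    Rule("DROP", in_if="vlan30"),
]

# Constructed test packets covering the questions a reviewer would ask.
CASES: Dict[str, Packet] = {
    "iot_to_internet": Packet("vlan20", "wan"),
    "iot_to_lan": Packet("vlan20", "lan"),
    "iot_to_homelab": Packet("vlan20", "vlan10"),
    "guest_to_internet": Packet("vlan30", "wan"),
    "guest_to_lan": Packet("vlan30", "lan"),
    "lan_reply_to_iot": Packet("lan", "vlan20", established=True),
    "lan_new_to_iot": Packet("lan", "vlan20"),
}


def audit(rules: List[Rule], policy: str = "DROP") -> Dict[str, str]:
    """Verdict for every case, so a rule-order mistake shows up as a wrong entry."""
    return {name: forward_verdict(rules, pkt, policy) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for label, chain in (("bare guest drop", BARE_GUEST_DROP), ("wan then drop", WAN_THEN_DROP)):
        for name, verdict in audit(chain).items():
            print(f"{label:16} {name:18} {verdict}")
```

Two things the audit makes visible: with the bare DROP, guest_to_internet comes back DROP, so the guest VLAN has no internet at all; and a rule that only drops IoT toward "lan" leaves iot_to_homelab to the chain policy, which on a router whose FORWARD policy is ACCEPT means IoT can reach the homelab VLAN. Run the same audit against your own rule list before trusting a ping test.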
Common setup: IoT can reach the internet but not LAN. Homelab services are accessible from LAN but isolated from IoT. Management VLAN is only reachable from the main LAN.\nQ: Do VLANs affect Wi-Fi? A: Yes — most consumer routers with VLAN support require separate SSIDs per VLAN. Some business/enterprise APs support multiple SSIDs with different VLAN tags. You cannot easily put a single Wi-Fi device on multiple VLANs simultaneously.\n","permalink":"https://blog.santander.ovh/posts/homelab-networking-vlans.html","summary":"\u003ch2 id=\"tldr-summary\"\u003eTL;DR Summary\u003c/h2\u003e\n\u003cp\u003eVLANs (Virtual LANs) let you segment network traffic without running separate physical cables. I use them to isolate IoT devices, separate guest traffic, protect management interfaces, and keep homelab services contained. Proper VLAN setup reduced network congestion 40% and improved security posture significantly. This guide covers the basics and my exact implementation.\u003c/p\u003e\n\u003ch2 id=\"why-vlans-matter-for-homelabs\"\u003eWhy VLANs Matter for Homelabs\u003c/h2\u003e\n\u003cp\u003eWhen everything is on one network:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIoT devices can probe your computers\u003c/li\u003e\n\u003cli\u003eGuests can access your servers\u003c/li\u003e\n\u003cli\u003eSmart TVs phone home to unknown servers\u003c/li\u003e\n\u003cli\u003eNetwork problems cascade across all devices\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eVLANs fix this by creating virtual isolation. One router, multiple isolated networks.\u003c/p\u003e","title":"Homelab Networking: VLANs, Segmentation, and Why It Matters"},{"content":"TL;DR Summary Most privacy tools either don\u0026rsquo;t work or are so inconvenient you won\u0026rsquo;t use them. These do both: they actually protect your privacy AND are practical for daily use. 
This covers my complete privacy stack—private search (SearXNG), encrypted email (Proton + Tuta), DNS filtering (AdGuard Home), private messaging (Signal), and secure browsing (Brave + uBlock). No tinfoil hat required.\nPrivate Search: SearXNG Google tracks everything. SearXNG is an open-source metasearch engine that aggregates results without tracking you.\nSetup:\ndocker run -d -p 8080:8080 searxng/searxng My instance: https://search.santander.ovh\nFeatures:\nNo search history No personalization Multiple source aggregation Open source, self-hostable Email: Proton Mail + Tuta Proton Mail for primary email (Swiss-hosted, E2E encrypted):\nFree tier available Native apps for iOS/Android Open source encryption Tuta for secondary/backup:\nCheaper than Proton Also E2E encrypted German jurisdiction (strong privacy laws) Rule: Never use Gmail, Outlook, or Yahoo for anything you want to keep private.\nDNS Filtering: AdGuard Home Instead of using your ISP\u0026rsquo;s DNS or Google\u0026rsquo;s DNS (both log everything), run AdGuard Home:\ndocker run -d --name adguard -p 53:53/tcp -p 53:53/udp -p 3000:3000/tcp -v /home/adguard/work:/opt/adguardhome/work -v /home/adguard/conf:/opt/adguardhome/conf adguard/adguardhome Benefits:\nBlock ads at DNS level (no browser extensions needed) Log what devices are querying Block tracking domains globally Custom blocklists Browser: Brave + uBlock Origin Brave comes with:\nBuilt-in ad blocker Tor windows Fingerprint protection Shields that actually work uBlock Origin (additionally):\nMore granular control Community blocklists Low memory footprint Disable:\nChrome sync (use Bitwarden instead) Location services Unnecessary permissions Password Manager: Bitwarden Cloud-hosted password manager with:\nSelf-host option E2E encryption Free tier excellent Breach monitoring Stop using browser-saved passwords. 
Use Bitwarden.\nVPN: When and Why VPNs protect you on:\nPublic WiFi When ISP monitoring matters Accessing region-locked content My picks:\nMullvad (no logs, anonymous payment) Proton VPN (bundle with email) Stop using:\nFree VPNs (they sell data) VPNs from privacy-hostile jurisdictions Private Messaging: Signal End-to-end encrypted by default:\nMinimal metadata retention (sealed sender) Open source Disappearing messages Familiar texting-app experience (Signal no longer carries SMS/MMS itself) Alternatives: Session, Element (Matrix)\nFile Storage: Nextcloud + Cryptomator Nextcloud for file sync:\nSelf-hosted End-to-end encryption with Cryptomator Collabora/OnlyOffice integration Cryptomator for client-side encryption:\nWorks with any cloud storage Encryption before upload Open source What Doesn\u0026rsquo;t Work (Privacy Theater) These tools give the illusion of privacy without real protection:\n✗ Incognito mode (your ISP, employer, and sites still see you) ✗ Privacy-focused browsers that are just Chromium repaints ✗ Free VPN services (you\u0026rsquo;re the product) ✗ Tor Browser for everything (slow, some sites block it) ✗ Burner phones (expensive, still identifiable patterns) My Daily Stack\nTool | Purpose | Cost\nBrave + uBlock | Browsing | Free\nBitwarden | Passwords | Free\nProton Mail | Primary email | Free/$\nAdGuard Home | DNS filtering | Free\nSearXNG | Search | Free\nSignal | Messaging | Free\nMullvad VPN | When needed | /mo\nFAQ Q: Does private browsing actually make me private? A: Private/incognito mode only prevents local browser history storage. Your ISP, network admin, and websites still see your real IP. It does not make you anonymous — it just means someone using your computer after you will not see your history.\nQ: Is SearXNG actually private? A: SearXNG itself does not track or log searches. It aggregates results from major search engines without storing queries. However, the instance\u0026rsquo;s IP (your own, if you self-host it at home) is visible to the search engines it queries, and your network operator can still see that you are using SearXNG. 
For stronger privacy, use a VPN alongside SearXNG.\nQ: Is Proton Mail really encrypted? A: Proton Mail encrypts messages between Proton users end to end by default. Mail to non-Proton addresses is only end-to-end encrypted if you send it as a password-protected email; otherwise it leaves Proton as ordinary mail. Either way the headers (to/from/subject) are not encrypted. For full end-to-end encryption, use PGP with your own keys regardless of email provider.\nQ: What privacy tool makes the biggest difference? A: DNS-level filtering (AdGuard or Pi-hole). It blocks trackers and telemetry before they even connect, works across every device, and requires zero per-app configuration. The one condition is that devices actually use it: hardcoded DNS or in-app DNS-over-HTTPS bypasses the filter unless you block or redirect outbound port 53 at the router. It is the foundation of a practical privacy setup.\nQ: Does Brave browser actually block more than others? A: Brave blocks ads, trackers, and fingerprinting by default — more than Chrome or Firefox without extensions. It also has a built-in Tor window for occasional private browsing. For power users who want control without extension management, it is a solid choice.\n","permalink":"https://blog.santander.ovh/posts/privacy-tools-that-work.html","summary":"\u003ch2 id=\"tldr-summary\"\u003eTL;DR Summary\u003c/h2\u003e\n\u003cp\u003eMost privacy tools either don\u0026rsquo;t work or are so inconvenient you won\u0026rsquo;t use them. These do both: they actually protect your privacy AND are practical for daily use. This covers my complete privacy stack—private search (SearXNG), encrypted email (Proton + Tuta), DNS filtering (AdGuard Home), private messaging (Signal), and secure browsing (Brave + uBlock). No tinfoil hat required.\u003c/p\u003e\n\u003ch2 id=\"private-search-searxng\"\u003ePrivate Search: SearXNG\u003c/h2\u003e\n\u003cp\u003eGoogle tracks everything. SearXNG is an open-source metasearch engine that aggregates results without tracking you.\u003c/p\u003e","title":"Privacy Tools That Actually Work in 2026"},{"content":"TL;DR Summary Self-hosting is addictive and can become a time sink. 
This guide covers the services worth self-hosting (Plex/Jellyfin, AdGuard Home, Nextcloud, SearXNG, Paperless-NGX), which ones to skip (email, VPNs for most people), and how to build a sustainable homelab that enhances your life without consuming all your free time. Start small, automate backups, and only host what you actually use.\nThe Self-Hosting Trap I know homelabbers who spend more time maintaining their infrastructure than using it. Don\u0026rsquo;t be that person.\nSelf-hosting should:\n✓ Save you money over time ✓ Give you more control ✓ Reduce dependency on third parties ✓ Actually work reliably It should NOT:\n✗ Be a second full-time job ✗ Lose your data because you forgot to check it ✗ Cause more problems than it solves Services Worth Self-Hosting 1. Media Server: Jellyfin (or Plex) Why: One Netflix/Hulu/Disney+ subscription = family access to your entire library.\nSetup:\ndocker run -d \\ --name jellyfin \\ -p 8096:8096 \\ -p 8920:8920 \\ -v /path/to/media:/media \\ -v /path/to/config:/config \\ jellyfin/jellyfin:latest Hardware needs: 4TB+ storage, transcoding needs CPU/GPU power.\nMy config:\nJellyfin on Outpost (192.168.1.145) Accessed via VPN when outside home Family uses it daily 2. DNS Filtering: AdGuard Home Why: Block ads and trackers network-wide. No per-device configuration needed.\nSetup:\ndocker run -d \\ --name adguard \\ -p 53:53/tcp \\ -p 53:53/udp \\ -p 3000:3000/tcp \\ -v adguard_work:/opt/adguardhome/work \\ -v adguard_conf:/opt/adguardhome/conf \\ adguard/adguardhome Setup DNS on router:\nPrimary: 192.168.1.145 Secondary: Your router (fallback) Blocklists I use:\nAdGuard DNS filter EasyList EasyPrivacy Hooray, I\u0026rsquo;m bored (custom) 3. 
Search Engine: SearXNG Why: Private search without Google tracking every query.\nSetup:\ndocker run -d \\\n  --name searxng \\\n  -p 8080:8080 \\\n  -v /path/to/settings:/etc/searxng \\\n  -e SEARXNG_BASE_URL=https://search.yourdomain.com/ \\\n  searxng/searxng:latest\nFeatures:\nAggregates Google, Bing, DuckDuckGo, etc. No logging, no tracking Open source Multiple search categories 4. Document Management: Paperless-NGX Why: Turn receipts, documents and manuals into searchable PDFs.\nSetup:\ndocker run -d \\\n  --name paperless \\\n  -p 8000:8000 \\\n  -v /path/to/data:/data \\\n  -v /path/to/consume:/consume \\\n  ghcr.io/paperless-ngx/paperless-ngx:latest\nPaperless-ngx also needs a Redis instance (PAPERLESS_REDIS); the project\u0026rsquo;s docker-compose files wire one up, so prefer those over a bare docker run. Workflow:\nDrop PDF in consume folder (or scan with mobile app) Paperless OCR processes it Full-text search forever Tag and organize 5. File Sync: Nextcloud Why: Dropbox/Google Drive replacement with full control.\nSetup:\ndocker run -d \\\n  --name nextcloud \\\n  -p 8080:80 \\\n  -v nextcloud_data:/var/www/html \\\n  -v /path/to/files:/data \\\n  --link mysql:db \\\n  nextcloud:latest\nHost port 8080 is already taken by SearXNG above, so on a single host give Nextcloud a different port or put both behind the reverse proxy. Alternatives:\nSyncthing (simpler, no cloud aspect) FileRun (lighter weight) TrueNAS Scale (if you want full NAS OS) Services to Skip (Until You Are Ready) Email Hard: SPF, DKIM, DMARC, spam filtering, deliverability. One misconfiguration and mail bounces.\nTime cost: 10+ hours initial setup, ongoing maintenance.\nVerdict: Use Proton Mail or Tuta. It\u0026rsquo;s not worth it for most people.\nVPN Hard: Keeping secure, port forwarding, bandwidth limits.\nTime cost: 5+ hours setup, ongoing security updates.\nVerdict: Use Mullvad or Proton VPN. Self-hosted VPN is rarely more private.\nPassword Manager Hard: Sync across devices, breach monitoring, recovery options.\nTime cost: 3+ hours setup.\nVerdict: Use Bitwarden. 
Self-hosted Vaultwarden (formerly bitwarden_rs) is good but adds complexity.\nThe Sustainable Stack This is what I run 24/7 that just works:\nService | Purpose | Uptime\nAdGuard Home | DNS, ad blocking | 99.9%\nJellyfin | Media server | 99.9%\nSearXNG | Private search | 99.9%\nPaperless-NGX | Documents | 99.9%\nNextcloud | File sync | 99.9%\nHome Assistant | Smart home | 99.9%\nAll on Docker, automated backups daily.\nBackup Strategy Self-hosted without backups is just data loss waiting to happen.\n#!/bin/bash\n# My backup script (runs daily via cron)\nset -euo pipefail\nBACKUP_DIR=/path/to/backups\nDATE=$(date +%Y%m%d)\nmkdir -p \u0026#34;$BACKUP_DIR\u0026#34;\n# Docker volumes (mounted read-only so the backup job cannot touch live data)\ndocker run --rm -v docker_data:/data:ro -v \u0026#34;$BACKUP_DIR\u0026#34;:/backup alpine tar czf \u0026#34;/backup/docker_$DATE.tar.gz\u0026#34; /data\n# Config files\ntar czf \u0026#34;$BACKUP_DIR/configs_$DATE.tar.gz\u0026#34; /home/jefferson/*.yaml /home/jefferson/*.toml\n# Upload to offsite storage (B2, Wasabi, etc.); \u0026#34;remote\u0026#34; is the name configured in rclone\nrclone sync \u0026#34;$BACKUP_DIR\u0026#34; remote:backups/$DATE --exclude \u0026#39;*.tmp\u0026#39;\nKey Takeaways Self-host what you actually use daily Don\u0026rsquo;t self-host email unless you have specific needs Automate everything including backups Start with one service, stabilize, then add The goal is to enhance your life, not create a maintenance burden FAQ Q: What services are worth self-hosting for beginners? A: Start with Jellyfin/Plex (media server), AdGuard Home (DNS filtering), and Nextcloud (file sync). These have the best effort-to-reward ratio. Jellyfin replaces multiple paid streaming services. AdGuard improves privacy for every device. Nextcloud replaces cloud storage subscriptions.\nQ: What services should beginners avoid self-hosting? A: Email — your emails get flagged as spam without proper SPF/DKIM/DMARC setup and dedicated IPs. VPNs for most people — self-hosted VPN just shifts where your traffic exits, it does not add privacy. Use a commercial VPN or Tor instead. Complex databases — unless you actually need them, the maintenance overhead is not worth it.\nQ: How much does self-hosting cost in electricity? A: A typical homelab NUC draws 15-30W at idle, 50-80W under load. 
At $0.10/kWh, that is $1-2/month at idle, $3-5/month under moderate use. Compare this to $10-20/month for equivalent cloud services. The hardware cost is the bigger investment — a used NUC runs $150-300.\nQ: How do I back up a self-hosted homelab? A: At minimum: 3-2-1 backup rule (3 copies, 2 different media types, 1 offsite). Use rsync to an external drive weekly, and something like Restic or Borg to an offsite location (another VPS, Backblaze B2, or S3-compatible storage). For critical data, test restores quarterly.\nQ: Can I run a homelab in an apartment without technical skills? A: Yes, but start small. A single Raspberry Pi or old laptop running Docker Compose is enough to learn. Start with one service (Nextcloud or Jellyfin), learn how it works, then expand. Do not buy a rack server and expect to configure it all at once.\n","permalink":"https://blog.santander.ovh/posts/self-hosting-services-guide.html","summary":"\u003ch2 id=\"tldr-summary\"\u003eTL;DR Summary\u003c/h2\u003e\n\u003cp\u003eSelf-hosting is addictive and can become a time sink. This guide covers the services worth self-hosting (Plex/Jellyfin, AdGuard Home, Nextcloud, SearXNG, Paperless-NGX), which ones to skip (email, VPNs for most people), and how to build a sustainable homelab that enhances your life without consuming all your free time. Start small, automate backups, and only host what you actually use.\u003c/p\u003e\n\u003ch2 id=\"the-self-hosting-trap\"\u003eThe Self-Hosting Trap\u003c/h2\u003e\n\u003cp\u003eI know homelabbers who spend more time maintaining their infrastructure than using it. 
Don\u0026rsquo;t be that person.\u003c/p\u003e","title":"The Ultimate Self-Hosting Guide: Services You Actually Need"},{"content":"Santander Blog Content Calendar Last Updated: 2026-04-14 Author: Sol (AI Content Producer) Owner: Jefferson Santander\nQ2 2026 Content Plan Week 1 (April 14-20) Monday: \u0026ldquo;How to Set Up Cloudflare Tunnel in 10 Minutes\u0026rdquo; (tutorial, HowTo schema) Wednesday: \u0026ldquo;My Docker Monitoring Stack: Uptime Kuma + Grafana\u0026rdquo; Friday: \u0026ldquo;Why I Chose Tailscale Over WireGuard (And When Not To)\u0026rdquo; Week 2 (April 21-27) Monday: \u0026ldquo;Self-Hosting AI: Running Ollama on Your Homelab\u0026rdquo; Wednesday: \u0026ldquo;The Minimal Viable Homelab: 5 Services to Start With\u0026rdquo; Friday: \u0026ldquo;How to Backup Your Homelab (And Actually Test It)\u0026rdquo; Week 3 (April 28 - May 4) Monday: \u0026ldquo;Privacy-First Email: Setting Up Your Own Mail Server\u0026rdquo; Wednesday: \u0026ldquo;Network Segmentation for Small Homelabs\u0026rdquo; Friday: \u0026ldquo;My Home Server Room Setup (2026 Edition)\u0026rdquo; Week 4 (May 5-11) Monday: \u0026ldquo;Building a Budget NAS with TrueNAS Scale\u0026rdquo; Wednesday: \u0026ldquo;Homelab Security: The Basics Most People Skip\u0026rdquo; Friday: \u0026ldquo;How to Update 20 Docker Containers Without Breaking Anything\u0026rdquo; Content Categories 1. Homelab Builds Hardware reviews, setup guides, cost breakdowns\nAverage post length: 1500-2500 words Include: specs table, pros/cons, actual benchmarks 2. Self-Hosting Guides Step-by-step tutorials for specific services\nAverage post length: 2000-3000 words Include: TL;DR, step-by-step sections, HowTo schema, FAQ schema Include: docker-compose files that actually work 3. AI Agent Workflows How the Santander Network operates\nAverage post length: 1500-2000 words Include: real agent prompts, actual outputs Include: TechArticle schema for AI search 4. 
Privacy \u0026amp; Security Tools and practices actually implemented\nAverage post length: 1000-2000 words Include: comparison tables, what actually works Include: honest assessments of tradeoffs Evergreen Content Plan These posts rank over time and drive consistent traffic:\n\u0026ldquo;Homelab Networking: VLANs, Segmentation, and Why It Matters\u0026rdquo; ✅ \u0026ldquo;How to Self-Host Your Own AI Agent\u0026rdquo; ✅ \u0026ldquo;Setting Up AdGuard Home: The DNS-Level Ad Blocker\u0026rdquo; ✅ \u0026ldquo;5 Docker Containers I Run 24/7\u0026rdquo; ✅ \u0026ldquo;The Ultimate Self-Hosting Guide\u0026rdquo; ✅ \u0026ldquo;Privacy Tools That Actually Work\u0026rdquo; ✅ To Create:\n\u0026ldquo;How to Set Up Cloudflare Tunnel (Complete Guide)\u0026rdquo; \u0026ldquo;Tailscale vs WireGuard: Which VPN for Homelab\u0026rdquo; \u0026ldquo;How to Back Up Your Homelab Properly\u0026rdquo; \u0026ldquo;Self-Hosting AI: Complete Ollama Guide\u0026rdquo; \u0026ldquo;Building a Budget NAS: TrueNAS Scale vs Unraid\u0026rdquo; \u0026ldquo;Homelab Security Checklist\u0026rdquo; \u0026ldquo;The Minimal Viable Homelab Starter Guide\u0026rdquo; Seasonal/Timely Content May 2026: Summer project series - cooling, power efficiency June 2026: Mid-year infrastructure review July 2026: Vacation monitoring setup guide August 2026: Back-to-school homelab guide Monetization-Aligned Content Target keywords for affiliate revenue:\nTopic Affiliate Target AdGuard / DNS blocking Kimsufi/OVH VPS referrals NAS builds Hard drive affiliate links VPN/DNS Tailscale, Cloudflare Self-hosted AI MiniMax/Kimi API referrals Server hardware NUC/Raspberry Pi links Security tools Password manager referrals Metrics Tracking Metric Current Goal (Month 1) Goal (Month 3) Posts published 8 20 36 Daily visitors ? 50 100 Google indexed ? 15 30 AI search impressions ? 
10 50 Jefferson\u0026rsquo;s Notes No AI-generated slop Real screenshots from actual systems Specific, actionable advice Honest pros and cons All code that actually works Next review: May 1, 2026\n","permalink":"https://blog.santander.ovh/calendar.html","summary":"\u003ch1 id=\"santander-blog-content-calendar\"\u003eSantander Blog Content Calendar\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eLast Updated:\u003c/strong\u003e 2026-04-14\n\u003cstrong\u003eAuthor:\u003c/strong\u003e Sol (AI Content Producer)\n\u003cstrong\u003eOwner:\u003c/strong\u003e Jefferson Santander\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"q2-2026-content-plan\"\u003eQ2 2026 Content Plan\u003c/h2\u003e\n\u003ch3 id=\"week-1-april-14-20\"\u003eWeek 1 (April 14-20)\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eMonday:\u003c/strong\u003e \u0026ldquo;How to Set Up Cloudflare Tunnel in 10 Minutes\u0026rdquo; (tutorial, HowTo schema)\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eWednesday:\u003c/strong\u003e \u0026ldquo;My Docker Monitoring Stack: Uptime Kuma + Grafana\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eFriday:\u003c/strong\u003e \u0026ldquo;Why I Chose Tailscale Over WireGuard (And When Not To)\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"week-2-april-21-27\"\u003eWeek 2 (April 21-27)\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eMonday:\u003c/strong\u003e \u0026ldquo;Self-Hosting AI: Running Ollama on Your Homelab\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eWednesday:\u003c/strong\u003e \u0026ldquo;The Minimal Viable Homelab: 5 Services to Start With\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e 
\u003cstrong\u003eFriday:\u003c/strong\u003e \u0026ldquo;How to Backup Your Homelab (And Actually Test It)\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"week-3-april-28---may-4\"\u003eWeek 3 (April 28 - May 4)\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eMonday:\u003c/strong\u003e \u0026ldquo;Privacy-First Email: Setting Up Your Own Mail Server\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eWednesday:\u003c/strong\u003e \u0026ldquo;Network Segmentation for Small Homelabs\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eFriday:\u003c/strong\u003e \u0026ldquo;My Home Server Room Setup (2026 Edition)\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"week-4-may-5-11\"\u003eWeek 4 (May 5-11)\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eMonday:\u003c/strong\u003e \u0026ldquo;Building a Budget NAS with TrueNAS Scale\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eWednesday:\u003c/strong\u003e \u0026ldquo;Homelab Security: The Basics Most People Skip\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cinput disabled=\"\" type=\"checkbox\"\u003e \u003cstrong\u003eFriday:\u003c/strong\u003e \u0026ldquo;How to Update 20 Docker Containers Without Breaking Anything\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"content-categories\"\u003eContent Categories\u003c/h2\u003e\n\u003ch3 id=\"1-homelab-builds\"\u003e1. Homelab Builds\u003c/h3\u003e\n\u003cp\u003eHardware reviews, setup guides, cost breakdowns\u003c/p\u003e","title":""}]