CLI agents make self-hosting on a home server easier and fun

>>websku+(OP)
This posts lists inexpensive home servers, Tailscale and Claude Code as the big unlocks.

I actually think Tailscale may be an even bigger deal here than sysadmin help from Claude Code at al.

The biggest reason I had not to run a home server was security: I'm worried that I might fall behind on updates and end up compromised.

Tailscale dramatically reduces this risk, because I can so easily configure it so my own devices can talk to my home server from anywhere in the world without the risk of exposing any ports on it directly to the internet.

Being able to hit my home server directly from my iPhone via a tailnet no matter where in the world my iPhone might be is really cool.

>>simonw+g6
I'd rather expose a Wireguard port and control my keys than introduce a third party like Tailscale.

I am not sure why people are so afraid of exposing ports. I have dozens of ports open on my server including SMTP, IMAP(S), HTTP(S), various game servers and don't see a problem with that. I can't rule out a vulnerability somewhere but services are containerized and/or run as separate UNIX users. It's the way the Internet is meant to work.

>>drnick+ab
> I'd rather expose a Wireguard port and control my keys than introduce a third party like Tailscale.

Ideal if you have the resources (time, money, expertise). There are different levels of qualifications, convenience, and trust that shape what people can and will deploy. This defines where you draw the line - at owning every binary of every service you use, at compiling the binaries yourself, at checking the code that you compile.

> I am not sure why people are so afraid of exposing ports

It's simple, you increase your attack surface, and the effort and expertise needed to mitigate that.

> It's the way the Internet is meant to work.

Along with no passwords or security. There's no prescribed way for how to use the internet. If you're serving one person or household rather than the whole internet, then why expose more than you need out of some misguided principle about the internet? Principle of least privilege, it's how security is meant to work.

>>buran7+1o
> It's simple, you increase your attack surface, and the effort and expertise needed to mitigate that.

Sure, but opening up one port is a much smaller surface than exposing yourself to a whole cloud hosting company.

>>lmm+os
Ah… I really could not disagree more with that statement. I know we don’t want to trust BigCorp and whatnot, but a single exposed port and an incomplete understanding of what you’re doing is really all it takes to be compromised.

>>apppli+Dv
Even if you understand what you are doing, you are still exposed to every single security bug in all of the services you host. Most of these self hosted tools have not been through 1% of the security testing big tech services have.

>>Schema+Zx
For every remote exploit and cloud-wide outage that has happened over the past 20 years my sshd that is exposed to the internet on port 22 has had zero of either. There were a couple of major OpenSSH bugs but my auto updater took care of that before I saw it on the news.

You can trust BugCorp all you want but there are more sshd processes out there than tailnets and the scrutiny is on OpenSSH. We are not comparing sshd to say WordPress here. Maybe when you don’t over engineer a solution you don’t need to spend 100x the resources auditing it…

>>IgorPa+du2
If you only expose SSH then you're fine, but if you're deploying a bunch of WebApps you might not want them accessible on the internet.

The few things I self host I keep out in the open. etcd, Kubernetes, Postgres, pgAdmin, Grafana and Keycloak but I can see why someone would want to hide inside a private network.

zlacker