I used to self-host because I liked tinkering. I worked tech support for a municipal fiber network, I ran Arch, I enjoyed the control. The privacy stuff was a nice bonus but honestly it was mostly about having my own playground. That changed this week when I watched ICE murder a woman sitting in her car. Before you roll your eyes about this getting political - stay with me, because this is directly about the infrastructure we’re all running in our homelabs. Here’s what happened: A woman was reduced to a data point in a database - threat assessment score, deportation priority level, case number - and then she was killed. Not by some rogue actor, but by a system functioning exactly as designed. And that system? Built on infrastructure provided by the same tech companies most of us used to rely on before we started self-hosting. Every service you don’t self-host is a data point feeding the machine. Google knows your location history, your contacts, your communications. Microsoft has your documents and your calendar. Apple has your photos and your biometrics. And when the government comes knocking - and they are knocking, right now, today - these companies will hand it over. They have to. It’s baked into the infrastructure. Individual privacy is a losing game. You can’t opt-out of surveillance when participation in society requires using their platforms. But here’s what you can do: build parallel infrastructure that doesn’t feed their systems at all. When you run Nextcloud, you’re not just protecting your files from Google - you’re creating a node in a network they can’t access. When you run Vaultwarden, your passwords aren’t sitting in a database that can be subpoenaed. When you run Jellyfin, your viewing habits aren’t being sold to data brokers who sell to ICE. I watched my local municipal fiber network get acquired by TELUS. I watched a piece of community infrastructure get absorbed into the corporate extraction machine. That’s when I realized: we can’t rely on existing institutions to protect us. We have to build our own. This isn’t about being a prepper or going off-grid. This is about building infrastructure that operates on fundamentally different principles:
Communication that can’t be shut down: Matrix, Mastodon, email servers you control
File storage that can’t be subpoenaed: Nextcloud, Syncthing
Passwords that aren’t in corporate databases: Vaultwarden, KeePass
Media that doesn’t feed recommendation algorithms: Jellyfin, Navidrome
Code repositories not owned by Microsoft: Forgejo, Gitea
Every service you self-host is one less data point they have. But more importantly: every service you self-host is infrastructure that can be shared, that can support others, that makes the parallel network stronger. Where to start if you’re new:
Passwords first - Vaultwarden. This is your foundation. Files second - Nextcloud. Get your documents out of Google/Microsoft. Communication third - Matrix server, or join an existing instance you trust. Media fourth - Jellyfin for your music/movies, Navidrome for music.
If you’re already self-hosting:
Document your setup. Write guides. Make it easier for the next person. Run services for friends and family, not just yourself. Contribute to projects that build this infrastructure. Support municipal and community network alternatives.
The goal isn’t purity. You’re probably still going to use some corporate services. That’s fine. The goal is building enough parallel infrastructure that people have actual choices, and that there’s a network that can’t be dismantled by a single executive order. I’m working on consulting services to help small businesses and community organizations migrate to self-hosted alternatives. Not because I think it’ll be profitable, but because I’ve realized this is the actual material work of resistance in 2025. Infrastructure is how you fight infrastructure. We’re not just hobbyists anymore. Whether we wanted to be or not, we’re building the resistance network. Every Raspberry Pi running services, every old laptop turned into a home server, every person who learns to self-host and teaches someone else - that’s a node in a system they can’t control. They want us to be data points. Let’s refuse.
What are you running? What do you wish more people would self-host? What’s stopping people you know from taking this step?
EDIT: Appreciate the massive response here. To the folks in the comments debating whether I’m an AI: I’m flattered by the grammar check, but I’m just a guy in his moms basement with too much coffee and a background in municipal networking. If you think “rule of three” sentences are exclusive to LLMs, wait until you hear a tech support vet explain why your DNS is broken for the fourth time today.
More importantly, a few people asked about a “0 to 100” guide - or even just “0 to 50” for those who don’t want to become full time sysadmins. After reading the suggestions, I want to update my “Where to start” list. If you want the absolute fastest, most user-friendly path to getting your data off the cloud this weekend, do this:
The Core: Install CasaOS, or the newly released (to me) ZimaOS. It gives you a smartphone style dashboard for your server. It’s the single best tool I’ve found for bridging the technical gap. It’s appstore ecosystem is lovely to use and you can import docker compose files really easily.
The Photos: Use Immich. Syncthing is great for raw sync, but Immich is the first thing I’ve seen that actually feels like a near 1:1 replacement for Google Photos (AI tagging, map view, etc.) without the privacy nightmare.
The Connection: Use Tailscale. It’s a zero-config VPN that lets you access your stuff on the go without poking holes in your firewall.
I’m working on a Privacy Stack type repo that curates these one click style tools specifically to help people move fast. Infrastructure is only useful if people can actually use it. Stay safe out there.
The average person doesn’t understand anything about technology and probably won’t even be able to install an operating system. The Internet literally became what it is now precisely because everything was left to corporations. For example, sip telephony is as decentralized and secure as possible, but how many people keep their own telephone exchange? therefore, it is more realistic for the average person to simply use services outside the jurisdiction of the state than to install something on their own. In some countries, it is also illegal to engage in self-hosting.
but if we talk about people who are interested enough, then yes, you can do self-hosting. However, people who are ready to understand at least a little, for example, according to the latest steam statistics, make up about 5% of the total mass.
Honestly, you’re right about the skill gap, the convenience trap is exactly how Big Tech won in the first place, but I don’t think the goal is to turn every single person into a sysadmin. My time teaching at the library with the Cyber Seniors program showed me that people don’t need to know how to flash an OS to deserve privacy, they just need a doorway that isn’t owned by a corporation.
If the 5% who actually know how this stuff works start building “community nodes” for their family, their block, or a local shop, then the 95% get all the benefits without the technical headache. We don’t need everyone to be an expert, we just need enough local infrastructure so that “the cloud” isn’t the only option left. It’s not about total purity for everyone, it’s just about building enough exit ramps so the machine becomes optional, you know?
so you’re suggesting storing sensitive data, work documents, passwords, not from a company with which there are at least some legal agreements, but from a neighbor, simply because you see him from time to time? what could possibly go wrong…
UPD: By the way, if we are talking about a state, your neighbor will be approached in the same way as Google, because everyone in the country obeys the same laws.
You’re hitting on the two biggest myths of the current era: that “legal agreements” with giants actually protect you, and that a neighbor is a bigger risk than a faceless corporation.
First, when a tech giant gets a broad subpoena, they don’t fight it for you; they automate the handover because you’re just a line in a database of billions. When you host locally, you’re a specific node. If the state wants your data from a private server, they have to physically knock on a specific door. That is a massive increase in the “cost of surveillance” compared to a silent API request sent to a corporate data center.
Second, this isn’t about “trusting a neighbor” with your plaintext data. In a proper sovereign setup, the data is end-to-end encrypted. I can host your Vaultwarden or your Nextcloud backups, but I don’t have the keys; I’m just providing the “digital real estate.” It’s the difference between giving someone your house keys and just letting them provide the land your safe sits on.
The goal isn’t to make law enforcement impossible; it’s to make the “dragnet” impossible. If they want one person’s data, they have to work for it, rather than just pulling it from a corporate warehouse.
I do not know about Amazon, but in telephony you simply have to install a threat management system in accordance with the law. I think Amazon has the same thing. if there is a court decision, the servers will be arrested or a request for data will be received. It’s exactly the same thing.
what is configured on the server may or may not be enabled. and your neighbor just knows some of your data (your name, address, etc.), which increases the likelihood of an attack. To an Amazon engineer, you’re just bytes out of nowhere.
the normal story would be to encrypt everything on the client before anything gets to the server at all. but who exactly is going to bother so much? in this case, you might as well upload a bunch of encrypted data to Google.
Actually, you’re exactly right about client-side encryption being the answer, and that is the standard we are pushing for. But the reason you don’t just dump those encrypted files into a Google Drive is because of the metadata. Even if Google cannot read your “letter,” they are still mining the “envelope,” they know when you wrote it, where you were, and who you sent it to. In 2026, metadata is often more dangerous than the content itself because it is so easy to automate into a threat profile.
As for the law, you’re right that a court order is a court order, but there is a massive difference in the “cost of surveillance.” Big tech companies have dedicated departments to automate data handovers for thousands of users at a time; it is a streamlined pipeline. A private server forces the state to slow down, to get a specific warrant for a specific physical machine, and to actually do the legwork. It turns a massive dragnet into a targeted investigation, which is exactly how the system is supposed to work.
And regarding the “Amazon engineer” versus a neighbor, an engineer might not know my name, but the Amazon algorithm knows my pulse, my politics, and my habits better than anyone. If I use E2EE, the person hosting the hardware doesn’t have the keys anyway, so they are just a landlord for my digital safe, not a spy.
Well, I don’t work in the USA, but in a telecom company, and I can say that if you really need it, they will just kick down the door and seize the server. no matter what. and a campaign interested in business is, after all, more technologically advanced than some guy who set up a server based on guides on the Internet. you won’t need to take anything from him, with a fairly weak literacy, it’s enough just to intentionally make a mistake in the public guide. Do you remember Hillary Clinton’s private email server case?
You’re right that if the state really wants you, they can always resort to physical force, but that’s exactly the point. In the current system, they don’t have to kick down any doors, they just send a silent request to a corporate office and get everything they need without you or your neighbors ever knowing. Forcing them to physically show up at a specific address in the real world drastically changes the “cost of surveillance,” it turns a cheap, automated dragnet into a slow, expensive, and public operation.
As for the Hillary Clinton example, that’s actually a perfect lesson in what happens when you prioritize convenience over security. Her setup was “shadow IT” at its worst, it had open ports, unencrypted connections, and none of the basic hardening we use in modern sovereign stacks like Docker or NixOS. It wasn’t built for resistance, it was built to bypass government record-keeping, and that lack of professionalism is exactly why it failed.
The “Amazon engineer” might only see bytes, but the Amazon algorithm sees your entire life story, your politics, and your vulnerabilities. If we use end-to-end encryption, it doesn’t matter if the guy hosting the box is a neighbor or a stranger, they can’t read the data anyway. We aren’t just following random guides, we are building professional-grade infrastructure that makes the “dragnet” fail by design. If the state has to kick down a door for one person’s data, the system is at least forced to follow a transparent process again.
so why you think that a public pool of docker images is as secure as an aqua checked image in Google’s infrastructure? It’s a mystery to me. An ordinary user like Hilary can be checked even without a warrant, it’s enough to are plenty of vulnerabilities already.
As someone who has been building infrastructure for over 10 years, I can say that friendship is one thing, but no one is willing to share sensitive data with their friends. People prefer to use services out of border, not self hosted.
UPD: of all my friends, only 7 agreed to use mail on my domain, and after moving from Google Workspace to a private server, only three remained. one of them simply transfers mail to another mailbox, just in case. this is the result. not theoretical, but real.
I dont think this really responds to the comment you replied to.
Lots of comments in this thread are talking about people who dont have the time or expertise to manage their own nextcloud instance.
Saving you stuff on your neighbour’s instance includes genuine risks to your privacy or sensitive information.
The “legal agreements” that commenter referred to are simply the manner in which the host is allowed to use your data. The things you might store might be your will, maybe a spreadsheet of passwords, maybe some notes about your plans for a side hustle, maybe some naughty photos of your wife. Not information thats actionable by Google or Microsoft, but certainly things people dont want their neighbour to access.
“what could possibly go wrong”… looks around
Really?! Can you elaborate?
It is impossible to place telephone nodes in Russia without equipping the server with threat protection equipment. Of course, I won’t buy a box for hundreds of dollars to use a home PBX, so technically I’m outside the law. =) It is also impossible to host sites with more than 10,000 visitors without registering with Roskomnadzor. and all accounts with authorization must support logging in through the public services portal or by phone number. considering that only legal entities can do this, of course I don’t do it.
The United States and the European Union have data protection laws, so if you decide to save money on hosting for friends and install a server outside the Eurozone, depending on the data you store, you are also formally violating the law.
As a population, I would venture to say that we are all formally violating the law in some form or other. Laws are written to be purposefully vague and ambiguous.
I assume you are from Russia since you speak in first person, however, if the laws are so stringent against self hosting or private hosting, why is it a large portion of Warez sites emanate from Russia? They exist all over really, but it seems a lot of the very popular ones are in Russia.
This sort of ties in with the PBX thing. I am certain that popular Warez sites in Russia get way over 10,000 visitors and I’m sure they don’t register with Roskomnadzor.
Just curious. I’ve always had a curiosity with Russia among other countries. The history is very intriguing and vastly unknown in the West because of obvious propaganda. There used to be a blog I followed years ago about people visiting and photographing abandoned structures in Russia. It was very interesting, but sadly I have lost track of it over the years. I always wanted to visit the Red Square, but sadly I am too old to realize that dream. I have been as far as Latvia, which is not part of Russia, but very beautiful as I remember.