7 Jul 2026 I’ve been down a deep, deep self-hosting rabbit hole this past month that began innocuously with an attempt to get away from Plexamp and ended with me setting up a full-blown external VPS, in the process learning a lot. I’m not going to document every step of the process here (no one needs to read about how I learned to create SSH keys and disable root login, and if you do, email me). But I had a ton of fun, so I wanted to log the adventure for posterity. This all started because of Plex’s lifetime price hike (https://mintcitylights.com/2026/05/22/plex-price-hike/). As I mentioned in that previous post, it doesn’t even affect me as I’m a lifetime Plex pass holder, but the knowledge that this was the direction Plex was going didn’t make me feel good about using it. I kept thinking about it. It was like an itch that wouldn’t go away. Updating my music setup: Navidrome and AudioMuse-AI I was already pretty happy with my Jellyfin setup for watching things. The main thing that was keeping me on Plex was music. Jellyfin’s music capabilities can most charitably be described as functional, so I began by looking at other self-hosted music servers, which led me to Navidrome (https://www.navidrome.org/). What impressed me most about it right off the bat was how lightweight and speedy it was compared with Plex and Jellyfin. It was an immediate sort of oh-I-see-the-light moment for the wisdom of keeping your stuff segregated and served by the software that specialises in that particular type of media. Navidrome, unlike Plex and Jellyfin, is made for music, and it really shows. I paired it with Feishin on my computer and Arpeggi on my phone, and was very happy with the outcome. However, I still missed one major feature from Plexamp, which was Sonic Analysis. It generates mixes and playlists based on characteristics of your music, like their tempo and mood. Once you get used to it, it’s a much better way of listening to your music than just putting everything on random shuffle. Enter the open-source world’s alternative: AudioMuse-AI (https://github.com/NeptuneHub/AudioMuse-AI). Initially, I took one look at the 8GB RAM system requirements and ran away; my NAS is extremely basic and only has 6GB. Only later did it dawn on me (in a very doh moment) that I didn’t actually need AudioMuse-AI to be running in the same machine as Navidrome, as you can install it anywhere and just point it to the Navidrome server. So I turned to my very capable main PC for the task, which I think was the right call, though another massive learning point for me: AudioMuse-AI doesn’t have a native package for Arch, and I chose to install the Docker image instead. I have done this plenty of times on my NAS, but not on my computer. The two machines are obviously different (read: I don’t have an idiotproof Synology NAS guide and a friendly GUI to follow), so without going into excruciating detail, suffice it to say that I got my hands very dirty with config file innards and I now feel much more confident in spinning up a Docker container for anything else in the future. (The short answer to everything is Portainer. I discovered this only after a lot of time in the terminal.) Once I was off and running, everything was a breeze. I don’t have a huge library (under 5k songs), so AudioMuse-AI finished its scan in about a day. It’s not a 1:1 replacement for Plex’s functionality, but it’s been pretty great so far. Remote access: Pangolin to the rescue I was now poised to ditch Plex entirely if I wanted to, save for a glaring problem: remote access. I feel like this is one of the trickiest things about self-hosting that no one really highlights to beginners. People will say “just use a reverse proxy/nginx/Caddy” as if that means anything to anyone who is new to homelabbing. The biggest draw of Plex to me was that it handled remote access seamlessly without me having to lift a finger. I ran the gamut of options back when I was trying to figure out how to access all my non-Plex apps outside my house. Synology supposedly has a reverse proxy that Just Works, but personally, I have never been able to get it to work at all. Tailscale was the first and easiest solution I found, but the problem is you need the Tailscale client installed on all of the devices you want to use, and I’m obviously not getting away with that on my work laptop. Cloudflare tunnels was where I eventually landed for almost everything I self-host. They’re secure and easy to set up and use, with one big caveat: it is unclear whether streaming media through them is a violation of their TOS. I won’t go into detail here because I turned the internet inside out trying to find a definitive answer and there simply wasn’t one. TL;DR streaming your non-Cloudflare-hosted media through a Cloudflare tunnel is a grey area. Lots of people say they do it routinely without any issue at all, and my guess is that Cloudflare will close one eye for low-bandwidth personal usage, but I wasn’t interested in running the risk of account suspension in case I happened to get caught. So having heard a lot about Pangolin (https://pangolin.net/) as a private, self-hosted Cloudflare tunnel alternative, I decided my Navidrome switch was as good a reason as any to finally try to figure it out. I rented a surprisingly affordable low-spec VPS, followed the excellent Pangolin documentation, and was a very excited shocked Pikachu when it worked exactly as advertised. How refreshing! The biggest issues I had were 1) learning how to SSH into my VPS (I truly knew Absolutely Nothing when I got started) and 2) waiting for my DNS records to propagate on the domain I chose for Pangolin. TBH Cloudflare tunnels were working fine for me, but I went ahead and switched everything to Pangolin because it just feels really good to be in full control here, and not to rely on Cloudflare for anything. No more having to worry about contravening whatever TOS! I’m the boss of my own tunnels now! (As an aside: If you already have a domain name, you don’t need to go register a new domain just to use Pangolin. Just set up a subdomain for your Pangolin and point that to your VPS. Sounds obvious, but putting it out there in case you, like me, weren’t sure if this would work, since all the examples in the documentation use top-level domains.) Now I have this VPS, what else can I do with it? I felt enormously empowered with my new VPS. Sure, it was a basic entry-level machine (1 vCPU, 2GB RAM) but still, it seemed a bit of a waste to have this always-on machine just to serve my Pangolin tunnels. So naturally I began to poke around for more stuff I could play with. When I first got my Synology NAS, one of my earliest experiments was putting Pi-hole on it. It worked well, but I eventually decided against trying to self-run my DNS server on my own hardware (https://mintcitylights.com/2024/11/03/adventures-in-dns-services/) because it felt like more than I wanted to take on. With a remote VPS that someone else is responsible for keeping alive and online, though, it seemed less risky. I popped Tailscale onto my VPS first then tried installing Pi-hole. Unfortunately, it didn’t play nice (I couldn’t access the admin page at all, and I never figured out why), so I moved on to the other popular self-hosted DNS option, AdGuard Home. It’s good! It’s really good. I’m almost glad Pi-hole didn’t work, because AdGuard Home is super pleasant to use. I followed this detailed and helpful guide (https://adguard.com/en/blog/adguard-home-on-public-server.html) to get it up and running, spent some time going through the options, configured my preferred blocklists and privacy-respecting no-log upstream servers (Quad9 and Mullvad are good options), then set my VPS Tailscale IP as my Tailscale global nameserver. Boom, done. All my devices that are connected to Tailscale (which is all of them all the time) are now using my very own self-hosted AdGuard Home. You could manually set your VPS’s static IP as your DNS resolver everywhere (or at your router level), but I prefer going through Tailscale because it encrypts all your traffic without you having to do extra configuration in AdGuard Home, and also provides a way to easily switch it off in case there’s any issue. Digital hygiene All of the above is good and well, but I learned very quickly while reading about VPS use and best practices that if I didn’t secure this VPS, I was probably asking for trouble. With my starting point of zero knowledge, I managed to do the following: 1. Change the root password 2. Create a new user (me) and add myself to the sudo group 3. Change the default SSH port 4. Create SSH keys 5. Disable root login (I had the most trouble with this step. Most tutorials will tell you to edit /etc/ssh/sshd_config, but nothing happened after I did that and restarted sshd. I found that there was a .conf file in /etc/ssh/sshd_config.d that I needed to edit instead. Parking this here in the niche case that anyone with this same problem finds this post) 6. Set up ufw firewall, open required ports and close everything else This is just what I did—I’m not recommending that everyone does this, since, I emphasise once again, I am merely an amateur figuring things out as best as I can from online research. But I think this makes my VPS as secure as it can get with minimal effort at my level of knowledge. I also wanted to mention that I went with Onidel for my VPS, because they have Singapore-based servers at a good price, and allowed me to pay triennially for a significant discount. I prefer to pay upfront and not think about a thing for several years, so this worked for me. Everything has been humming along very nicely so far. Otherwise, I think Hosthatch would also be a good option (I spun up a machine there at their monthly rate of US$4 to experiment further, all worked well). Racknerd is an ultra-cheap option that I see mentioned a lot on LowEndTalk (https://lowendtalk.com/), but I didn’t want US-based servers for geographical reasons. • So that’s what I’ve been busy with. It probably looks like a whole lot of technobabble soup, now that I write it all up. Going into this, I expected to improve my tech setup in some way, and I certainly did. What I didn’t expect and got in spades was fun. As I worked through it all, it struck me that it’d been a really long time since I got so absorbed in a project because I felt like I was learning so much. And that, I think, is worth just as much as the improved privacy and utility of my tech stack. #tech (https://mintcitylights.com/blog/?q=tech)