(nimory)[http://home.nihars.com] is a single machine running everything I need β files, photos, notes, sync, and local AI. No subscriptions. No third-party dependency for the things that matter.
This is a write-up of how it's built and how it works.
Hardware π₯οΈ
A Dell OptiPlex 7060. Small form factor, low power, silent enough to ignore.
- Hostname : nimory
- OS : Debian 12 (Bookworm)
- CPU : Intel i5-8400T β 6 cores, up to 3.3 GHz
- RAM : 16 GB
- Storage : 1.8 TB NVMe SSD
Storage is partitioned with LVM:
nvme0n1
βββ nvme0n1p1 512M /boot/efi
βββ nvme0n1p2 488M /boot
βββ nvme0n1p3 1.8T LVM
βββ nimory--vg-root β /
βββ nimory--vg-swap_1 β swap
It runs continuously with minimal intervention and low power usage.
Access Model π
Internet (Cloudflare Tunnel)
No ports are exposed on the router. nimory establishes an outbound encrypted tunnel.
Browser β Cloudflare DNS β Cloudflare Tunnel β cloudflared β Caddy β App
- Public apps served via
*.nihars.com - TLS + routing handled by Caddy
- Home IP never exposed
Admin (Tailscale)
SSH is private via WireGuard mesh:
bash
tailscale ssh nimory
- Works from anywhere
- No public SSH exposure
Local LAN
AdGuard resolves local domains:
Device β AdGuard DNS β Caddy β App
*.nimorydomains- No external routing
- Ads/tracking blocked
Access Summary
- Internet β apps via Cloudflare, SSH via Tailscale
- LAN β apps via AdGuard, SSH via Tailscale
- Physical β avoided
Reverse Proxy π§
All traffic passes through a single entry point: Caddy
- Handles TLS termination
- Routes based on domain
- Applies security headers
Security headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Public Domains
- photos.nihars.com β Immich
- cloud.nihars.com β Nextcloud
- sync.nihars.com β Syncthing
- home.nihars.com β Dashboard
- notes.nihars.com β Samanote
- nimos.nihars.com β AI UI
LAN Domains
- photos.nimory β Immich
- cloud.nimory β Nextcloud
- sync.nimory β Syncthing
- home.nimory β Dashboard
- notes.nimory β Samanote
- nimos.nimory β AI UI
- dns.nimory β AdGuard
Containers π¦
Each service runs in isolation and communicates over a shared internal network.
- Network:
homelab - Communication via container names
- No external exposure unless routed by Caddy
Edge + Networking
- caddy β reverse proxy
- cloudflared β tunnel client
- adguard β DNS + ad blocking
Infrastructure
- postgres β shared database
- redis β cache + queues
Files + Sync
- nextcloud β file storage
- syncthing β folder sync
Photos (Immich)
- immich_server β API + UI
- immich_worker β background jobs
- immich_ml β ML processing
AI Stack (Nimos)
- nimos_ollama β model runtime
- nimos_webui β chat UI
- nimos β backend
Everything runs locally. No external API calls.
Apps
- samanote β notes (file-based)
- dashboard β system homepage
Storage πΎ
All persistent data lives on host:
/home/datar/
βββ data/
β βββ notes/
β βββ backups/
β βββ workspace/
βββ docker/
- Containers mount host paths
- Rebuilds donβt affect data
Automation βοΈ
Two cron jobs manage the system:
30 2 * * * flock -n /tmp/notesctl.lock timeout 60m ./notesctl
30 3 * * * flock -n /tmp/nimoryd.lock timeout 180m ./nimoryd
notesctl
- Creates daily notes
- Removes empty notes
- Archives old notes
- Encrypts + uploads backups
nimoryd
- Ensures Tailscale is running
- Restarts containers
- Updates compose stacks
- Pulls git repos
- Builds tools
- Manages backups
Security Model π
- No open router ports
- No public SSH
- Internal-only databases
no-new-privilegesenabled- Encrypted backups (AES-256)
- All access via Caddy
Attack surface is intentionally minimal.
Not Done Yet π§
- Alerting system
- Restore documentation
- Backup retention policy
- Advanced monitoring
nimory runs quietly and stays out of the way.
Itβs not complex for the sake of it. Just controlled, predictable, and entirely mine.
# Last updated on .