monospace.studio
Back to Thoughts

Self-hosted AI infra · 2026

Building HomeCloud

HomeCloud is the infrastructure thread behind several newer agent experiments: a Mac mini treated as a small private cloud, with Tailscale, Docker, Ollama, Open WebUI, Uptime Kuma, Sunshine, and OpenClaw managed from code.

A private-cloud field note: turning a fragile Mac mini setup into resilient, monitored, self-hosted infrastructure for AI, development, and media workflows.

I've been running a Mac mini in Barcelona as a remote server for a while. Parsec for remote desktop, Sunshine for streaming, Docker for services, Tailscale for secure access. It worked — until it didn't.

A router reboot knocked Tailscale offline. No Tailscale meant no VNC, no Parsec, no Sunshine, no Open WebUI. Everything gone. The only fix was physical access to the machine.

That incident made something clear: I wasn't running infrastructure. I was running a desktop that happened to be on.

So I built HomeCloud.

What is HomeCloud?

HomeCloud is a private, self-hosted infrastructure project. One Mac mini. No public ports. No cloud subscriptions. Everything runs through a Tailscale encrypted overlay network and is managed as infrastructure-as-code from a single Git repository.

The design principle is simple: the Mac mini is treated as a server that happens to have a GUI.

What Changed

The Problem

The App Store version of Tailscale uses a macOS NetworkExtension — essentially a VPN plugin that depends on the GUI session. When the router rebooted, the NetworkExtension didn't recover. Every service behind Tailscale became unreachable.

The Fix

I replaced the App Store Tailscale with the standalone tailscaled daemon installed via Homebrew. It runs as root through launchd, independent of any GUI session. It starts on boot. It reconnects automatically. No user login required.

That single change turned a fragile setup into a resilient one.

The Stack

Everything DaMini (the Mac mini) runs:

  • Tailscale — standalone daemon, encrypted overlay network, zero public ports
  • Docker Desktop — container runtime with restart policies
  • Open WebUI — local AI chat interface (Docker container)
  • Ollama — local LLM runtime (native via Homebrew)
  • Uptime Kuma — uptime monitoring dashboard (Docker container)
  • Sunshine — low-latency desktop streaming (login item + LaunchAgent)
  • Parsec — remote desktop (login item)

All services auto-start. All containers have restart: unless-stopped or restart: always. Sunshine and Tailscale have watchdog plists that check every 60–120 seconds.

Infrastructure as Code

The HomeCloud repo isn't documentation — it's a control plane.

homecloud/
├── compose/          # Docker Compose service definitions
├── scripts/          # Operational scripts
├── launchd/          # macOS service persistence (plists)
├── configs/          # Configuration documentation
├── inventory/        # Host inventory and secrets templates
└── Makefile          # Control plane entry point

Every operational action has a make target:

make up              # Start services
make down            # Stop services
make health          # Run 13-point healthcheck
make health-alert    # Healthcheck + Telegram alert on failure
make alert-test      # Test Telegram notification
make bootstrap       # Initial server setup
make backup          # Backup configs

Secrets are never committed. Environment variables are loaded from ~/.secrets (shell-level) with a fallback to a project-level .env file for launchd jobs.

The Healthcheck

The healthcheck script runs 13 checks across 6 categories:

  • Network — internet reachable, DNS resolving
  • Tailscale — daemon running, connected to tailnet
  • Docker — daemon running, open-webui container, uptime-kuma container
  • Ollama — process running
  • Services — Sunshine running, Screen Sharing enabled
  • Disk — usage for System, HomeCloud_Data, and LaCie volumes (warns at 85%)

Results are logged with timestamps. Failures trigger a Telegram alert with the specific checks that failed.

The Reboot Test

The real proof: I rebooted DaMini intentionally and watched from my MacBook.

12 out of 13 checks passed with zero manual intervention.

Tailscale reconnected. Docker restarted all containers. Ollama came back. Sunshine resumed streaming. The only failure was Screen Sharing, which isn't enabled — and that's expected.

Recovery time: automatic. No SSH. No physical access. No panic.

What's Next

The roadmap has six phases. Phase 1 (stabilisation) and Phase 2 (monitoring) are complete. Up next:

  • Phase 3 — Hardware resilience: UPS, smart plug for remote power cycling
  • Phase 4 — Networking: Pi-hole for DNS filtering, Tailscale exit node
  • Phase 5 — Infrastructure as code: Docker Compose files, watchdog scripts, config backups all versioned
  • Phase 6 — Migration: evaluate Unraid/Proxmox, containerise everything, cluster expansion

The Takeaway

You don't need a rack. You don't need Proxmox. You don't need Kubernetes.

A Mac mini, Tailscale, Docker, and a well-structured Git repo got me from "hobby setup" to "self-healing private cloud" in one session. The key was treating it as infrastructure from the start — documenting decisions, scripting operations, and automating recovery.

HomeCloud is now a system, not a hobby.

What carries forward

  • The useful shift was mental as much as technical: stop treating the machine as a desktop that happens to be remote, and start treating it as infrastructure.
  • Resilience came from boring systems work: daemonised Tailscale, launchd watchdogs, Docker restart policies, healthchecks, and Telegram alerts.
  • The repo became a control plane, with scripts, plists, compose files, runbooks, incidents, and blog notes living together.
  • The later OpenClaw work extends the same pattern from private cloud into agent runtime: dedicated user, approvals, safe commands, and secrets hygiene.

Why it belongs here

This belongs in Ideas because it shows the practical infrastructure layer behind AI-assisted product work: sovereign compute, operational discipline, local models, and agent guardrails.