/self-hostingLast reviewed May 20, 2026

Self-hosted service review without storing secrets

Readers running local services who need a periodic review of versions, permissions, exposure, accounts, and backup posture.

Criteria

Track what the service is for, where it runs, how it updates, what data it stores, and whether it is internet-reachable.
Record account and 2FA/passkey posture as review status only; do not put passwords, recovery codes, or secret URLs in the register.
Tie each service to backup and restore evidence before treating it as operationally safe.

Limitations

This guide covers security hygiene and operational notes. It does not replace project documentation, threat modeling, or professional security review.

Primary sources

Nextcloud administration manual
Immich administration docs
Jellyfin documentation

Sponsorship and affiliate disclosure

No paid placement or affiliate compensation is attached to this guide unless a future update clearly labels it here.