Tools
A curated directory of 7 tools we use, evaluate, and recommend across the AI security landscape — with our take on each.
Interactive tool
App Picker + Resource Budget Estimator
Set a RAM/CPU budget (or pick a Pi/N100/SFF box), add from a 40-app catalog, and watch a live meter sum realistic idle + active RAM with shared databases counted once — plus lighter-app suggestions when you go over. Runs entirely in your browser.
Hypervisors & Container Hosts
Proxmox VE
Debian-based KVM + LXC hypervisor with a web UI. Clustering, HA, ZFS, Ceph all out of the box. The default homelab hypervisor in 2026.
Our take
Our default recommendation for any new homelab host. VM and container workflows in the same UI, ZFS-on-root works out of the box, and the no-subscription nag is a 30-second fix. Worth running 3 nodes if you can — clustering unlocks live migration.
TrueNAS Scale
Linux-based successor to TrueNAS Core. Native ZFS, Kubernetes (k3s) app store, Docker support, SMB/NFS/iSCSI shares. Strong at being both NAS and small-app host.
Our take
Best fit when storage is the primary workload and apps are secondary. Don't try to run it as your Proxmox replacement — the app story is good but still not Proxmox's flexibility.
Unraid
Slackware-based NAS + Docker + KVM with friendly UI and mixed-size disk pooling (no ZFS-style same-size constraint). Lifetime licenses common.
Our take
Best beginner-friendly platform. The mixed-disk-size pool is genuinely useful when you're growing storage incrementally. Closed-source and one-vendor risk are the trade-offs.
Self-Hosted Apps
Nextcloud
Self-hostable Google Workspace replacement. Files, calendar, contacts, notes, Talk (chat/video), Office (via Collabora/OnlyOffice).
Our take
The default self-hosted productivity suite. Files and calendar are excellent; the optional add-ons (Talk, Office) are heavier — turn them on selectively. Run it behind a reverse proxy with HTTPS, not direct.
Jellyfin
Open-source media server forked from Emby. Streams to web, mobile, smart TVs, Roku, etc. Hardware-accelerated transcoding on Intel QSV / NVIDIA NVENC.
Our take
The free Plex alternative with no telemetry and no premium-feature gating. Native client quality varies (the Roku client is solid; Apple TV client is improving). Worth pairing with hardware transcode for 4K streams.
Vaultwarden
Rust reimplementation of the Bitwarden server. Compatible with all official Bitwarden clients. Runs in a single container with SQLite by default.
Our take
The right way to self-host Bitwarden — much lighter than the official server. Treat it as critical infrastructure: HTTPS only, regular off-site backups, MFA mandatory.
Traefik
Reverse proxy designed for container environments. Auto-discovers Docker labels, terminates TLS via Let's Encrypt out of the box.
Our take
Best fit for Docker-heavy stacks; the Docker-label-driven config is genuinely magical for the first 5 apps. For VM-heavy environments, Caddy or nginx-proxy-manager are simpler.