Looking for ideas on using Incus for a homelab

A homelab is a dedicated server at your premises where you install several self-hosted services, such as media server, DVR software, network ad-blocking, remote access, backups, etc. Typically you put these services in VMs.

Broadcom/VMWare are discontinuing a free virtualization software and apparently users are trying to figure out where to switch to. There are a few options.

Can you give a series of topics that would fit into the theme of using Incus for a homelab? The idea is to produce a set of tutorials, and put them together within the theme of a homelab. Most likely the list will be long; sort the list by importance. The most common software for a task, for example, pi-hole for network adblocking.

When I add the content from your reply, I’ll click on the :heart_decoration: of your reply.


Summary of self-hosted services (in progress)

  1. CMS (WordPress, Grav,
  2. groupware/cloud file storage (NextCloud, Zimbra,
  3. artifact management (jfrog,
  4. collaboration platform (NextCloud, Overleaf,
  5. wiki (MediaWiki,
  6. information management system (IMS) (Alfresco,
  7. customer relations management (CRM) (EspoCRM,
  8. video-conference/chat/RT communication (Jitsi Meet, Zulip, Matrix,
  9. multimedia streaming server, (Icecast,
  10. game server, (Minecraft,
  11. productivity (AppFlowy, AFFiNE,
  12. software development (code-server,
  13. source-code management (gitea,
  14. project management (Redmine,
  15. automation (Jenkins,
  16. home automation (Home Assistant, OpenHAB,
  17. certification authority (step-ca,
  18. web server (nginx, Caddy, httpd,
  19. VPN (WireGuard, Headscale,
  20. DNS Server/DHCP/network ad blocking (coreDNS, unbound, Technitium, bind9,
  21. Network ad-blocking (pi-hole, AdGuard,
  22. Firewall (pfsense, openwrt, OPNsense, VyOS, IPFire,
  23. reverse-proxy or loadbalancer (nginx, nginxproxymanager, traefik,
  24. identity and access management (IAM) (Keycloak,
  25. media system (Jellyfin,
  26. AI software (Stable Diffusion, PrivateGPT, ollama,
  27. OCI containers (podman,
  28. file-sharing server / Active Directory (samba,
  29. media streaming (tvheadend,
  30. remote desktop gateway, (Guacamole,

Tutorial topics

  1. Running Keycloak for incus authentication and authorization. How to integrate this with SSO for other services would also be nice.
  2. Setting up incus to use Let’s Encrypt certificates
  3. Integrate keycloak and let’s encrypt with incus canonical ui
  4. Show how to use incus integration with ansible/terraform/open tofu
  5. Set up incus to serve Prometheus/Grafana/Loki (metrics)
  6. Set up a basic Ceph cluster and integration with incus. Can it integrate easily with microceph/microovn?
  7. ZFS Management, how to deal with issues when something goes wrong.

Material for those with related prior experience

There are prospective users with related prior experience. In their case, it is easier to get them to adopt Incus if certain tutorials take into account their prior experience.

  1. Prior experience in Proxmox
  2. Prior experience in ESXi.
  3. Prior experience in LXD (migration guide).
  4. Prior experience in LXC.

Incus management

  1. Management (OpenTofu, Terraform,
  2. Networking (forwards and video,
  3. Monitoring (metrics,
  4. Backup (backup,
  5. Expose containers to network (remake of @stgraber video).
  6. Show how to use Docker in Incus in a performant way with ZFS. Requires ZFS 2.2 both for kernel module and client.
  7. Adding devices to instances and making sure they work well during the full lifecycle of the instance (ethernet,
  8. Using snapshots for quick testing (snapshot,
  9. Image management with simplestreams. Also, more extensive image management.
  10. Using distrobuilder to build images.
  11. Use Incus instances for compiling/testing software. As a way to keep the host clean of unnecessary development packages or binaries. Also, mention --ephemeral. Show best practices on how to use/move the binaries from within the instance in a convenient way.

I’m not a LXC contributor (yet), but I would like to give my 2c. I hope its useful and I will try to update it regularly.

  • Nextcloud: Server for transparent file sync between multiple computers, with automatic file revision history (with possibility of rollback)

  • Coder (also known as Code Server): Visual Studio Code directly accessible through your browser and already installed on your development environment Linux server

  • AppFlowy or Affine Pro: high quality open source alternatives to Notion, allowing you to self host your own “Notion” server, with complete privacy and without limited plans and their costs

1 Like
1 Like

DNS would typically be Pi-hole (https://pi-hole.net/) or Adguard Home (AdGuard Home | Network-wide software for any OS: Windows, macOS, Linux), with some interest in Technitium DNS (Technitium DNS Server | An Open Source DNS Server For Privacy & Security).
Firewalling - OpnSense/pfSense (essentially, running a FreeBSD VM - there’s a tutorial already LXD pfsense VM installation )
Apart from Caddy, Nginx Proxy Manager (https://nginxproxymanager.com/) and Traefik (https://nginxproxymanager.com/)

And the number one, all time winner : how to run Docker in a LXC. Worth updating the guidance given the changes in ZFS, and previously the information was a bit disperate.

1 Like

I have added your suggestions. Have a look if they are reflected well in the original post.

Regarding DNS, is there some option for self-hosted DNS a la Bind? That is, you bought a domain and you want to set your homelab as the nameserver.

I have seen the bits and pieces for Docker in Incus or LXC. Is there some cheatlist with just the commands so that I or someone else can expand on?

1 Like

I use Caddy as a reverse proxy that also takes care of TLS.

For DNS, I have used CoreDNS and Unbound. I am not sure if they are the best options for all people, but my use case is to expose local services to my local network. I am not blocking ads or trackers. I am still iterating on the topic.

I also have an Incus network that uses a bridge on the host of the incus service that bridges directly to my local network. This way, DNS and DHCP is taken care of by my router.

Also, consider Podman. I use it instead of Docker. It has a lot of benefits.

There are some interesting things which would be directly talked to incus which would be quite nice. Among these:

  • Running Keycloak for incus authentication and authorization. How to integrate this with SSO for other services would also be nice.
  • Setting up incus to use Let’s Encrypt certificates
  • Integrate keycloak and let’s encrypt with incus canonical ui
  • Show how to use incus integration with ansible/terraform/open tofu
  • Set up incus to serve Prometheus/Grafana/Loki
  • Set up a basic Ceph cluster and integration with incus. Can it integrate easily with microceph/microovn?

The points above are que nice since and most are que general to be used with many other services. And it’s stuff directly related to incus usage as well.

Other than that, for firewall, I’m using OpenWRT in an unprivileged container. Linux based, same interface as wireless routers/access points is que nice and no need to run in a VM.

I’ve seen some questions on using Docker inside containers. Some even concerning running Keycloak in Docker, for example.

Jellyfin is an awesome media player. It can be run with GPU passthrough in an unprivileged container and the configuration is super easy compared to proxmox, for example.

Some form of backup system for containers would be super nice.

A lot of people run these things in proxmox VMs. Showing how to run them in unprivileged containers is awesome. And incus ui is super important for these people as well.

1 Like

There’s a very nice video from @stgraber on how to expose lxd services. It would be nice to remake that for incus and also give some extra information on setting up a bridge which he describes as one of the best methods, but did not show up how to set it up in at least one distro.

1 Like

Podman indeed had benefits on Docker when running on the host machine. Once you’re isolated inside an incus container, those benefits are mostly irrelevant and Docker with compose and extensive community far outweighs it.

1 Like

Also, considering that Incus may get at some point support for OCI images.
I’ll leave it on the list, it looks low priority, unless there is a compelling use-case.

I think I have updated the top post with all points, up to this point (pun not intended).

I use Podman at work. One nice thing about it is that you can easily wrap containers into a systemd service. You can also manage them in the same way as you would on Kubernetes. This makes it easy to migrate them to a production Kubernetes cluster. With that you don’t really need Docker compose.

But, yeah, that is all work related stuff. Maybe not so important for homelabs.

Is this the video you were thinking of?

There is another good one on network forwards.


All the options I gave are self-hosted DNS. They mostly leverage Unbound under the hood but “the people” have spoken and they like a nice GUI. I’m afraid - and I say this as someone who actually owned the grasshopper book on DNS and BIND - the days of BIND in homelabs are over except for the diehards. All three options also do DHCP, by the way, and adblocking through dynamic lists.

Ah Docker, my old nemesis. The problem is exactly that there doesn’t seem to be just one post that tells you what to do. Next point is that the changes in ZFS 2.2 allow the use of overlay2 in a more performant way which has never been properly documented or Incus or LXD (that I have seen) :
eg Reddit - Dive into anything

Lots of folks say it can now be used and there is general carousing, but no one explains how to enable it properly in one shot. So many confusing options and pitfalls :

And why not cover shiftfs too :

I see some evangelists here pushing Podman, but unfortunately the whole homelab crowd is basically not interested. It’s a shame, but there it is. I would also expect that anyone wanting Podman would be capable of deploying it themselves, whereas the typical Docker crowd will require some handholding - even me, post the ZFS changes. :frowning: For example, where should the the persisted data for the Docker containers be stored after you’ve configured ZFS delegates? Is it different for volumes and mounts (presumably not)?

1 Like

Since Ceph was mentioned, I would like to suggest Linstor.

In my opinion, its strategy is simpler and more performant than Ceph in the specific context of distributed high-available storage for LXC containers and virtual machines.

Does this describe how Linstor would be used in Incus? Lxd with Linstor storage?

I still think a native storage driver for Linstor would be interesting to get down the line.
There’s also been similar interest around Gluster.

I’m currently doing some work to support LVM on top of a shared block volume, that work is cleaning up a bunch of assumptions made by Incus around remote filesystems and should make it even easier for others to be added down the line.

That said, for anything we add support to, we’ll want there to be a solid community around it, stable releases, good security handling, …


That’s the one. And a comprehensive video should mention the second one as well.

On the podman side of things, it might not have been the correct place to even start that discussion. But both are run inside incus in the same way and talking about both in the same light has its merits. But with that discussion out of the way, focusing on Docker has a higher crowd interest in general.

For homelab users, It would be interesting to know if the following are doable in Incus:

  • Home Assistant, Zigbee2Mqtt, OpenHAB and the likes
  • Apprise for notification, Matrix(Synapse, Dendrite, Element), Jitsi Meet
  • Minecraft servers !?
  • Password managers and note taking apps
  • Guacamole for remote access
  • Wikis

An emphasis of IncusUI would be also helpful

1 Like

Any of these are doable. Anything that is served through a Web browser is OK. With Incus, your instances

  1. can have any type of network access (protected on a private bridge, appearing on the LAN, exposed to the Internet).
  2. can have access to other instances (one instance is the service, another is the MySQL server, as if you have multiple servers)

IncusUI currently replicates well the command-line incus tool.

At some point in the future I expect that it would be possible to setup any of these through a UI like IncusUI. But how would we be able to get there? I think that the first stage would be to figure out the steps to do these manually.

at home we are already running all services on incus and even migrated the QNAP NAS to boot with ubuntu 22 and incus to act as a backup sink for incus and other zfs datasets. Main 24/7 server is a odroidm1 with mirrored ssds, consuming < 10 W, running armbian and incus on zfs with following containers:

  • samba4 active directory
  • samba4 fileservers
  • nextcloud
  • nginx as reverse proxy
  • tvheadend to stream and record from SAT using a DIGIBIT Twin

another system at hetzner having more memory and cpu power is running

  • Joplin (sync shared notes and webclippings)
  • Zimbra (groupware)
  • jitsi-meet (web meetings)

In our office we recently managed to successfully migrate all VMs from ESXi to incus containers among others:

  • Grav CMS
  • Redmine (project management with integrated tickets, wiki, git repos)
  • Jenkins
  • Artifactory
  • Alfresco DMS
  • EspoCRM

as VMs:

  • pfsense (any box connected directly to the internet should have something like a pfsense not to expose containers directly)
  • zulip chat
  • Win10 and Win11 Testsystems

On the company servers we also use custom, independent zfs pools to be mounted into the containers and we replicate the datasets via zrepl to other locations.

The migration of the windows VMs was an unexpectedly steep learning curve but now it’s really great to just clone a snapshot in seconds and delete it after testing. This is even much easier and faster than before in vmware! What I don’t want to miss anymore is the zfs backend under the hood.

I could help creating and managing documentation, how to set these systems up but we should focus on the incus specifics since we don’t want to replicate existing how to’s and maintain them.

What I’m am still looking for are tools and how to’s to create and manage images via simplestreams. If we could create such a howto, it may promote the exchange of incus container images for specific use cases!