A friend who was concerned about the level of discourse on social media recently asked me whether anything could be done about it. While I can’t solve the problems that we are experiencing on social media as a whole, there is one positive direction that you can take, which is why I decided to host a family-only Mastodon instance for him and his family. The whole thing is initially set up on one of his old computers, which had specs that worked; once his family gets accustomed to their very own social media hub, he will be getting a NUC with better specs.
Since most commercial social media is now a nightmare when it comes to privacy and security, it is time to help people jump off the train before it crashes. That’s why, when my friend asked about hosting something for his family, I jumped at the chance to lend a hand. The answer seemed simple: host his own instance of Mastodon. I write a lot about privacy and self-hosting, and this was a chance to put that into effect.
What a Family‑Only Mastodon Instance Gives You:
- Control Over Your Data – Unlike mainstream platforms that harvest posts, photos, and metadata for advertising, a self‑hosted Mastodon server gives me full ownership of everything we share. Only the members I invite can see our timelines.
- Zero‑Tracking, Zero‑Ads – Mastodon is open‑source and runs on the ActivityPub protocol, which means there are no hidden trackers or sponsored posts. Our family feed stays clean and distraction‑free.
- Customizable Moderation – I can set posting rules that match our family values—no profanity, no political trolling, and no unwanted strangers. The admin panel lets me mute, block, or delete content instantly.
- Future‑Proof & Interoperable – Because Mastodon speaks ActivityPub, their private instance can still interact with the broader Fediverse if we ever want to follow public accounts, while keeping our core community isolated.
- Learning Opportunity – Setting up the server gave our tech‑savvy teens a hands‑on lesson in Linux, Docker, and basic network security — a fun, educational side‑effect.
Why I Chose a Pure‑LAN Deployment
- Absolute ownership – All data stays on a machine that lives in the house. No third‑party cloud provider ever touches our posts, photos, or metadata.
- Zero‑tracking, zero‑ads – Mastodon is open‑source; with a LAN‑only setup there is nothing to sell to advertisers.
- Family‑only audience – By keeping the server behind the home router, only people who are physically on the network (or tunneled in via VPN) can reach it.
- Learning experience – Setting up a server on a spare PC or a Raspberry Pi gave the kids a hands‑on crash course in Linux, Docker, and basic networking security.
- Cost‑effective – One modest piece of hardware and a tiny electricity bill. No subscription fees, credit cards or bank involvement. Plus, right now they are running it on an old PC (which they thought was ‘junk’).
Below is the exact roadmap I followed, from hardware selection to a production‑ready Mastodon instance that lives solely on their LAN.
Choose Hardware
Option | Why It Works | Typical Specs |
Old desktop (we went with this one) | Already has a power supply, fans, and plenty of storage. | Intel/AMD CPU, ≥8 GB RAM, ≥500 GB HDD/SSD |
Raspberry Pi 4 (8 GB) | Low power, silent, easy to mount. | 8 GB RAM, USB‑C SSD (≥128 GB) |
Intel NUC | Small footprint, reliable fan‑less designs. | 12 CPU cores, 16 GB+ RAM, M.2 SSD |
Tip: Mastodon’s resource needs are modest for a family of <30 users. 2 vCPU + 2 GB RAM is enough; give yourself a little headroom if you expect lots of image/video sharing.
Prepare the Operating System
I used Ubuntu Server 22.04 LTS (the same steps work on Debian 12).
- Flash the OS onto an SD card (Pi) or USB stick (PC)
- Boot the machine and run a minimal setup.
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl gnupg lsb-release ca-certificates
Assign a static LAN IP. Edit /etc/netplan/01-netcfg.yaml (replace the values with your network’s scheme):
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: no
      addresses: [192.168.1.50/24]
      gateway4: 192.168.1.1
      nameservers:
        addresses: [x.x.x.x.x.x.x.x]  # Put in your own
Apply:
sudo netplan apply
Now the server is reachable at http://192.168.1.50 from any device on the same Wi‑Fi/Ethernet.
Install Docker & Docker‑Compose
# Add Docker’s official repository
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Add your user to the docker group so you don’t need sudo each time.
# Members of the docker group have root-equivalent control of this host, so add only the admin account.
sudo usermod -aG docker $USER
newgrp docker # reload groups in the current session
Verify:
docker version
docker compose version
Pull the Official Mastodon Docker Repository
git clone https://github.com/mastodon/mastodon.git
cd mastodon
git checkout v4.2.0
Configure Mastodon for LAN‑Only Use
Create the environment file
cp .env.production.sample .env.production
nano .env.production
Key entries (replace with your own values)
Variable | Example value | Purpose |
LOCAL_DOMAIN | mastodon.local (or any name you like) | The hostname other devices will use. |
WEB_DOMAIN | same as LOCAL_DOMAIN | Used for generating URLs. |
SMTP_SERVER | smtp.gmail.com (or your own mail relay) | Needed for password‑reset emails. |
SMTP_PORT | 587 | Standard TLS submission. |
SMTP_LOGIN / SMTP_PASSWORD | your mail credentials | Authentication for the SMTP server. |
SECRET_KEY_BASE | generate with docker compose run --rm web rake secret | Cryptographic secret for cookies. |
OTP_SECRET | same command as above | Two‑factor token secret. |
VAPID_PRIVATE_KEY / VAPID_PUBLIC_KEY | same command as above | Web‑push notifications. |
DB_HOST, REDIS_HOST | db, redis (default Docker service names) | Internal networking. |
UNICORN_WORKERS | 2 (adjust for CPU cores) | Number of web workers. |
MAX_MEDIA_SIZE | 10 (megabytes) | Prevent huge uploads on a modest LAN. |
SINGLE_USER_MODE | false (keep false) | Allows multiple family accounts. |
DISABLE_REGISTRATION | true (if you want invite‑only) | Prevent strangers from signing up. |
FEDERATION_MODE | disabled (optional) | Stops any communication outside the LAN. |
Important: Because the server never sees the public internet, you can safely use a self‑signed TLS certificate.
The LOCAL_DOMAIN can be any name you resolve locally (via /etc/hosts or your router’s DNS).
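A pre-flight audit of the secrets in .env.production, as an added example that is not part of the original write-up or of Mastodon itself. The variable names are the ones from the table above; the finding labels, the owner-only file-mode policy and the constructed sample file are assumptions of this sketch, and `stat -c` assumes GNU coreutils as shipped with Ubuntu.

```bash
#!/usr/bin/env bash
# Added example: audit .env.production before the first "docker compose up".
# Variable names are the ones in the table above; the checks are assumptions.

# Print the value assigned to key $2 in env file $1 (last assignment wins).
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Print one finding per line; return 0 when clean, 1 when anything was found.
audit_env() {
  local file findings key val mode
  file="$1"; findings=0
  for key in SECRET_KEY_BASE OTP_SECRET VAPID_PRIVATE_KEY VAPID_PUBLIC_KEY; do
    if [ -z "$(env_get "$file" "$key")" ]; then
      echo "MISSING $key"; findings=1
    fi
  done
  val=$(env_get "$file" SECRET_KEY_BASE)
  # Each secret needs its own run of the generator, not one value pasted twice.
  if [ -n "$val" ] && [ "$val" = "$(env_get "$file" OTP_SECRET)" ]; then
    echo "REUSED SECRET_KEY_BASE=OTP_SECRET"; findings=1
  fi
  # "rake secret" prints 128 hex characters; a short value was typed by hand.
  if [ -n "$val" ] && [ "${#val}" -lt 128 ]; then
    echo "SHORT SECRET_KEY_BASE"; findings=1
  fi
  # The file holds SMTP_PASSWORD and the signing secrets: owner-only access.
  mode=$(stat -c %a "$file")
  case "$mode" in
    600|400) ;;
    *) echo "MODE $mode"; findings=1 ;;
  esac
  return "$findings"
}

# Constructed sample: one secret pasted twice, a key missing, file mode 644.
demo() {
  local f
  f=$(mktemp)
  printf 'SECRET_KEY_BASE=%0128d\nOTP_SECRET=%0128d\nVAPID_PRIVATE_KEY=x\n' 0 0 > "$f"
  chmod 644 "$f"
  audit_env "$f" || true
  rm -f "$f"
}

if [ $# -gt 0 ]; then audit_env "$1"; else demo; fi
```

Run it with the path to .env.production as the only argument; with no argument it audits the constructed sample.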
Make the hostname resolvable on the LAN
Add an entry to every family device’s hosts file (or configure your router’s DNS):
192.168.1.50 mastodon.local
Now https://mastodon.local points to the server.
Secure the Connection – Self‑Signed TLS
Mastodon refuses plain HTTP by default, so we generate a local certificate.
mkdir -p ./certs
openssl req -newkey rsa:4096 -nodes -keyout ./certs/privkey.pem \
  -x509 -days 3650 -out ./certs/fullchain.pem \
  -subj "/CN=mastodon.local"
Edit docker-compose.yml (or create a small override file) to mount these certs into the web service:
services:
  web:
    volumes:
      - ./certs/fullchain.pem:/etc/ssl/certs/fullchain.pem:ro
      - ./certs/privkey.pem:/etc/ssl/private/privkey.pem:ro
Restart the stack later and Mastodon will serve HTTPS using the self‑signed cert.
Browsers will warn the first time; click “Proceed anyway” (or import the cert into your home CA store for a smoother experience).
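Checks worth running on the certificate before any family device is told to trust it, as an added example that is not part of the original write-up. The function names are hypothetical; the sketch assumes OpenSSL 1.1.1 or newer and goes slightly beyond the command above by adding a subjectAltName, which current browsers use for hostname matching once the certificate is imported.

```bash
#!/usr/bin/env bash
# Added example: create the LAN certificate with a SAN and verify it.
# Function names are hypothetical; requires OpenSSL 1.1.1 or newer.

# Create key and certificate for host $2 in directory $1 (key size $3, default 4096).
make_lan_cert() {
  local dir host bits
  dir="$1"; host="$2"; bits="${3:-4096}"
  mkdir -p "$dir" &&
  openssl req -newkey "rsa:$bits" -nodes -x509 -days 3650 \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" &&
  chmod 600 "$dir/privkey.pem"   # the private key stays owner-only
}

# True if certificate $1 lists host $2 as a DNS subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr -d ' ' | tr ',' '\n' | grep -qxF "DNS:$2"
}

# True if certificate $1 and private key $2 belong together.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint: compare it with the one the browser shows in the
# certificate details before accepting the warning on each device.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

if [ $# -eq 2 ]; then
  make_lan_cert "$1" "$2" && cert_fingerprint "$1/fullchain.pem"
fi
```

Called as `script ./certs mastodon.local`, it writes the same two files the compose volumes expect and prints the fingerprint to check on each device.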
Launch the Whole Stack
docker compose up -d
Docker pulls PostgreSQL, Redis, and the Mastodon components, then starts them in the background.
Check everything is healthy:
docker compose ps
docker compose logs -f web   # watch for “Listening on http://0.0.0.0:3000”
If you see errors about missing secrets, re‑run the rake secret commands and paste the results into .env.production.
Create the First Admin Account
docker compose run --rm web rails console
> User.create!( email: 'admin@family.local', password: 'StrongPass!123', admin: true, confirmed_at: Time.now)
> exit
Open a browser on any LAN device and go to https://mastodon.local. Log in with the admin credentials you just created.
Invite The Family – Invite‑Only Mode
- In the admin dashboard → Settings → Registrations turn on “Require invitation”.
- Click Generate Invitation → copy the link.
- Send the link via an encrypted channel (e.g., Signal, Proton Mail).
Each invited member creates a personal account, and because registration is locked, no stray outsiders can join.
Their family now enjoys a private, ad‑free, fully owned social feed that lives only on hardware they control. No cloud, no data mining, just a safe place to share photos, updates, and memes—all under their own roof.
Parting Words
And that’s it — by setting up our own Mastodon server, we’ve turned a simple family chat into a fortress of privacy, giving every member control over their own data and shielding us all from the relentless tracking of big‑tech platforms. Watching our grandparents post photos without a single third‑party cookie watching feels like a win for security, trust, and togetherness. Even better, the knowledge we’ve built isn’t a secret we keep to ourselves; we can walk other families through the same steps, spreading the message that opting out of data harvesting is both doable and empowering. So, let’s share what we’ve learned; help our friends reclaim their digital spaces, and prove that a safer, more private internet starts right at home.
Want some more information?
- “Mastodon for Beginners” – https://joinmastodon.org/learn
- “How to Use Mastodon” – https://www.digitaltrends.com/social-media/how-to-use-mastodon/
Self-hosting your own things gives you and your family a lot of peace of mind. You don’t have to worry about ads that track you, corporations that sell your data, or censorship. It belongs to you and your family. If you know a bit about technology, help out those who need your help. It feels really great when you can teach and help others to learn.