The current network setup is fairly simple, functional, and slightly allergic to VLANs… mostly due to hardware limitations. At the edge, a stock router connected to a fiber ONT exposes two SSIDs: a flat primary network and a guest network (the latter isolated, with no lateral visibility). No VLAN tagging, no fancy segmentation… yet (see below).
At the core of the homelab is a Synology DS720+, configured with two 4TB HDDs in RAID1 and a 256GB SSD cache. It runs DSM with Btrfs as the filesystem of choice. A daily encrypted backup is handled via USB to a 2TB SSD drive, and Btrfs snapshots are used to replicate key volumes internally, leveraging the snapshot+replication combo that DSM makes pleasantly easy.
Service-wise, the NAS is running multiple Docker stacks via Portainer, organized with some level of OCD. Notable mentions include:
- 📸 Immich for self-hosted photo storage and management
- 📄 Paperless for document archiving
- 🧾 Karakeep for hoarding anything digital
- ✏️ HedgeDoc as a collaborative pad
The NAS also serves as the Time Machine backup target for a personal MacBook on the network. For external access, an nginx reverse proxy is in place, with TLS certificates automatically issued and renewed by acme.sh using the DNS-01 challenge.
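As an added example (not the configuration from this post), this is the shape that combination takes for one service behind the proxy: acme.sh issues and deploys the certificate, nginx terminates TLS and forwards to the container. The hostname, DNS provider hook, file paths, and the Immich container name and port are assumptions.

```nginx
# Assumed: acme.sh issued the certificate with the DNS-01 challenge (no inbound
# port 80 needed) and deployed it with --install-cert, roughly:
#   acme.sh --issue --dns dns_cf -d photos.example.net
#   acme.sh --install-cert -d photos.example.net \
#     --key-file       /volume1/docker/nginx/certs/photos.key \
#     --fullchain-file /volume1/docker/nginx/certs/photos.crt \
#     --reloadcmd      "docker exec nginx nginx -s reload"
# (dns_cf is acme.sh's Cloudflare hook, driven by an API token in the environment;
#  use the hook for your own DNS provider.)

server {
    listen 80;
    server_name photos.example.net;
    # Never serve the app over plain HTTP; redirect to the fixed name, not $host
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name photos.example.net;

    # Container-side paths of the files acme.sh installed above
    ssl_certificate     /etc/nginx/certs/photos.crt;
    ssl_certificate_key /etc/nginx/certs/photos.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:SSL:10m;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;
    client_max_body_size 0;   # unlimited: photo and video uploads

    location / {
        # Assumed: Immich's server container name and its default port
        proxy_pass http://immich-server:2283;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade, needed by the Immich web UI
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
    }
}
```

Because the challenge is DNS-01, the public internet never needs to reach port 80 on the NAS; only 443 is exposed, and only for the names the proxy knows.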
Complementing the NAS is an old but reliable ThinkPad X1 Carbon Gen 3, running Debian on ext4, booting headless via Wake-on-PowerAC (thanks to a smart plug) and auto-joining Tailscale on boot. The disk is LUKS-encrypted, with SSH unlock enabled, allowing full remote management without ever opening the clamshell.
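An added example of how the "SSH unlock" part is typically wired on Debian (dropbear-initramfs plus cryptsetup-initramfs), not the author's actual files: port, idle timeout and key material are assumptions. One caveat worth knowing: Tailscale is not part of the initramfs, so the unlock prompt is reachable over the LAN only, not over the tailnet.

```conf
# /etc/dropbear/initramfs/dropbear.conf  (Debian 12 path; older releases use
# /etc/dropbear-initramfs/config). Options handed to the initramfs dropbear:
#   -I 180  drop idle sessions after 180 s
#   -j -k   disable local and remote port forwarding (this is not a jump host)
#   -p 2222 listen on a different port than the real OS sshd, so the client can
#           keep a separate, pinned host key for the unlock prompt
#   -s      no password logins; keys only
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"

# /etc/dropbear/initramfs/authorized_keys
# Bind the key to the unlock prompt so a stolen client key cannot get a shell
# inside the initramfs. The key itself is a constructed placeholder.
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-ed25519 AAAA...PLACEHOLDER laptop-unlock

# /etc/initramfs-tools/initramfs.conf
# The initramfs needs an address before the LUKS volume is open. DHCP is the
# simplest; a static lease on the router keeps the name stable for the client.
IP=dhcp

# Apply:   update-initramfs -u
# Unlock:  ssh -p 2222 root@thinkpad     (runs cryptroot-unlock, then exits)
```

After the first boot, record the initramfs host key separately from the OS one in the client's known_hosts; a changed key at the unlock prompt is exactly the signal you want to notice.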
On this device, Portainer runs in agent mode, connected back to the NAS (filtered through a local firewall so that only the Synology IP can reach it, and only on the needed port). Several Docker containers live here too:
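The "only the Synology IP, only the needed port" rule, written out as an added nftables example (not the author's ruleset). Addresses, the wired interface name, the agent's default TCP port 9001 and the unlock port 2222 are assumptions. The forward chain is the part that usually gets missed on a Docker host.

```nftables
#!/usr/sbin/nft -f
# /etc/nftables.conf on the ThinkPad: added example, not the author's ruleset.
# Assumed: NAS at 192.168.1.10, LAN 192.168.1.0/24, wired NIC eth0, Portainer
# agent on its default TCP 9001, dropbear unlock prompt on TCP 2222.
define SYNOLOGY   = 192.168.1.10
define LAN        = 192.168.1.0/24
define AGENT_PORT = 9001

# Replace only our own table. `flush ruleset` would also wipe the rules Docker
# maintains for its published ports if this file is reloaded after Docker starts.
table inet filter
delete table inet filter

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Portainer agent, if it runs with network_mode: host (see forward below)
        ip saddr $SYNOLOGY tcp dport $AGENT_PORT accept
        # SSH to the OS, and to the initramfs unlock prompt, from the LAN only
        ip saddr $LAN tcp dport { 22, 2222 } accept
        # Tailscale's direct WireGuard path, plus host-networked services
        # (AdGuardHome DNS, Traefik) that should only answer over the tailnet
        udp dport 41641 accept
        iifname "tailscale0" udp dport 53 accept
        iifname "tailscale0" tcp dport { 53, 80, 443 } accept
    }

    chain forward {
        # Docker publishes -p ports with DNAT in prerouting, so a bridged
        # container is reached through the forward hook and never meets the
        # input chain above. Match the pre-NAT port so the restriction holds
        # whatever the mapping, and log rejects so scans show in journalctl -k.
        type filter hook forward priority -10; policy accept;
        iifname "eth0" ct original proto-dst $AGENT_PORT ip saddr != $SYNOLOGY \
            log prefix "portainer-agent-blocked: " drop
    }
}
```

Check the result from a LAN host other than the NAS: a connection to 9001 should time out, and the attempt should appear in the kernel log with the prefix above.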
- 🧱 AdGuardHome, currently handling DNS redirection for Tailscale-connected clients
- 💸 Actual Budget, for personal finance tracking
- 📺 Jellyfin, for media streaming
- 📝 AppFlowy, for structured note-taking
Service discovery and internal routing are handled through Tailscale’s Split DNS, with DNS requests from all devices captured and routed to AdGuardHome (on the ThinkPad). AdGuardHome then resolves them to the appropriate Tailscale IP: either to nginx (NAS) or Traefik (ThinkPad), depending on the service in question.
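What that resolution step looks like in AdGuardHome's own configuration, as an added example rather than the author's file. Hostnames, the lab zone and the Tailscale addresses are constructed; the rewrites are the same whether AdGuardHome is the tailnet's global nameserver or a restricted nameserver for just this zone.

```yaml
# Excerpt of AdGuardHome.yaml on the ThinkPad: added example, not the author's file.
# Recent AdGuard Home releases keep the list under filtering.rewrites (older
# releases: dns.rewrites). All names and addresses below are constructed.
#
# Tailscale admin console, DNS tab, restricted nameserver:
#   domain lab.example.net  ->  100.101.1.2   (AdGuardHome on the ThinkPad)
# Only lookups for that zone are sent to AdGuardHome; everything else follows
# the client's normal resolver.
filtering:
  rewrites:
    # Services behind nginx on the NAS (Tailscale address of the DS720+)
    - domain: photos.lab.example.net
      answer: 100.101.1.1
    - domain: docs.lab.example.net
      answer: 100.101.1.1
    # Services behind Traefik on the ThinkPad
    - domain: media.lab.example.net
      answer: 100.101.1.2
    - domain: budget.lab.example.net
      answer: 100.101.1.2
    # Wildcard catch-all; exact entries above take precedence. A mistyped name
    # lands on the proxy's 404 instead of being forwarded upstream.
    - domain: '*.lab.example.net'
      answer: 100.101.1.2
```

The rewrite only tells a client where to go; who may actually connect is still decided by Tailscale ACLs and by the proxies' TLS and auth, so the DNS layer should not be treated as an access control.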
The wireless network shares the same flat subnet as the wired one, hosting everything from smart home gadgets to entertainment devices. The isolated guest network is used for devices that don’t need internal access… just plain old internet.
Known Issues & Improvements
This setup works, but it’s far from perfect. Here are the key areas where things could and should improve:
The network is mostly flat
No segmentation, no VLANs, just one big happy subnet. Functional, but not ideal from a security or traffic management perspective. Homelabbing is a big learning opportunity, and this will also be a strong security and hardening exercise!
Backups aren’t truly 3-2-1
Right now it’s a 2-2 setup: two copies, on two different media, but no off-site storage yet. RPO and RTO are acceptable for now, but this needs tightening.
ThinkPad has no backup strategy
The NAS is covered, but the ThinkPad is a single point of failure. No snapshots, no backup, no mercy if something goes wrong.
No unified dashboard
Service discovery is DNS-based, but there’s no central landing page or dashboard to keep everything organized and visible. It’s time to admit I need a homepage.
Too much Wi-Fi, not enough copper
Most devices are still on Wi-Fi. It works, but cabling would improve reliability and reduce latency, especially for backup jobs and media streaming.
Power management is fragile
No UPS. A power outage would be… loud. There’s also no gentle shutdown mechanism yet, which is not ideal for Btrfs or LUKS-encrypted disks.
Monitoring is minimal
Right now, most issues are discovered when something fails. There’s no proactive alerting, no performance dashboards, no real observability in place.
Remote management is functional, not elegant
Tailscale makes remote access simple, but there’s room for improvement in automating tasks like wake-on-LAN, OS updates, or restarting containers.
Future Plans
A house move is on the horizon, and with it comes the perfect excuse to improve and rethink. This will be the first real-world test of how portable and resilient the homelab setup actually is.
The new place is already pre-wired with Ethernet cabling, which opens up a world of possibilities. Wi-Fi will finally stop doing the heavy lifting, and critical devices will be plugged into actual copper.
Alongside the move, I’ve started collecting new gear and preparing for the next phase:
Cloud Gateway Fiber + UniFi U7 AP (Ubiquiti)
This will replace the current and future consumer router, unlocking proper VLAN support, traffic segmentation, and the ability to enforce QoS policies where needed.
JetKVM for remote management
Ordered and inbound. This will allow for BIOS-level control of headless systems, remote reboots, and generally fewer “crawling under the desk with a monitor” situations.
Old MacBook Pro with cracked screen
Repurposed as a Debian box. The idea is to use it as a local AI inference server with Ollama, and a Tdarr node for media encoding offload.
Self-hosted password manager, long overdue. Tailscale integration and 2FA will be configured from day one.
Home automation
Planning to centralize and automate smart home devices, probably via Home Assistant or OpenHAB. Right now there aren’t enough smart devices to justify a full setup.
UPS + Peanut
Once a UPS is in place, Peanut will handle monitoring it via NUT.
For meal planning and recipe management. Not mission-critical, but a quality-of-life addition to the self-hosted stack.