Posts on The Home Lab

Immich: Your Self-Hosted Google Photos Replacement

Fri, 13 Mar 2026 00:00:00 +0000

Why You Need This

Let me paint you a picture. You’ve got 80,000 photos scattered across your phone, your partner’s phone, and three old laptops. They’re on Google Photos — until Google changes their storage policy again, or you get locked out of your account, or you just get tired of feeding a trillion-dollar company your entire family’s memories.

Or maybe you’re already off Google and your photos are just… sitting in a folder on your NAS. Perfectly preserved, completely unsearchable, impossible to share.

Homelab Monitoring with Prometheus and Grafana

Sat, 07 Mar 2026 00:00:00 +0000

Why Monitor Your Homelab?

Without monitoring, you find out about problems when something stops working. With it, you see a disk filling up days before it causes an outage, catch a VM chewing CPU in the middle of the night, or notice your UPS battery health declining. It turns reactive firefighting into proactive maintenance.

The Prometheus + Grafana stack is the industry standard for this and runs comfortably on modest hardware. My monitoring stack runs in Docker on a dedicated LXC container and uses less than 1 GB RAM.

Getting Started with Home Assistant

Sun, 01 Mar 2026 00:00:00 +0000

Why Home Assistant?

Most smart home ecosystems (Google Home, Amazon Alexa, Apple HomeKit) are cloud-dependent. Your lights, locks, and sensors phone home to a server. If the company shuts down, changes their API, or has an outage, your devices stop working.

Home Assistant is a local, open-source smart home platform. It runs on your network, integrates with over 3,000 services and devices, and keeps all automations local. Your automations run even when the internet is down.

Self-Hosted Media Streaming with Jellyfin

Sat, 21 Feb 2026 00:00:00 +0000

Why Jellyfin?

Jellyfin is a free, open-source media server — the community fork of Emby after Emby went partially closed-source. It lets you stream your personal media library (films, TV shows, music, photos) to any device through a browser or app.

Compared to Plex, Jellyfin is fully free with no premium tier. Transcoding, sync, and apps are all free. There’s no phoning home to Plex servers — all metadata and authentication is local.

Automated Backups with Proxmox Backup Server

Sat, 07 Feb 2026 00:00:00 +0000

The Problem with Ad-hoc Backups

Proxmox VE has built-in backup functionality — you can snapshot a VM to a directory or NFS share on a schedule. But it stores full backups each time, space grows fast, and restoring requires the whole archive. Proxmox Backup Server (PBS) solves all three problems.

PBS is a dedicated backup server that:

Stores backups with client-side deduplication and compression (typically 50–80% space savings)
Does incremental backups — only changed chunks are uploaded
Supports instant verification by recalculating checksums
Has pruning policies — keep 7 daily, 4 weekly, 12 monthly backups automatically

Architecture

PBS is a separate Debian-based appliance. It does not run inside Proxmox VE. You have a few options:

ZFS for Homelabbers: Pools, Datasets, and Snapshots

Sat, 24 Jan 2026 00:00:00 +0000

What Makes ZFS Different?

ZFS is not just a filesystem — it’s a combined volume manager and filesystem. Everything from disk management to RAID to snapshots to checksumming is handled in one stack. This matters because:

Every block is checksummed. Silent data corruption (bit rot) is detected and, with redundancy, automatically corrected.
Snapshots are instant and cheap. A snapshot is just a pointer — it consumes no space until you delete data that the snapshot still references.
Copy-on-write semantics. Writes never overwrite existing data. Torn writes (partial writes during power failure) cannot corrupt the filesystem.
Compression is transparent. Enable it on a dataset and the CPU handles compression/decompression invisibly.

ZFS does not protect against drive failure any better than hardware RAID — it has the same RAIDZ fault tolerance. What it protects against is silent corruption, which hardware RAID controllers can silently propagate.

Building a Home NAS with TrueNAS Scale

Sat, 10 Jan 2026 00:00:00 +0000

Why TrueNAS Scale?

TrueNAS Scale is a Debian-based NAS operating system built around ZFS. The “Scale” version adds Linux containers (Docker/Kubernetes) on top of the traditional NAS features, so your storage box can also run apps like Jellyfin or Nextcloud alongside your shares.

It’s free, open-source, and the ZFS integration is first-class. Data integrity checks, snapshots, and replication are all built in and accessible through the web UI.

Hardware Recommendations

ZFS is memory-hungry and loves ECC RAM. For a home NAS:

Docker vs LXC Containers in Proxmox: When to Use Each

Sat, 27 Dec 2025 00:00:00 +0000

The Confusion

New Proxmox users often ask: should I run Docker inside a VM, Docker inside an LXC container, or use Proxmox’s native LXC containers directly? The answer depends on what you’re running and what you value. This post breaks down the trade-offs.

What Is LXC?

LXC (Linux Containers) is an OS-level virtualisation technology. LXC containers share the host kernel but have their own filesystem, process tree, network stack, and user namespace. They boot like lightweight VMs — you run pct start 101 and get a full Linux environment in under a second.

Installing Proxmox VE

Sat, 13 Dec 2025 00:00:00 +0000

What is Proxmox VE?

Proxmox Virtual Environment (VE) is a free, open-source hypervisor built on Debian. It supports both KVM-based virtual machines and LXC containers, and comes with a decent web UI out of the box — no need to pay for a VMware licence.

Hardware

For this build I’m running Proxmox on two nodes:

Node	CPU	RAM	Storage
pve-01	Intel Core i5-12400	32 GB DDR4	500 GB NVMe (OS) + 2 TB SSD (VMs)
pve-02	Intel Core i5-10400	16 GB DDR4	256 GB NVMe (OS) + 1 TB SSD (VMs)

Downloading the ISO

Head to the Proxmox downloads page and grab the latest Proxmox VE ISO Installer. At the time of writing that was 8.x.

Zero-Config Remote Access with Tailscale

Sat, 29 Nov 2025 00:00:00 +0000

The Problem with Traditional Remote Access

Setting up WireGuard or OpenVPN yourself works, but it has requirements:

A public IP (harder to get on CGNAT/IPv6-only connections)
Port forwarding on your router
Dynamic DNS if your IP changes
Key management for each client

Tailscale removes all of these requirements. It creates an encrypted peer-to-peer mesh network between your devices without any port forwarding, and works through CGNAT, firewalls, and double-NAT.

How Tailscale Works

Tailscale is built on WireGuard. Each device gets a WireGuard key pair. Tailscale’s coordination server (not a relay server) shares public keys between devices so they can establish direct encrypted connections.

Reverse Proxy and SSL with Nginx Proxy Manager

Sat, 15 Nov 2025 00:00:00 +0000

The Problem Nginx Proxy Manager Solves

As your homelab grows, you accumulate services running on various IPs and ports: Proxmox on :8006, Jellyfin on :8096, Nextcloud on :443, Home Assistant on :8123. Remembering port numbers is tedious, but the bigger issue is HTTPS — browsers complain about self-signed certificates, and accessing services over plain HTTP on your LAN is a security risk.

Nginx Proxy Manager (NPM) solves both problems. It’s a Docker container with a web UI that lets you:

Self-Hosted VPN with WireGuard

Sat, 01 Nov 2025 00:00:00 +0000

Why Self-Host a VPN?

A self-hosted VPN gives you a secure tunnel back into your home network when you’re away. Unlike commercial VPN services (which are for hiding traffic from your ISP), this is about remote access — connecting to your NAS, home automation, internal dashboards, or development environment from a coffee shop or hotel.

WireGuard is the right choice today. It’s built into the Linux kernel, uses modern cryptography (ChaCha20, Curve25519), and has a drastically smaller codebase than OpenVPN (~4,000 lines vs ~400,000). Handshakes complete in milliseconds. Battery drain on mobile is noticeably lower.

Network-Wide Ad Blocking with Pi-hole

Sat, 18 Oct 2025 00:00:00 +0000

Why Pi-hole

Most ad blockers work at the browser level. Pi-hole works at the DNS level, which means it blocks ads for every device on your network — smart TVs, phones, game consoles, IoT devices — without installing anything on them. It works by acting as the DNS resolver for your LAN and returning 0.0.0.0 for known ad and tracking domains instead of the real IP.

The side effect is that you also get a full picture of every DNS query every device makes, which is genuinely eye-opening. You will quickly discover that your smart TV is phoning home every few minutes.

VLAN Segmentation: Isolating Your IoT Devices

Sat, 04 Oct 2025 00:00:00 +0000

Why Segment Your Network?

The average home today has dozens of connected devices — smart bulbs, cameras, thermostats, TVs. Most of these devices have poor security track records: default credentials, infrequent firmware updates, and sometimes outright malicious firmware from vendors.

Putting them on the same flat network as your laptop and NAS is an unnecessary risk. VLANs fix this.

What Is a VLAN?

A Virtual LAN (VLAN) is a logical partition of a physical network. Devices on different VLANs cannot communicate with each other unless you explicitly allow it through firewall rules — even if they share the same physical switch.

Setting Up OPNsense as Your Home Firewall

Sat, 20 Sep 2025 00:00:00 +0000

Why Replace Your ISP Router?

ISP-provided routers are designed to be cheap and manageable by support staff, not to give you control. They have opaque firmware, rarely get security updates, and have none of the features a proper firewall offers: VLAN support, traffic shaping, IDS/IPS, meaningful logs, VPN server, DNS over TLS.

OPNsense is a FreeBSD-based firewall/router that runs on commodity x86 hardware. It’s fully open-source (forked from pfSense in 2015), actively maintained, and has a polished web UI.

Hello, Homelab

Sat, 06 Sep 2025 00:00:00 +0000

Why a Homelab?

Every homelab starts somewhere. Mine started with the frustration of paying for cloud services I could run myself, and curiosity about what actually happens when packets travel across a network.

Current Goals

Full network segmentation — IoT devices on their own VLAN, completely isolated from the trusted network
Self-hosted DNS with ad-blocking (Pi-hole / AdGuard Home)
A proper NAS for media, backups, and general storage
Monitoring stack — Prometheus + Grafana so nothing breaks silently

Hardware on the Bench

Device	Role
TP-Link ER605	Router / gateway
TP-Link SG2008P	Managed PoE switch
TP-Link OC200	Omada hardware controller
TP-Link EAP245	Wi-Fi access point
Proxmox VE × 2	Compute nodes (virtualisation)
Proxmox PBS	Backup server

What’s Coming Next

The first series of posts will cover setting up a flat-to-segmented network from scratch — starting with the router/firewall choice all the way through VLAN tagging and inter-VLAN routing rules.