The lab is useful infrastructure first and a learning platform second. The design keeps the pieces that affect daily life relatively boring: DNS, remote access, backups, and smart home controls. The experimental layer is where AI agents, automation runners, app experiments, and remote workstations are allowed to be more complex.
The map is intentionally role-based. It explains responsibilities and tradeoffs without turning the architecture into an operations manual.
System Zones
- Edge and access: a UniFi stack, identity-protected tunnel access, and a private overlay network handle remote entry without exposing services on public ports.
- Core network: a 2.5 GbE LAN, Wi-Fi 7, guest access, an isolated work segment, and planned IoT/camera segmentation.
- Compute: a KAMRUI Hyper H1 mini PC with a Ryzen 7 6800H and 64 GB RAM runs Proxmox, with VMs for isolation-heavy workloads and LXCs for lightweight infrastructure.
- Storage: a Synology DS923+ NAS with four 18 TB drives anchors backups, photos, Time Machine, VM/container backups, and large media storage.
- Application layer: Docker runs most web apps and self-hosted services, split between the NAS, a Docker VM, and a media-focused LXC.
- Automation: Home Assistant coordinates daily smart home controls, scenes, cameras, and practical household automations.
- AI and research: agent VMs, Codex workflows, OpenClaw/Hermes experiments, and local/hybrid AI tooling live on the experimental side of the lab.
Design Pattern
The architecture is built around a simple rule: systems that other people or daily routines rely on should be stable, recoverable, and easy to reason about. Systems built for learning can be more complicated, as long as they are isolated and backed up.
That shows up in a few ways:
- Tailscale is the primary remote access path for trusted personal devices.
- Cloudflare Tunnel is reserved for browser-only access from devices where installing Tailscale is not practical.
- AdGuard Home provides network-level DNS filtering for the LAN and for devices connected over the private overlay network.
- Proxmox Backup Server protects VMs and LXC containers, with the NAS as the storage target.
- Docker Compose, Portainer, and Forgejo keep service configuration versioned, reviewable, and easy to roll back.
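The edge rule above (remote entry through Tailscale or a tunnel, not through broadly published ports) is easy to state and easy to drift from as Compose files accumulate. The script below is an added example, not code from this lab or from any of the tools it names: it walks a Compose definition, normalises each `ports` entry (short string syntax and long dict syntax), and classifies the host binding as loopback, Tailscale overlay (the 100.64.0.0/10 CGNAT range Tailscale assigns from), LAN, or all interfaces. Services that legitimately serve the LAN, such as a DNS resolver, are passed in an allowlist. The Compose data, service names, and addresses are constructed for the example.

```python
"""Audit Docker Compose port mappings for broad host exposure.

Added example: checks that published ports bind to loopback (for a local
reverse proxy or tunnel connector) or to the node's Tailscale address,
rather than to every interface, unless the service is explicitly meant
to serve the LAN.
"""
import ipaddress

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10.
TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")


def parse_port_mapping(entry):
    """Normalise one Compose port entry to (host_ip, host_port, container_port, proto).

    Handles the short syntax "[host_ip:][host_port:]container_port[/proto]"
    (bracketed IPv6 host addresses included) and the long dict syntax.
    """
    if isinstance(entry, dict):
        published = entry.get("published")
        return (
            entry.get("host_ip"),
            str(published) if published is not None else None,
            str(entry["target"]),
            entry.get("protocol", "tcp"),
        )
    text = str(entry)
    proto = "tcp"
    if "/" in text:
        text, proto = text.rsplit("/", 1)
    host_ip = None
    if text.startswith("["):  # bracketed IPv6 host address, e.g. [::1]:8080:80
        close = text.index("]")
        host_ip = text[1:close]
        text = text[close + 1:].lstrip(":")
    parts = text.split(":")
    if len(parts) == 1:  # "80": ephemeral host port on all interfaces
        return (host_ip, None, parts[0], proto)
    if len(parts) == 2:  # "8080:80"
        return (host_ip, parts[0], parts[1], proto)
    # "host_ip:host_port:container_port"; an unbracketed IPv6 address keeps its colons
    return (":".join(parts[:-2]), parts[-2], parts[-1], proto)


def classify_binding(host_ip):
    """Name the network a published port is reachable from."""
    if host_ip in (None, "", "0.0.0.0", "::"):
        return "all-interfaces"
    addr = ipaddress.ip_address(host_ip)
    if addr.is_loopback:
        return "loopback"
    if addr in TAILSCALE_NET:
        return "tailscale"
    return "lan"


def audit_compose(compose, lan_services=frozenset()):
    """Return one finding per published port; `ok` is False for broad bindings
    on services not in `lan_services`."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports", []):
            host_ip, host_port, container_port, proto = parse_port_mapping(entry)
            scope = classify_binding(host_ip)
            findings.append({
                "service": name,
                "mapping": entry,
                "host_port": host_port,
                "container_port": container_port,
                "proto": proto,
                "scope": scope,
                "ok": scope in ("loopback", "tailscale") or name in lan_services,
            })
    return findings


# Constructed sample: a Compose file as Python data (Compose YAML loads to the same shape).
SAMPLE_COMPOSE = {
    "services": {
        "adguard": {"image": "adguard/adguardhome",
                    "ports": ["53:53/udp", "53:53/tcp", "127.0.0.1:3000:3000"]},
        "forgejo": {"image": "codeberg.org/forgejo/forgejo",
                    "ports": ["100.64.0.5:3000:3000",
                              {"target": 22, "published": 2222,
                               "host_ip": "100.64.0.5", "protocol": "tcp"}]},
        "portainer": {"image": "portainer/portainer-ce", "ports": ["9443:9443"]},
        "cloudflared": {"image": "cloudflare/cloudflared"},  # outbound-only, no ports
    }
}


def broadly_exposed(compose, lan_services=frozenset()):
    """Service names with at least one binding that violates the rule."""
    return sorted({f["service"] for f in audit_compose(compose, lan_services) if not f["ok"]})


if __name__ == "__main__":
    for f in audit_compose(SAMPLE_COMPOSE, lan_services={"adguard"}):
        flag = "ok " if f["ok"] else "BAD"
        print(f"{flag} {f['service']:<11} {f['mapping']!s:<45} -> {f['scope']}")
```

Port 53 on the resolver is allowed because the LAN is meant to use it; the Portainer entry is the kind of drift the check is for, since 9443 on all interfaces is reachable from every segment the host sits on, not only from Tailscale peers.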
Current Service Shape
The lab is not a single monolithic server. Services are placed according to uptime requirements, hardware access, and isolation boundaries:
- The NAS keeps a few always-useful containers close to storage and remote-access paths.
- A Docker VM handles most general self-hosted web apps.
- A media-focused LXC handles Jellyfin, object detection, and other workloads that benefit from hardware encoding.
- Separate VMs are used where access boundaries matter, especially for AI-agent and work-style environments.