Hardware & Setup

My current setup runs on an old Ryzen 5 3500U laptop. It only has 4GB of RAM, so I use Docker to keep things lightweight. It's a simple way for me to practice Linux administration and self-hosting without needing expensive gear.

specs.txt
> CPU: AMD Ryzen 5 3500U
> RAM: 4GB (Planning to upgrade soon)
> SSD: 512GB NVMe
> OS: Ubuntu 24.04 LTS

Lab Architecture

[Figure: home_lab_v2_logic.png. Architecture Diagram: visual overview of the home lab network and service layout]

Access & Security

Remote Access

Standard port forwarding isn't an option for me as my ISP uses CGNAT. To bypass this, I use Tailscale to create secure, point-to-point mesh tunnels. These tunnels are built on the WireGuard protocol, which encrypts traffic and allows me to access services from anywhere without exposing them to the public internet.


Access Control

I have implemented Tailscale ACLs to enforce a Zero-Trust model. By using Tags, I've restricted access so that only authorized devices can reach private management services, while untrusted nodes are limited strictly to necessary service ports.
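
A tag-based policy of this kind can look like the following. This is an added example, not the policy file actually used in this lab; the tag names and the port numbers (22 for SSH management, 8096 as Jellyfin's default HTTP port) are assumptions. Tailscale policy files accept comments.

```json
{
  // Tag names are hypothetical, chosen for this example.
  "tagOwners": {
    "tag:trusted":    ["autogroup:admin"],
    "tag:untrusted":  ["autogroup:admin"],
    "tag:mgmt":       ["autogroup:admin"],
    "tag:public-svc": ["autogroup:admin"]
  },

  // Anything not matched by an accept rule is denied by default.
  "acls": [
    // Authorized devices may reach management and service nodes on any port.
    {
      "action": "accept",
      "src":    ["tag:trusted"],
      "dst":    ["tag:mgmt:*", "tag:public-svc:*"]
    },
    // Untrusted nodes may reach only the service port (assumed: 8096).
    {
      "action": "accept",
      "src":    ["tag:untrusted"],
      "dst":    ["tag:public-svc:8096"]
    }
  ],

  // Built-in policy tests: the policy is rejected on save if any of these fail,
  // which guards against a later rule accidentally widening access.
  "tests": [
    {
      "src":    "tag:untrusted",
      "accept": ["tag:public-svc:8096"],
      "deny":   ["tag:mgmt:22", "tag:public-svc:22"]
    },
    {
      "src":    "tag:trusted",
      "accept": ["tag:mgmt:22", "tag:public-svc:8096"]
    }
  ]
}
```

The `deny` entries in `tests` are the useful part for a setup like this: they fail the save if a broader rule ever lets an untrusted node reach a management port.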


Network Isolation

To minimize the attack surface, I use Tailscale Docker Sidecars for all public-facing services. This ensures that services like Jellyfin and this portfolio are logically isolated from the rest of the home network, preventing potential lateral movement in the event of a container compromise.

Service Stack

Docker Containers

Media Streaming: I run Jellyfin for my movie library, with Sonarr, Radarr, and Prowlarr handling automation and indexing. qBittorrent manages the downloads in the background.

Photo Backup: I use Immich for high-performance mobile photo backups. It serves as my primary alternative to Google Photos, ensuring my data stays on my own hardware.

Cloud Storage: I use Filebrowser as a self-hosted Google Drive alternative to manage and access my files from any device.


Monitoring

System Health: I use Beszel to monitor system resources in real-time, which is essential for managing the 4GB RAM limit and tracking container health.

Future Plans

To improve the lab's storage capacity and multitasking capabilities, I have the following upgrades planned:

  • RAM Upgrade: Increasing from 4GB to 8GB to provide more headroom for the Docker stack and ease memory issues.
  • Storage Expansion: Adding a 1TB HDD specifically for the Immich library.
  • Redundancy: Implementing a basic backup rotation for the configuration files of my primary services.