The honest answer to "why do you have a homelab" is "I like it." The useful answer is that running real infrastructure at home keeps the operations muscles awake, costs roughly what one good SaaS bundle does, and gives my family ad-blocking, VPN, smart home, and password management without any of it phoning home to a stranger.
Network — the backbone
┌── network ─────────────────────────────────────────┐
│                                                    │
│  ISP                                               │
│   │                                                │
│   └── pfSense (Netgate SG-2100)                    │
│        │                                           │
│        └── managed switch                          │
│             │                                      │
│             └── VLANs:                             │
│                  ├── LAN trusted                   │
│                  ├── IoT isolated                  │
│                  ├── Cameras isolated              │
│                  ├── Limited filtered              │
│                  └── Guest isolated                │
│                                                    │
└────────────────────────────────────────────────────┘
Five VLANs, all firewalled from each other. The Limited VLAN gets a stricter AdGuard policy and a content-filtering denylist for devices that need extra guardrails. The IoT VLAN can talk to Home Assistant and nothing else. The Guest network reaches the internet and exactly nothing on the LAN.
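Added here as an illustration, not anything exported from the pfSense box: the intent in the paragraph above written down as per-interface, first-match rule lists with a small evaluator, so each sentence ("IoT can talk to Home Assistant and nothing else", "Guest reaches the internet and nothing on the LAN") can be asserted before the rules are typed into the firewall. The subnets, the Home Assistant and AdGuard addresses, and the decision to pin the Limited VLAN's DNS to AdGuard are assumptions made for the example.

```python
"""Added model of the five-VLAN policy (not the page's own configuration).
Subnets and host addresses are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing; the real subnets are not on the page.
VLANS = {
    "lan":     ip_network("10.0.10.0/24"),   # trusted
    "iot":     ip_network("10.0.20.0/24"),   # isolated
    "cameras": ip_network("10.0.30.0/24"),   # isolated
    "limited": ip_network("10.0.40.0/24"),   # filtered
    "guest":   ip_network("10.0.50.0/24"),   # isolated
}
ANY = ip_network("0.0.0.0/0")
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
HOME_ASSISTANT = ip_network("10.0.10.50/32")  # assumed: HA host on the trusted LAN
ADGUARD = ip_network("10.0.10.53/32")         # assumed: AdGuard Home resolver address


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: IPv4Network
    port: Optional[int] = None   # None matches any destination port
    note: str = ""


# Rules are attached to the VLAN a packet enters the firewall from, as pfSense
# attaches them to the ingress interface, and are evaluated top to bottom with
# first match winning. Anything unmatched is dropped (default deny).
POLICY = {
    "lan": [
        Rule("pass", ANY, note="trusted clients may reach everything"),
    ],
    "iot": [
        Rule("pass", HOME_ASSISTANT, 8123, "IoT -> Home Assistant only"),
        # nothing further: everything else, internet included, hits default deny
    ],
    "cameras": [
        # nothing: Frigate pulls streams into its own host, so the stateful
        # reply traffic needs no outbound rule on this interface
    ],
    "limited": [
        Rule("pass",  ADGUARD, 53, "DNS only to AdGuard (assumed: enforces the stricter policy)"),
        Rule("block", ANY, 53, "no other resolvers, so the denylist cannot be sidestepped"),
        *[Rule("block", net, note="no lateral access") for net in PRIVATE],
        Rule("pass",  ANY, note="internet"),
    ],
    "guest": [
        *[Rule("block", net, note="nothing on the LAN") for net in PRIVATE],
        Rule("pass",  ANY, note="internet"),
    ],
}


def vlan_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), None)


def decide(src: str, dst: str, port: Optional[int] = None) -> str:
    """Return 'pass' or 'block' for a new connection src -> dst:port."""
    vlan = vlan_of(src)
    if vlan is None:
        return "block"  # unknown source network: default deny
    dst_ip = ip_address(dst)
    for rule in POLICY[vlan]:
        if dst_ip in rule.dst and (rule.port is None or rule.port == port):
            return rule.action
    return "block"


def check_intent() -> dict:
    """The invariants stated in prose, as a table that can be asserted on.
    198.51.100.10 is an RFC 5737 documentation address standing in for 'the internet'."""
    return {
        "iot_to_ha":         decide("10.0.20.7", "10.0.10.50", 8123) == "pass",
        "iot_to_nas":        decide("10.0.20.7", "10.0.10.20", 445) == "block",
        "iot_to_internet":   decide("10.0.20.7", "198.51.100.10", 443) == "block",
        "guest_to_internet": decide("10.0.50.9", "198.51.100.10", 443) == "pass",
        "guest_to_lan":      decide("10.0.50.9", "10.0.10.20", 22) == "block",
        "limited_dns_ok":    decide("10.0.40.3", "10.0.10.53", 53) == "pass",
        "limited_dns_evade": decide("10.0.40.3", "8.8.8.8", 53) == "block",
        "camera_to_lan":     decide("10.0.30.4", "10.0.10.50", 8123) == "block",
        "lan_to_camera":     decide("10.0.10.50", "10.0.30.4", 554) == "pass",
    }


if __name__ == "__main__":
    for name, ok in check_intent().items():
        print(("ok " if ok else "BAD"), name)
```

The model only decides new connections; replies ride on the firewall's state table, which is why the Cameras list can be empty while Frigate still pulls RTSP from them. The order inside the Limited and Guest lists is the whole point: the private-space blocks have to sit above the catch-all internet pass, or the pass swallows everything.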
// network
- router / firewall: Netgate SG-2100 running pfSense CE
- switch: managed L2 with VLAN trunking
- wifi: UniFi APs · separate SSIDs per VLAN
- dns: AdGuard Home — single source of truth, blocklist + per-client policies
- vpn: WireGuard tunnels — back to home, plus split-tunnel out
// compute
- docker host: Ubuntu Server · ~25 services in compose
- ai / inference: Ryzen 9 + RX 6700 XT · ROCm + Ollama (gemma 8B / 26B vision)
- storage: Synology NAS · NFS to all hosts · Snapshot Replication enabled
- backup: 3-2-1 — Synology + Cloudflare R2 + LUKS-rotating offline drives
// services running
- identity / sso: Authentik — single login for everything below
- secrets: HashiCorp Vault · migrating to Bitwarden Secrets Manager just to see how it works
- passwords: Bitwarden (cloud) · family plan
- smart home: Home Assistant · Z-Wave + Zigbee + a regrettable amount of Wi-Fi
- cameras: Frigate + go2rtc — distributed streaming, one source, many viewers
- monitoring: Uptime Kuma · Grafana + Prometheus for the things that matter
- git: Gitea · primary remote for personal repos
- notes: Vaultwarden + Obsidian Sync alternative via NAS
Operating principles
- If it can run on my hardware, it runs on my hardware. Cloud is a backup, not the source of truth.
- SSO or it doesn't exist. Authentik in front of every web UI. No per-app password sprawl.
- Backups are tested, not assumed. Quarterly restore drill on the critical SQL DB. The day you skip it is the day you regret it.
- VLAN everything. The IoT vendor with a CVE next year doesn't get to my Synology.
- Document or lose it. Every change has a markdown note in the runbook repo. Future-Jason has thanked present-Jason for this many times.
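A worked version of the "tested, not assumed" principle, added as an example rather than the runbook's own drill script. SQLite from the standard library stands in for the critical SQL database so the script runs anywhere; with Postgres or MariaDB the dump would come from `pg_dump` or `mysqldump` and the scratch target would be a throwaway instance. The schema and rows are constructed, and the truncated-dump case is simulated to show what a failed drill looks like.

```python
"""Added example of a quarterly restore drill (not the page's own script).
Restore goes into a fresh scratch database, never the source, and the result is
compared against what was recorded at backup time."""
from __future__ import annotations
import hashlib
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path


def make_sample_db(path: Path) -> None:
    """Constructed stand-in for the production database."""
    with closing(sqlite3.connect(path)) as db:
        db.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, vlan TEXT)")
        db.executemany("INSERT INTO devices (name, vlan) VALUES (?, ?)",
                       [("thermostat", "iot"), ("doorbell", "cameras"), ("nas", "lan")])
        db.commit()


def take_backup(db_path: Path, dump_path: Path) -> str:
    """Write a logical dump and return its SHA-256, stored alongside the backup."""
    with closing(sqlite3.connect(db_path)) as db:
        sql = "\n".join(db.iterdump())
    dump_path.write_text(sql)
    return hashlib.sha256(sql.encode()).hexdigest()


def table_digest(db_path: Path) -> dict[str, tuple[int, str]]:
    """Row count plus a hash of the sorted rows, per table: cheap to keep, catches silent loss."""
    out = {}
    with closing(sqlite3.connect(db_path)) as db:
        names = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for name in names:
            rows = db.execute(f'SELECT * FROM "{name}" ORDER BY 1').fetchall()
            out[name] = (len(rows), hashlib.sha256(repr(rows).encode()).hexdigest())
    return out


def restore_drill(dump_path: Path, expected_sha: str, expected: dict, scratch: Path) -> dict:
    """Restore into a fresh scratch database and compare against the recorded digests."""
    sql = dump_path.read_text()
    report = {"dump_intact": hashlib.sha256(sql.encode()).hexdigest() == expected_sha}
    if scratch.exists():
        scratch.unlink()
    with closing(sqlite3.connect(scratch)) as db:
        try:
            db.executescript(sql)   # a truncated or mangled dump fails here
            report["integrity_ok"] = db.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        except sqlite3.Error:
            report["integrity_ok"] = False
    report["tables_match"] = table_digest(scratch) == expected
    report["passed"] = all(report.values())
    return report


def run_drill(corrupt: bool = False) -> dict:
    """End to end: back up, optionally damage the dump, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        src, dump, scratch = d / "prod.db", d / "prod.sql", d / "restore.db"
        make_sample_db(src)
        expected_sha = take_backup(src, dump)
        expected = table_digest(src)   # recorded at backup time, not at restore time
        if corrupt:
            text = dump.read_text()
            dump.write_text(text[: len(text) // 2])   # simulate a truncated backup file
        return restore_drill(dump, expected_sha, expected, scratch)


if __name__ == "__main__":
    for label, report in (("clean", run_drill()), ("truncated", run_drill(corrupt=True))):
        print(label, "PASS" if report["passed"] else "FAIL", report)
```

The three checks answer three different questions: is the file I stored the file I have now, does the engine accept it as a consistent database, and did every row come back. A drill that only confirms the dump file exists answers none of them.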
I write about specific pieces of this on the blog as I build them. Setups change; the writeups are dated for a reason.