A segmented, security-first home lab built on an OPNsense firewall, VLAN isolation, and a fleet of Linux servers running 30+ self-hosted services — all protected by a layered, automated 3-2-1 backup pipeline to on-site NAS and off-site cloud storage.
Traffic enters through a single hardened edge — the OPNsense firewall — which routes between isolated VLANs. A reverse proxy terminates SSL and fronts every service. Trusted servers live on their own segment, while IoT and guest devices are walled off.
Every device is placed on a VLAN according to how much trust it earns. Inter-VLAN traffic is denied by default and only opened where required — the core principle keeping an untrusted webcam or game console away from personal data.
A defense-in-depth edge: one firewall to rule routing, an encrypted tunnel for remote access, SSO for identity, and DNS-level filtering for every device on the network.
Network edge handling WAN gateway, NAT, VLAN routing, and default-deny inter-VLAN policy. All config is auto-backed up to NextCloud.
Encrypted remote access to the lab on 10.10.50.0/24. Outbound traffic exits via
ProtonVPN by default, with a direct-WAN client profile available.
Central identity provider issuing SSO across self-hosted apps, consolidating authentication behind one hardened gateway.
Network-wide DNS with ad/tracker blocking, distributed to every VLAN via DHCP — including the firewall's own upstream resolution.
Single reverse-proxy ingress terminating Let's Encrypt SSL for all services and enforcing the Public vs Local-Only access boundary.
Live availability monitoring across every service, giving a single status dashboard and the first stop in any troubleshooting runbook.
Six purpose-built Linux hosts, each owning a slice of the platform — from automation and identity to storage and source control. Containerized with Docker and routed through the reverse proxy.
Home automation, security & finance hub
Primary Docker host · network DNS · backup origin
piholeNetwork video recorder & physical security
Identity provider & self-hosted messaging
mistbornZFS network-attached storage & central backup target
Coppermind
SMB + NFS shares
Backup destination datasets
Snapshots & data integrity
truenasSelf-hosted source control & CI/CD
Data flows through three tiers: live application servers replicate nightly to an on-site ZFS NAS,
which in turn pushes an off-site copy to the cloud. Three copies, two media, one off-site — fully
automated with cron + rclone.
rclone sync via nightly cronCoppermind — SMB/NFS targetscron triggers /backup.sh at 3:00 AM daily ·
output logged to /var/log/backup.log ·
rotated weekly by logrotate (4 archives) ·
status surfaced in Uptime Kuma.