Home Server Architecture

I self-host a private cloud to manage my smart home, back up media, collaborate on documents, and run local AI models. This setup focuses on enterprise-grade reliability using workstation hardware, a Zero Trust network architecture, and a roadmap towards a robust 3-2-1 backup strategy.

1. Hardware Stack

My server is built on a refurbished Lenovo ThinkStation P520. I chose this platform for its reliability (ECC memory), expandability (PCIe lanes), and silent operation.

| Component | Specification | Purpose |
|---|---|---|
| Host | Lenovo ThinkStation P520 | Enterprise workstation base |
| PSU | Lenovo 54Y8979 900W | Certified for 92% energy efficiency (80 PLUS Platinum) |
| CPU | Intel Xeon W-2150B | 10 cores / 20 threads (Skylake-W) |
| RAM | 128GB DDR4 ECC 2133MHz | Quad-channel stability for ZFS/database caching |
| GPU 1 | NVIDIA RTX 3060 12GB; refurbished with Gelid GP-Extreme pads and Thermal Grizzly Kryonaut paste | NVENC transcoding, Frigate NVR, local LLM inference, and secondary gaming card (for two players) |
| GPU 2 | NVIDIA RTX 3060 12GB; refurbished with Gelid GP-Extreme pads and Thermal Grizzly Kryonaut paste; connected with an ADT-Link 16x riser for PCIe relocation; mounted on 1" diameter Sorbothane bumpers | Additional VRAM for AI workloads and primary gaming card |
| Storage | 2TB NVMe (Gen3 x4); 1TB Samsung 870 QVO | Fast boot and application datasets |
| Cooling | Noctua NH-D9DX i4 3U (CPU); 2x NF-A12 (front), 1x NF-A8 (flex bay), 1x NF-A9 (rear), 2x NF-A4 (PCIe) | Positive-pressure airflow and silent operation |
| Fan Control | Aqua Computer Quadro | Fan curves tuned for noise and to eliminate specific hotspots; onboard memory removes the software dependency |
| Networking | Intel AX210 Wi-Fi 6E | Backup connectivity and Bluetooth |
| Accessories | 4K EDID HDMI plug; magnetic PVC mesh; Antminer fan simulator | Headless operation; air filter; eliminate high-noise fans |

2. Network & Security Architecture

I use a Zero Trust ingress model: no inbound ports are forwarded on my physical router. cloudflared makes an outbound connection to Cloudflare, so all external traffic enters through an encrypted Cloudflare Tunnel, passes through Authentik for identity verification, and is then proxied to the internal Docker network.

Security Strategy: "Defense in Depth"

For Home Assistant, I employ a split-security model to accommodate mobile clients without compromising safety:

  • Browser Access: Protected by Authentik. I must authenticate via SSO (with MFA) before the request ever reaches Home Assistant.
  • API Access: Requests matching ^/api/.* bypass Authentik so the Home Assistant Companion App can sync background data (battery, location). Authentication on this path is delegated to Home Assistant's native auth, which rejects any request that does not carry a valid bearer token (for example a Long-Lived Access Token). Because this path is reachable without SSO, Home Assistant's own failed-login banning (ip_ban_enabled / login_attempts_threshold) is the remaining brute-force control on it.
  • Zero Trust: The "Trusted Networks" auth provider is disabled. Even requests arriving from the internal proxy are treated as untrusted until valid credentials are presented.
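Here is what the split model above looks like in Home Assistant's configuration.yaml, as an added example rather than the page's own file; the Docker subnet and the ban threshold are assumptions, and the commented-out block is the Trusted Networks provider the page disables, shown for contrast. The http block is what makes the Zero Trust bullet hold in practice: HA only honours X-Forwarded-For from addresses listed in trusted_proxies (a proxy that is not listed gets its requests rejected), and if forwarding is not enabled every failed login is attributed to the proxy's own address, so ip_ban_enabled would ban the proxy, and with it every user, instead of the attacker.

```yaml
# Added example: a Home Assistant configuration.yaml matching the split model
# described above. Subnet and thresholds are assumptions, not the page's values.
http:
  # Trust X-Forwarded-For only from the proxy's subnet. Without this, HA sees
  # the proxy's IP on every request and a failed-login ban would lock out the
  # proxy (and therefore everyone) rather than the attacker.
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.18.0.0/16        # assumed Docker bridge subnet of the Authentik outpost
  # Native brute-force protection for the ^/api/.* path that bypasses Authentik.
  ip_ban_enabled: true
  login_attempts_threshold: 5

homeassistant:
  auth_providers:
    # Password login (plus HA's own MFA) only. With no trusted_networks
    # provider, a request from the proxy's subnet gets no free pass.
    - type: homeassistant
    # The bypass the page disables, shown for contrast. If enabled, anything
    # reaching HA from these ranges could log in without a password.
    # - type: trusted_networks
    #   trusted_networks:
    #     - 172.18.0.0/16
    #   allow_bypass_login: true
```

On the Authentik side the exception lives in the Proxy Provider's unauthenticated-paths setting as the regex ^/api/.*; every other path on the same hostname still goes through the SSO flow.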

Identity Management (LDAP)

I have transitioned from disparate local accounts to a centralized LDAP architecture.

  • Source of Truth: Authentik serves as the LDAP Provider.
  • User Sync: Services like Nextcloud sync user accounts and groups directly from Authentik via an LDAP Outpost.
  • Role-Based Access Control (RBAC):
    • nc_admin: A dedicated "break glass" service account for system maintenance.
    • dcdavid: A standard user account with no administrative privileges, used for daily operations to adhere to the Principle of Least Privilege.

3. Implemented Services

All services run as Docker containers managed via docker-compose.

Local AI Stack

A private AI platform with inference running locally on the RTX 3060; only the optional web search below leaves the network.

  • Backend: Ollama running in Docker with NVIDIA Container Toolkit (GPU Passthrough).
  • Frontend: Open WebUI (ChatGPT-style interface) accessible at ai.dcdavid.net.
  • Capabilities:
    • Web Search: Integrated DuckDuckGo for real-time fact-checking.
    • Code Interpreter: Sandbox environment for executing Python/Data Analysis tasks.
  • Model Roster:
    • The Coder (Qwen 2.5 14B): Specialized for Python, Docker, and SQL generation.
    • The Reasoner (DeepSeek R1): Uses Chain-of-Thought processing for complex logic.
    • Daily Driver (Llama 3.1): General purpose chat and summarization.
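As an added example (not the page's own compose file) of how the Ollama and Open WebUI pair is wired with the NVIDIA Container Toolkit, here is a docker-compose.yml; image tags, volume names and the shared proxy network that the Authentik outpost is assumed to sit on are assumptions. The point worth copying is that Ollama's HTTP API has no authentication of its own, so the container publishes no host port and is reachable only by service name from Open WebUI on the internal Compose network.

```yaml
# Added example: docker-compose.yml for the local AI stack. Image tags, volume
# and network names are assumptions, not copied from the page.
services:
  ollama:
    image: ollama/ollama:latest
    container_name: ollama
    restart: unless-stopped
    volumes:
      - ollama_models:/root/.ollama
    # Deliberately no "ports:" entry: Ollama's API is unauthenticated, so it
    # must only be reachable from other containers on ai_internal.
    networks:
      - ai_internal
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              device_ids: ["0"]        # pin to one RTX 3060; "count: all" for both
              capabilities: [gpu]

  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: open-webui
    restart: unless-stopped
    depends_on:
      - ollama
    environment:
      OLLAMA_BASE_URL: http://ollama:11434   # service-name DNS on ai_internal
      WEBUI_AUTH: "True"                      # keep the built-in login enabled
    volumes:
      - open_webui_data:/app/backend/data
    # Also no host port: the proxy layer reaches it on 8080 over "proxy".
    networks:
      - ai_internal
      - proxy

networks:
  ai_internal:
  proxy:
    external: true     # assumed shared network with the Authentik outpost

volumes:
  ollama_models:
  open_webui_data:
```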

Nextcloud Hub

A complete productivity suite replacing Google Drive and Microsoft Office.

  • Modules:
    • Files: Secure cloud storage for documents and projects.
    • Office: Integrated Collabora Online for real-time editing of Word, Excel, and PowerPoint documents directly in the browser.
    • Notes & Collectives: Markdown-based journaling and wiki documentation.
  • Security Hardening:
    • HSTS Enforced: Strict Transport Security is applied both at the Cloudflare Edge and the application level (via custom Apache headers).
    • Transactional Email: Integrated via Resend (SMTP) for reliable password resets and notifications.
    • Background Jobs: Offloaded to system cron (via sidecar container) to prevent UI lag during maintenance tasks.

Home Assistant

Integrates disparate IoT ecosystems into a single dashboard.

  • Auth Strategy: Double Login (Authentik Proxy + Native Login).
  • Dashboard: Custom dashboard using Mushroom Cards, Advanced Camera Card (Frigate), and Card-Mod for CSS overrides.
  • Key Integrations:
    • Blueair: Reliable local control for the 211i Max purifier.
    • Dreame Vacuum: Map & mode control via the Dreame Vacuum (Beta) integration.
    • SmartRent: Bridges my apartment's lights, thermostat, and door locks into HA.
    • Cync (GE): Local control for kitchen LED strips.
    • Tuya: Official cloud integration for Eightree smart plugs.
    • Frigate: Local NVR integration for object detection, recording, and rich notifications.
  • Rich Notifications: Highly detailed notifications are sent to family devices via Home Assistant, with deep links to the specific event clip.

Frigate NVR

Local Network Video Recorder replacing cloud subscriptions.

  • Architecture: Runs alongside Mosquitto (MQTT Broker) to provide real-time sensor data to Home Assistant.
  • Streams: Dual-stream configuration (SD @ 5fps for AI Detection, 2K HD @ 15fps for Recording).
  • Storage: Continuous 24/7 recording retained on dedicated SSD storage.
  • Live Provider: go2rtc bundled service for instant low-latency streaming to dashboards.
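The Frigate config.yml below is an added example of the dual-stream layout described above, not the page's own configuration; the camera name, the RTSP address (a TEST-NET-1 placeholder) and the retention period are assumptions. Two details carry the security weight: the camera credentials are pulled from FRIGATE_-prefixed environment variables rather than written into the file, and each feed is pulled from the camera once by go2rtc, so Frigate's detect and record inputs and the dashboard live view all consume the local restream instead of opening further sessions on the camera.

```yaml
# Added example: Frigate config.yml with SD detect / HD record per camera.
# Camera name, address and retention are assumptions, not the page's values.
mqtt:
  enabled: true
  host: mosquitto                        # broker container on the shared network
  user: frigate
  password: "{FRIGATE_MQTT_PASSWORD}"    # Frigate substitutes FRIGATE_* env vars,
                                         # so no secret lives in this file

go2rtc:
  streams:
    # Pull each feed from the camera once; everything else reads the restream.
    porch_hd:
      - rtsp://viewer:{FRIGATE_RTSP_PASSWORD}@192.0.2.10:554/stream1
    porch_sd:
      - rtsp://viewer:{FRIGATE_RTSP_PASSWORD}@192.0.2.10:554/stream2

cameras:
  porch:
    ffmpeg:
      hwaccel_args: preset-nvidia-h264   # decode on the RTX 3060
      inputs:
        - path: rtsp://127.0.0.1:8554/porch_sd
          input_args: preset-rtsp-restream
          roles: [detect]                # low-res feed for object detection
        - path: rtsp://127.0.0.1:8554/porch_hd
          input_args: preset-rtsp-restream
          roles: [record]                # full-res feed for 24/7 recording
    detect:
      width: 640
      height: 360
      fps: 5                             # detection does not need more
    record:
      enabled: true
      retain:
        days: 7                          # continuous footage, sized to the SSD
        mode: all
    objects:
      track: [person, bird]
```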

Immich

A self-hosted photo and video backup solution replacing Google Photos.

  • Hardware Acceleration: Uses the RTX 3060 for machine learning (face recognition, via CUDA) and for video transcoding (via NVENC).
  • Auth: OIDC (OpenID Connect) via Authentik. Native database login is disabled.
  • Storage: Data is bound to physical SSDs (Drive D:), separate from the boot NVMe.

Authentik

Unified Identity Provider (IdP) & LDAP Source.

  • Handles Single Sign-On (SSO) for all services via OIDC and Proxy.
  • Acts as an LDAP Provider, allowing legacy or complex apps (like Nextcloud) to sync users and groups dynamically.
  • Enforces Multi-Factor Authentication (MFA) for all services.
  • Acts as a forward-auth proxy for services that lack built-in robust authentication.

4. Automated Content Pipeline

To ensure professional documentation standards, I maintain a custom CI/CD pipeline for this repository that treats assets as code.

  • Algorithmic Asset Generation: I utilize a custom Python engine (generate_assets.py) to render academic figures. This ensures all visualizations (from ML4T financial charts to KBAI benchmarks) adhere to a strict design system (Georgia Tech color palette) and are automatically watermarked to prevent plagiarism.
  • Asset Optimization: Build scripts like one_time_compress_jpgs.py and optimize_pngs.py run against the asset directory to perform lossless compression and strip metadata. This keeps the deployment lightweight without compromising visual fidelity.
  • Git Hygiene: The repository enforces strict separation of code and state. Secrets, databases, and sensitive variables are strictly excluded (via .gitignore) and managed via environment variables.

5. Roadmap & Active Development

I am currently developing the following subsystems to reach full operational capability (FOC).

Security Hardening

  • Headless Service Architecture: Transitioning Docker Desktop to run as a native Windows Service. This will decouple application uptime from user sessions, allowing for stricter physical access controls (locking the console) without interrupting background services.
  • Remote Access (Tailscale): Implementing a Mesh VPN to enable a "virtual hardwire" experience for coding and gaming while travelling, bypassing the need for open ports.

Bird Identification System

  • Objective: Automated species recognition and public livestreaming.
  • Classification: WhosAtMyFeeder (Docker Container).
    • Subscribes to Frigate via MQTT.
    • Processes "Bird" object snapshots against a specialized species model.
    • Returns species confidence scores to Home Assistant for "New Species" notifications.
  • Public Stream: Embed go2rtc WebRTC streams directly into the personal website.
    • Ingest: RTSP feeds from PoE cameras.
    • Expose: Dedicated Cloudflare Tunnel hostname (e.g., stream.dcdavid.net) bypassing Authentik for public read-only access.
    • Embed: Low-latency iframe integration into MkDocs.
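The cloudflared config.yml below is an added example of the two ingress rules this plan needs, not the page's own file; the HA hostname, the tunnel UUID placeholder and the two service addresses are assumptions. The part a practitioner should not skip is that the public hostname points at a second go2rtc container configured with only the feeder camera: routing it to the main Frigate/go2rtc instance would expose that instance's API and every other camera on the same unauthenticated hostname.

```yaml
# Added example: cloudflared config.yml separating the authenticated HA host
# from the public bird stream. Hostname "ha.dcdavid.net", the tunnel UUID and
# the service addresses are assumptions, not copied from the page.
tunnel: <tunnel-uuid>
credentials-file: /etc/cloudflared/<tunnel-uuid>.json

ingress:
  # Authenticated hostname: every request hits the Authentik proxy outpost
  # first, which applies SSO except for the ^/api/.* Companion App exception.
  - hostname: ha.dcdavid.net
    service: http://authentik-proxy:9000

  # Public, read-only bird stream: a dedicated go2rtc container whose config
  # lists only the feeder camera, so nothing else is reachable through here.
  - hostname: stream.dcdavid.net
    service: http://go2rtc-birds:1984

  # Catch-all: any hostname not matched above is refused. cloudflared
  # requires this final rule without a hostname.
  - service: http_status:404
```

One caveat for the "Embed" step: a Cloudflare Tunnel carries HTTP and WebSocket traffic only, so a browser's WebRTC media path will not traverse it. go2rtc's MSE mode, which streams over a WebSocket (for example stream.html?src=birdcam&mode=mse), does work through this hostname and is the mode to embed.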

Disaster Recovery (3-2-1 Strategy)

  • Objective: Eliminate single points of failure for critical data (Configs, Databases, Photos).
  • Hot Sync (Failover): Establish real-time, unidirectional sync to a secondary Lenovo P520 using Syncthing.
  • Cold Storage (Offsite): Implement scheduled, encrypted delta-syncs to Amazon S3 Glacier Deep Archive using rclone.

Storage & Media Expansion

  • File Server: General purpose NAS storage for documents and installers.
  • Media Server: Dedicated service for long-form media (Movies/TV), separate from personal photo backups.
  • DigiKam Workflow: Implement a pipeline to generate and write standard EXIF data to legacy childhood photos and videos, ensuring they appear correctly in the Immich timeline.

6. Build Notes & Technical Gotchas

Remote Hard Reboots

To ensure high availability, the BIOS is configured for AC Power Recovery: Power On. This allows me to hard-reboot the server remotely by simply toggling my smart plug off and on if the OS ever completely freezes. This is a hard power cut rather than an orderly shutdown: anything not yet flushed to disk is lost and the database containers behind Nextcloud and Immich have to recover on the next start, so it is a last resort rather than a routine restart path.