Years ago I set up a Raspberry Pi running Pi-hole to block ads on my home network. That was the gateway drug. Now I’ve got an 8U rack in a closet that’s been running for almost two years, handling everything from media streaming to garage door automation.

I wanted something that just worked without constant tinkering, and everything critical runs locally. If my internet goes out, I can still stream movies, play music, and control the lights. My data lives under my roof, and there’s no better way to learn networking than being responsible when something breaks at 11pm.

Requirements

Before building anything, I wrote down what I actually needed:

  • Media streaming: Stream my movie, TV, and music libraries to any device in the house
  • Photo library: Store and back up photos with a clean UI for browsing
  • Private git hosting: Self-hosted repositories for personal projects
  • Home automation: One dashboard to control lights, garage, appliances, and everything else
  • Robust storage: A NAS with redundancy that can grow over time
  • Remote access: Secure access from anywhere without exposing anything to the internet
  • Battery backup: Graceful shutdown during power outages so nothing gets corrupted
  • Network segmentation: Keep IoT devices isolated from everything else

Everything else flowed from these requirements.

The Rack

Here’s what I ended up with.

Everything lives in a compact StarTech 8U rack with a StarTech shelf. Cable management uses a 1U keystone patch panel and Raplink patch cables. I used Rackstuds instead of cage nuts, which are much easier to work with. I went with 3D-printed rackmounts from Etsy for the Raspberry Pis and Hue bridge. They fit perfectly and keep everything tidy.

Networking

  • Synology RT6600AX: Prosumer router and firewall. Reliable and integrates nicely with the NAS.
  • TP-Link TL-SG1016PE: 16-port PoE switch. Powers the PoE devices and gives me plenty of room to grow.

Power

  • APC UPS 600VA: Battery backup for the rack. At ~85W idle, this gives roughly 10 minutes of runtime, enough for graceful shutdowns. The NAS monitors battery status via USB and runs a NUT (Network UPS Tools) server to coordinate shutdowns across all devices when power goes out.

Compute

Storage

Home Automation

  • Hue Bridge: Runs on PoE via an adapter. Controls about 35 lights and accessories throughout the house.
  • ratgdo: My garage door opener uses MyQ (Chamberlain/LiftMaster’s cloud service), which requires an internet connection and isn’t compatible with Home Assistant. The ratgdo bypasses all that and gives me full local control.

What’s Running

That’s the hardware. Here’s what’s actually running on it.

Pi-hole

Network-wide ad and tracker blocking via DNS. Every device on the network benefits automatically. No browser extensions, no per-device configuration. Blocklists update on their own.

Home Assistant

The central dashboard for all home automation. Lights, garage, thermostat, appliances, TVs, Sonos, all in one place. Automations handle things like turning off lights when no one’s home and sending notifications when the garage door is left open.

Jellyfin

My self-hosted alternative to Plex. Streams 600+ movies and TV shows to any device in the house. The Nvidia Shields run the Jellyfin client and pull media directly from the NAS. No subscription fees, no external accounts, no tracking what I watch.

Handles 1,200+ albums. It’s lightweight and speaks Subsonic, so I can use Nautiline on my phone or stream to Sonos. Streams from the NAS just like Jellyfin does for video.

Synology Photos

Photo library and backup going all the way back to 2004. Phones back up automatically over WiFi (or remotely via Tailscale). The face recognition, albums, and sharing features work well.

Git Server

Private repositories for personal projects. Nothing fancy, just git running on the NAS. Keeps my code off GitHub when I don’t want it public.

Network

The firewall runs a default-deny policy for inter-VLAN traffic. Most consumer routers let everything on the local network talk to everything else. Your smart bulb can reach your NAS, your laptop, anything. With VLANs and default-deny, traffic between segments is blocked unless I’ve explicitly allowed it. So even if an IoT device gets compromised, it can’t reach anything outside its own VLAN.

Segmentation

I use VLANs to keep devices separated. The router makes this straightforward.

VLANWhat’s On It
ManagementRouter, switch
TrustedLaptops, phones, trusted devices
MediaNAS, Sonos
GuestIsolated guest WiFi
IoTAppliances, TVs, untrusted devices
flowchart TB
    fw[RT6600AX Firewall]

    mgmt[Management]
    trusted[Trusted]
    media[Media]
    guest[Guest]
    iot[IoT]

    fw --- mgmt
    fw --- trusted
    fw --- media
    fw --- guest
    fw --- iot

    trusted <-. allowed .-> media

Each VLAN gets its own WiFi SSID.

Remote Access

There’s no port forwarding on my network. Nothing is exposed to the internet.

Instead, the NAS runs Tailscale and acts as a subnet router. When I’m away from home, I connect to my tailnet and the NAS forwards traffic to the Raspberry Pi running Home Assistant. From there I can control lights, change the thermostat, stream movies or music, or access anything else on the dashboard. Firewall rules limit what the subnet router can reach.

Backups

Everything important ends up on the NAS, which is configured with BTRFS snapshots for point-in-time recovery. Hyper Backup handles the rest.

  • Pi-hole & Home Assistant: Configs automatically sync to their own shared volumes on the NAS.
  • Documents, photos & DSM settings: Backed up to a local disk via a SATA dock, and synced to an offsite NAS via Tailscale.
  • Media library: Backed up to Backblaze B2. Replaceable but annoying to lose.
flowchart LR
    pis[Pis] -->|configs| nas[NAS]
    phones[Phones] -->|photos| nas
    laptops[Laptops] -->|docs| nas

    nas -->|docs, photos| local[Local Disk]
    nas -->|docs, photos| offsite[Offsite NAS]
    nas -->|media| b2[Backblaze B2]

This follows the 3-2-1 rule: three copies, two media types, one offsite. If the NAS dies, I have the local backup. If my house burns down, I have the offsite copy.

Updates

Router and NAS updates are managed through Synology’s SRM and DSM interfaces. Jellyfin, Navidrome, and Git Server update via Synology Package Manager.

For the Pis, I use a GitOps approach. Dependabot watches my config repos and opens PRs when updates are available for Pi-hole and Home Assistant. Merging a PR triggers an automatic deploy to Balena. I’ve had to roll back once, and it was painless since everything is version controlled.

Power & Cost

The whole setup idles around 85W:

DevicePower
RT6600AX~15W
DS423+~35W
4x Pi 4B~20W
TL-SG1016PE~12W
Hue bridge + ratgdo~3W
Total~85W

At local rates (~$0.12/kWh), that’s roughly $7/month.

What’s Next

A few things I’d like to add:

  • Observability: Right now it’s scattered across SRM, DSM, and Balena. I’d like something to pull it all together.
  • Wall tablet: A dedicated Home Assistant dashboard mounted in the kitchen.
  • NVMe cache: The DS423+ has two empty slots ready for a read/write cache.

Parts List

CategoryItem
RackStarTech 8U Rack
RackStarTech Shelf
Rack1U Keystone Patch Panel
RackRackstuds
RackRaplink Patch Cables
RackUCTRONICS Pi Rackmount
NetworkingSynology RT6600AX
NetworkingTP-Link TL-SG1016PE
PowerAPC UPS 600VA
ComputeRaspberry Pi 4B (x4)
ComputePoE Hat (x4)
StorageSynology DS423+
StorageSeagate Ironwolf 4TB (x4)
StorageSamsung 4GB RAM
StorageSabrent USB SATA Dock
Home AutomationPhilips Hue Bridge
Home AutomationHue PoE Adapter

Links above are affiliate links. I may earn a small commission if you purchase through them, at no extra cost to you.

Final Thoughts

If you’re thinking about starting a homelab, my advice is to just start. A single Raspberry Pi running Pi-hole will teach you more about DNS and networking than any tutorial. And once you block your first ad at the network level, you’ll be hooked.