Home Lab Stacks — Self-Hosted Application Profiles
project: hinata-infrastructure
type: reference
status: living
created: 2026-05-22

Validated self-hosted application stacks for the Hinata home lab. Each entry is a working blueprint: hardware target, software stack, boot strategy, security model, and integration notes. Read home-lab-doctrine.html for philosophy; home-lab-hardware.html for hardware procurement criteria.
Stack 4 — Pi-hole DNS ad-blocking (Pi Zero 2W)
Network-wide DNS ad-blocking on a Pi Zero 2W. Lightweight enough to run 24/7 on a sub-$15 board (when in stock). Sits on the management VLAN, advertises itself as the DHCP DNS server.
Hardware: Pi Zero 2W + 32 GB MicroSD + small case.
Stack: Pi-hole on Pi OS Lite; optional unbound for recursive DNS.
Integration: point UniFi DHCP scope's DNS at the Pi-hole IP; verify all VLANs route DNS through it.
Trade-off: kills convenience domains (some smart TV apps break) — keep an allowlist file in version control.
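The integration step above ("verify all VLANs route DNS through it") is easiest to check with a direct query to the Pi-hole address from a host on each VLAN, rather than trusting whatever the client's stub resolver reports. The script below is an added example, not code from the page or from the Pi-hole project: it builds a minimal DNS A query with the standard library only, sends it straight to RESOLVER (a placeholder for the Pi-hole's management-VLAN address), and classifies the answer. Pi-hole's default blocking mode answers 0.0.0.0 / :: for blocked names (NULL blocking), which is what `classify` looks for; the two query names at the bottom are constructed placeholders.

```python
"""Verify that a host resolves through the Pi-hole and that blocking works."""
import random
import socket
import struct

RESOLVER = "192.0.2.53"   # placeholder: replace with the Pi-hole's management-VLAN address
TIMEOUT = 2.0


def build_query(name: str, qtype: int = 1) -> tuple[int, bytes]:
    """Return (transaction id, wire-format query) for an A (qtype=1) lookup."""
    txid = random.randint(0, 0xFFFF)
    # flags 0x0100 = standard query, recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_answers(msg: bytes, txid: int) -> tuple[int, list[str]]:
    """Return (rcode, [A/AAAA addresses]) from a DNS response message."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addrs


def classify(rcode: int, addrs: list[str]) -> str:
    """Map a response to 'blocked', 'resolved', 'nxdomain' or 'empty'."""
    if rcode == 3:
        return "nxdomain"
    if addrs and all(a in ("0.0.0.0", "::") for a in addrs):
        return "blocked"          # Pi-hole NULL-mode blocking answer
    return "resolved" if addrs else "empty"


def query(name: str, resolver: str = RESOLVER) -> str:
    """Send one A query directly to the resolver and classify the reply."""
    txid, wire = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(wire, (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify(*parse_answers(data, txid))


if __name__ == "__main__":
    # Run from a host on each VLAN: a known-good name must come back 'resolved'
    # and a name on the Pi-hole's blocklist must come back 'blocked'.
    for name in ("example.com", "blocked.example"):   # constructed names
        print(name, query(name))
```

If a VLAN returns `resolved` for the blocklisted name, the query reached the Pi-hole but the name is not on its list (or is on the allowlist); if the query times out, that VLAN's firewall or DHCP scope is not actually sending DNS to the Pi-hole, which is the condition the integration note wants caught.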
Stack 3 — Proxmox Backup Server in a 10" rack (mini-PC, ZFS)
Dedicated backup target for Proxmox VMs/containers + TrueNAS replication. Lives in a 3D-printed 10" rack.
Hardware: Mini-ITX 8th-gen Intel (SuperMicro X11SSV-Q or similar) + 32 GB DDR4 + 256 GB NVMe boot + 2x 24 TB Seagate Exos mirror (ZFS) + 2x 4 TB WD for PBS storage + 2.5 GbE NIC + 19 V / 240 W PicoPSU.
Stack: Proxmox VE on bare metal → TrueNAS VM (ZFS replication target for primary TrueNAS) + Proxmox Backup Server VM (Proxmox cluster backup target). Avoid: PBS on the host you're backing up.
Why two layers: PBS handles Proxmox-native incremental backups; TrueNAS VM provides ZFS replication for the primary file server + NFS/iSCSI/SMB shares for desktop backups.
Networking: 2.5 GbE is sufficient — measured backup throughput rarely exceeds 2.5 Gbps on this drive count.
JetKVM: include a JetKVM in the rack — remote BIOS / OS reinstall without physical access.
Stack 2 — Professional home network (UniFi/Ubiquiti, 3 VLANs)
Flatten the network down to 3 VLANs: management, main, iot (+ optional cameras if needed). Avoid the "one VLAN per device class" trap.
Hardware: UniFi Dream Machine / Cloud Gateway as the router + 1x UniFi switch + 1-2x UniFi APs.
VLAN map:
* management — UniFi controller, hypervisors (Proxmox, TrueNAS); needs access to all other VLANs.
* main — trusted devices (laptops, phones, Apple TV, HomePods). HomePods/Apple TV go on main, not iot, to avoid a firewall hellscape.
* iot — smart bulbs, thermostats, anything without OS updates or that you don't trust.
* cameras (optional) — only if you self-host an NVR with a strict outbound block.
Rules: allow management → *; deny iot → main; allow main → iot for control flows.
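The three rules above only work as intended when the gateway is stateful and the rules are evaluated in the right order, which is where most home-lab VLAN policies go wrong. The model below is an added example, not the page's own configuration and not UniFi tooling: it encodes the page's rules (allow management to everything, deny iot to main, allow main to iot) as a first-match list with default deny, plus the "established replies are allowed" behaviour of a stateful firewall, so a main-to-iot control session gets its replies back without any iot-to-main allow rule. The `internet` zone and the two egress rules are assumptions added so clients can still leave the LAN; the flows at the bottom are constructed.

```python
"""Stateful model of the three-VLAN policy from Stack 2, with an invariant check."""
from dataclasses import dataclass

ZONES = ("management", "main", "iot", "cameras", "internet")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    new: bool = True   # True: first packet of a connection. False: reply matching existing state


# (src, dst, action); "*" matches any zone. First match wins; anything unmatched is denied.
RULES = [
    ("management", "*", "allow"),
    ("iot", "main", "deny"),
    ("main", "iot", "allow"),
    ("main", "internet", "allow"),       # assumption: LAN clients need egress
    ("iot", "internet", "allow"),        # assumption: cloud-tethered IoT needs egress
]


def decide(flow: Flow, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet under a stateful first-match policy."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    if not flow.new:
        # A state entry only exists if the connection's first packet was allowed,
        # so replies are accepted without consulting the rule list.
        return "allow"
    for src, dst, action in rules:
        if src in ("*", flow.src) and dst in ("*", flow.dst):
            return action
    return "deny"


def audit(rules=RULES) -> list[str]:
    """Check a rule list against the invariants this stack depends on.

    Returns the violations (empty when the policy is sound). Useful as a
    regression check after rules are reordered, which is the classic way a
    deny rule silently stops matching.
    """
    problems = []
    for dst in ZONES:
        if dst != "management" and decide(Flow("management", dst), rules) != "allow":
            problems.append(f"management cannot reach {dst}")
    for dst in ("management", "main"):
        if decide(Flow("iot", dst), rules) == "allow":
            problems.append(f"iot can initiate connections to {dst}")
    if decide(Flow("main", "iot"), rules) != "allow":
        problems.append("main cannot control iot devices")
    return problems


if __name__ == "__main__":
    samples = [
        Flow("main", "iot"),               # phone talks to a smart bulb: allow
        Flow("iot", "main", new=False),    # the bulb's reply: allow (state)
        Flow("iot", "main"),               # bulb scanning laptops: deny
        Flow("iot", "management"),         # bulb probing Proxmox: deny (default)
    ]
    for f in samples:
        print(f"{f.src:>10} -> {f.dst:<10} new={f.new!s:5} {decide(f)}")
    print("audit:", audit() or "ok")
    # A misordered policy puts a broad allow above the deny; audit catches it.
    bad = [("iot", "*", "allow")] + RULES
    print("audit(bad):", audit(bad))
```

Note that iot to management is denied only by the default-deny tail, not by an explicit rule; if the real gateway has a permissive default, an explicit deny for iot to management belongs in the list as well.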
Stack 1.5 — Techno Tim's 2026 reference stack
Reference blueprint to anchor Hinata's mid-term self-hosting trajectory. Not a copy-paste target — read as "what the mature version looks like, given Michael's growth filter".
| Layer | Tool | Adoption |
|---|---|---|
| Virtualisation | Proxmox VE (VMs + LXCs) + Proxmox Backup Server | Adopt now |
| Storage | TrueNAS Scale (ZFS, NFS/SMB/iSCSI shares, container apps) | Adopt for jimmy-tmm tier |
| Orchestration | 3x RKE Kubernetes clusters managed via Rancher | Defer — overkill at single-user scale |
| Media | Plex / Jellyfin | Adopt Jellyfin when home-lab compute lands |
| Docs / files | Paperless-ngx + PDF tools | Adopt — direct fit for archive + receipt workflow |
| Monitoring | Prometheus + Grafana + Uptime Kuma | Adopt for jimmy-vps observability gap |
| Home automation | Home Assistant + Zigbee | Out of scope unless smart-home setup |
| Core infra | Pi-hole (DNS) + Traefik or NGINX Proxy Manager | Adopt — reverse proxy needed before any service goes public |
Network shape: UniFi everywhere, 3 VLANs (matches Stack 2 above) — independent corroboration that the flat-network model is the right default.
Stack 1 — Personal cloud storage (Pi 5 + Nextcloud + Tailscale)
Self-hosted Google Drive / Dropbox replacement. Designed for offsite-quality access without the offsite vendor.
Hardware
* **Compute:** Raspberry Pi 5 (4 GB minimum, 8 GB preferred for headroom)
* **Storage:** NVMe SSD attached via Pi 5 NVMe HAT
* **Cooling:** active cooling required (NVMe + sustained Nextcloud workload)
* **Power:** official 27 W USB-C PSU
Boot strategy
* **Initial setup** on MicroSD (standard Raspberry Pi OS install)
* **Production boot** on NVMe — use `rpi-clone` to clone the working SD system to NVMe, then boot from NVMe
* **Reason:** SD cards die under sustained write load; NVMe is the durability and performance baseline for any always-on Pi service
Software stack
* **Nextcloud** — installed via `snap` (cleanest install/update path on Raspberry Pi OS)
* **Tailscale** — zero-config secure tunnel to the Pi from any device
* **Required Tailscale trust config:** specific `occ` configuration commands needed so Nextcloud trusts the Tailscale tunnel hostname and handles HTTPS correctly
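The page says specific `occ` commands are needed but does not list them, so here is an added example of what that trust configuration looks like and how to verify it; it is not the page's own procedure and not part of Nextcloud or Tailscale. The keys are the standard Nextcloud system settings: `trusted_domains` (hostnames Nextcloud will answer for), `overwriteprotocol` and `overwrite.cli.url` (so generated links and redirects use `https://<tailnet hostname>` rather than the LAN address). `nextcloud.occ` is the snap's occ wrapper. `TS_HOSTNAME` is a placeholder for the Pi's MagicDNS name, and the command runner is injectable so the plan can be printed and reviewed (the default, a dry run) before anything is executed.

```python
"""Plan, apply and verify the Nextcloud trust settings for access over Tailscale."""
import re
import subprocess

OCC = ["sudo", "nextcloud.occ"]
TS_HOSTNAME = "pi5.example-tailnet.ts.net"   # placeholder: replace with the real MagicDNS name

# RFC 1123 hostname with at least two labels, lowercase (Tailscale names are lowercase)
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def parse_trusted_domains(occ_output: str) -> list[str]:
    """`occ config:system:get trusted_domains` prints one entry per line."""
    return [line.strip() for line in occ_output.splitlines() if line.strip()]


def plan(ts_hostname: str, existing: list[str]) -> list[list[str]]:
    """Return the occ commands needed, without running them.

    The hostname goes into the first free trusted_domains index so existing
    entries (the snap puts localhost at index 0) are not overwritten.
    """
    if not HOSTNAME_RE.match(ts_hostname):
        raise ValueError(f"not a valid hostname: {ts_hostname!r}")
    cmds = []
    if ts_hostname not in existing:
        slot = str(len(existing))
        cmds.append(OCC + ["config:system:set", "trusted_domains", slot, "--value=" + ts_hostname])
    cmds.append(OCC + ["config:system:set", "overwriteprotocol", "--value=https"])
    cmds.append(OCC + ["config:system:set", "overwrite.cli.url", "--value=https://" + ts_hostname])
    return cmds


def apply(cmds: list[list[str]], runner=subprocess.run) -> int:
    """Execute each command in order; raises on the first failure. Returns the count run."""
    for cmd in cmds:
        runner(cmd, check=True)
    return len(cmds)


def current_trusted_domains(runner=subprocess.run) -> list[str]:
    """Read back the live trusted_domains list."""
    out = runner(OCC + ["config:system:get", "trusted_domains"],
                 check=True, capture_output=True, text=True)
    return parse_trusted_domains(out.stdout)


def verify(ts_hostname: str, runner=subprocess.run) -> bool:
    """True when the tailnet hostname is present in the live configuration."""
    return ts_hostname in current_trusted_domains(runner)


if __name__ == "__main__":
    import sys
    dry_run = "--apply" not in sys.argv
    existing = current_trusted_domains()          # read-only, safe in dry-run mode
    cmds = plan(TS_HOSTNAME, existing)
    for cmd in cmds:
        print(" ".join(cmd))
    if not dry_run:
        apply(cmds)
        print("trusted:", verify(TS_HOSTNAME))
```

These settings only tell Nextcloud which hostname to trust and which URL scheme to generate; the snap still has to be serving TLS on its own (the snap ships `nextcloud.enable-https` for that), which is the "HTTPS handling" part of open decision 3 below and is worth checking with a browser against the MagicDNS name after the change.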
Integration
* **Desktop:** Nextcloud desktop client maps the cloud as a native filesystem directory on macOS / Windows / Linux
* **Browser:** standard Nextcloud web dashboard
* **Mobile:** Nextcloud iOS / Android client
* **All access** routed via Tailscale — no port forwarding, no public exposure required
Security model
* Pi sits inside the LAN with no public ports
* Tailscale handles authentication + transport encryption
* HTTPS terminated at Nextcloud after Tailscale decryption
* No reliance on Cloudflare reverse proxy or dynamic DNS
Open decisions (Jimmy Neutron)
1. Assess Pi 5 large-file sync performance vs candidate NUC / HP G6 compute heads — is the Pi the right tier for primary storage, or just for backup mirror?
2. Document the "MicroSD → NVMe clone" procedure as the standard boot method for any Pi-based infrastructure (not just this stack)
3. Audit the Nextcloud-over-Tailscale tunnel security config — verify `occ` trust commands and HTTPS handling are correct
4. Propose migration path for small-file sync currently handled by cloud providers (iCloud, Drive) → this Pi-based cloud
Future stacks (placeholders)
* Media — Jellyfin (likely on TMM mini-PC with QuickSync, not the Pi)
* Photos — Immich (Google Photos replacement; needs GPU for AI indexing at scale)
* Network — Pi-hole + Tailscale exit node
* Game / utility — AMP for game server hosting
* Backup — secondary Pi as offsite-tier-2 backup target
Each future stack added here follows the same structure: hardware → boot → software → integration → security → open decisions.
◆ hinata · projects/hinata-infrastructure/home-lab-stacks.html · phase-19 conversion