Home Lab Series: The Setup

Explore the key technologies powering my home lab setup, including Tailscale, Cloudflare Tunnels, Immich, Home Assistant, and Frigate. Learn how I use these tools for secure remote access, smart home automation, local AI-powered surveillance, and self-hosted photo storage.


I use the term lab lightly, as my setup consists of an old PC masquerading as a server, complemented by a few Raspberry Pis. My interest in running a server started when I got hold of a Small Business Server 2003 CD from my dad's office. Using a set of old PCs (also from my dad's office) I managed to set up an Active Directory domain, driven by my curiosity about logging into any PC and accessing my files, just like I could do at school. Little did I know how painfully slow a roaming profile would be over a WiFi network in the early 2000s (my siblings were not too happy waiting 20+ minutes to log in to one of the PCs).

Since then, I’ve experimented with various setups and technology, including Windows Home Server, VMware ESXi, Proxmox, TrueNAS, and Unraid, before finally settling on Ubuntu Server. When I moved into my new house, I made sure everything was wired for better stability and performance.

I chose Ubuntu Server primarily for its familiarity and flexibility. I use Ansible to automate 90% of the deployment, and for storage, I rely on SnapRAID + MergerFS for redundancy and pooling capabilities.

Home Lab Architecture

The following diagram illustrates the services I use.

My primary reason for selecting these services is that they offer "free tiers" (albeit with some restrictions on functionality or for non-commercial use only), making them cost-effective and giving me the opportunity to get properly hands-on with each platform.

Additionally, my home lab isn’t just about adding functionality; it serves as a hands-on learning environment where I can explore new technologies and concepts that directly support my career. By actively using these tools, I gain a deeper understanding of their capabilities, limitations, and real-world deployment challenges. Those insights prove invaluable when discussing solutions in a professional context.

Key Services and Their Use Cases

Entra ID

Microsoft Entra ID is the backbone of identity management in my home lab setup. While it’s primarily designed for enterprise use, I leverage it for both my Office 365 environment and as part of my personal infrastructure to enable Single Sign-On (SSO), with plans to implement Conditional Access in the near future.

Why Entra ID?

  • Familiarity & Enterprise-Grade Security – Working in cybersecurity with a focus on Microsoft technologies, Entra ID is one of the primary identity providers (IdPs) I regularly encounter. Using it at home gives me the opportunity to test and apply real-world concepts in a safe, controlled environment.
  • SSO Across Services – Integrated with Authentik and Cloudflared, Entra ID enables SSO for my self-hosted services such as Frigate, and Immich.
  • Flexible Policies – Entra ID allows me to define who can access what, from where, and under which conditions—similar to what you'd expect in a corporate setup.
  • Learning Through Practice – Implementing Entra ID in my homelab has helped deepen my understanding of identity flows like OAuth2, SAML, and OpenID Connect, as well as the real-world challenges of federated authentication.

Cloudflared (Cloudflare Tunnels)

I use Cloudflared to expose specific services externally while integrating them with Entra ID for SSO. When combined with an identity provider like Entra ID, Cloudflared enables Zero Trust networking, ensuring access control is tightly managed. Unfortunately, I don't (yet) have a full Microsoft E5 lab set up, but for additional control I could use authentication contexts and Conditional Access policies to define the criteria for access to certain applications, e.g. requiring a compliant device to access services XYZ.

Tailscale

Initially, I set up Tailscale to create a mesh network that allows me to provide remote tech support for my parents, an all-too-common challenge for those in tech! Previously, I used ZeroTier, but I found Tailscale to be more seamless. I also use Tailscale for:

  • Exit nodes to route traffic for services that don’t natively support Tailscale.
  • Cloud VM access when testing new setups.
  • Always-on VPN access to internal services while keeping general internet traffic outside the VPN.
  • Tailscale Send for quick file transfers between my iPhone and Windows PC.

Traefik

I use Traefik as a reverse proxy for my Docker containers. This allows me to assign domain names and automate SSL certificate management, improving both accessibility and security.

AdGuard Home

AdGuard functions as an ad blocker and also as my local DNS server, directing traffic to internal services. I previously used Pi-hole, but AdGuard's out-of-the-box support for features such as DNS over HTTPS and local DNS rewrites won me over.

Authentik

Frustrated with managing multiple logins, I started using Authentik to implement SSO across my services using Entra ID. This gave me a deeper understanding of identity and access management. Though the authentication flows were initially challenging to grasp, my setup is now stable and integrated as middleware for Traefik.

Docker Containers

Many of my core services run within Docker containers. Below are some of the key ones:

Cloudflared (Cloudflare Tunnels)

This container allows external access to specific Docker services. It operates within its own Docker network, and any container I want to expose externally is attached to it.

Key Benefits:

  • Access Policies – I can enforce authentication via Entra ID or restrict access to users connected through the Cloudflare Warp client.
  • Free Tier – Cloudflare provides a free tier that supports up to 50 Monthly Active Users (MAUs).
  • Dynamic IP Handling – Cloudflare Tunnels eliminate the need for static IP addresses, making remote access more seamless.
  • Unified Access Across Networks – A single Cloudflared client can connect to multiple networks (e.g., my house and my parents’ house) without complex VPN setups.
  • Cross-Platform Support – Cloudflared connectors can run on various operating systems, providing flexibility in deployment.

At the moment, I’ve only scratched the surface of what Cloudflare Tunnels can do. More 'Zero Trust networking' write-ups will follow as I explore its full potential and also look at competing products such as Microsoft Entra Private Access and Entra Internet Access.

Authentik & Traefik

As discussed earlier, these are used for reverse proxying traffic and local authentication. Access to these services is only available through my local network or when connected to Tailscale.
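As an added illustration of the layout described above (example compose fragment, not the author's own file): Traefik fronts everything on one Docker network and applies the Authentik forward-auth middleware to LAN/Tailscale-only apps such as Frigate, while only services published through the tunnel (Immich here) also join the separate cloudflared network. Image tags, hostnames, the example.com domains and the environment variable names are assumptions, and Authentik's database, cache and worker containers are left out.

```yaml
# Added example, not the author's compose file; names, tags and domains are assumed.
networks:
  proxy: {}        # Traefik and every app it fronts
  cloudflared: {}  # only services published through the tunnel join this
services:
  traefik:
    image: traefik:v3.3
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # containers opt in via labels
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare  # no inbound port needed
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    environment: {CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"}   # DNS-edit token kept in .env
    ports: ["443:443"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro  # read-only, but still root-equivalent
      - ./letsencrypt:/letsencrypt
    networks: [proxy]
  authentik-server:   # its postgres, redis and worker containers are omitted here
    image: ghcr.io/goauthentik/server:2025.2
    command: server
    networks: [proxy]
    labels:
      traefik.enable: "true"
      traefik.http.routers.authentik.rule: "Host(`auth.example.com`)"
      traefik.http.routers.authentik.tls.certresolver: le
      # forwardAuth middleware: Traefik asks the embedded outpost before serving a request
      traefik.http.middlewares.authentik.forwardauth.address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: "true"
      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email
  frigate:            # LAN/Tailscale only: on the proxy network, never on the tunnel network
    image: ghcr.io/blakeblackshear/frigate:stable
    networks: [proxy]
    labels:
      traefik.enable: "true"
      traefik.http.routers.frigate.rule: "Host(`frigate.example.com`)"
      traefik.http.routers.frigate.tls.certresolver: le
      traefik.http.routers.frigate.middlewares: authentik@docker
  cloudflared:        # outbound-only connector, no published ports
    image: cloudflare/cloudflared:latest
    command: tunnel --no-autoupdate run
    environment: {TUNNEL_TOKEN: "${CLOUDFLARE_TUNNEL_TOKEN}"}
    networks: [cloudflared]
  immich-server:      # published through the tunnel, so it joins both networks
    image: ghcr.io/immich-app/immich-server:release
    networks: [proxy, cloudflared]
```

Cloudflare Access policies are evaluated only at Cloudflare's edge, so nothing on the cloudflared network should also be published with `ports:`, otherwise the policy could be bypassed by reaching the origin directly.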

Home Assistant

This deserves its own dedicated post, but in short, Home Assistant serves as my home automation hub, managing smart devices across my house, regardless of the vendor.

Frigate

I use Frigate as my local Network Video Recorder (NVR) for security camera footage. When paired with a Google Coral TPU, Frigate enables AI-driven object detection, significantly improving efficiency and performance compared to traditional motion-based detection.

Why Frigate?

  • Seamless Integration with Home Assistant – Allows for advanced automations based on detection zones and object types.
  • AI Processing – The Google Coral TPU offloads AI inference, reducing CPU usage and improving detection speed.
  • Semantic Search – The recent addition of semantic search makes it much easier to find relevant footage. For example, the screenshot below was retrieved by simply searching for "packages."

Immich

Immich is my self-hosted alternative to Google Photos and acts as a secondary, local source for my photos. I use it because my total spend on subscriptions, including iCloud and Google Photos, has started to increase (especially since having kids). I wanted to reduce the overall subscription costs by removing older photos from cloud services whilst still having features such as facial recognition.

Other Docker Services

These tend to be services that I am testing or learning about (for example n8n).

Future Blog Posts

While this post provides an overview of my home lab, I plan to write dedicated posts detailing my setups for:

  • Automated server configuration with Ansible.
  • Zero Trust networking (including Cloudflare & Entra SSE).
  • Home Assistant automation workflows.
  • SSO authentication with Authentik.

If you have any questions, comments or something needs to be amended in this post please comment below (members only) or reach out to me on one of the links in my contact page.