← back to projects

Self-hosted homelab

A multi-server homelab built from rescued hardware — evolving from a single Samba share into a hardened, WAN-exposed personal cloud operating behind CGNAT via Cloudflare Tunnel.

Peppermint Ubuntu Debian Arch Linux Samba Cloudflare Tunnel SSH Docker Jellyfin OpenWrt
2022 — present
Skills practiced
Self-hosting & Linux server administrationPrivate networking (static leases, CGNAT, DNS)Securely exposing services to the WAN (Cloudflare Tunnel)SSH hardening (key-only authentication, non-standard ports)Containerization with Docker ComposeRecovering and repurposing legacy hardware
2022

The rescue

Two machines headed for disposal — a sluggish, unpatched Windows 7 box and an old Windows XP machine — were cleaned, re-pasted, and restored to working condition. They started as a testbed for anything I didn't want to run on my main computer.

2023

First contact with Linux

Pressed into service as a daily driver, the Pentium E5400 (2 GB RAM, 500 GB HDD) ran Peppermint Linux. This was where the fundamentals clicked: the terminal, package repositories, and how distributions and flavors actually differ.

2024

From PC to NAS

The box was provisioned as a NAS running Ubuntu 24.04 LTS. Samba — configured from scratch over several late nights — delivered network file storage at speeds well beyond the internet connection, alongside a local Plex server. The first real, tangible understanding of how a private LAN behaves.

The pentium host — a recovered Dell OptiPlex running Ubuntu Server.
The pentium host — a recovered Dell OptiPlex running Ubuntu Server.
2024 — 2025

Hitting the walls

Two obstacles surfaced. A dynamic local IP meant an arp-scan or nmap sweep to find the server each time — which led to OpenWrt for static DHCP leases by MAC, and, in parallel, deep into network security: packet captures, WPA2/WPA3, and hash cracking. The larger wall was , which made conventional port forwarding impossible.

The home network rack — the Archer C59 v1 running OpenWrt at its center.
The home network rack — the Archer C59 v1 running OpenWrt at its center.
2025

Maxing out the hardware

By mid-2025 the pentium host was pushed to its ceiling: 4 GB of DDR3, the most the board would accept. A modest bump on paper, but enough headroom to run Samba, Plex, and the tunneling stack side by side on hardware that was never meant to be a server.

2025

Breaking through CGNAT

resolved the constraint. Reusing the domain bought for this portfolio, a subdomain was pointed at the server's SSH port, making the host reachable from the WAN despite . It was then hardened: SSH moved off its default port, key-only authentication, passwords disabled.

2025

The Debian dinosaur

With the workflow established, the old XP machine was rebuilt on Debian Trixie — single core, 512 MB of RAM, a 20-year-old disk with roughly 1,000 hours of use. Hardened and tunneled, it became a personal cloud reachable only via SSH forwarding: proof that durable hardware and a lean, secure OS still hold up.

2026

A self-hosted personal cloud

Jellyfin, exposed on its own subdomain and paired with yt-dlp for a lossless FLAC music library, replaced a Spotify subscription. A 2011 MacBook Pro joined the fleet on Arch Linux — its SSD and 10 GB of RAM serving a PostgreSQL and Redis stack in Docker Compose for a collaborative database project.

server-mbp — a 2011 MacBook Pro on Arch Linux, the high-agility node.
server-mbp — a 2011 MacBook Pro on Arch Linux, the high-agility node.