Complete Homelab Setup Guide 2026: Hardware, Software & Security

I've been running a homelab for three years now, and I've learned more from failures than successes. When I started in 2023, I made rookie mistakes—oversized hardware, undersized storage, and security practices that would make any sysadmin cringe. Today, I'm sharing the exact setup I use across my production homelab: a hybrid architecture running on an Intel NUC (i7-1355U, 32GB RAM) and a Synology DS923+ NAS, with Docker containers orchestrating everything from media serving to home automation.

Hardware Selection: Finding Your Goldilocks Zone

I tested three platforms before settling on my current stack. A Raspberry Pi 4 (8GB) is excellent for learning—I run Home Assistant on mine—but it maxes out around 5-6 concurrent services before thermal throttling hits. An Intel NUC costs 3x more ($600-800) but handles 15+ containers effortlessly. AMD Ryzen mini-PCs (like the ASUS PN51) split the difference at $400-500, offering better value for CPU-intensive workloads like media transcoding.

My recommendation: Start with a Raspberry Pi 4 (8GB, $75) for automation and monitoring. Graduate to an Intel NUC or AMD equivalent when you need dedicated compute for Plex, Jellyfin, or large-scale Docker deployments. I run both—the Pi handles Home Assistant and Prometheus scraping, while the NUC runs the application stack.

Software Stack Architecture: Docker-First Approach

Everything in my homelab runs in Docker containers. Here's my production docker-compose setup for a minimal but functional stack:

version: '3.8'
services:
  nginx:
    image: nginx:latest
    container_name: homelab-reverse-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - /var/www/ssl:/etc/nginx/ssl:ro
    restart: unless-stopped
    networks:
      - homelab

  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus-monitor
    ports:
      - "9090:9090"
    volumes:
      - /etc/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - prometheus-data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
    restart: unless-stopped
    networks:
      - homelab

  grafana:
    image: grafana/grafana:latest
    container_name: grafana-dashboards
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=changeme
    volumes:
      - grafana-data:/var/lib/grafana
    restart: unless-stopped
    networks:
      - homelab

volumes:
  prometheus-data:
  grafana-data:

networks:
  homelab:
    driver: bridge

To start this stack, I use:

sudo systemctl start docker
sudo systemctl enable docker
docker-compose -f docker-compose.yml up -d

I run Traefik (not Nginx) for production because it auto-discovers containers and handles SSL termination automatically. But for simplicity, Nginx works fine with manual configuration. Home Assistant runs in its own container on the Raspberry Pi, isolated from compute-heavy services.
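The compose file above publishes Prometheus and Grafana on every host interface, uses floating `latest` tags and carries a literal admin password. Docker publishes ports through its own NAT and forwarding rules, so INPUT-chain firewall rules do not filter them. The following check is an added example, not part of the author's repository; `audit_compose` and the sample file are hypothetical, and the parser assumes the two-space indentation used above.

```shell
#!/bin/sh
# Added example (hypothetical helper): flag risky lines in a Compose file.
audit_compose() {
    awk '
        # A key indented by exactly two spaces starts a new service.
        /^  [A-Za-z0-9_-]+:[ \t]*$/ { svc = $1; sub(/:$/, "", svc) }
        # Floating or missing tags let a pull change what runs.
        /^[ \t]*image:/ {
            if ($2 ~ /:latest$/ || $2 !~ /:/) print svc ": unpinned image " $2
        }
        # "HOST:CONTAINER" with no host IP listens on every interface.
        /^[ \t]*-[ \t]*"?[0-9]+:[0-9]+"?[ \t]*$/ {
            p = $2; gsub(/"/, "", p)
            print svc ": port " p " published on all interfaces"
        }
        # Literal credentials end up in version control and in docker inspect.
        /^[ \t]*-[ \t]*[A-Z0-9_]*(PASSWORD|SECRET|TOKEN)[A-Z0-9_]*=[^$]/ {
            v = $2; sub(/=.*/, "", v)
            print svc ": inline secret in " v
        }
    ' "$1"
}

# Constructed sample: two services trimmed from the stack above, with the
# Grafana port rebound to loopback to show a binding that passes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  prometheus:
    image: prom/prometheus:latest
    ports:
      - "9090:9090"
  grafana:
    image: grafana/grafana:latest
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=changeme
EOF
audit_compose "$sample"
```

Binding internal dashboards to `127.0.0.1` (or dropping the `ports:` entry and reaching them only through the reverse proxy on the `homelab` network) clears the port finding.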

Storage and Backup Implementation

This is where I've failed catastrophically. In 2024, my 4TB external drive died mid-backup. Now I follow the 3-2-1 rule religiously: 3 copies of data, 2 different media types, 1 offsite.

My NAS uses RAID-6 (redundancy for 2 disk failures) with automatic snapshots every 6 hours. I back up critical data to Backblaze ($7/month unlimited) and maintain a secondary 4TB USB drive stored at a friend's house. For Docker volumes, I mount them on the NAS via NFS:

# Mount NAS storage on homelab server
sudo mount -t nfs 192.168.1.100:/volume1/docker-data /mnt/nas-docker
# Add to /etc/fstab for persistent mounting
192.168.1.100:/volume1/docker-data /mnt/nas-docker nfs defaults,_netdev 0 0

Automated backups run via cron at 02:00 daily. I've learned the hard way: test your restore process monthly. I've seen three homelab failures in Reddit discussions where backups existed but couldn't be restored.

Security Hardening: VPN, Firewalls, and SSL

Remote access without VPN is a catastrophic risk. I use WireGuard (faster than OpenVPN, fewer lines of configuration):

# wg-quick needs root to create the interface and routes
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

My firewall rules are restrictive by default:

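# iptables stops at the first matching rule, so the SSH ACCEPT rules must come before the SSH DROP
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# WireGuard peers arriving on wg0 (a /24 is assumed for the 10.0.0.x tunnel subnet)
sudo iptables -A INPUT -i wg0 -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# WireGuard's default UDP port
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT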

SSH is blocked externally; only WireGuard peers can access it. I use Let's Encrypt certificates (auto-renewed every 90 days via Certbot) for HTTPS. All external services sit behind Nginx/Traefik with authentication headers (Authentik handles OAuth2 SSO).

What Can Go Wrong: Common Failures I've Experienced

Inadequate Power Supply: A 65W adapter bottlenecks my NUC under transcoding load. Peak consumption is 95W; undersizing causes random shutdowns. I now use a 200W power supply with 2x margin for headroom.

Firewall Misconfiguration: I once opened port 8080 externally "temporarily" and forgot. A bot scanned it within hours. Now I audit firewall rules monthly and use a deny-all-by-default policy.

Full Disks: Docker logs filled my NUC's 256GB SSD in 3 weeks. I now set log rotation limits in daemon.json and monitor disk usage via Prometheus alerts.

Network Switching Issues: Switching between local (192.168.1.x) and WireGuard (10.0.0.x) networks caused DNS failures. I now run Pi-hole on both subnets as a secondary DNS.

Backup Script Failures: My rsync cron job failed silently for 6 months (typo in the target path). I now use monitoring alerts that fire if backups don't complete within the expected window.
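The nightly cron backup and the silent rsync failure described above both come down to recording success explicitly and alerting when that record goes stale. This is an added example, not the author's script; the function names, the metric name `homelab_backup_last_success_seconds` and the 26-hour window are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical names): a backup job that cannot fail silently.

# run_backup SRC DEST METRIC_FILE
run_backup() {
    src=$1; dest=$2; metric_file=$3
    # A mistyped or unmounted target stops the job here with its own exit code.
    [ -d "$dest" ] || { echo "backup: target $dest missing" >&2; return 2; }
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$src/" "$dest/" || return 1
    else
        cp -a "$src/." "$dest/" || return 1   # fallback when rsync is absent
    fi
    # Record success in Prometheus text format; rename so a scrape never
    # reads a half-written file.
    printf 'homelab_backup_last_success_seconds %s\n' "$(date +%s)" \
        > "$metric_file.tmp" && mv "$metric_file.tmp" "$metric_file"
}

# backup_is_stale METRIC_FILE MAX_AGE_SECONDS [NOW]
# Exit status 0 means "alert": no success recorded, or the last one is too old.
backup_is_stale() {
    now=${3:-$(date +%s)}
    [ -r "$1" ] || return 0
    last=$(awk '$1 == "homelab_backup_last_success_seconds" { print $2 }' "$1")
    [ -n "$last" ] || return 0
    [ $((now - last)) -gt "$2" ]
}

# Constructed demo: one good run, then the same job with a typo in the target.
work=$(mktemp -d)
mkdir -p "$work/data" "$work/nas-docker"
echo "sample" > "$work/data/file"
prom="$work/backup.prom"
run_backup "$work/data" "$work/nas-docker" "$prom"
run_backup "$work/data" "$work/nas-dokcer" "$prom" || echo "typo run: exit $?"
# 93600 s = 26 h, an assumed window for a job scheduled daily at 02:00.
backup_is_stale "$prom" 93600 && echo "ALERT: backup stale" || echo "backup fresh"
```

If the metric file is exposed to Prometheus (for instance through node_exporter's textfile collector, which is an assumption about the setup), the same condition as an alert expression is `time() - homelab_backup_last_success_seconds > 93600`.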

Energy Efficiency and Cost Analysis

My setup consumes approximately 180W under load (NUC: 95W, NAS: 60W, networking: 25W). At $0.12/kWh, that's ~$190/year in electricity. The NUC cost $650; the NAS, $800. Total hardware investment: $1,450. Over 3 years, that's $484/year all-in, replacing $600+/year in cloud services (Plex Pass, cloud storage, home automation platform fees).

I've added low-power optimizations: CPU frequency scaling via cpufreq-set, disabling unused USB ports, and setting NAS to spin-down drives after 10 minutes idle. Current idle consumption: 45W.

Final Thoughts

Building a homelab isn't about having the shiniest hardware—it's about learning infrastructure, automation, and security at your own pace without renting cloud resources. I've made expensive mistakes (lost data, security incidents, hardware failures), but each taught me something cloud platforms hide behind abstractions.

Start small. I'd recommend: Raspberry Pi 4 (8GB) + 1TB external drive + WireGuard. Get comfortable with Docker, automate one backup, and harden SSH. Once you own that setup, graduate to a NAS and a dedicated compute node. The homelab community on Reddit and Discord is supportive—don't hesitate to ask questions before making my mistakes.

The complete configuration files for my stack are on GitHub (lumen-homelab/2026-production). I update them quarterly as tools evolve. Welcome to the journey.
