I run quite a few things in my home lab. Here’s a brief overview of the setup and what I have running:
- k3s cluster running on:
  - Four HP Prodesk PCs — RHEL 9
  They run a mix of services:
  - Jellyfin
  - Paperless-ngx
  - Pocket ID
  - And more…
  I use `argocd` for continuous deployment.
- Unifi Dream Machine Pro + Switch + Access Points — meshed (for now)
- Synology NAS with ~26TB usable storage; running internal DNS — also available over Tailscale which is awesome…
- AMD Ryzen AI Max 395+ 128GB Mini PC — Running Ubuntu for AI experiments
- Gaming PC with RTX 4070 Ti 12GB — Running Windows for gaming (I keep installing Linux for AI experiments)
- Raspberry Pi 5 running Home Assistant OS — includes a Zigbee adapter
- DNS hosted on DNSimple — migrating away from Cloudflare’s centralized control of the web
AI / ML
I split AI model access between local inference, Opencode Go, and ChatGPT Pro-Lite, depending on what I am testing and where the model runs best.
For local inference, the AMD Ryzen AI Max 395+ handles MoE models — the 128GB of unified memory means it can load the full weights of very large sparse models that would be impractical on a GPU-constrained machine. The gaming PC with its RTX 4070 Ti handles smaller dense models. Most of my local experimentation has been with llama.cpp and Qwen3 variants.
Networking
The network starts with a 3 Gbps symmetric fiber connection into a 10 GbE SFP+ port on the Dream Machine Pro, with the main access point also connected over 10 GbE SFP+.
The rest runs on a Unifi Dream Machine Pro with managed switches and access points. IoT and smart home devices live on a dedicated VLAN and isolated WiFi network with no access to the main LAN — the only exception is a firewall rule allowing Home Assistant to reach across and poll devices. Everything else on that VLAN is egress-only to the internet.
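As an added example (not part of the original post), this Python check audits firewall log records against the IoT VLAN policy described above and reports any flow whose logged action disagrees with it. The subnets, the Home Assistant address, the record format and the sample records are constructed assumptions, and it reads "the only exception" strictly, so no LAN host other than Home Assistant may open connections into the IoT VLAN.

```python
import ipaddress
from typing import NamedTuple

# Assumed addressing, constructed for this example (the page gives no subnets).
LAN = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.20.0/24")
HOME_ASSISTANT = ipaddress.ip_address("192.168.1.10")  # assumed to sit on the LAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    state: str  # "new" or "established", as a stateful firewall would log it

def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in IOT or ip in LAN:
        return "iot" if ip in IOT else "lan"
    return "internal" if any(ip in n for n in RFC1918) else "internet"

def verdict(f: Flow) -> str:
    """Action the policy described above should produce for a routed flow."""
    src, dst = zone(f.src), zone(f.dst)
    if f.state == "established" or src == dst:
        return "allow"  # reply traffic, or same-zone traffic outside the policy
    if src == "iot":
        return "allow" if dst == "internet" else "deny"  # egress-only
    if dst == "iot":  # strict reading: only Home Assistant may reach in
        return "allow" if ipaddress.ip_address(f.src) == HOME_ASSISTANT else "deny"
    return "allow"  # flows that never touch the IoT VLAN are out of scope

def audit(records):
    """Return (flow, logged_action) pairs that disagree with the policy."""
    return [(f, action) for f, action in records if action != verdict(f)]

# Constructed firewall log records: (flow, action the firewall took).
SAMPLE = [
    (Flow("192.168.20.31", "203.0.113.5", 443, "new"), "allow"),
    (Flow("192.168.1.10", "192.168.20.31", 80, "new"), "allow"),
    (Flow("192.168.20.31", "192.168.1.10", 40000, "established"), "allow"),
    (Flow("192.168.1.77", "192.168.20.31", 80, "new"), "deny"),
    (Flow("192.168.20.31", "192.168.1.50", 445, "new"), "allow"),  # rule drift
    (Flow("192.168.20.31", "10.0.0.5", 22, "new"), "allow"),       # rule drift
]

if __name__ == "__main__":
    for flow, action in audit(SAMPLE):
        print("policy violation:", flow, "was", action)
```

Run against exported firewall logs after any rule change, this kind of check catches an accidental allow rule that reopens the path from the IoT VLAN to internal hosts.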
Tailscale runs on both the Synology NAS and the Home Assistant instance, acting as subnet routers. This means I can reach internal services and smart home controls remotely without punching holes in the firewall.
Ports 80 and 443 are forwarded into the k3s cluster, where Traefik handles ingress and cert-manager provisions TLS certificates automatically via Let’s Encrypt.