Network map

Homelab

Top-down: fiber (with T-Mobile 5G as automatic failover) drops in through a dual-WAN UniFi Cloud Gateway, fans out to a rack-mounted Pro Max 16 PoE and a desk-side Flex 2.5G edge switch over a single 30 m SFP+ DAC. A Proxmox host runs the compute and storage pool; inside its Ubuntu Docker VM, Nginx Proxy Manager terminates Let’s Encrypt for every *.sgreenlab.net hostname.

No IPs, no MACs, no SSIDs. Public hostnames resolve to the tailnet, not the WAN. Click any node for hardware, services, and which VLAN it sits on.

·· ·· ·· ·· ·· ·· ·· ··
Pro Max 16 PoE
UCG Fiber HA Green
Pi · Pi-hole 2° Matter hub
PDU · · · · · · · ·
Proxmox · Ubuntu VM + TrueNAS
CyberPower 2U UPS

Open-frame rack · a top-of-rack monitor + keyboard run off the GPU passed to the Ubuntu VM

WAN

Gateway

Gateway-direct

Distribution

Rack core, the spine every wired run terminates at.

VMs

Desk side, trunked to the rack over a 30 m SFP+ DAC.

Off-site

Network fabric Compute / hypervisor Storage / backup Workstation / appliance

trust homelab iot security guest

Last updated 2026-06-04.

Homelab inventory

Last updated 2026-06-04.

CenturyLink Fiber

network · Primary WAN, symmetric residential fiber feeding the rack.

Specs

Carrier: CenturyLink
Service: Symmetric fiber
Hand-off: SFP+ → RJ45 adapter into the UniFi Cloud Gateway

The primary WAN. Cloudflare DNS sits in front for the public domain; everything else lives behind the gateway.

T-Mobile 5G (failover WAN)

network · Cellular backup internet for automatic WAN failover.

Specs

Carrier: T-Mobile Home Internet (5G)
Role: Backup WAN
Failover: Gateway fails over automatically if the fiber drops

Keeps the lab and the house online when the fiber is down. The gateway watches the primary WAN and cuts over to cellular without manual intervention.

UniFi Cloud Gateway Fiber

network · Dual-WAN edge router / firewall / IDS that drives the whole tailnet seam.

Specs

Model: UniFi Cloud Gateway Fiber
Role: Routing · firewall · DPI · VLAN trunking
WAN: Fiber primary + T-Mobile 5G failover
Storage: M.2 SSD tray for UniFi Network on-box
VLANs: Trust · Homelab · IoT · Security · Guest

What runs here

Default VLAN (Trust) · Family devices, Apple HomeKit, the wife's gear. DNS points at both Pi-holes.
Homelab VLAN · Workstations, servers, and dev VMs. DNS points at both Pi-holes.
IoT VLAN · Smart devices in their own zone, WAN egress allowed, lateral movement blocked.
Security VLAN · Abode hub and security sensors, locked-down egress.
Guest VLAN · Isolated SSID for visitors, internet only, no LAN access.
Site-to-site · Tailscale subnet router on the Ubuntu Docker VM exposes the homelab over the tailnet.
Inter-VLAN ACL · IoT and Security VLANs can only reach the homelab VLAN through specific ports.

Acts as router, firewall, DHCP, and the SSO seam to the UniFi controller. The on-box controller talks to all switches and APs.

UniFi Pro Max 16 PoE

network · Core distribution switch, the spine of the rack.

Specs

Model: USW Pro Max 16 PoE
Form factor: Rack-mount (UniFi Pro Max rack-mount kit)
Patching: UniFi patch panel · Cat 6a RJ45 keystone jacks
Uplink: RJ45 → Cloud Gateway
Downlinks: 10G SFP+ DAC to the desk Flex · PoE to APs · 2.5G to rack hosts

Every wired path in the house terminates here. Rack-mounted with a UniFi patch panel and Cat 6a keystones; a 30 m SFP+ DAC trunks down to the desk.

UniFi Flex 2.5G (8-port)

network · Desk-side edge switch trunked back to the rack over a 30 m fibre-equivalent DAC.

Specs

Model: USW Flex 2.5G 8-port
Uplink: 30 m 10G SFP+ direct-attach cable to the Pro Max
Serves: Windows + Mac Studio workstations, JetKVM, Abode hub, printer

What runs here

Long-haul trunk · A single 30 m SFP+ DAC carries every desk-side VLAN to the rack instead of trenching multiple runs

Lives on the desk so the two workstations, the KVM, the security hub, and the printer land on one short cable run, then ride a single DAC back to the Pro Max.

UniFi U7 Pro

network · WiFi 7 access point, main coverage in the center of the house.

Specs

Model: U7 Pro
Location: Center of the house, wired into the Pro Max
Power: PoE++ from the Pro Max
SSIDs: Trust / Homelab / IoT / Security / Guest (one radio profile per VLAN)

WiFi 7 on the trust SSID, a slower band on IoT to play nicely with older devices.

UniFi U7 Lite

network · Basement AP, wired straight to the gateway as wireless failover.

Specs

Model: U7 Lite
Location: Basement, plugged directly into the Cloud Gateway
Role: Wireless failover if the Pro Max distribution switch drops

Pairs with the U7 Pro for roaming, but sits on its own switch-independent path so wireless survives a Pro Max outage.

Proxmox Host

compute · Single beefy rack host running the whole compute + storage pool.

Specs

CPU: Intel i5-12600K
Motherboard: MSI Pro Z690-A
RAM: 64 GB DDR4-3200 (4 × 16 GB)
GPU: AMD Radeon RX 5500, passed through to the Ubuntu Docker VM for Plex / Frigate + the rack-top console
Boot: 256 GB NVMe (repurposed from a graveyard system)
VM pool: 2× Samsung 870 EVO SATA SSD (mirrored ZFS)
Passthrough: 2 TB Samsung 870 EVO → Ubuntu Docker VM (bulk container storage)
TrueNAS pool: 3× Seagate Ironwolf 8 TB + 1× WD White 8 TB → TrueNAS VM (raidz1)
PSU: Corsair 750 W Gold
Case / cooling: Cooler Master case · Thermalright CPU fan · Noctua + Fractal 120 mm

What runs here

Ubuntu Docker VM · 2 TB SSD + RX 5500 passthrough, hosts the Docker fleet (16 containers)
TrueNAS VM · 4 × 8 TB raidz1 passthrough, bulk storage tier
Rack-top console · A mounted 27" monitor + keyboard/mouse on a shelf above the rack, driven by the passed-through RX 5500 into the Ubuntu VM for hands-on work right at the rack

Heart of the rack, and fully validated: the entire Proxmox host has been rebuilt from backups end-to-end. The GPU passthrough makes Plex, Frigate, and the rack-top console viable on one box. The AI/LLM stack lives on the Mac Studio instead, so Apple Silicon does the inference.

Ubuntu Docker VM

compute · The 16-container Docker fleet, all fronted by Nginx Proxy Manager.

Specs

Host: VM on Proxmox
Storage: 2 TB Samsung 870 EVO (passthrough)
GPU: AMD Radeon RX 5500 (passthrough), Plex + Frigate transcoding and the rack-top console
Tailnet: Runs the Tailscale subnet router that exposes *.sgreenlab.net over the tailnet

Public hostnames

Nginx Proxy Manager · npm.sgreenlab.net · Reverse proxy + LE issuer for every other hostname
Pi-hole (primary) · pihole.sgreenlab.net · DNS sinkhole + local resolution
Plex · plex.sgreenlab.net · Media library, GPU-transcoded
Frigate · frigate.sgreenlab.net · Camera NVR, GPU-accelerated detection
Nextcloud · nextcloud.sgreenlab.net · File sync (MariaDB-backed)
Firefly III · firefly.sgreenlab.net · Personal finance (MariaDB-backed)
Grafana · grafana.sgreenlab.net · Dashboards
InfluxDB · influxdb.sgreenlab.net · Time-series store behind Grafana
Pulse · pulse.sgreenlab.net · Proxmox + Docker host monitoring
Portainer · portainer.sgreenlab.net · Container management UI
Homer · homer.sgreenlab.net · Service launcher / start page
Heimdall · heimdall.sgreenlab.net · Service launcher / dashboard
RustDesk · rustdesk.sgreenlab.net · Self-hosted remote-desktop relay (hbbs + hbbr)
Cairo marketing · cairo.sgreenlab.net · Marketing site for the Cairo platform, fronted by NPM

What runs here

Edge / proxy · Nginx Proxy Manager, Let's Encrypt for every *.sgreenlab.net hostname (incl. the Cairo site)
DNS · Pi-hole primary (the Raspberry Pi is secondary)
Media · Plex · Frigate (GPU-accelerated)
Productivity · Nextcloud + MariaDB · Firefly III + MariaDB
Observability · Grafana · InfluxDB · Pulse
Management · Portainer · Homer · Heimdall
Remote · RustDesk relay (hbbs + hbbr) for remote desktop into every VM

The Docker fleet matches the live `docker ps`: 16 containers, all reverse-proxied through NPM with Let's Encrypt certs. The AI/automation stack (Open WebUI, LiteLLM, Searxng, n8n) runs on the Mac Studio, not here.

TrueNAS

storage · Bulk storage tier that runs as a VM on Proxmox with drive passthrough.

Specs

Pool: 4 × 8 TB raidz1 (3× Seagate Ironwolf, 1× WD White)
Host: VM on the Proxmox box (not a separate physical machine)
vCPU: 1 socket / 4 cores from the Proxmox pool
RAM: 20 GB DDR4-3200
Off-site: rsync to the off-site PBS for an air-gapped second copy of the critical datasets

What runs here

Datasets · Media · backups · container persistence · personal archive
Veeam target · Receives Veeam image backups of the Windows workstation
Off-site mirror · Critical datasets rsync nightly to the off-site PBS box

Drives are physically in the Proxmox chassis but passed through to TrueNAS so the storage stack stays first-class.

Windows Workstation

client · Daily-driver Windows machine at the desk, plus a Win 11 VM on its own NIC.

Specs

CPU: Intel Core Ultra 7 265K
Motherboard: MSI Pro Z890-S
RAM: 32 GB DDR5-6400 (2 × 16 GB)
GPU: EVGA 3070 Ti FTW3
Storage: 2 TB Samsung 970 EVO NVMe
PSU: Seasonic 850 W Gold
Display: Shares the MSI 49" OLED via its built-in KVM with the Mac Studio
Case / cooling: Fractal Meshify C · Noctua CPU + 2× case · Fractal 120 mm

What runs here

Windows 11 VM · Isolated dev VM on a dedicated passed-through NIC so it sits on its own VLAN, segmented from the host

Newest hardware in the lab. The host rides the desk Flex switch; the VM's passed-through NIC drops it onto a separate VLAN. Backed up to TrueNAS with Veeam.

Mac Studio

client · Daily-driver Mac, the AI/LLM stack, and the dev + CI VMs.

Specs

Chip: Apple M2 Ultra
RAM: 192 GB unified memory
Storage: 2 TB internal SSD
Dock: CalDigit TS3 Plus (Thunderbolt 3)
Network: Built-in NIC for the host (Trust); a dedicated NIC drops the dev/CI VMs onto the Homelab VLAN
Console: Wired to a standalone JetKVM and the MSI 49" OLED's built-in KVM

Public hostnames

Open WebUI · owebui.sgreenlab.net · Chat UI for the local + remote model fleet
LiteLLM · litellm.sgreenlab.net · Model router in front of the local MLX model + hosted providers
Searxng · searxng.sgreenlab.net · Metasearch, feeds Open WebUI
n8n · n8n.sgreenlab.net · Workflow automation
Jenkins · jenkins.sgreenlab.net · CI controller for the build/test fleet

What runs here

Jenkins VM · CI controller that orchestrates builds + tests across the mac / linux / windows agents
Ubuntu dev VM · Linux dev environment on the dedicated dev NIC
macOS dev VM · Clean-room build / test
Open WebUI · Chat UI in front of the local + hosted model fleet
LiteLLM + Postgres · Model router; fronts a local MLX model for the coding agent and any hosted provider
Searxng · Metasearch that backs Open WebUI's web tool
n8n · Workflow automation

Apple Silicon handles inference, so the AI/LLM Docker stack and a local MLX model live here, keeping the Proxmox box free for media + storage. The dev and Jenkins VMs ride a dedicated NIC on their own VLAN.

Proxmox Backup Server (off-site)

storage · Off-site backup target with its own power and internet.

Specs

Host: Dell Optiplex 7050 (off-site)
Storage: External HDD docking station · 8 TB Seagate Barracuda
Link: Pulls scheduled backups over Tailscale
Resilience: On a UPS, in a building with a backup generator and backup internet

Pulls scheduled backups from the main rack and receives the rsync mirror of TrueNAS's critical datasets, so a fire / flood / theft at the house doesn't take the data with it. Its site has a backup generator and backup internet of its own.

Raspberry Pi

client · Secondary Pi-hole and the tailnet DNS nameserver.

Specs

Hardware: Raspberry Pi on the rack
Role: Secondary Pi-hole · Tailscale DNS nameserver · independent power

Public hostnames

Pi-hole (secondary) · pihole-bk.sgreenlab.net · DNS failover for the LAN

What runs here

Tailnet DNS · Advertised as the tailnet nameserver so MagicDNS + the exposed subnets resolve across devices

If the Ubuntu Docker VM is rebooting or down for maintenance, the LAN still resolves DNS through this box. It also serves as the Tailscale DNS nameserver for the exposed subnets.

Home Assistant Green

client · Dedicated smart-home hub on the rack, separate from the Docker stack.

Specs

Hardware: Home Assistant Green appliance (rack-mounted)
Role: Home automation + Zigbee/Matter coordinator

Kept off the Docker stack so home automation stays up even when the main host is being worked on.

JetKVM

client · KVM-over-IP, remote console for the Mac Studio.

Specs

Hardware: Standalone JetKVM (full unit, not the Nano)
Attached: Wired to the Mac Studio at the desk
Role: Remote BIOS / boot console for the Mac Studio from anywhere on the tailnet

Public hostnames

JetKVM web console · jetkvm.sgreenlab.net · KVM web interface

Lets me reach the Mac Studio's console and boot menu from anywhere on the tailnet. The rack itself has its own console via the rack-top monitor on the Ubuntu VM.

Abode Security Hub

client · Alarm / sensor hub on the security VLAN.

Specs

Role: Door/window sensors · siren · monitoring

Isolated on its own VLAN; only outbound to the vendor cloud is allowed.

Backups

A 3-2-1 strategy across the whole lab, with at least one copy off-site.

Windows · Veeam Image-level backups of the Windows workstation to the TrueNAS pool.
macOS · Time Machine Continuous Time Machine backups of the Mac Studio host.
Proxmox · PBS Nightly VM/CT backups, pulled to the off-site Proxmox Backup Server over Tailscale.
Every Docker · Borg Deduplicated, file-level Borg backups for all of the Docker containers.
TrueNAS → PBS · rsync The critical datasets rsync nightly from the NAS to the off-site PBS storage for a second, air-gapped copy.
Validated restore The entire Proxmox host has been rebuilt from backups end-to-end and verified, so the strategy is proven, not assumed.

Power & uptime

Battery-backed at every tier, with cellular and off-site fallbacks.

Desk UPS CyberPower 1500 VA tower UPS for the workstations, the 49" OLED, and the desk Flex switch.
Rack UPS Rack-mounted CyberPower 2U UPS for the gateway, switch, Proxmox host, and appliances.
Off-site The off-site PBS box is on its own UPS, in a building with a backup generator and backup internet.
Backup WAN T-Mobile 5G cellular failover keeps the house and lab online when the fiber drops.

Accessories & cabling

Patch panel · UniFi patch panel
Keystones · Cat 6a RJ45
Long-haul uplink · 30 m 10G SFP+ direct-attach cable (desk → rack)
SFP+ to RJ45 · 1× adapter (CenturyLink ONT → UCG WAN)
PoE++ injector · Spare for one-off long-run AP
PoE splitters · 60 W and 12 V / 2 A, to power non-PoE devices off a PoE drop
M.2 SSD tray · UCG-Fiber on-board UniFi controller storage

Rack: StarTech open-frame with deep mount, 1U + 2U shelves, CyberPower 2U UPS, CyberPower PDU. Top-down: a UniFi patch panel, the USW Pro Max 16 PoE, a 1U shelf holding the UniFi Cloud Gateway Fiber and the Home Assistant Green, a 2U shelf with the Raspberry Pi and the HA Green’s Matter hub, the CyberPower PDU, then a gap, the Proxmox server, and the CyberPower 2U UPS at the bottom. A mounted 27″ monitor with keyboard and mouse sits on a shelf above the rack, driven by the GPU passed through to the Ubuntu VM, so changes can be made hands-on right at the rack. Desk: two workstations sharing an MSI 49″ OLED via its built-in KVM, a standalone JetKVM on the Mac Studio, the Flex 2.5G switch, and a CyberPower 1500 tower UPS. The U7 Pro AP lives in the center of the house off the Pro Max; a U7 Lite in the basement plugs straight into the gateway as wireless failover if the distribution switch ever drops.