Back to Portfolio
INFRASTRUCTURE

Home Lab Personal Cloud

A hybrid 3-node cluster combining Raspberry Pi, laptop, and Oracle Cloud VPS. Powers custom web apps with SSO, media automation, and a K3s cluster.

Last updated: 18/02/2026

The "Small but Mighty" Setup

This isn't a noisy server rack tucked away in a basement—it's a silent, efficient cluster running in my living room. With only one LAN outlet in the home, I needed the cluster where internet speeds matter most. This constraint pushed me to prioritize silent operation and low power consumption so it wouldn't disturb daily life. What started as a way to learn Docker evolved into a capable personal cloud hosting 6+ custom web applications with unified SSO, a complete media automation stack, and a K3s cluster for containerized services — all running across ~15 containerized services.

Primary Node

arm64 / raspberry-pi-5
4 cores
8GB RAM

The heart of the cluster. Efficient, silent, and always on. Handles orchestration and lightweight services.

[MASTER] [ARM64] [LOW-POWER]

Worker Node

amd64 / ryzen-5-5600u
6 cores
16GB RAM

The heavy lifter. Repurposed x86 laptop acting as the muscle for demanding containers. Built-in battery serves as a dedicated UPS.

[WORKER] [X86_64] [BATTERY-UPS]

Cloud Gateway

arm64 / oracle-ampere
4 cores
24GB RAM
FREE TIER

The public face. Handles ingress, reverse proxy, and secure tunneling. Connects the home cluster to the world.

[GATEWAY] [CADDY] [WIREGUARD]

What It Does

The system powers a variety of critical services across two orchestration layers:

Docker Compose Stack

Media Automation Stack

  • Jellyfin: Self-hosted media streaming server with hardware transcoding
  • Radarr: Movie collection manager with automatic downloads and organization
  • Sonarr: TV series manager with episode tracking and automated downloads
  • Bazarr: Subtitle management for Radarr and Sonarr
  • Seerr: User-friendly media request interface integrating with Jellyfin, Radarr, and Sonarr
  • qBittorrent: Torrent client with web interface and ClamAV integration
  • Jackett: Indexer proxy/adapter for torrent trackers
  • FlareSolverr: Proxy to bypass Cloudflare protection on certain indexers
  • ClamAV: Antivirus scanner for all downloaded content before library ingestion

Custom Web Platform (Self-Built Applications)

  • Backend API (FastAPI): Developed from scratch with JWT authentication, token blacklisting, user management, and AI-powered content processing
  • Content Digest App: Built a custom AI-powered web scraping and summarization tool with browser automation (SvelteKit)
  • Admin Panel: Created a comprehensive web interface for managing users, applications, and permissions (SvelteKit)
  • Authentication Portal: Designed and implemented a centralized login system with cross-subdomain SSO (SvelteKit)
  • App Hub: Built a user portal for accessing platform applications and account management (SvelteKit)
  • QR Generator: Developed a QR code generation microservice deployed on Kubernetes (React 18)
  • Vault App: AI-assisted acquisition and ownership tracker with smart item structuring, product summarization, and image optimization (SvelteKit)
  • Task Log: Internal backlog and run-tracking system for operator and agent task workflows (SvelteKit)

Deployment Workflow: All applications are initially built and hosted on Docker Compose for rapid development and testing. Once stable, they are compiled into Docker images and deployed to the K3s cluster. Currently, the QR app is the only application running in K3s, with others still in the Docker Compose stack.

Worker Offload Architecture

Heavy compute tasks are offloaded from the Raspberry Pi to the laptop Docker host over the local network, avoiding Pi overload and ARM64 build complexity for certain native libraries.

  • Playwright Scraping Worker: Node.js + headless Chromium on the laptop — receives URLs via HTTP API, returns extracted content. Falls back to local Playwright on the Pi if unreachable
  • Sharp Image Worker: Node.js + Sharp (libvips) on the laptop — receives raw images via HTTP API, returns WebP-optimized output (quality 80, max 1600px). Falls back to Pillow on the Pi if unreachable

Infrastructure Services

  • SQLite + Alembic: Database with automated migrations versioned per feature area (auth, digest, apps, vault)
  • Single Sign-On: JWT-based SSO across all subdomains with HttpOnly cookies, token blacklisting, and bcrypt password hashing
  • Docker Registry: Private self-hosted image registry for consistent distribution across the mixed-architecture environment (ARM64 + x86_64)

K3s Cluster

  • Traefik Ingress: Automatic routing and load balancing for Kubernetes services
  • Portainer: Web-based Kubernetes management UI for cluster monitoring and deployment
  • QR App: QR code generator running as a Kubernetes deployment with React 18

Cloud Gateway (Oracle VPS)

  • Caddy: Reverse proxy with automatic SSL/TLS certificates, security headers (HSTS, CSP, X-Frame-Options), rate limiting, and Gzip/Zstd compression
  • CrowdSec: Collaborative threat detection and automatic IP blocking integrated as a Caddy plugin for inline request filtering
  • WireGuard VPN: Encrypted tunnel connecting VPS to home server — the Pi has zero direct internet exposure
  • Tailscale: Mesh VPN across all devices for zero-config secure remote access during administration and development

Why I Built It

I needed a sandbox to break things safely. This was my first real personal project that pushed me beyond tutorials and into actual problem-solving. What started with Jellyfin for media streaming grew into a full platform after I built a custom secure tunnel to replace third-party services.

Beyond learning, I kept running into the same frustration: existing tools were either limited, ad-ridden, or just didn't fit what I needed. The QR generator? Most online versions were locked behind paywalls or covered in ads. The Vault app? Nothing out there matched the workflow I had in mind. So instead of settling, I started building my own — and that grew into a full self-hosted ecosystem of custom applications replacing third-party tools on my own terms.

Along the way I learned: how Docker containers communicate, how to build and deploy FastAPI backends, how JWT authentication flows work, and how to manage a hybrid architecture spanning ARM and x86 nodes. I built 6+ custom web applications from scratch with a unified SSO system — proving that you don't need enterprise gear to build enterprise-grade solutions.

Lessons Learned

  • ARM has quirksNot all Docker images support ARM64. Finding compatible alternatives and tweaking configs taught me to read docs carefully.
  • DNS is powerfulManaging records in Cloudflare and understanding how traffic flows made the whole system click.
  • Start small, iterate fastThis setup grew organically. Each problem solved unlocked the next improvement.
  • Cost-conscious infrastructureRunning on low-power devices and free-tier cloud taught me to optimize before scaling.
  • Security is a journeyImplementing SSO, token blacklisting, and audit logging taught me that authentication is more than just passwords.
  • Hybrid architecture complexityCoordinating Docker Compose and K3s on the same node, plus a remote VPS gateway, required careful port planning and network design.
  • Environment mattersWith only one LAN outlet in the home, the cluster had to live in the living room. This constraint forced smart hardware choices: silent components, low-power ARM processors, and efficient cooling. Adapting to real-world limitations made me a better engineer.

What's Next

The platform continues to evolve with planned improvements to the application suite, expanded automation workflows, and additional self-hosted tools. The modular architecture makes it easy to add new services as needs arise.