A private homelab running local AI, self-hosted services, and full-stack infrastructure — no cloud subscriptions, no data leaving the premises.
All AI workloads run on dedicated hardware with AMD Radeon GPUs. No API calls to third-party services. No data shared externally.
Ollama serves large language models locally on two dedicated AI servers. Each family member gets their own isolated instance and knowledge base.
Documents from Nextcloud are automatically synced and indexed into per-user vector databases. Web articles are captured via a custom Chrome extension.
ComfyUI runs on a dedicated machine with an NVIDIA RTX 5060 Ti, handling image generation workflows independently from the language model servers.
Custom AI agents with persistent memory run on local LLMs and integrate with messaging platforms, enabling fully private, always-on assistants.
A complete self-hosted stack covering productivity, security, storage, and communication — for the whole family.
Nextcloud with OnlyOffice handles documents, calendars, and contacts across all devices. Files are stored on local NAS hardware, not in any cloud.
Over 80,000 photos managed by Immich with AI-powered face recognition, smart search, and automatic album generation — all running locally.
Vaultwarden — a self-hosted Bitwarden-compatible server — manages credentials for the entire family across all platforms and devices.
A full mail stack with external relay servers in the USA and an internal Mailcow instance. Full SPF, DKIM, and DMARC configuration with spam filtering.
Every layer of the infrastructure, from hardware to application.
| Layer | Component | Details |
| --- | --- | --- |
| compute | AI Servers (×3) | Intel Core i5-14600KF / i5-14400F, AMD Radeon R9700 32 GB, NVIDIA RTX 5060 Ti 16 GB |
| storage | NAS (×2) | 2×2 TB SATA per unit — primary NFS share and Restic backup target |
| virtualisation | KVM Hosts (×2) | AMD Ryzen 7 8845HS / Intel i5-12450H running all internal VMs |
| os | Ubuntu 24.04 LTS | All virtual machines and servers — 64-bit, managed via Ansible |
| automation | Ansible + Semaphore | All deployments, updates, and configuration changes via playbooks |
| networking | WireGuard VPN | Secure tunnel between external servers and internal network |
| firewall | Shorewall | iptables frontend on all externally facing servers, strict DROP policy |
| dns / filter | Pi-hole (×2) | Network-wide DNS filtering and ad blocking, redundant setup |
| monitoring | Grafana + Prometheus | Node Exporter on all servers, centralised alerting via email |
| backup | Restic | Incremental, encrypted, deduplicated backups to local NAS — daily |
| proxy / ssl | Nginx + Let's Encrypt | Reverse proxy for all services, automated certificate renewal |
| containers | Docker | All services run in Docker Compose — isolated, reproducible deployments |
These are not decisions made for technical novelty. They are deliberate choices about privacy, ownership, and independence.
Photos, documents, conversations, and passwords never leave our infrastructure. No third-party analytics, no telemetry, no cloud sync.
We deliberately chose not to rely on Microsoft 365, iCloud, Google Workspace, or any commercial AI API as a dependency for daily life.
Local LLMs are capable enough for everyday use. Sensitive queries never need to leave the building to reach an intelligence that can help.
Every server configuration is version-controlled and deployable from scratch. Nothing is configured manually that cannot be reproduced automatically.