Setting up a privacy-oriented Home Lab

Motivation

I became more interested in personal privacy after myRoku started spying on what we were watching outside the Roku itself, our mesh WiFi router switched to a subscription model for “AI” and “cloud” features, and our smart home switches required access to “the cloud” just to turn on lights. TVs, WiFi routers, and smart home devices are all driving prices down by supplementing hardware sales revenue with personal data sales.

On top of that, after creating a custom smart lock , I saw first hand how Google and Amazon's smart home infrastructures are built around selling cloud services and capturing my personal data, while Apple HomeKit is designed to work without any internet access at all.

Given these consideration, I wanted a more robust router and firewall between my home network and the internet. I wanted to be able to completely block smart home devices from accessing the internet. And I wanted to do everything as cheaply as possible while maintaining compute resource (CPU, RAM, disk) separation between self-hosted services.

Setup

• 1x $59 Ubiquiti EdgeRouter X
• 1x $70 TP-Link 8 Port PoE Switch
• 4x $55 Raspberry Pi 4 Model B 4GB
• 4x $20 Raspberry Pi PoE HAT
• 3x $48 Seagate 1TB USB HDD
• Total: $573

The Ubiquiti EdgerRouter X is the router and firewall while the mesh WiFi is in “bridge” mode, effectively operating as a switch. IP addresses are assigned in ranges and firewall settings are used to block all devices from the internet except those that need it (Apple TV, Laptops, Phones, etc.).

Four Raspberry Pis host all self-hosted services.Public services like code hosting, federated social networks, and a bitcoin node. And private services like DNS-based ad and tracker blocking. (After using Pi-Hole for a while, I switched to AdGuard Home, which is just simpler and easier to maintain.)

Finally, power over Ethernet (PoE) with a PoE switch is used to reduce the cords to the Raspberry Pis.

Custom Racking

A downside of not using a standard rack-mounted host is the non-standard form factors of the Raspberry Pis and hard drives etc.

To handle this, I 3D printed a Raspberry Pi 2U rack mount . It's not used in a rack configuration but it's actually just a great way to have easy, uniform, and modular access to the Pis.

Hardware was purchased from McMaster-Carr.

• 1x $3.33 Super-Corrosion-Resistant 316 Stainless Steel Socket Head Screw, M2.5 x 0.45 mm Thread, 12 mm Long
• 2x $5.66 18-8 Stainless Steel Threaded Rod, M5 x 0.8 mm Thread Size, 300 mm Long
• 1x $3.79 Super-Corrosion-Resistant 316 Stainless Steel Thin Hex Nut, M5 x 0.8 mm Thread, 2.7 mm High
• Total: $18.44

For the hard drives, I designed and 3D printed a custom stand.

Configuration Management

Host configuration is managed with Ansible . The roles are written to be minimally invasive and optimized for low maintenance.

The Ansible roles areopen source.

Layout

For clarity, my specific Raspberry Pi Ansible playbook in provided below:

- hosts: rpis
  roles:
    - rpi-base
    - apt-cacher/client
    - prometheus/rpi-client

- hosts: admin.local
  roles:
    - adguard-home
    - apt-cacher/server
    - prometheus/server

- hosts: btc.local
  roles:
    - block-device
    - bitcoind
    - lnd
    - bitcoind-prometheus-exporter

- hosts: media.local
  roles:
    - block-device
    - plex
    - transmission
    - homebridge
    - minecraft
    - nginx

- hosts: web.local
  roles:
    - block-device
    - postgresql
    - pleroma/aws-s3-backup
    - pleroma/otp
    - writefreely
    - mercurial/aws-s3-backup
    - mercurial/web
    - oragono
    - prosody
    - nginx

Conclusion

Using a hardwired router as the articulation point between the internet and the rest of a home network is a great way to get privacy, security, and self-hosting without really investing much.

# RaspberryPi # SelfHosting # Homelab # Linux # RaspberryPi # Homekit