Home Lab Overview: Alecto and Friends

I’ve always enjoyed tinkering with operating systems and finding ways they improve day-to-day life. I’m not a cloud hater. Cloud services are useful and I still use them. I self-host because it’s fun.

With most SaaS tools, you’re limited by design choices you had no part in. My biggest self-hosted system is a Plex machine. I watch what I want, how I want, for roughly the cost of electricity. There’s also been a serious learning component: networking, security, general IT practice. That alone has made it worth running.

Topology

Starting at the internet edge and working inward:

Router / Firewall: I settled on OPNsense. It met and exceeded what I needed. The box runs intrusion detection, Unbound DNS, and a handful of other security-focused services.

Switching: Traffic hits a 24-port unmanaged gigabit switch with SFP ports. Nothing exotic, but most ports are in use.

Flat Network: The network is currently flat, so traffic flows directly to access points, servers, Raspberry Pis, NVR systems, gaming consoles, and everything else.

The topology is simple. The interesting part is what the devices are doing, not how complex the diagram looks.

Core Infrastructure

Alecto

Hardware

  • Ryzen 7 1700X
  • 1 TB NVMe
  • 4 TB HDD
  • GTX 1050 Ti

Nothing exotic, but it handles everything I need with around 85% idle time.

Software: Ubuntu LTS as the host OS, with Docker for everything else (media acquisition, media consumption, networking, local services, metrics, and automation).

Docker makes backing up and restoring critical services significantly easier, which is the main reason I keep everything containerised.

Services

Media Acquisition

The pipeline follows a simple request, acquire, process, library chain.

  • Overseerr
  • Prowlarr
  • Sonarr / Radarr
  • qBittorrent
  • Deluge
  • Unpackerr
  • cross-seed

Prowlarr manages indexers. Private trackers have far less fake or malicious content than public ones, which matters later in the chain once Sonarr and Radarr start grabbing releases automatically.

Sonarr and Radarr handle TV and movies. Quality profiles are simple: HD and 4K. That has covered everything so far. Both monitor RSS feeds from configured indexers and push matched torrents to the downloader automatically.

I run two download clients. qBittorrent handles the entire arr stack. Deluge handles manual downloads and non-media content. Dynamic save paths split movies and TV cleanly for Plex.

Unpackerr handles automatic extraction for downloads that arrive as archives. cross-seed finds identical or near-identical torrents across trackers and advertises that I already have the data, which improves speeds and availability for others.

The only recurring issue is Sonarr or Radarr occasionally grabbing a fake title. Aggressive regex-based filters have mostly resolved it.

Media Consumption

  • Plex
  • Tautulli
  • Overseerr
  • Homepage

Plex is the primary player. Mature, stable, available on every device, and accessible for non-technical users. I’ve tested Jellyfin and like it, but haven’t switched.

Tautulli gives visibility into Plex usage: playback activity, per-user bandwidth, transcoding load. That data makes decisions around limits and capacity easier.

Overseerr lets users request titles themselves rather than messaging me. Requests still require approval, but that takes seconds instead of a back-and-forth conversation.

Homepage is a single customisable dashboard with a high-level view of everything running. It doesn’t replace Zabbix or Grafana for monitoring, but it’s useful for day-to-day glancing.

Networking and VPN Containment

Torrent clients are routed through Gluetun, a dedicated VPN container running WireGuard. The downloaders have never touched my LAN directly and never see my public IP.

Gluetun runs in strict kill-switch mode. If the VPN drops, traffic stops. There’s no fallback to my home connection. Given the provider’s SLA, this hasn’t been an issue in practice.

No inbound ports need to be open, which reduces exposure further. Speed degradation from the VPN hasn’t been noticeable.
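As an added example (not the author's actual configuration), here is a Docker Compose fragment showing the containment pattern described above: qBittorrent shares Gluetun's network namespace, so it has no interface of its own and no route to the WAN if the tunnel is down. The VPN provider values, the LAN subnet 192.168.1.0/24, the Web UI port and the volume paths are placeholders.

```yaml
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      # Assumed: a WireGuard peer config issued by the VPN provider (placeholders).
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - WIREGUARD_ENDPOINT_IP=<vpn-server-ip>
      - WIREGUARD_ENDPOINT_PORT=51820
      - WIREGUARD_PUBLIC_KEY=<server-public-key>
      - WIREGUARD_PRIVATE_KEY=<client-private-key>
      - WIREGUARD_ADDRESSES=<client-tunnel-address>/32
      # Kill switch. Gluetun's firewall is on by default; it is stated explicitly
      # here. Only traffic through the tunnel may leave; if the tunnel drops,
      # nothing falls back to the host's connection.
      - FIREWALL=on
      # Permit replies to the LAN (assumed 192.168.1.0/24) so Sonarr/Radarr and
      # browsers on the LAN can reach the Web UI. Without this the firewall
      # drops that traffic too.
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
    ports:
      # Published on gluetun, not on qbittorrent, because qbittorrent has no
      # network stack of its own.
      - "8080:8080"
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    # Join gluetun's network namespace: every packet qBittorrent sends is
    # subject to gluetun's firewall and routed into the WireGuard tunnel.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - WEBUI_PORT=8080
    volumes:
      - ./qbittorrent/config:/config
      - /srv/downloads:/downloads
    restart: unless-stopped
```

A quick check after bringing the stack up is to compare the egress address seen from inside the qbittorrent container with the one seen from the host; they should differ, and stopping the gluetun container should leave qbittorrent with no connectivity at all.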

Observability

Prometheus, Node Exporter, cAdvisor, and Grafana cover system-level metrics: CPU load, memory usage, container behaviour. Critical alerts go to Telegram. I’m refining thresholds so only actionable issues send a notification.
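As an added example (not the author's own rules), a Prometheus alerting rule file that turns the disk-fill failure mentioned later in the post into an actionable alert: the first rule fires only after the root filesystem has stayed above 85% for 15 minutes, and the second fires on the trend before the disk is actually full. It assumes Node Exporter's `node_filesystem_*` metrics and a `/` mountpoint; thresholds and durations are placeholders to tune.

```yaml
groups:
  - name: homelab-disk
    rules:
      # Sustained high usage, not a momentary spike: the "for:" clause means the
      # condition must hold for 15 minutes before a notification goes out.
      - alert: RootFilesystemFilling
        expr: |
          (1 - node_filesystem_avail_bytes{mountpoint="/", fstype!~"tmpfs|overlay"}
             / node_filesystem_size_bytes{mountpoint="/", fstype!~"tmpfs|overlay"}) * 100 > 85
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: 'Root filesystem on {{ $labels.instance }} is {{ $value | printf "%.0f" }}% full'
          description: 'Usage has stayed above 85% for 15 minutes. Check container log sizes first.'

      # Predictive rule: extrapolate the last hour of free-space samples and alert
      # if the line crosses zero within six hours, which catches log spam early.
      - alert: RootFilesystemFullSoon
        expr: |
          predict_linear(node_filesystem_avail_bytes{mountpoint="/", fstype!~"tmpfs|overlay"}[1h], 6 * 3600) < 0
        for: 30m
        labels:
          severity: critical
        annotations:
          summary: 'Root filesystem on {{ $labels.instance }} is projected to be full within 6 hours'
```

Load the file via `rule_files:` in prometheus.yml and route `severity: critical` to the Telegram receiver in Alertmanager; the `for:` durations are what keep short bursts from paging.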

Automation

Watchtower handles container updates on a schedule at 03:00. If an update breaks something, rolling back means redeploying from the same configuration paths. Docker’s stateless container model makes that straightforward.

Portainer handles anything that needs a UI.

Network Edge

OPNsense

OPNsense sits between the internet and all internal systems. UPnP is disabled. No device exposes itself automatically. Only explicitly required services are permitted outbound or inbound.

All traffic is statefully inspected. DNS is forced through Unbound. Suricata monitors inbound and outbound traffic for known malicious patterns. Devices can’t quietly phone home, bypass DNS filtering, or accept unsolicited inbound connections without generating an alert.

Services get published deliberately, not accidentally exposed.

Boreas

A Raspberry Pi running Nginx Proxy Manager and WireGuard. This started as a workaround for a previous router that lacked VPN support. After moving to OPNsense, the separation made enough sense to keep.

Boreas is my remote access point back into the LAN. Nginx Proxy Manager exposes Overseerr to friends and family outside the local network. Both services sit behind Cloudflare, primarily to obscure my real IP.

The throughput on the Pi is better than you’d expect for the hardware.

Chronos

A Tor middle relay running as a small contribution to online privacy. No exit node: the ISP complaints and CAPTCHA overhead aren’t worth it. A middle relay provides value without the operational noise. It’s low-maintenance and largely invisible once configured.

Failures and Lessons

In the past year, two things actually broke:

  • Disks filled up from log spam. Entirely my fault. Log rotation is properly configured now.
  • Incorrect or fake titles downloaded. Better filters and denied extension lists resolved most of it.

Beyond that, issues have been minor misconfigurations and occasional reboots.

What I’d Do Differently

I’d spread services across more hosts if I could go back. Some hardening measures were probably over-engineered, but I don’t regret that trade-off. Deploying the arr stack earlier would have saved time.

What’s Next

Hardware: managed switch, better access points, a more capable GPU for transcoding.

Monitoring: a consolidated Zabbix dashboard with proper alerting.

Networking: VLANs.

Self-hosted AI models aren’t on the list. Cloud tools cover what I need without the overhead.

Closing

Running this lab has mostly taught me patience. Getting multiple devices, containers, and services working together takes iteration. It’s improved my understanding of networking and containerised systems more than any course I’ve taken.

I keep running it because it’s fun and I learn from it. That’s enough reason.