My wife’s laptop crashed one evening. No warning, no recovery option. Years of photos, documents, and personal files — gone in an instant. What I built in response — a home lab running 30+ containers — ended up teaching me more about enterprise architecture than decades of vendor presentations.
The worst part? We had a NAS sitting in the next room, mostly idle. She’d never gotten around to saving her files there.
That crash was the jolt that started everything.
This is not a home lab story. This is how enterprise architecture actually behaves under constraints.
How a Backup Project Became a Home Lab
What began as a simple backup project — configure NFS for Linux devices, Samba for Windows, get every laptop in the house pointing at the NAS — evolved into something I didn’t expect. One service led to another. A file server needed a media server (Jellyfin). A media server needed a document manager (Paperless-NGX). A document manager needed proper authentication. Authentication needed an identity provider. An identity provider needed monitoring. Monitoring needed dashboards.
Eighteen months later, I’m running 30+ Docker containers on a Gentoo Linux server, with a second machine dedicated to AI workloads. And every single problem I’ve solved in my living room maps directly to a problem I’ve seen in enterprise IT.
Let me walk through the layers, because the home lab enterprise architecture tells a story.
Storage: NFS Became My Most Creative Tool
NFS for Linux clients, Samba for Windows. Every device in the house saves to the NAS by default. Losing a laptop means losing a device, not losing data. This is the same principle behind enterprise shared storage: separation of compute and data. One caveat applies at any scale: with the default AUTH_SYS security flavour, an NFS server trusts whatever UID and GID the client asserts, so exports should be restricted to known hosts (or use Kerberos) rather than opened to the whole subnet.
But NFS turned out to be far more than file sharing. My first NAS motherboard throttled the CPU to 800 MHz, making Gentoo compilation painfully slow. I tried distcc — it didn’t work. So I found a workaround: I exported the NAS root filesystem over NFS, mounted it on my Ryzen 8700G, chrooted into the mount, and compiled there. The CPU workload ran on the fast machine while the binaries wrote back to the NAS over the network.
That hack kept me running until I trashed the motherboard and replaced it with a Ryzen 5500. It also taught me something about infrastructure: the best solution often isn’t the obvious one. NFS wasn’t a file-sharing protocol. It was the tool that saved the entire project.
Compute: Docker Compiled From Source
Every service runs in its own Docker container: isolated, with defined resource limits, restart policies, and network segmentation. Portainer provides a management interface. Watchtower handles automatic updates, which is convenient but also a supply-chain exposure: it deploys whatever a tag currently resolves to, so anything you would rather review before it changes should be pinned to an image digest. This is enterprise architecture at home scale: microservices, isolation, orchestration. The scale is smaller; the principles are the same.
However, because Gentoo compiles everything from source, you hit configuration issues that Ubuntu users never see. My first real debugging session came when containers couldn’t resolve each other’s names — the Docker daemon wasn’t picking up the host’s DNS configuration. It took hours of tracing through iptables rules and Docker’s embedded DNS server to fix.
That experience taught me more about container networking than any tutorial. When something breaks on a system you compiled yourself, there’s no Stack Overflow answer that matches your exact setup. You have to understand the internals.
Security: Custom Keys From the Firmware Up
Security has three network-level layers in my home lab, plus one below the operating system. AdGuard blocks ads and trackers at the DNS level: no device on the network sees an advertisement, including smart TVs and phones. Unbound acts as a recursive DNS resolver, querying the root servers directly instead of trusting the ISP's resolver. Cloudflare Tunnel provides remote access without exposing any inbound ports: cloudflared opens an outbound connection to Cloudflare and requests arrive through it. The trade-off is that Cloudflare terminates TLS at its edge and sees that traffic in the clear, so the tunnel is a decision to trust Cloudflare rather than your own perimeter.
But the layer I’m most particular about is Secure Boot. I didn’t use the default Microsoft-only key chain. Instead, I generated my own Platform Key, Key Exchange Keys, and signing database — combined them with Microsoft’s keys for Windows dual-boot support — and enrolled them directly into the motherboard firmware. Every kernel is signed. Every GRUB file gets a GPG signature. Kernel modules use SHA3-512 hashing.
This means my server will only boot code that I have personally verified and signed. It’s the same principle as enterprise code signing — but implemented at the firmware level, on hardware I control.
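The key hierarchy described above, as an added example that is not the author's scripts: a POSIX shell script that creates PK, KEK and db with openssl, wraps them into EFI signature lists and signs a boot image where efitools and sbsigntools are installed, and prints each certificate's fingerprint. The directory, subject names and owner GUID are assumptions. The fingerprint step is the check worth keeping: once Microsoft's KEK and db certificates are enrolled alongside your own for dual boot, the firmware also boots anything signed under Microsoft's UEFI CA, so after enrolling you should read db back with `efi-readvar -v db` or `mokutil --db`, confirm the enrolled set is exactly what you intended, and keep the dbx revocation list current, since dbx is what blocks the Microsoft-signed bootloaders that have since been found vulnerable.

```shell
#!/bin/sh
# Added example, not the author's scripts. Generates a custom Secure Boot key
# set (PK, KEK, db) with openssl and, where efitools and sbsigntools are
# installed, builds the EFI signature lists, signs a boot image with the db key
# and prints certificate fingerprints to compare against what the firmware
# reports. KEYDIR, the subject names and OWNER_GUID are assumptions.

KEYDIR="${KEYDIR:-$HOME/secureboot-keys}"
KEY_BITS="${KEY_BITS:-4096}"
# Owner GUID recorded in every signature list entry you create; any GUID you control.
OWNER_GUID="${OWNER_GUID:-7d3a9f52-6b21-4e8c-9a10-2c5d8e7f4b61}"

# make_key <name> <subject>: self-signed certificate and private key for one variable.
make_key() {
    name=$1; subject=$2
    mkdir -p "$KEYDIR"
    openssl req -new -x509 -newkey "rsa:$KEY_BITS" -sha256 -days 3650 -nodes \
        -subj "/CN=$subject" -keyout "$KEYDIR/$name.key" -out "$KEYDIR/$name.crt" 2>/dev/null
    chmod 600 "$KEYDIR/$name.key"
    # DER copy: the form most firmware setup menus import from a USB stick.
    openssl x509 -in "$KEYDIR/$name.crt" -outform DER -out "$KEYDIR/$name.cer"
}

# fingerprint <name> [digest]: fingerprint of one certificate (default SHA-256).
# After enrolling, compare with `efi-readvar -v db` (efitools) or `mokutil --db`
# so you know exactly which certificates the firmware trusts, not only that yours is there.
fingerprint() {
    openssl x509 -in "$KEYDIR/$1.crt" -noout -fingerprint "-${2:-sha256}"
}

# make_esl: wrap each certificate in an EFI signature list and sign it with the
# key above it in the hierarchy: PK signs PK and KEK, KEK signs db.
make_esl() {
    command -v cert-to-efi-sig-list >/dev/null 2>&1 || {
        echo "efitools not installed; skipping .esl/.auth generation" >&2; return 0; }
    for v in PK KEK db; do
        cert-to-efi-sig-list -g "$OWNER_GUID" "$KEYDIR/$v.crt" "$KEYDIR/$v.esl"
    done
    # For Windows dual boot, concatenate Microsoft's published KEK and db lists
    # onto KEK.esl and db.esl before signing. Everything in those lists is then
    # trusted too, which is why the fingerprint check above matters.
    sign-efi-sig-list -g "$OWNER_GUID" -k "$KEYDIR/PK.key"  -c "$KEYDIR/PK.crt"  PK  "$KEYDIR/PK.esl"  "$KEYDIR/PK.auth"
    sign-efi-sig-list -g "$OWNER_GUID" -k "$KEYDIR/PK.key"  -c "$KEYDIR/PK.crt"  KEK "$KEYDIR/KEK.esl" "$KEYDIR/KEK.auth"
    sign-efi-sig-list -g "$OWNER_GUID" -k "$KEYDIR/KEK.key" -c "$KEYDIR/KEK.crt" db  "$KEYDIR/db.esl"  "$KEYDIR/db.auth"
}

# sign_image <input> <output>: sign a kernel, UKI or bootloader with the db key, then verify it.
sign_image() {
    command -v sbsign >/dev/null 2>&1 || { echo "sbsigntools not installed" >&2; return 1; }
    sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" --output "$2" "$1"
    sbverify --cert "$KEYDIR/db.crt" "$2"
}

make_all_keys() {
    make_key PK  "Home lab Platform Key"
    make_key KEK "Home lab Key Exchange Key"
    make_key db  "Home lab Signature Database"
    for v in PK KEK db; do fingerprint "$v"; done
}

case "${1:-}" in
    keys) make_all_keys ;;
    esl)  make_esl ;;
    sign) sign_image "${2:?input image}" "${3:?output path}" ;;
esac
```

Run `keys`, then `esl`, then enrol db first, KEK second and PK last: writing a PK takes the firmware out of setup mode, and from then on every change to a variable must be signed by the key above it. Signing is per image, so whatever builds a new kernel has to call `sign` before the file lands in the EFI system partition.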
Identity: Enterprise SSO for My Family
This is where it gets interesting. I built an enterprise-grade SSO stack: OpenLDAP as the directory backend, LLDAP as a lightweight frontend, and Authentik as the identity provider. One login gets you into Nextcloud, Jellyfin, Forgejo (self-hosted Git), Grafana, Paperless, and every other service. Role-based access control means not everyone has admin rights to everything.
My family doesn’t know they’re using enterprise SSO. They just know one password works everywhere. That’s not a footnote — it’s the whole point. Enterprise identity projects fail when users resist them. The best authentication is the kind people don’t notice.
Monitoring: Knowing “Up” Isn’t Enough
Prometheus collects metrics from every container. Grafana renders dashboards — CPU, memory, disk I/O, container health, service response times. Scrutiny monitors disk health using SMART data. Uptime Kuma checks service availability and sends me email alerts when anything goes down.
As a result, I know when a disk is degrading before it fails. I know when storage is filling up. I know when a container is consuming more memory than usual. The system tells me before I have to ask. No surprises.
AI: A Dedicated Inference Machine
A dedicated Ryzen 7 8700G machine with 64GB RAM runs all AI inference. I compiled llama.cpp from source with ROCm support for the AMD 780M iGPU, using GTT memory to load models into the full system RAM — not just the VRAM allocated in BIOS. The NAS runs Ollama + Open WebUI for casual queries; the 8700G handles serious workloads.
On top of the inference layer, I built a React frontend for document research and analysis — multi-model pipelines that process, extract, and cross-reference content. ComfyUI handles image generation. The entire AI stack runs on my own hardware, through interfaces I built. No API keys, no cloud dependency, no vendor lock-in.
Backup: Automation That Survives Bugs
BackupPC automates the 3-2-1 backup strategy. All laptops back up to the NAS incrementally. The NAS backs up to an external drive formatted with Btrfs — I chose it over ZFS for its lighter RAM footprint, kernel-native support, and the fact that a single USB backup disk doesn’t need ZFS’s multi-disk pool architecture. Btrfs gives me checksumming, snapshots, and zstd compression without the overhead.
The external drive is only mounted during the backup window and unmounted afterward: protection against ransomware or accidental deletion for everything outside that window. While it is mounted, anything running on the NAS with enough privilege can still reach it, so the window should be no longer than the copy needs.
The automation chain is udev → OpenRC → bash script. An OpenRC bug meant I couldn’t trigger the backup service directly from udev for a specific device, so the udev rule fires on any USB connection. The script itself determines whether the correct backup drive is attached by checking the UUID, retrying up to ten times with five-second intervals. It’s a workaround — the kind of pragmatic engineering that production systems are full of.
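The detection logic in that chain, as an added example in POSIX shell that is not the author's script: the udev rule fires on any USB block device and hands off to a service; the script polls for the backup disk's UUID with the same ten tries at five-second intervals, mounts it with nodev,nosuid,noexec, copies, and unmounts from a trap so the disk is released even when the copy fails. The UUID, paths, service name, mount options and rsync step are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. Models the chain described above:
# udev fires on any USB block device, the OpenRC service runs this script, and
# the script decides whether the backup disk arrived by polling for its UUID.
# The UUID, paths, service name, mount options and copy command are assumptions.
#
# Matching udev rule, e.g. /etc/udev/rules.d/90-usb-backup.rules (assumed path):
#   ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", RUN+="/sbin/rc-service usb-backup restart"
# The service, not the udev RUN handler, invokes `usb-backup.sh run`: udev kills
# RUN commands once event handling finishes, which is far too soon for a backup.

BACKUP_UUID="${BACKUP_UUID:-3f2a9c7e-1b4d-4e8a-9c6f-0d5e7a1b2c3d}"
BY_UUID_DIR="${BY_UUID_DIR:-/dev/disk/by-uuid}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/backup}"
SOURCE_DIR="${SOURCE_DIR:-/srv/backuppc}"   # assumed path of the data to copy

# wait_for_backup_disk <uuid> [tries] [interval]: poll for the device node,
# print its resolved path and return 0, or return 1 if it never appears.
# The retry is what makes "fire on any USB event" safe: the udev event for the
# enclosure can arrive before the kernel has read the partition table.
wait_for_backup_disk() {
    uuid=$1; tries=${2:-10}; interval=${3:-5}; n=0
    while [ "$n" -lt "$tries" ]; do
        if [ -e "$BY_UUID_DIR/$uuid" ]; then
            readlink -f "$BY_UUID_DIR/$uuid"
            return 0
        fi
        n=$((n + 1))
        [ "$n" -lt "$tries" ] && sleep "$interval"
    done
    return 1
}

# run_backup: mount the disk for the copy only, then always unmount, so the
# disk is reachable by nothing else and for no longer than the copy takes.
run_backup() {
    dev=$(wait_for_backup_disk "$BACKUP_UUID" 10 5) || {
        echo "UUID $BACKUP_UUID not present after retries; not the backup disk" >&2
        return 0    # some other USB device: nothing to do, and not an error
    }
    mkdir -p "$MOUNT_POINT"
    # nodev/nosuid/noexec: a backup volume should never supply executables or device nodes.
    mount -o nodev,nosuid,noexec "$dev" "$MOUNT_POINT" || return 1
    # Unmount on normal exit, on failure of any later step, and on a stop signal.
    trap 'sync; umount "$MOUNT_POINT"' EXIT INT TERM
    rsync -a --delete "$SOURCE_DIR/" "$MOUNT_POINT/"   # assumed copy step; the post does not say
}

case "${1:-}" in
    run) run_backup ;;
esac
```

Handing off to a service rather than doing the work in the udev RUN handler is deliberate, since udev does not let RUN commands outlive the event. The trap is what turns "unmount afterwards" from a habit into a guarantee: a failed rsync, OpenRC stopping the service, or a bug further down the script all still leave the disk unmounted.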
Documentation: Generated, Not Written
And here’s the part I’m most proud of — auto-generated MkDocs documentation that pulls from the live system state. Service configurations, container health, storage maps, hardware specs — all rendered as a browsable website that’s always current. No manual documentation that rots the moment you write it.
What This Home Lab Taught Me About Enterprise Architecture
So what does this imply for enterprise decisions?
Identity Sprawl
30 services × individual logins = chaos. The solution is the same at any scale — centralize identity, enforce SSO, implement role-based access. I learned more about IAM from building Authentik at home than from any vendor presentation.
Shadow IT
When the official solution is inconvenient, people find workarounds. My family stored files on laptop desktops instead of the NAS because mapping a network drive felt like effort. The fix wasn’t a policy — it was making the NAS the default save location.
In enterprise, the lesson is identical: if your sanctioned tools are harder to use than the unsanctioned ones, policy won’t save you. Design will.
Observability Gaps
Knowing that a service is “up” is not the same as knowing it’s “healthy.” Prometheus and Grafana taught me the difference. A container can respond to health checks while silently corrupting data if you’re not monitoring the right metrics. In enterprise, this is the difference between uptime dashboards and actual observability.
Documentation Decay
Every organisation I’ve worked at had documentation that was six to twelve months out of date. The solution isn’t “write better docs.” It’s to generate the docs from the system itself. When documentation is derived from the running state, it can’t go stale, with one limit: it records what the system is, not why it was built that way, so design rationale still has to be written by hand.
Backup Theatre
Organisations that “have backups” but have never tested a restore are performing backup theatre. After the laptop crash, I test restores quarterly. The backup that hasn’t been tested doesn’t exist.
Why a Finance Professional Builds This
People in my industry sometimes ask: why does a CA, a chartered accountant, run a home lab?
The answer is the same reason I pursued an LLB while working at a PE firm, or why I compile my operating system from source. I don’t trust what I haven’t built. I can’t evaluate an enterprise AI proposal if I’ve never run a model locally. I can’t assess a cloud migration plan if I don’t understand containerisation. I can’t judge an SSO vendor if I haven’t implemented identity management myself.
The best technology decisions come from people who understand both the business problem and the technology. The home lab is where I build the enterprise architecture understanding. The 20 years in finance is where I build the business understanding. Together, they compound.
Every container I deploy teaches me something that makes me better at the day job. That’s not a hobby. That’s professional development with a blinking cursor.