Hello Hello..! Good to see you here!
A while ago, I came across a blog that said:
“Homelabs are the perfect places to learn about technology infrastructure in hands-on ways.”
That couldn’t be more true. You don’t need to take anyone’s word for it—just try building one, and you’ll understand exactly what it means.
Let’s skip the long introductions and dive straight into what my homelab setup looks like.
Currently, my homelab runs on an old MSI laptop, which, despite its age, still packs a punch with a beastly i7 processor, 24GB of RAM, and a 512GB SSD.
Now, you might be wondering—don’t I have better hardware lying around? Yes, I do! I also own a Legion Slim 5 and a Mac Mini M4 (2024). But interestingly, I don’t consider them part of my homelab. Why? Well… you’ll find out soon.
So, without further delay, let’s look at the hardware components that make up my homelab:
| Device | Description | Role |
|---|---|---|
| MSI GF65 Thin 9SEXR | Intel Core i7-9750H, 24GB RAM, 512GB SSD, RTX 3060 | Primary Homelab Server |
| GPON Modem | Provided by ISP, terminates fiber connection | Internet Gateway |
| TP-Link Router (modified) | Reconfigured as Layer 2 switch | Smart Switch / Access Point |
The main component of the setup is the laptop (a Linux server), which does many things; specifically, it serves as:
| Service | Purpose | Notes |
|---|---|---|
| Pi-hole | 🔹 DHCP Server 🔹 DNS Resolver 🔹 Network-wide Ad Blocking | Handles all network-level IP allocation and DNS filtering |
| Local Web Server (e.g., Nginx) | Hosts internal sites/tools | |
| Ollama Server | LLM backend (e.g., DeepSeek + VSCode extension) | Provides AI coding support over LAN |
| Grafana | Monitoring all the services in the network | |
While this may look like a straightforward setup, there is always some customization.
Pi-hole:
Pi-hole is installed directly on Ubuntu without any containers, which allows more customization.
After completing the setup I ran into a dilemma:
DoH or DoT?
I went ahead with DoT, with unbound and cloudflared (cloudflared itself talks to Cloudflare over HTTPS); that meant creating a custom service to run my own cloudflared instance too.
The setup was fairly simple:
1. Install Pi-hole:
```bash
curl -sSL https://install.pi-hole.net | bash
```
2. Follow all the installer steps.
3. Install unbound:
```bash
sudo apt update
sudo apt install unbound
```
4. Edit the unbound config:
```bash
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
```
and change it to
```
server:
    interface: 127.0.0.1
    # must match the 127.0.0.1#5335 upstream entered in Pi-hole (step 7)
    port: 5335
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    # only the local Pi-hole may query this resolver
    access-control: 127.0.0.0/8 allow
forward-zone:
    name: "."
    # forward everything to Cloudflare over TLS (port 853); the #name after each
    # address is the certificate name unbound verifies against tls-cert-bundle
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```
5. Restart and enable unbound:
```bash
sudo systemctl restart unbound
sudo systemctl enable unbound
```
6. Create a custom systemd unit for cloudflared (a unit file such as `/etc/systemd/system/cloudflared.service`):
```ini
[Unit]
Description=cloudflared DNS-over-HTTPS proxy
After=network-online.target
Wants=network-online.target

[Service]
# proxy-dns listens on 127.0.0.1:5054 (the port entered in Pi-hole in step 7) and
# forwards to Cloudflare over HTTPS. A "tunnel run --token ..." ExecStart would start
# a Cloudflare Tunnel instead and would not provide a local DNS listener.
TimeoutStartSec=0
Type=simple
ExecStart=/usr/bin/cloudflared --no-autoupdate proxy-dns --port 5054 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
```
7. Point Pi-hole at the local resolver (Settings → DNS in the admin UI):
- Uncheck all upstream DNS providers
- Under “Custom 1 (IPv4)” put `127.0.0.1#5335` for Unbound, OR `127.0.0.1#5054` for cloudflared
- OR set both as Custom 1 and Custom 2 if you want fallback
- Click Save.
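The unbound config in step 4 and the Pi-hole upstream entry in step 7 have to agree (listening port, TLS forwarding, auth names, loopback-only access), and a mismatch fails silently. This is an added example, not code from the original post: a small checker that parses the unbound snippet and compares it with the Pi-hole upstream value. The embedded config is a constructed copy of the post's snippet, assuming port 5335.

```python
import re
# Constructed copy of this post's unbound snippet, assuming port 5335 to match Pi-hole's "Custom 1 (IPv4)".
UNBOUND_CONF = """\
server:
    interface: 127.0.0.1
    port: 5335
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    access-control: 127.0.0.0/8 allow
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""
PIHOLE_UPSTREAM = "127.0.0.1#5335"  # what goes into "Custom 1 (IPv4)"

def parse_unbound(text):
    """Minimal unbound.conf reader: {section: {key: [values...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":  # "server:" / "forward-zone:" open a new section
            current = sections.setdefault(key, {})
        elif current is not None:
            current.setdefault(key, []).append(value)
    return sections

def check_dot_chain(conf_text, pihole_upstream):
    """Findings for the Pi-hole -> unbound -> Cloudflare chain; [] means consistent."""
    conf = parse_unbound(conf_text)
    srv, fz = conf.get("server", {}), conf.get("forward-zone", {})
    first = lambda sec, key, default="?": sec.get(key, [default])[0]
    findings = []
    listen = f"{first(srv, 'interface')}#{first(srv, 'port')}"
    if listen != pihole_upstream:  # a 5335 vs 5353 mix-up shows up here
        findings.append(f"Pi-hole forwards to {pihole_upstream} but unbound listens on {listen}")
    if first(fz, "forward-tls-upstream", "no") != "yes":
        findings.append("forward-tls-upstream is not yes: upstream queries go out in plaintext")
    for addr in fz.get("forward-addr", []):  # TLS needs port 853 plus a #auth-name
        if not re.fullmatch(r"[\d.]+@853#[\w.-]+", addr):
            findings.append(f"forward-addr {addr} lacks @853 and/or a #auth-name")
    for acl in srv.get("access-control", []):
        if acl.endswith("allow") and not acl.startswith("127."):
            findings.append(f"access-control '{acl}' exposes the resolver beyond loopback")
    return findings
```

Run it against the real `/etc/unbound/unbound.conf.d/pi-hole.conf` by reading the file into `check_dot_chain` instead of the embedded copy.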
Bonus: add these adlists to block all kinds of ads and malicious links too:
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
http://sysctl.org/cameleon/hosts
https://v.firebog.net/hosts/Easyprivacy.txt
https://hosts.oisd.nl/
https://adaway.org/hosts.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://v.firebog.net/hosts/Easylist.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/UncheckyAds/hosts
https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://v.firebog.net/hosts/Prigent-Malware.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://raw.githubusercontent.com/superover/TikTok-Blocklist/master/tiktok.txt
8. Test it
Go to any website to test DNS resolution, and go to https://one.one.one.one/help/ to check whether DoT is working.
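Step 8 checks DoT from the browser; as an added example (not code from the original post), here is the same DNS-over-TLS exchange done by hand in Python, which shows what unbound's `forward-tls-upstream` actually does on the wire: a TLS session to port 853 whose certificate is checked against the auth name, carrying length-prefixed DNS messages. The server, auth name and query name are assumptions.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (RFC 1035): header with RD set, then QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp):
    """Return (txid, rcode, answer_count) from a raw DNS response."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, ancount  # rcode 0 = NOERROR, 3 = NXDOMAIN

def recv_exact(sock, n):
    """Read exactly n bytes (DoT messages are length-prefixed, so we must not short-read)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session early")
        buf += chunk
    return buf

def dot_query(name, server="1.1.1.1", auth_name="cloudflare-dns.com", timeout=5):
    """One DNS-over-TLS round trip (RFC 7858): TLS to server:853, certificate verified
    against auth_name (the same role as the '#cloudflare-dns.com' suffix on unbound's
    forward-addr), each message prefixed with its 2-byte big-endian length."""
    ctx = ssl.create_default_context()  # system CA bundle + hostname check, like tls-cert-bundle
    query = build_query(name)
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            txid, rcode, answers = parse_header(recv_exact(tls, length))
            if txid != 0x1234:
                raise ValueError("transaction id mismatch: response is not for our query")
            return rcode, answers

if __name__ == "__main__":
    print(dot_query("one.one.one.one"))  # needs outbound TCP 853 to Cloudflare
```

If the ISP or firewall blocks port 853 the connection fails outright rather than silently falling back to plaintext, which is exactly the behaviour you want from the unbound forwarder too.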
ECH: ECH stands for Encrypted Client Hello. It is a TLS protocol extension that encrypts part of the handshake and masks the Server Name Indication (SNI) used to negotiate a TLS session.
Together with DoT, this means the ISP sees neither your DNS queries nor the hostname in the TLS handshake. (There is a catch: whatever website you visit must support it too.)
To check it, just go to https://tls-ech.dev/
Now that I had already set up my homelab, I installed NGINX as a reverse proxy.
I did the same with Grafana, and you can read more about that here.
Evidently, this has been running my whole network for 6 months and it is running great. My father stopped installing unnecessary apps on his phone. He can read any news article with a single click. And as a bonus, many malicious sites are blocked too.
I will be writing about the Ollama DeepSeek VSCode extension very soon. Stay tuned.
