1. High‑level architecture

The design is built around three layers: a public DNS/mail & web layer, a public ingress/proxy layer, and a private home–lab compute layer. Each layer has a single responsibility and protects the next layer behind it.

The guiding principle: only expose what must be public, and keep everything else on private networks with strictly controlled entry points.

2. Roles of each layer

3. Home–lab machine roles (generic pattern)

While the exact hostnames are omitted, the pattern is role‑based rather than hardware‑based. Machines are promoted into roles where their strengths matter and their weaknesses are irrelevant.

4. Network design and cabling

The network is intentionally over‑provisioned on cabling and under‑provisioned on always‑on nodes to stay efficient and ready for scaling.

• Wiring: Cat8 cables are used for all critical links, typically around 10 m per run.
• Throughput: currently 1 Gbps at the endpoints, but cabling is ready for higher speeds later.
• Ethernet adapters: laptops without native Ethernet use USB–Ethernet dongles (1 Gbps).
• Wi‑Fi: considered legacy/slow and avoided for critical services; wired is the default.
• Power discipline: only machines actively serving a role stay online; reserves remain powered off.

Strategy: invest once in quality cabling so that machines can be rearranged, promoted, or repurposed freely without ever being limited by the physical network.

5. Security posture

Security is achieved by minimizing exposure, not by layering dozens of reactive tools. Services are split into public and private planes, and remote access is restricted by design.

5.1 Public surface

• Websites: hosted on the remote DNS/web/mail server with provider‑level DDoS protection.
• Mail: accounts handled on the same server; sending/usage restricted to trusted IPs.
• Self‑hosted services: exposed via the ingress VPS only (e.g. music, photos, notes).
• Certificates: TLS managed centrally on the Plesk server and/or ingress VPS.

5.2 Restricted access

• SSH (hosting server): bound to a single trusted IP; all other SSH traffic dropped.
• Mail protocols: sending and possibly reading limited to trusted IPs to prevent abuse.
• SSH (home–lab): only available on the LAN; no port forwarding from the internet.
• Admin panels: accessible only from trusted locations or via the LAN.

5.3 Design trade‑offs

• No remote SSH to home–lab: deliberate choice to reduce attack surface to nearly zero.
• Service‑only exposure: users can reach applications, but not the underlying machines.
• Simple ingress: ingress VPS is small, rebuildable, and doesn’t hold critical data.

The core idea: remote access to services is allowed; remote access to systems is not. The system is designed to be stable enough that remote SSH is a convenience, not a requirement.

6. Adaptation checklist

To adapt this pattern for another environment, the following checklist can be used as a starting point:

• DNS: Move domain nameservers to a server you control (or a provider you trust).
• Mail: Centralize mail hosting; lock SMTP/IMAP/POP to specific IP ranges where possible.
• Ingress VPS: Deploy a small VPS to act as the single public entry and reverse proxy.
• Home–lab isolation: Do not expose the home IP; route everything through the ingress VPS.
• SSH policy: Restrict SSH to trusted IPs and/or to the LAN only.
• Role‑based hardware: Assign machines based on strengths (CPU, RAM, GPU, storage, stability).
• Cabling: Overbuild the physical network once so future expansion is trivial.
• Power discipline: Keep reserve nodes powered off until the ecosystem actually needs them.