Overview
This is an overview of my homelab setup running on a ThinkPad X1 Extreme converted to a home server.
The hardware
Lenovo ThinkPad X1 Extreme Gen 2 serves as the main server:
- CPU: Intel Core i7-9850H @ 2.60GHz (6 cores, 12 threads)
- RAM: 32GB DDR4-2667 SODIMM
- GPU: NVIDIA GeForce GTX 1650 Mobile + Intel UHD Graphics 630
- Connectivity: Wi-Fi 6 AX200, Gigabit Ethernet, Thunderbolt 3
- OS: Ubuntu
The laptop form factor provides a built-in UPS through its battery, an integrated debugging interface, sufficient power for transcoding and AI workloads, and low-noise operation.
Storage is organized into three tiers:
- 512GB internal SSD for the OS
- 1TB fast SSD for photos and databases
- 4TB external SSD for media storage
A Raspberry Pi 4 8GB runs Home Assistant OS for smart home automation on a separate IP address.
Service architecture
All services run in Docker containers organized into functional stacks:
Media
A fully automated media acquisition and streaming stack:
- Plex and Jellyfin for streaming movies and TV shows
- Sonarr automatically grabs new TV episodes
- Radarr handles movie downloads
- Prowlarr manages all the indexers
- qBittorrent for downloads
All download traffic routes through a Gluetun VPN container connected to ProtonVPN for security.
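A check that the download services really share Gluetun's network namespace is sketched below. It is an added example, not part of the original setup, and it assumes the compose service names `gluetun`, `qbittorrent` and `prowlarr` and input in the shape produced by `docker compose config --format json`; the sample configs are constructed.

```python
import json

# Assumed compose service names; the page names the applications, not the keys.
VPN_SERVICE = "gluetun"
MUST_USE_VPN = ("qbittorrent", "prowlarr")


def audit_vpn_routing(compose, vpn=VPN_SERVICE, required=MUST_USE_VPN):
    """Return findings; an empty list means every required service shares
    the VPN container's network namespace and cannot bypass the tunnel."""
    services = compose.get("services", {})
    if vpn not in services:
        return [f"{vpn}: VPN service is not defined"]
    findings = []
    for name in required:
        svc = services.get(name)
        if svc is None:
            findings.append(f"{name}: service is not defined")
        elif svc.get("network_mode") != f"service:{vpn}":
            mode = svc.get("network_mode") or "unset"
            findings.append(f"{name}: network_mode is {mode}, traffic can bypass {vpn}")
    return findings


# Constructed samples shaped like `docker compose config --format json` output.
WEAK = json.loads("""
{"services": {
  "gluetun": {},
  "qbittorrent": {"networks": {"default": null},
                  "ports": [{"target": 8080, "published": "8080"}]},
  "prowlarr": {"network_mode": "service:gluetun"}
}}
""")
FIXED = json.loads("""
{"services": {
  "gluetun": {"ports": [{"target": 8080, "published": "8080"}]},
  "qbittorrent": {"network_mode": "service:gluetun"},
  "prowlarr": {"network_mode": "service:gluetun"}
}}
""")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_vpn_routing(cfg) or "ok")
```

In the fixed sample the web UI port is published on the `gluetun` service, because a container that joins another service's network namespace cannot publish ports of its own.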
Personal
- Immich - self-hosted photo management with AI face recognition
- Nextcloud - cloud storage platform
- PostgreSQL and Redis for Immich's database and caching
Networking
- WireGuard Easy - VPN server for secure remote access
- AdGuard Home - network-wide ad blocking
- Traefik - reverse proxy handling SSL certificates via Let's Encrypt
- Cloudflare DDNS - dynamic DNS updates
A custom domain provides clean URLs instead of IP addresses and ports. Traefik automatically manages SSL certificates from Let's Encrypt for HTTPS across all services.
Admin
- Homarr - centralized dashboard for all services
- Portainer - Docker container management interface
- FileBrowser - web-based file management
- Beszel - system monitoring across multiple drives
Home Automation
- Home Assistant - smart home automation platform (running on separate Raspberry Pi)
Management
Services are organized into four Docker Compose stacks.
Accessing services
The security model exposes only two ports to the internet: Plex (for mobile app compatibility) and WireGuard. All other services require VPN access.
Local Network: Services are accessible via the server's local IP address on their respective ports. The Homarr dashboard provides a centralized interface with links to all services. Clean URLs are available through the configured domain and the Traefik reverse proxy, with automatic HTTPS certificates.
Remote Access: Connect via WireGuard VPN to access the full service stack securely. Plex is directly accessible for mobile streaming without VPN.
Future plans
- S3 Glacier backup implementation
- Service separation across multiple machines
- Container permission hardening
- Automated update strategy with Watchtower
Architecture Diagram
flowchart TB
    subgraph homelab["Main Server"]
        wireguard["WireGuard"]
        gluetun["Gluetun VPN"]
        qbittorrent["qBittorrent"]
        prowlarr["Prowlarr"]
        jellyfin["Jellyfin"]
        plex["Plex"]
        sonarr["Sonarr"]
        radarr["Radarr"]
        immich["Immich"]
        nextcloud["Nextcloud"]
        filebrowser["FileBrowser"]
        homarr["Homarr"]
        beszel["Beszel"]
        ddns["Cloudflare DDNS"]
        traefik["Traefik"]
        adguard["AdGuard Home"]
        internal[("Internal<br>1TB SSD")]
        external[("External<br>4TB SSD")]
    end
    subgraph rpi["Raspberry Pi"]
        homeassistant["Home Assistant"]
    end
    proton(["ProtonVPN<br>Netherlands"]) --> gluetun --> prowlarr & qbittorrent
    qbittorrent <-. Downloads client .-> sonarr & radarr
    prowlarr <-. Index sync .-> sonarr & radarr
    radarr & sonarr --> external
    jellyfin & plex --> external
    filebrowser <--> external & internal
    nextcloud & immich --> internal
    internet(["Internet"]) --> proton
    internet -. Open ports .-> wireguard & plex
    beszel & ddns & adguard & traefik
    homeassistant