前言
作为一个喜欢折腾的技术爱好者,我一直想要搭建一个属于自己的家庭实验室(Homelab)。既要能在本地网络中使用,又要能通过互联网安全访问,还要有自动化功能来提高效率。经过一番研究和实践,我成功搭建了一套基于免费域名和 Cloudflare Zero Trust 的现代化 Homelab 方案。
为什么选择这套方案?
市面上有很多 Homelab 解决方案,但大多数要么需要昂贵的域名和证书,要么安全性不够好。我选择这套方案的原因:
- 完全免费 - 使用 DigitalPlat FreeDomain 获取免费域名
- 安全可靠 - Cloudflare Zero Trust 提供企业级安全保护
- 易于管理 - 统一的 Web 界面管理所有服务
- 高度自动化 - n8n 工作流自动化,定时备份
- 隐私保护 - Pi-hole + Unbound 组合保护 DNS 隐私
"最好的 Homelab 方案不是最贵的,而是最适合自己的。"
硬件配置与架构
我的 Homelab 采用了混合架构,主要包括:
主服务器配置
- CPU: Intel i5-6600T 处理器
- 内存: 12GB DDR4
- 存储: 256GB SSD
- 网络: WiFi 连接
辅助设备
- Raspberry Pi Zero 2W: 作为 DNS 服务器和轻量级服务的节能方案
- Tailscale VPN: 连接所有设备形成私有网络
核心服务架构
主服务器服务列表
| 服务名称 | 域名 | 端口 | 功能描述 |
|---|---|---|---|
| Syncthing | syncthing.example.dpdns.org | 8384 | 文件同步服务 |
| Cockpit | cockpit.example.dpdns.org | 9090 | 系统监控面板 |
| Portainer | portainer.example.dpdns.org | 9443 | Docker 容器管理 |
| Nextcloud | nextcloud.example.dpdns.org | 80 | 私have云存储 |
| n8n | n8n.example.dpdns.org | 5678 | 工作流自动化 |
| Ollama | ollama.example.dpdns.org | 11434 | 本地 AI 模型服务 |
Pi Zero 2W 服务列表
| 服务名称 | 域名 | 端口 | 功能描述 |
|---|---|---|---|
| Pi Syncthing | pi-syncthing.example.dpdns.org | 8384 | 备用文件同步 |
| Pi-hole | pihole.example.dpdns.org | 80 | DNS 广告拦截 |
免费域名申请与配置
第一步:申请 DigitalPlat FreeDomain
- 访问 DigitalPlat FreeDomain – NIC 官网
- 选择合适的免费域名后缀(我选择了
.dpdns.org) - 注册域名(使用通用示例域名,避免暴露真实信息)
- 完成域名验证
第二步:迁移到 Cloudflare
- 在 Cloudflare 中添加域名
- 将 DigitalPlat 的 Name Servers 改为 Cloudflare 提供的 NS
- 等待 DNS 传播完成(通常需要 24-48 小时)
小贴士:免费域名虽然功能有限,但对于 Homelab 来说完全够用。
Cloudflare Zero Trust 隧道配置
使用 Web GUI 配置隧道
我选择通过 Cloudflare Zero Trust 的 Web 界面来配置隧道,这种方式更加直观和方便:
登录 Cloudflare Zero Trust 控制台
创建隧道:
- 进入 Access → Tunnels
- 点击 "Create a tunnel"
- 选择 "Cloudflared" 作为连接器类型
- 为隧道命名(如 "homelab-main")
安装 Cloudflared:
bash# Ubuntu/Debian - 按照控制台显示的命令 curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb sudo dpkg -i cloudflared.deb # 运行控制台提供的连接命令 sudo cloudflared service install [YOUR_TOKEN_HERE]配置公共主机名: 在 Web 界面中添加以下服务映射:
syncthing.example.dpdns.org→http://localhost:8384cockpit.example.dpdns.org→https://localhost:9090portainer.example.dpdns.org→https://localhost:9443nextcloud.example.dpdns.org→http://localhost:80n8n.example.dpdns.org→http://localhost:5678ollama.example.dpdns.org→http://127.0.0.1:11434
核心服务部署详解
1. 文件同步服务 - Syncthing
为什么选择 Syncthing?
- 去中心化,无需第三方服务器
- 端到端加密,隐私安全
- 跨平台支持,设备间无缝同步
APT 安装配置:
bash
# 添加官方 APT 源
sudo mkdir -p /etc/apt/keyrings
sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg
echo "deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list
# 安装 Syncthing
sudo apt update
sudo apt install syncthing
# 启用系统服务
sudo systemctl enable syncthing@$USER
sudo systemctl start syncthing@$USER通过 Syncthing,我的所有设备(手机、笔记本、服务器)都能保持文件同步,再也不用担心文件丢失或版本混乱。
2. 工作流自动化 - n8n (Docker)
Docker 部署 n8n:
bash
# 创建数据目录
docker volume create n8n_data
# 运行 n8n 容器
docker run -d \
--name n8n \
--network=host \
-v n8n_data:/home/node/.n8n \
-e N8N_HOST=n8n.example.dpdns.org \
-e WEBHOOK_URL=https://n8n.example.dpdns.org \
-e VUE_APP_URL_BASE_API=https://n8n.example.dpdns.org \
-e N8N_PROTOCOL=https \
-e N8N_SECURE_COOKIE=false \
-e N8N_LISTEN_ADDRESS=0.0.0.0 \
-e N8N_RUNNERS_ENABLED=true \
-e N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true \
--restart unless-stopped \
docker.n8n.io/n8nio/n8n我的自动化场景:
- 文件备份自动化:检测到重要文件变动时,自动备份到云端
- 系统监控告警:服务器资源异常时,自动发送通知到手机
- 定时任务管理:自动清理临时文件,更新系统补丁
3. 容器管理 - Portainer (Docker)
Docker 部署 Portainer:
bash
# 创建数据卷
docker volume create portainer_data
# 运行 Portainer 容器
docker run -d \
-p 8000:8000 \
-p 9443:9443 \
--name portainer \
--restart=always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
portainer/portainer-ce:lts4. DNS 过滤与隐私保护 - Pi-hole + Unbound
Pi-hole 配置:
bash
# 安装 Pi-hole
curl -sSL https://install.pi-hole.net | bashUnbound 配置(参考官方文档):
bash
# 安装 Unbound
sudo apt install unbound
# 创建配置文件
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf配置内容:
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to no if you don't have IPv6 connectivity
do-ip6: yes
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
private-address: 192.0.2.0/24
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 255.255.255.255/32
private-address: 2001:db8::/32防火墙配置 - Firewalld
基本防火墙配置:
bash
# 安装 firewalld
sudo apt install firewalld
# 启用服务
sudo systemctl enable firewalld
sudo systemctl start firewalld
# 开放必要端口
sudo firewall-cmd --permanent --add-port=8384/tcp # Syncthing
sudo firewall-cmd --permanent --add-port=9090/tcp # Cockpit
sudo firewall-cmd --permanent --add-port=9443/tcp # Portainer
sudo firewall-cmd --permanent --add-port=80/tcp # Nextcloud
sudo firewall-cmd --permanent --add-port=5678/tcp # n8n
sudo firewall-cmd --permanent --add-port=11434/tcp # Ollama
# 重载防火墙规则
sudo firewall-cmd --reload
# 查看开放的端口
sudo firewall-cmd --list-ports自动化备份策略
Rclone 云端备份
Rclone 配置:
bash
# 安装 Rclone
curl https://rclone.org/install.sh | sudo bash
# 配置云存储(以 Google Drive 为例)
rclone config手动备份命令示例:
bash
# 备份重要数据到 Google Drive
rclone sync /home/important-data gdrive:backup/$(date +%Y-%m-%d) --log-file=/var/log/rclone.logTailscale VPN 网络集成
为什么使用 Tailscale?
- 零配置:无需复杂的 VPN 服务器配置
- 点对点连接:设备间直接通信,延迟更低
- 安全加密:基于 WireGuard 的现代加密技术
- 跨平台支持:支持所有主流操作系统
网络拓扑:
Internet
↓
Cloudflare Zero Trust (公网访问)
↓
Home WiFi Router
├── Main Server (i5-6600T, WiFi)
├── Pi Zero 2W (DNS + 监控)
└── Tailscale Subnet Router
↓
Tailscale Network
├── Laptop (移动办公)
├── Phone (随时访问)
└── Remote VPS (异地备份)安全性考虑与最佳实践
1. 网络安全
- Zero Trust 原则:所有连接都需要验证
- Firewalld 防火墙:只开放必要的端口
- 定期安全更新:自动化补丁管理
2. 数据保护
- 多重备份:本地 + 云端备份
- 加密存储:敏感数据加密存储
- 访问日志:记录所有访问行为
3. 监控告警
- 系统监控:通过 Cockpit 监控系统状态
- 服务监控:关键服务可用性检查
- 安全监控:异常访问行为检测
成本分析
| 项目 | 费用 | 备注 |
|---|---|---|
| 域名 | RM 0 | DigitalPlat 免费域名 |
| Cloudflare Zero Trust | RM 0 | 免费套餐(50用户以下) |
| Tailscale | RM 0 | 免费套餐(20设备以下) |
| 主服务器 (i5-6600T + 12GB RAM + 256GB SSD) | RM 400 | 一次性投入 |
| Pi Zero 2W | RM 80 | 一次性投入 |
总成本:RM 480 一次性投入,后续运营成本几乎为零!
未来扩展计划
添加更多服务
- Home Assistant(智能家居控制)
- Grafana(数据可视化)
- GitLab(代码仓库)
硬件升级
- 增加存储容量
- 升级内存到 16GB
- 添加 UPS 不间断电源
网络优化
- 考虑有线网络连接
- 部署高可用集群
- 增加异地容灾节点
结语
经过几天的运行,这套基于免费域名和 Cloudflare Zero Trust 的 Homelab 方案已经完全满足了我的需求。它不仅提供了稳定可靠的服务,还大大提高了我的工作效率。
关键优势总结:
- ✅ 低成本投入:仅 RM 480 一次性硬件投入
- ✅ 企业级安全:Cloudflare 提供的安全保护
- ✅ 高度自动化:减少人工干预,提高效率
- ✅ 隐私保护:数据完全自主可控
- ✅ 易于维护:统一的管理界面
如果你也想搭建自己的 Homelab,但又不想花费太多成本,这套方案绝对值得尝试。记住,最好的技术方案不是最复杂的,而是最适合自己需求的!
Introduction
As a tech enthusiast who loves tinkering, I’ve always wanted to build my own homelab. Something that works on my local network, can be securely accessed from the internet, and has automation features to boost productivity. After some research and practice, I successfully built a modern homelab solution based on a free domain and Cloudflare Zero Trust.
Why Choose This Solution?
There are many homelab solutions available, but most either require expensive domains and certificates or lack adequate security. I chose this solution because:
- Completely Free - Using DigitalPlat FreeDomain for free domain
- Secure and Reliable - Cloudflare Zero Trust provides enterprise-grade security
- Easy to Manage - Unified web interface for all services
- Highly Automated - n8n workflow automation, scheduled backups
- Privacy Protection - Pi-hole + Unbound combo protects DNS privacy
"The best homelab solution isn’t the most expensive one, but the one that fits your needs."
Hardware Configuration and Architecture
My homelab uses a hybrid architecture, mainly including:
Main Server Configuration
- CPU: Intel i5-6600T processor
- Memory: 12GB DDR4
- Storage: 256GB SSD
- Network: WiFi connection
Supporting Devices
- Raspberry Pi Zero 2W: Energy-efficient solution for DNS server and lightweight services
- Tailscale VPN: Connecting all devices into a private network
Core Service Architecture
Main Server Service List
| Service Name | Domain | Port | Description |
|---|---|---|---|
| Syncthing | syncthing.example.dpdns.org | 8384 | File synchronization service |
| Cockpit | cockpit.example.dpdns.org | 9090 | System monitoring panel |
| Portainer | portainer.example.dpdns.org | 9443 | Docker container management |
| Nextcloud | nextcloud.example.dpdns.org | 80 | Private cloud storage |
| n8n | n8n.example.dpdns.org | 5678 | Workflow automation |
| Ollama | ollama.example.dpdns.org | 11434 | Local AI model service |
Pi Zero 2W Service List
| Service Name | Domain | Port | Description |
|---|---|---|---|
| Pi Syncthing | pi-syncthing.example.dpdns.org | 8384 | Backup file sync |
| Pi-hole | pihole.example.dpdns.org | 80 | DNS ad blocking |
Free Domain Application and Configuration
Step 1: Apply for DigitalPlat FreeDomain
- Visit DigitalPlat FreeDomain – NIC official website
- Select appropriate free domain suffix (I chose
.dpdns.org) - Register domain (using generic example domain to avoid exposing real information)
- Complete domain verification
Step 2: Migrate to Cloudflare
- Add domain in Cloudflare
- Change DigitalPlat Name Servers to Cloudflare provided NS
- Wait for DNS propagation (usually takes 24-48 hours)
Tip: Free domains have limited features, but they’re completely sufficient for homelab use.
Cloudflare Zero Trust Tunnel Configuration
Using Web GUI to Configure Tunnels
I chose to configure tunnels through the Cloudflare Zero Trust web interface, which is more intuitive and convenient:
Login to Cloudflare Zero Trust Console
Create Tunnel:
- Go to Access → Tunnels
- Click "Create a tunnel"
- Select "Cloudflared" as connector type
- Name your tunnel (e.g., "homelab-main")
Install Cloudflared:
bash# Ubuntu/Debian - follow the commands shown in console curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb sudo dpkg -i cloudflared.deb # Run the connection command provided by console sudo cloudflared service install [YOUR_TOKEN_HERE]Configure Public Hostnames: Add the following service mappings in the web interface:
syncthing.example.dpdns.org→http://localhost:8384cockpit.example.dpdns.org→https://localhost:9090portainer.example.dpdns.org→https://localhost:9443nextcloud.example.dpdns.org→http://localhost:80n8n.example.dpdns.org→http://localhost:5678ollama.example.dpdns.org→http://127.0.0.1:11434
Core Service Deployment Details
1. File Synchronization Service - Syncthing
Why Choose Syncthing?
- Decentralized, no third-party servers needed
- End-to-end encryption, privacy secure
- Cross-platform support, seamless device sync
APT Installation Configuration:
bash
# Add official APT repository
sudo mkdir -p /etc/apt/keyrings
sudo curl -L -o /etc/apt/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg
echo "deb [signed-by=/etc/apt/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list
# Install Syncthing
sudo apt update
sudo apt install syncthing
# Enable system service
sudo systemctl enable syncthing@$USER
sudo systemctl start syncthing@$USERThrough Syncthing, all my devices (phone, laptop, server) stay in sync, no more worrying about file loss or version conflicts.
2. Workflow Automation - n8n (Docker)
Docker Deployment for n8n:
bash
# Create data directory
docker volume create n8n_data
# Run n8n container
docker run -d \
--name n8n \
--network=host \
-v n8n_data:/home/node/.n8n \
-e N8N_HOST=n8n.example.dpdns.org \
-e WEBHOOK_URL=https://n8n.example.dpdns.org \
-e VUE_APP_URL_BASE_API=https://n8n.example.dpdns.org \
-e N8N_PROTOCOL=https \
-e N8N_SECURE_COOKIE=false \
-e N8N_LISTEN_ADDRESS=0.0.0.0 \
-e N8N_RUNNERS_ENABLED=true \
-e N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true \
--restart unless-stopped \
docker.n8n.io/n8nio/n8nMy Automation Scenarios:
- File Backup Automation: Auto backup to cloud when important files change
- System Monitoring Alerts: Send notifications to phone when server resources are abnormal
- Scheduled Task Management: Auto cleanup temporary files, update system patches
3. Container Management - Portainer (Docker)
Docker Deployment for Portainer:
bash
# Create data volume
docker volume create portainer_data
# Run Portainer container
docker run -d \
-p 8000:8000 \
-p 9443:9443 \
--name portainer \
--restart=always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
portainer/portainer-ce:lts4. DNS Filtering and Privacy Protection - Pi-hole + Unbound
Pi-hole Configuration:
bash
# Install Pi-hole
curl -sSL https://install.pi-hole.net | bashUnbound Configuration (Following Official Documentation):
Following the Pi-hole official Unbound guide:
bash
# Install Unbound
sudo apt install unbound
# Create configuration file
sudo nano /etc/unbound/unbound.conf.d/pi-hole.confConfiguration Content:
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to no if you don't have IPv6 connectivity
do-ip6: yes
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
# Ensure no reverse queries to non-public IP ranges (RFC6303 4.2)
private-address: 192.0.2.0/24
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 255.255.255.255/32
private-address: 2001:db8::/32Firewall Configuration - Firewalld
Basic Firewall Configuration:
bash
# Install firewalld
sudo apt install firewalld
# Enable service
sudo systemctl enable firewalld
sudo systemctl start firewalld
# Open necessary ports
sudo firewall-cmd --permanent --add-port=8384/tcp # Syncthing
sudo firewall-cmd --permanent --add-port=9090/tcp # Cockpit
sudo firewall-cmd --permanent --add-port=9443/tcp # Portainer
sudo firewall-cmd --permanent --add-port=80/tcp # Nextcloud
sudo firewall-cmd --permanent --add-port=5678/tcp # n8n
sudo firewall-cmd --permanent --add-port=11434/tcp # Ollama
# Reload firewall rules
sudo firewall-cmd --reload
# Check open ports
sudo firewall-cmd --list-portsAutomated Backup Strategy
Rclone Cloud Backup
Rclone Configuration:
bash
# Install Rclone
curl https://rclone.org/install.sh | sudo bash
# Configure cloud storage (Google Drive example)
rclone configManual Backup Command Examples:
bash
# Backup important data to Google Drive
rclone sync /home/important-data gdrive:backup/$(date +%Y-%m-%d) --log-file=/var/log/rclone.logTailscale VPN Network Integration
Why Use Tailscale?
- Zero Configuration: No complex VPN server setup needed
- Peer-to-Peer Connection: Direct device communication, lower latency
- Secure Encryption: Modern encryption based on WireGuard
- Cross-Platform Support: Supports all major operating systems
Network Topology:
Internet
↓
Cloudflare Zero Trust (Public Access)
↓
Home WiFi Router
├── Main Server (i5-6600T, WiFi)
├── Pi Zero 2W (DNS + Monitoring)
└── Tailscale Subnet Router
↓
Tailscale Network
├── Laptop (Mobile Work)
├── Phone (Anytime Access)
└── Remote VPS (Off-site Backup)Security Considerations and Best Practices
1. Network Security
- Zero Trust Principle: All connections require verification
- Firewalld Firewall: Only open necessary ports
- Regular Security Updates: Automated patch management
2. Data Protection
- Multiple Backups: Local + Cloud backup
- Encrypted Storage: Sensitive data encrypted storage
- Access Logs: Record all access behavior
3. Monitoring and Alerting
- System Monitoring: Monitor system status through Cockpit
- Service Monitoring: Critical service availability checks
- Security Monitoring: Abnormal access behavior detection
Cost Analysis
| Item | Cost | Notes |
|---|---|---|
| Domain | MYR 0 | DigitalPlat free domain |
| Cloudflare Zero Trust | MYR 0 | Free tier (under 50 users) |
| Tailscale | MYR 0 | Free tier (under 20 devices) |
| Main Server (i5-6600T + 12GB RAM + 256GB SSD) | MYR 400 | One-time investment |
| Pi Zero 2W | MYR 80 | One-time investment |
Total Cost: MYR 480 one-time investment, ongoing operational costs are almost zero!
Future Expansion Plans
Add More Services
- Home Assistant (smart home control)
- Grafana (data visualization)
- GitLab (code repository)
Hardware Upgrades
- Increase storage capacity
- Upgrade memory to 16GB
- Add UPS uninterruptible power supply
Network Optimization
- Consider wired network connection
- Deploy high availability cluster
- Add off-site disaster recovery nodes
Conclusion
After several days of operation, this homelab solution based on free domain and Cloudflare Zero Trust has completely met my needs. It not only provides stable and reliable services but also greatly improves my work efficiency.
Key Advantages Summary:
- ✅ Low Cost Investment: Only MYR 480 one-time hardware investment
- ✅ Enterprise-Grade Security: Security protection provided by Cloudflare
- ✅ Highly Automated: Reduces manual intervention, improves efficiency
- ✅ Privacy Protection: Data completely under your control
- ✅ Easy to Maintain: Unified management interface
If you also want to build your own homelab but don’t want to spend too much, this solution is definitely worth trying. Remember, the best technical solution isn’t the most complex one, but the one that best fits your needs!