Home Lab.

Running a consultancy on a laptop is fine until you realize the boring infrastructure jobs — backups, uptime monitoring, the network plumbing — should not depend on whether the laptop is open.

I needed a small, cheap, always-on box that could do the things SaaS would otherwise nickel-and-dime me for: monitor my clients' sites and tell me when they go down, run scheduled backups, block ads at the DNS level for my whole network, and give me a private mesh into my client environments without exposing anything to the public internet.

A Raspberry Pi 4 in a fanless case, behind a UPS, running a tight stack of self-hosted tools. Each service runs in its own systemd unit so failures stay isolated, and the whole thing pages me via ntfy when something doesn't come back up.

• Pi-hole at the DNS layer for the whole household and any device that VPNs in.
• Uptime Kuma watching every client site I manage — HTTP, SSL expiry, response time.
• Cron-driven backups pulling from client servers and pushing to encrypted offsite storage on a tiered schedule.
• Tailscale mesh so I can reach the lab (and any client environment I've enrolled) from anywhere without poking holes in firewalls.
• ntfy for self-hosted push notifications to my phone when anything goes sideways.

  ┌─────────────────────────────────────────────────┐
  │  RASPBERRY PI 4 · 8GB · DEBIAN BOOKWORM         │
  ├─────────────────────────────────────────────────┤
  │  pi-hole         →  network-wide DNS blocking   │
  │  uptime-kuma     →  watches 14 client sites     │
  │  rsync + cron    →  daily / weekly backups      │
  │  tailscale       →  private mesh, every host    │
  │  ntfy            →  self-hosted push alerts     │
  │  duckdns         →  dynamic DNS for the WAN     │
  │  unbound         →  recursive DNS resolver      │
  │  fail2ban        →  ssh brute-force shield      │
  ├─────────────────────────────────────────────────┤
  │  systemd · ufw · unattended-upgrades            │
  └─────────────────────────────────────────────────┘

• OS: Debian Bookworm on the Pi, hardened with ufw, fail2ban, unattended-upgrades, and SSH key-only auth.
• Service isolation: each tool runs as its own systemd unit so a Pi-hole hiccup can't take down uptime monitoring.
• Backups: rsync pulls nightly snapshots from each managed client server into a local repo, then a weekly dump pushes encrypted to offsite storage. Tiered retention — 7 daily, 4 weekly, 6 monthly.
• Monitoring: Uptime Kuma pings every client site I'm responsible for. If a site returns non-2xx for two consecutive checks, ntfy buzzes my phone with the site name and the failure mode.
• Remote access: the Pi is the Tailscale exit node for my mesh. I can reach client environments, the lab itself, and a couple of side projects from anywhere — no port forwards, no public-facing services.
• Power: the whole box runs on a small UPS so brownouts don't reboot the world.

It's the dullest project on this list and the one I'm most quietly proud of. I know within minutes when a client site goes down. Backups happen whether I'm working or not. The ad blocking pays for itself in saved bandwidth every month. And when a friend asks me to fix their printer, I have a Tailscale node ready to drop into their network.

The temptation with home-lab work is to keep adding services. The discipline is to not. Every service on the box has to earn its place by replacing something I would otherwise pay for, or by enabling something I couldn't do otherwise. The eight running services are eight conscious decisions; everything else got cut.

Also: a $75 Raspberry Pi running for years is a really effective answer to a lot of consulting-overhead problems. Sometimes the right tool is not a SaaS subscription.