Why a Home Lab Still Matters
The cloud is convenient, but running your own infrastructure teaches you things that managed services deliberately hide. In 2026, home-lab hardware is cheap: power-efficient ARM boards and refurbished enterprise gear give you real compute for under $200, and the self-hosted software ecosystem has never been more mature.
This guide walks you through everything from hardware selection to your first running services.
Hardware Selection
You don't need a rack. Three common starting points:
- Raspberry Pi 5 (8 GB) — fanless, 10 W idle, adequate for a DNS resolver, a web gateway, and a few containers.
- Mini PC (Intel N100 / AMD 6600H) — $120–180 refurbished, full x86 compatibility, 16–32 GB RAM. This is the sweet spot for most home labs in 2026.
- Refurbished server (Dell R620, HP DL360 Gen9) — cheap used, noisy, power-hungry, but enormous expandability. Good if you have a basement or dedicated room.
Operating System
Debian 13 "Trixie" is the recommendation for 2026 home labs. Reasons:
- Rock-stable base; security updates without surprises.
- Excellent Docker and Podman support out of the box.
- Clean upgrade path across major versions.
Alternatively, use Ubuntu Server 24.04 LTS if you want broader hardware support and Snap integration.
# After minimal Debian install — update and harden
apt update && apt full-upgrade -y
apt install -y unattended-upgrades fail2ban ufw curl git
ufw default deny incoming
ufw allow ssh
ufw enable
Network Segmentation
The biggest mistake home-lab newcomers make is putting everything on a flat LAN. A better approach:
If you have a Ubiquiti, TP-Link Omada, or pfSense router, VLAN configuration takes about 30 minutes.
Essential Self-Hosted Services
1. Web Gateway / TLS Terminator: Caddy or Traefik
Caddy auto-provisions Let's Encrypt certificates for local subdomains via DNS challenge. With a single Caddyfile entry you get HTTPS everywhere on your home network.
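# Public CAs such as Let's Encrypt only issue for names under a domain you
# control, not for .lan; substitute a subdomain of your own domain.
homelab.lan {
    # Proxy requests to the service listening on localhost:8080
    reverse_proxy localhost:8080
}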
2. Container Orchestration: Docker + Compose
For a single-node home lab, Docker Compose files are simpler than Kubernetes. Keep your compose files in a Git repo — this doubles as your lab's source of truth and disaster-recovery plan.
3. Monitoring: Grafana + Prometheus + Node Exporter
Three containers, one compose file, 15 minutes. You get CPU, memory, disk, and network dashboards for every machine in your lab.
4. Password Vault: Vaultwarden
Vaultwarden is a community-maintained, memory-efficient implementation of the Bitwarden server protocol. Self-host it and use the official Bitwarden clients on all your devices. Your credentials never leave your hardware.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    volumes:
      - ./vw-data:/data
    environment:
      WEBSOCKET_ENABLED: "true"
      SIGNUPS_ALLOWED: "false"
5. File Synchronization: Syncthing
Syncthing gives you Dropbox-style file sync across all your devices — phone, laptop, home server — with no cloud intermediary. Files are encrypted in transit with TLS and authenticated per-device.
Linux Hardening Checklist
Before exposing any service to the internet:
- [ ] Disable root SSH login (PermitRootLogin no)
- [ ] Use SSH key authentication only (PasswordAuthentication no)
- [ ] Enable fail2ban for SSH brute-force protection
- [ ] Enable automatic security updates via unattended-upgrades
- [ ] Run all services in containers with non-root users
- [ ] Audit open ports monthly with ss -tlnp
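The SSH and open-port items of the checklist above can be checked mechanically. The script below is an added example, not part of the original guide: the function names, the sample data, and the allowlisted ports are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Both checks read command output on stdin, so they can be
# exercised offline. Real use (as root):
#   sshd -T | audit_sshd
#   ss -tln | unexpected_ports 22 443

# audit_sshd: parse `sshd -T` output (effective config, lowercase keywords).
# Prints one FAIL line per problem; succeeds only if both settings are "no".
# A missing keyword counts as a failure.
audit_sshd() {
    awk '
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pass = $2 }
        END {
            if (root != "no") { print "FAIL PermitRootLogin=" (root == "" ? "unset" : root); bad = 1 }
            if (pass != "no") { print "FAIL PasswordAuthentication=" (pass == "" ? "unset" : pass); bad = 1 }
            exit bad + 0
        }'
}

# exposed_ports: parse `ss -tln` output and print the TCP ports listening on
# a wildcard address (0.0.0.0, [::] or *). Loopback-only listeners are skipped.
exposed_ports() {
    awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\[::\]|\*):/ {
            port = $4; sub(/.*:/, "", port); print port
        }' | sort -nu
}

# unexpected_ports ALLOWED...: print exposed ports that are not in the
# allowlist given as arguments; fails if any remain.
unexpected_ports() {
    allowed=" $* "
    extra=$(exposed_ports | while read -r p; do
        case "$allowed" in (*" $p "*) ;; (*) echo "$p" ;; esac
    done)
    if [ -n "$extra" ]; then echo "$extra"; return 1; fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_SSHD='port 22
permitrootlogin prohibit-password
passwordauthentication no'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22      0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8080    0.0.0.0:*
LISTEN 0      128             [::]:22         [::]:*
LISTEN 0      4096               *:9090          *:*'
```

Reading `sshd -T` rather than the config file means included files and built-in defaults are already resolved, so a setting that was never written down still shows up.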
Backup Strategy
The 3-2-1 rule: three copies, two different media, one off-site. For a home lab:
- Local: rsync daily snapshot to a USB drive or second disk.
- Near-line: NAS with RAID-1 or ZFS mirror.
- Off-site: encrypted archive to a cloud object store (Backblaze B2 is $0.006/GB/month).
# Simple rsync backup script
rsync -aAXv --delete /home/ /mnt/backup/home/
Next Steps
Once your base lab is running, explore:
- Ansible playbooks to automate OS provisioning across multiple machines.
- Terraform for declarative infrastructure if you mix cloud and on-premises.
- Kubernetes (k3s) when you outgrow single-node Compose deployments.
The WEDC membership library includes ready-to-use Ansible playbooks, Terraform modules, and Docker Compose stacks for all the services mentioned here. Members get new configurations dropped weekly.