Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized mirror from private repository - 2026-04-18 11:19:59 UTC
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m14s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gitea Mirror Bot
2026-04-18 11:19:59 +00:00
commit fb00a325d1
1418 changed files with 359990 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

808
docs/infrastructure/family-network-integration.md Normal file
View File

@@ -0,0 +1,808 @@
# 👨‍👩‍👧‍👦 Family Network Integration Guide
**🟡 Intermediate Guide**
This guide covers integrating your family's separate network and ISP with your homelab infrastructure, enabling seamless access to Plex, Immich photo sync, and Synology services while optimizing for different bandwidth capabilities.
## 🎯 Network Architecture Overview
### **Network Topology**
```bash
# Your Homelab Network
ISP: 20 Gbps up/down
Location: Primary residence
Subnet: 192.168.1.0/24
Key Services: Atlantis (Plex, Immich), Calypso (Media), Synology
# Family Network
ISP: 2 Gbps down / 400 Mbps up
Location: Family residence
Subnet: 192.168.2.0/24 (different to avoid conflicts)
Bridge Device: Concord-NUC (on family network)
```
### **Integration Strategy**
```bash
# Concord-NUC as Bridge/Gateway
Role: Site-to-site VPN endpoint and local cache
Services: WireGuard server, Tailscale exit node, local caching
Network: Connected to family network (192.168.2.x)
Tailscale IP: concord-nuc.vish.local
# Bandwidth Optimization
Homelab → Family: Utilize full 20 Gbps upload
Family → Homelab: Respect 400 Mbps upload limit
Local Caching: Cache frequently accessed content on Concord-NUC
Quality Adaptation: Automatic quality adjustment based on bandwidth
```
---
## 🌐 Site-to-Site VPN Configuration
### **Tailscale Site-to-Site Setup**
#### **Configure Concord-NUC as Subnet Router**
```bash
# On Concord-NUC (at family location)
# Enable IP forwarding
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Advertise family subnet to Tailscale
sudo tailscale up --advertise-routes=192.168.2.0/24 --accept-dns=false
# Verify subnet advertisement
tailscale status
```
#### **Accept Subnet Routes on Homelab**
```bash
# In Tailscale Admin Console (https://login.tailscale.com/admin)
# Navigate to: Machines → concord-nuc → Route settings
# Enable: 192.168.2.0/24 subnet route
# This allows homelab to reach family network devices directly
# On homelab servers, accept the routes
sudo tailscale up --accept-routes
```
#### **Configure Family Router**
```bash
# Add static routes on family router to route homelab traffic through Concord-NUC
# Router Admin → Advanced → Static Routes
# Route homelab Tailscale network through Concord-NUC
Destination: 100.64.0.0/10
Gateway: 192.168.2.100 (Concord-NUC local IP)
Interface: LAN
# Route specific homelab subnets (optional)
Destination: 192.168.1.0/24
Gateway: 192.168.2.100
Interface: LAN
```
### **WireGuard Site-to-Site (Alternative)**
#### **Configure WireGuard on Concord-NUC**
```bash
# Install WireGuard
sudo apt update && sudo apt install wireguard
# Generate keys
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod 600 /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
# Configure WireGuard interface
sudo tee /etc/wireguard/wg-family.conf << 'EOF'
[Interface]
PrivateKey = CONCORD_PRIVATE_KEY
Address = 10.100.0.2/24
ListenPort = 51821
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# Homelab endpoint (Atlantis)
PublicKey = ATLANTIS_PUBLIC_KEY
Endpoint = your-homelab-external-ip:51820
AllowedIPs = 192.168.1.0/24, 10.100.0.1/32
PersistentKeepalive = 25
EOF
# Enable and start WireGuard
sudo systemctl enable wg-quick@wg-family
sudo systemctl start wg-quick@wg-family
```
---
## 📺 Plex Integration and Optimization
### **Plex Server Configuration**
#### **Network and Remote Access**
```bash
# On Atlantis (Plex server)
# Plex Settings → Network
# Network Interface: All interfaces
# Secure connections: Preferred
# Remote access: Enable
# Manually specify public port: 32400
# Custom server access URLs:
# - https://atlantis.vish.local:32400
# - https://plex.vish.local:32400 (if using custom DNS)
# Bandwidth settings for family network
# Settings → Network → Remote streaming
Maximum remote streaming bitrate: 20 Mbps (respect family's download limit)
Internet upload speed: 20000 Mbps (your homelab upload)
```
#### **Quality and Transcoding Settings**
```bash
# Settings → Transcoder
Transcoder quality: Automatic
Use hardware acceleration: Enable (if available)
Use hardware-accelerated video encoding: Enable
Maximum simultaneous video transcode: 4
# Settings → Network → Show Advanced
Enable Relay: Disable (force direct connections)
Treat WAN IP As LAN: Add family network subnet (192.168.2.0/24)
List of IP addresses and networks that are allowed without auth: 192.168.2.0/24
```
### **Family Device Configuration**
#### **Plex App Setup on Family Devices**
```bash
# Install Plex app on family devices:
# - Smart TVs, Apple TV, Roku, Fire TV
# - Mobile devices (iOS/Android)
# - Computers (Windows/Mac/Linux)
# Sign in with Plex account
# Server should auto-discover via Tailscale or direct connection
# If not found, manually add server:
# Server address: atlantis.vish.local:32400
# Or: concord-nuc.vish.local:32400 (if using local proxy)
```
#### **Local Plex Cache on Concord-NUC**
```bash
# Set up Plex Media Server on Concord-NUC for caching
# This reduces bandwidth usage for frequently watched content
# Install Plex on Concord-NUC
wget https://downloads.plex.tv/plex-media-server-new/1.40.0.7998-c29d4c0c8/debian/plexmediaserver_1.40.0.7998-c29d4c0c8_amd64.deb
sudo dpkg -i plexmediaserver_*.deb
# Configure as secondary server with sync
# Plex Settings → Sync
# Enable sync for frequently watched content
# Sync location: /var/lib/plexmediaserver/sync
```
---
## 📸 Immich Photo Sync Integration
### **Immich Server Configuration**
#### **Multi-Site Photo Management**
```bash
# On Calypso (primary Immich server)
# Configure for external access via Tailscale
# Immich Admin Settings
# Server Settings → External domain: https://calypso.vish.local:2283
# Storage Settings → Upload location: /volume1/immich/upload
# User Settings → Storage quota: Unlimited (for family)
# Create family user accounts
# Administration → Users → Add User
Username: family-member-1
Email: family1@vish.local
Password: "REDACTED_PASSWORD" strong password]
Storage quota: Unlimited
```
#### **Immich Proxy on Concord-NUC**
```bash
# Set up Nginx proxy on Concord-NUC for local access optimization
sudo apt install nginx
# Configure Nginx proxy
sudo tee /etc/nginx/sites-available/immich-proxy << 'EOF'
server {
listen 2283;
server_name concord-nuc.vish.local;
# Increase upload limits for photos/videos
client_max_body_size 2G;
proxy_request_buffering off;
location / {
proxy_pass https://calypso.vish.local:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Optimize for photo uploads
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
}
}
EOF
sudo ln -s /etc/nginx/sites-available/immich-proxy /etc/nginx/sites-enabled/
sudo systemctl restart nginx
```
### **Family Device Photo Sync**
#### **iOS Immich App Configuration**
```bash
# Install Immich mobile app from App Store
# Configure connection:
Server URL: https://concord-nuc.vish.local:2283
# Or direct: https://calypso.vish.local:2283
# Login with family account credentials
# Enable auto-backup:
# Settings → Auto backup
# Backup when charging: Enable
# Backup on WiFi only: Enable (to respect mobile data)
# Background app refresh: Enable
# Backup settings:
# Include videos: Enable
# Backup quality: Original (you have bandwidth)
# Backup frequency: Immediate
```
#### **Android Immich App Configuration**
```bash
# Install Immich from Google Play Store or F-Droid
# Configure similar to iOS:
Server URL: https://concord-nuc.vish.local:2283
Auto-backup: Enable
WiFi only: Enable
Background sync: Enable
Quality: Original
```
#### **Desktop Immich CLI Sync**
```bash
# Install Immich CLI on family computers
npm install -g @immich-app/cli
# Configure API key (from Immich web interface)
# User Settings → API Keys → Create API Key
# Set up sync script for family computers
cat > ~/sync-photos.sh << 'EOF'
#!/bin/bash
export IMMICH_INSTANCE_URL="https://concord-nuc.vish.local:2283"
export IMMICH_API_KEY=REDACTED_API_KEY
# Sync photos from common directories
immich upload ~/Pictures/
immich upload ~/Desktop/Photos/
immich upload /Users/Shared/Photos/ # macOS
immich upload ~/Documents/Photos/
echo "Photo sync completed: $(date)"
EOF
chmod +x ~/sync-photos.sh
# Schedule regular sync (every 4 hours)
crontab -e
# Add: 0 */4 * * * /home/user/sync-photos.sh >> /home/user/sync-photos.log 2>&1
```
---
## 💾 Synology Integration
### **Synology Drive for Family**
#### **Configure Synology Drive Server**
```bash
# On Atlantis (Synology NAS)
# Package Center → Install Synology Drive Server
# Synology Drive Admin Console
# Enable Synology Drive: ✅
# Enable versioning: ✅ (keep 32 versions)
# Enable team folders: ✅
# External access: Enable via Tailscale (atlantis.vish.local:6690)
```
#### **Create Family Shared Folders**
```bash
# Control Panel → Shared Folder → Create
# Family Photos (for Synology Photos)
Name: FamilyPhotos
Location: /volume1/FamilyPhotos
Description: Family photo collection
Users: family-member-1, family-member-2 (Read/Write)
# Family Documents
Name: FamilyDocuments
Location: /volume1/FamilyDocuments
Description: Shared family documents
Users: family-member-1, family-member-2 (Read/Write)
# Family Media
Name: FamilyMedia
Location: /volume1/FamilyMedia
Description: Family videos and media
Users: family-member-1, family-member-2 (Read/Write)
```
#### **Synology Drive Client Setup**
```bash
# Install Synology Drive Client on family devices
# Download from: https://www.synology.com/en-us/support/download
# Configuration:
Server address: https://atlantis.vish.local:6690
Username: family-member-1
Password: "REDACTED_PASSWORD" member password]
# Sync settings:
Local folder: ~/SynologyDrive
Server folder: /FamilyDocuments, /FamilyPhotos
Sync mode: Two-way sync
Bandwidth limit: 50 Mbps upload (respect family ISP limit)
```
### **Synology Photos Integration**
#### **Configure Synology Photos**
```bash
# On Atlantis
# Package Center → Install Synology Photos
# Synology Photos Settings
# General → Enable Synology Photos: ✅
# Indexing → Auto-index shared folders: FamilyPhotos
# External access: Enable (via Tailscale)
# Face recognition: Enable
# Object recognition: Enable
```
#### **Family Device Photo Backup**
```bash
# Install Synology Photos mobile app
# Configure backup:
Server: https://atlantis.vish.local (Synology Photos port)
Account: family-member-1
Backup folder: FamilyPhotos/[Device Name]
# Backup settings:
Auto backup: Enable
WiFi only: Enable
Original quality: Enable
Include videos: Enable
Background backup: Enable
```
---
## 🚀 Performance Optimization
### **Bandwidth Management**
#### **QoS Configuration on Family Router**
```bash
# Configure QoS to prioritize homelab traffic
# Router Admin → Advanced → QoS
# Upload QoS (400 Mbps total)
High Priority (200 Mbps): Video calls, VoIP
Medium Priority (150 Mbps): Homelab sync, photo uploads
Low Priority (50 Mbps): General browsing, updates
# Download QoS (2 Gbps total)
High Priority (1 Gbps): Streaming, video calls
Medium Priority (800 Mbps): Homelab services, file downloads
Low Priority (200 Mbps): Background updates
```
#### **Traffic Shaping on Concord-NUC**
```bash
# Install traffic control tools
sudo apt install iproute2 wondershaper
# Create traffic shaping script
sudo tee /usr/local/bin/family-qos.sh << 'EOF'
#!/bin/bash
# Family network traffic shaping
# Clear existing rules
tc qdisc del dev eth0 root 2>/dev/null
# Create root qdisc
tc qdisc add dev eth0 root handle 1: htb default 30
# Create classes for different traffic types
# Class 1:10 - High priority (streaming, real-time)
tc class add dev eth0 parent 1: classid 1:10 htb rate 1000mbit ceil 1500mbit
# Class 1:20 - Medium priority (homelab services)
tc class add dev eth0 parent 1: classid 1:20 htb rate 400mbit ceil 800mbit
# Class 1:30 - Low priority (background)
tc class add dev eth0 parent 1: classid 1:30 htb rate 100mbit ceil 200mbit
# Add filters for different services
# Plex traffic (high priority)
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip dport 32400 0xffff flowid 1:10
# Immich uploads (medium priority)
tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dport 2283 0xffff flowid 1:20
# Synology sync (medium priority)
tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 match ip dport 6690 0xffff flowid 1:20
EOF
chmod +x /usr/local/bin/family-qos.sh
# Run on startup
echo "/usr/local/bin/family-qos.sh" >> /etc/rc.local
```
### **Caching and CDN**
#### **Nginx Caching on Concord-NUC**
```bash
# Configure Nginx for caching frequently accessed content
sudo tee /etc/nginx/conf.d/cache.conf << 'EOF'
# Cache configuration
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=homelab_cache:100m max_size=50g inactive=7d use_temp_path=off;
# Cache for Plex thumbnails and metadata
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
proxy_cache homelab_cache;
proxy_cache_valid 200 7d;
proxy_cache_valid 404 1m;
add_header X-Cache-Status $upstream_cache_status;
expires 7d;
}
# Cache for Immich thumbnails
location /api/asset/thumbnail {
proxy_cache homelab_cache;
proxy_cache_valid 200 30d;
proxy_cache_key "$scheme$request_method$host$request_uri";
add_header X-Cache-Status $upstream_cache_status;
}
EOF
# Create cache directory
sudo mkdir -p /var/cache/nginx
sudo chown www-data:www-data /var/cache/nginx
sudo systemctl restart nginx
```
#### **Local DNS Caching**
```bash
# Install and configure dnsmasq for local DNS caching
sudo apt install dnsmasq
# Configure dnsmasq
sudo tee /etc/dnsmasq.conf << 'EOF'
# Listen on family network interface
interface=eth0
bind-interfaces
# Cache size and TTL
cache-size=10000
local-ttl=300
# Forward to homelab DNS (Pi-hole) via Tailscale
server=100.64.0.1 # Atlantis Tailscale IP
# Local overrides for performance
address=/concord-nuc.vish.local/192.168.2.100
address=/plex.family.local/192.168.2.100
address=/photos.family.local/192.168.2.100
EOF
sudo systemctl enable dnsmasq
sudo systemctl start dnsmasq
```
---
## 📊 Monitoring and Analytics
### **Family Network Monitoring**
#### **Grafana Dashboard for Family Network**
```bash
# Create family-specific Grafana dashboard
# Panels to include:
# 1. Bandwidth usage (upload/download)
# 2. Plex streaming sessions and quality
# 3. Photo sync progress and storage usage
# 4. Concord-NUC system resources
# 5. Network latency between sites
# 6. Service availability (Plex, Immich, Synology)
# Add Prometheus monitoring to Concord-NUC
# Install node_exporter
wget https://github.com/prometheus/node_exporter/releases/latest/download/node_exporter-*linux-amd64.tar.gz
tar xvfz node_exporter-*linux-amd64.tar.gz
sudo mv node_exporter-*/node_exporter /usr/local/bin/
sudo useradd -rs /bin/false node_exporter
# Create systemd service
sudo tee /etc/systemd/system/node_exporter.service << 'EOF'
[Unit]
Description=Node Exporter
After=network.target
[Service]
User=node_exporter
Group=node_exporter
Type=simple
ExecStart=/usr/local/bin/node_exporter
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable node_exporter
sudo systemctl start node_exporter
```
#### **Family Usage Analytics**
```bash
# Track family usage patterns
# Create InfluxDB database for family metrics
# On homelab (Atlantis), add family data collection
# Plex usage by family members
# Photo upload statistics
# Bandwidth utilization patterns
# Service response times from family network
# Example Telegraf configuration for family metrics
cat >> /etc/telegraf/telegraf.conf << 'EOF'
# Family network monitoring
[[inputs.ping]]
urls = ["concord-nuc.vish.local", "192.168.2.1"]
count = 3
ping_timeout = 10.0
[[inputs.http_response]]
urls = [
"https://concord-nuc.vish.local:2283", # Immich proxy
"https://concord-nuc.vish.local:32400", # Plex proxy
"https://concord-nuc.vish.local:6690" # Synology proxy
]
response_timeout = "10s"
method = "GET"
[[inputs.net]]
interfaces = ["tailscale0", "wg-family"]
EOF
```
---
## 🔒 Security Considerations
### **Network Segmentation**
#### **Firewall Rules on Concord-NUC**
```bash
# Configure UFW for family network security
sudo ufw enable
# Allow family network access to homelab services
sudo ufw allow from 192.168.2.0/24 to any port 32400 # Plex
sudo ufw allow from 192.168.2.0/24 to any port 2283 # Immich
sudo ufw allow from 192.168.2.0/24 to any port 6690 # Synology
# Allow Tailscale traffic
sudo ufw allow in on tailscale0
sudo ufw allow out on tailscale0
# Block direct access to homelab management
sudo ufw deny from 192.168.2.0/24 to any port 22 # SSH
sudo ufw deny from 192.168.2.0/24 to any port 3000 # Grafana
sudo ufw deny from 192.168.2.0/24 to any port 9090 # Prometheus
# Log denied connections
sudo ufw logging on
```
#### **Access Control Lists**
```bash
# Configure Tailscale ACLs for family access
# Tailscale Admin → Access Controls
{
"groups": {
"group:family": ["family-member-1@domain.com", "family-member-2@domain.com"],
"group:admin": ["admin@domain.com"]
},
"acls": [
// Family members - limited access to media services
{
"action": "accept",
"src": ["group:family"],
"dst": [
"atlantis.vish.local:32400", // Plex
"calypso.vish.local:2283", // Immich
"atlantis.vish.local:6690", // Synology Drive
"concord-nuc.vish.local:*" // Local proxy services
]
},
// Admin - full access
{
"action": "accept",
"src": ["group:admin"],
"dst": ["*:*"]
}
]
}
```
### **Data Privacy and Backup**
#### **Family Data Backup Strategy**
```bash
# Automated backup of family data from Concord-NUC to homelab
# Create backup script
cat > /usr/local/bin/family-backup.sh << 'EOF'
#!/bin/bash
# Family data backup to homelab
BACKUP_DATE=$(date +%Y%m%d)
BACKUP_LOG="/var/log/family-backup.log"
log() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$BACKUP_LOG"
}
# Backup family photos to Atlantis
log "Starting family photo backup"
rsync -avz --progress /var/lib/immich/upload/ \
atlantis.vish.local:/volume1/backups/family/photos/ \
>> "$BACKUP_LOG" 2>&1
# Backup Synology Drive sync data
log "Starting Synology Drive backup"
rsync -avz --progress /home/*/SynologyDrive/ \
atlantis.vish.local:/volume1/backups/family/documents/ \
>> "$BACKUP_LOG" 2>&1
# Backup Plex cache/metadata
log "Starting Plex cache backup"
rsync -avz --progress /var/lib/plexmediaserver/ \
atlantis.vish.local:/volume1/backups/family/plex-cache/ \
>> "$BACKUP_LOG" 2>&1
log "Family backup completed"
EOF
chmod +x /usr/local/bin/family-backup.sh
# Schedule daily backups at 2 AM
echo "0 2 * * * /usr/local/bin/family-backup.sh" | crontab -
```
---
## 📱 Family Mobile Device Setup
### **Simplified Mobile Configuration**
#### **Family iOS/Android Setup**
```bash
# Install essential apps on family devices:
# Core Apps:
- Plex (media streaming)
- Immich (photo backup)
- Synology Drive (file sync)
- Synology Photos (photo management)
# Optional Apps:
- Tailscale (for advanced users)
- Home Assistant (if using smart home)
- Grafana (for tech-savvy family members)
# Configure apps to use Concord-NUC as proxy:
Plex Server: concord-nuc.vish.local:32400
Immich Server: concord-nuc.vish.local:2283
Synology: concord-nuc.vish.local:6690
```
#### **Family Network WiFi Optimization**
```bash
# Configure family router for optimal streaming
# WiFi Settings:
Channel Width: 160 MHz (5 GHz)
QAM: 1024-QAM (if supported)
Band Steering: Enable
Airtime Fairness: Enable
Beamforming: Enable
# Device Priority:
High Priority: Streaming devices (Apple TV, Roku, etc.)
Medium Priority: Mobile devices
Low Priority: IoT devices, smart home
```
---
## 📋 Family Integration Checklist
### **Initial Setup**
```bash
☐ Configure Concord-NUC as Tailscale subnet router
☐ Set up site-to-site VPN between networks
☐ Configure family router static routes
☐ Install and configure Plex proxy on Concord-NUC
☐ Set up Immich proxy and photo sync
☐ Configure Synology Drive for family access
☐ Implement QoS and traffic shaping
☐ Set up local DNS caching
☐ Configure monitoring and analytics
☐ Test all services from family network
```
### **Family Device Setup**
```bash
☐ Install Plex app on all family streaming devices
☐ Configure Immich mobile apps for photo backup
☐ Set up Synology Drive clients on family computers
☐ Install Synology Photos apps for photo management
☐ Configure WiFi optimization on family router
☐ Test streaming quality and performance
☐ Set up parental controls if needed
☐ Create user accounts for all family members
☐ Document access credentials securely
☐ Train family members on app usage
```
### **Security and Maintenance**
```bash
☐ Configure firewall rules on Concord-NUC
☐ Set up Tailscale ACLs for family access
☐ Implement automated backup procedures
☐ Configure monitoring alerts
☐ Set up bandwidth monitoring
☐ Create maintenance schedule
☐ Document troubleshooting procedures
☐ Test disaster recovery procedures
☐ Regular security audits
☐ Update documentation as needed
```
---
## 🔗 Related Documentation
- [Tailscale Setup Guide](tailscale-setup-guide.md) - VPN infrastructure setup
- [Mobile Device Setup](mobile-device-setup.md) - Family mobile device configuration
- [Ubiquiti Enterprise Setup](ubiquiti-enterprise-setup.md) - Advanced networking options
- [Individual Service Docs](../services/individual/README.md) - Plex, Immich, Synology configuration
- [Security Model](security.md) - Security considerations for family access
---
**💡 Pro Tip**: Start with Plex streaming to test the connection, then gradually add photo sync and file sharing. Monitor bandwidth usage closely during the first few weeks to optimize QoS settings for your family's usage patterns!