Home Server
Author: Thomas Quan
12 min read
A hobby of owning.
I didn’t grow up owning much. Games, software, even storage space were all things I had to figure out how to get on my own. Like a lot of kids from that era, I got into cracking games early, usually getting a virus or two in the process. That eventually led me to torrenting, learning how to patch installers, mount ISOs, and find the least shady download links. It wasn’t just about getting stuff for free, it was survival mixed with curiosity.
Back then, the internet actually felt free. Not just in cost, but in spirit. You could do things, build things, break things, and no one was locking you into subscriptions or limiting your access behind paywalls and terms of service.
But things changed. Everything became a monthly fee. Music, movies, storage, tools, even note-taking apps. Suddenly you didn’t own anything, you just rented access to your own digital life.
This NAS project is me pushing back.
It’s about owning my data again. Hosting my own services. Cutting the dependency on platforms I have zero control over. And maybe most importantly, it's about having a part-time gig as the sysadmin and network guy of the house: running containers, monitoring systems, optimizing the network.
What started as a storage box became something much more. This is how I turned a Synology NAS into my personal server stack, and why I'm still obsessed with improving it.
Hardware
The server is currently running on a Synology DS423+ with two 12TB HDDs, 2GB of built-in RAM, plus an additional 16GB upgrade.
This setup offers a solid baseline for running multiple Docker containers while still keeping the NAS responsive and stable.
I'm not trying to max it out; instead, the goal is to keep things lightweight and reliable. Its main job is to store and serve a large amount of media: movies, TV shows, music, photos, and videos. The side jobs exist to support that main job, and I'll touch on them later.
Architecture
It might sound funny to have an "architecture" section for a NAS that's already pre-built and runs a full OS like DSM, but there's still some structure worth mentioning. With the right tweaks, you can turn a basic NAS into a pretty capable automation and self-hosting hub.
Core features
These are the parts I don’t really need to worry about day-to-day. Most of them are either handled directly by Synology or are "set-and-forget" configurations that don’t heavily impact the system once dialed in.
Share Folder Permission
This is mostly hands-off. The only thing I do here is double-check that folders have the right access settings, and that services using them are scoped to the minimum required permissions.
User and User Group Permission
This needs a bit more attention. Some services I’ve set up (and plan to build out) require specific permissions to run correctly.
For example, cAdvisor, which I had some trouble getting to talk to Grafana, needs both read and write access to certain Docker directories. Meanwhile, most of my monitoring stack (Prometheus, Node Exporter, SNMP Exporter) only needs read access.
Luckily, Synology makes this easy with folder-level permissions: Read, Write, and Admin. You can also configure inheritance to control whether subfolders follow parent permissions. Done right, you avoid any weird permission crossovers between services.
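To make the read-only versus read-write split above checkable rather than something you eyeball in Portainer, here is an added example (my code, not Synology's and not from this post) that audits the bind mounts in a compose file. The service names and host paths are constructed to mirror the monitoring stack described above; cAdvisor is on the allow list because the text says it needs write access, while a writable Docker socket is always flagged because whoever can write to it controls the Docker daemon on the host.

```python
"""Least-privilege check for container bind mounts.

Added example, not code from the original post. It takes the `services:`
mapping of a docker-compose file (as you would get after loading the YAML)
and lists every bind mount that is writable, plus any writable mount of the
Docker socket or /var/lib/docker. The compose data below is constructed to
mirror the monitoring stack described above; the host paths are assumptions.
"""

SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/var/lib/docker")


def parse_mount(spec):
    """Normalise short ('host:ctr[:opts]') or long (dict) syntax to (host, target, read_only)."""
    if isinstance(spec, dict):
        return spec["source"], spec["target"], bool(spec.get("read_only", False))
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError(f"not a bind mount: {spec!r}")
    opts = parts[2].split(",") if len(parts) > 2 else []
    return parts[0], parts[1], "ro" in opts


def audit_mounts(services, allow_write=()):
    """Return findings; allow_write names services that legitimately need a writable mount."""
    findings = []
    for name, svc in services.items():
        for spec in svc.get("volumes", []):
            host, target, read_only = parse_mount(spec)
            if read_only:
                continue  # read-only mounts are what we want for exporters
            if any(host.startswith(p) for p in SENSITIVE_HOST_PATHS):
                # Flagged even for allow-listed services: a writable socket is daemon control.
                findings.append(f"{name}: {host} is writable; mount it :ro unless it must write")
            elif name not in allow_write:
                findings.append(f"{name}: writable bind mount {host} -> {target}; add :ro if it only reads")
    return findings


# Constructed compose data (equivalent to the YAML you would feed Portainer).
SAMPLE_SERVICES = {
    "cadvisor": {"volumes": [
        "/var/run/docker.sock:/var/run/docker.sock",
        "/var/lib/docker:/var/lib/docker:ro",
        "/sys:/sys:ro",
    ]},
    "node-exporter": {"volumes": ["/proc:/host/proc:ro", "/sys:/host/sys:ro", "/:/rootfs:ro"]},
    "prometheus": {"volumes": [
        "/volume1/docker/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml",
        {"type": "bind", "source": "/volume1/docker/prometheus/data", "target": "/prometheus"},
    ]},
}

if __name__ == "__main__":
    for finding in audit_mounts(SAMPLE_SERVICES, allow_write=("cadvisor",)):
        print(finding)
```

Run it against your own stack by loading the compose file with PyYAML and passing `data["services"]`; anything it prints is a mount to justify or tighten, and the exempt list should stay as short as the text above suggests.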
Data backup
This is an easy one to be honest, so I will keep it short. I'm using Synology Hybrid RAID (SHR), which is a smarter, more flexible version of RAID 5. With two drives it mirrors the data you store: if you have 12TB of data on one drive and plug in another 12TB drive, everything on the first drive is mirrored onto the second. As you continue to add drives (regardless of their size), the extra capacity goes to the volume rather than to the mirrored drive, so it scales nicely with different-sized disks.
This is an easy setup, you just need money lol.
Here’s how SHR works at a high level:
| Drive Setup | Available Storage | Redundancy | Notes |
|---|---|---|---|
| 2x 12TB (same size) | 12TB | 1-drive failure | One disk is used for redundancy (mirrored), the other holds the data |
| Add 1x 4TB | ~14TB | 1-drive failure | SHR intelligently adds usable space while keeping redundancy |
| Add 1x 6TB | ~18TB | 1-drive failure | Space increases again, depending on parity & data distribution |
In short, SHR mirrors your data initially, but unlike strict RAID setups, it can mix drive sizes and still use extra space efficiently.
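As an added example (not from the original post, and going a bit beyond the table), here is a calculator for the layered scheme SHR uses to protect mixed-size disks: the disks are sliced into equal-height layers, each layer spanning three or more disks is protected with one disk's worth of parity (RAID 5 style), a layer spanning exactly two disks is mirrored (RAID 1 style), and space left on the single largest disk goes unused. The slicing rule is my reading of Synology's documentation, so treat it as an assumption; the figures are raw parity arithmetic before filesystem and DSM overhead, so they sit above the rounded figures in the table.

```python
"""SHR (single-drive redundancy) usable-capacity calculator.

Added example, not code from the original post or from Synology. The layered
slicing below is an assumption based on Synology's SHR description: equal-height
layers across all disks that still have space, parity for 3+ disks, mirror for 2.
"""


def shr_layout(drive_sizes_tb):
    """Return (usable_tb, layers); each layer is (height_tb, disks_spanned, kind)."""
    sizes = sorted(drive_sizes_tb)
    if len(sizes) < 2:
        return 0.0, []  # one disk gives no redundancy, so no SHR volume
    usable = 0.0
    layers = []
    previous = 0.0
    for i, size in enumerate(sizes):
        width = len(sizes) - i          # disks that still have space at this height
        height = size - previous        # how much of each of those disks this layer uses
        previous = size
        if height == 0:
            continue                    # same size as the previous disk, nothing new
        if width < 2:
            layers.append((height, width, "unused"))  # leftover on the largest disk
            continue
        kind = "mirror" if width == 2 else "parity"
        usable += height * (width - 1)  # one disk's worth of the layer is redundancy
        layers.append((height, width, kind))
    return usable, layers


def expansion_gain(before_tb, added_tb):
    """How much usable space adding one disk buys, e.g. expansion_gain([12, 12], 4)."""
    return shr_layout(list(before_tb) + [added_tb])[0] - shr_layout(before_tb)[0]


if __name__ == "__main__":
    # The scenarios from the table above (sizes are the drive capacities in TB).
    for drives in ([12, 12], [12, 12, 4], [12, 12, 4, 6], [4, 12]):
        usable, layers = shr_layout(drives)
        print(f"{drives}: {usable:.0f} TB usable, layers={layers}")
```

The last scenario is the one that surprises people: pairing a 4TB and a 12TB disk yields a 4TB mirror and leaves 8TB idle until a third disk arrives, which is exactly why SHR is easy on the wallet only once you are past two drives.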
Extended features
Now we’re getting into the good stuff, the part where we stretch the meaning of “NAS” a bit. This is where we start fully using the CPU and RAM for more than just storage.
The possibilities here are wide open:
You can run a torrent client behind a VPN and become a digital pirate, host a personal finance server to manage your budget, run a local PDF toolchain for merging and converting files, self-host an Obsidian vault for notes, or securely access everything on your NAS from anywhere in the world.
With great power comes great responsibility. by Man Spider
Synology Package Install
This part is super simple with Synology Package Center. It’s click-and-run. No deep config, no YAML, just install and go.
Here are the only 4 apps I use from the official Synology Package Center:
- Plex: Pretty much the main reason I even have this NAS to begin with.
- Synology Photos: Great for photo syncing when I’m on the same network, but I'm considering phasing it out in favor of direct folder sync via Tailscale + a custom photo viewer (e.g. Immich).
- Text Editor: Nothing fancy, just a lightweight way to tweak files directly from DSM (useful for editing .yml or config files quickly).
- Tailscale: A very, very, very powerful and useful invention that helps me securely access my NAS without exposing it to the internet; it uses WireGuard under the hood.
Docker
Since a Synology is basically a small PC packed with a bunch of storage, it opens the door to doing much more than just file serving. And thanks to one of the greatest inventions of the 21st century, Docker, we can actually make those possibilities real.
That’s why Synology ships DSM with Container Manager, which is their version of Docker with a more user-friendly interface.
But I opted out of using that and instead installed Portainer, a more flexible Docker GUI that gives you more control and a cleaner dashboard.
Once Portainer was up, I went on a month-long rampage, spinning up services like a madman.
Here’s what I’ve got running now to support and extend the core job of the NAS:
- Grafana: I set up a full monitoring stack to keep tabs on system metrics. My rule of thumb is no single container should use more than 5% CPU, and the whole system should idle below 2% when not in use. This is mostly a personal sanity check but honestly, watching live stats and pretty graphs was a big reason I wanted a home server to begin with.
- Stirling PDF: Super useful tool that handles most of my PDF tasks like merging, compressing, rotating, etc. It’s not perfect, but it’s free, local, and does the job most of the time. It is pretty resource heavy so I only turn it on when I need to use it.
- qBittorrent + Gluetun: For pulling down media (movies, TV shows) over P2P. Gluetun wraps qBittorrent in a container that routes everything through a WireGuard VPN, keeping things private and locked down.
- Actual Budget: A slick personal finance app I used to host on PikaPods, but moved locally for more control. It needs HTTPS to run properly, which is covered in the HTTPS section below.
- Caddy: This is my local HTTPS reverse proxy. It automatically gets TLS certs and serves anything I want over HTTPS. Perfect for things like Actual Budget that demand secure connections.
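The two budget rules in the Grafana bullet (no container above 5% CPU, the whole box idling below 2%) are easy to check from a shell as well as from a dashboard. Here is an added example, my code rather than anything from the post or from Grafana, that parses `docker stats --no-stream` output and reports violations; the sample output is constructed, and the `live_usage()` helper runs the real command when you want current numbers.

```python
"""Container CPU budget check (added example, not from the original post).

Parses the table printed by `docker stats --no-stream --format ...` and applies
the two rules from the Grafana bullet: no container above 5% CPU, and the total
below 2% when the NAS is idle. SAMPLE is constructed output, not a real capture.
"""
import re
import subprocess

PER_CONTAINER_LIMIT = 5.0   # percent CPU any single container may use
IDLE_TOTAL_LIMIT = 2.0      # percent CPU for everything together when idle

STATS_FORMAT = "{{.Name}} {{.CPUPerc}} {{.MemPerc}}"

# Constructed sample of what the formatted command prints.
SAMPLE = """\
plex 1.23% 4.10%
grafana 0.45% 2.02%
stirling-pdf 7.80% 9.90%
gluetun 0.30% 0.50%
"""

LINE_RE = re.compile(r"^(\S+)\s+([\d.]+)%\s+([\d.]+)%$")


def parse_stats(text):
    """Return {container_name: cpu_percent} from formatted docker stats output."""
    usage = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # blank lines or a header row simply do not match
            usage[match.group(1)] = float(match.group(2))
    return usage


def check_budget(usage, idle=False):
    """Return a list of human-readable violations (empty means within budget)."""
    problems = [
        f"{name} at {cpu:.2f}% exceeds the {PER_CONTAINER_LIMIT}% per-container limit"
        for name, cpu in usage.items() if cpu > PER_CONTAINER_LIMIT
    ]
    total = sum(usage.values())
    if idle and total > IDLE_TOTAL_LIMIT:
        problems.append(f"idle total {total:.2f}% exceeds the {IDLE_TOTAL_LIMIT}% limit")
    return problems


def live_usage():
    """Query the Docker daemon on this host; needs the docker CLI on PATH."""
    out = subprocess.run(
        ["docker", "stats", "--no-stream", "--format", STATS_FORMAT],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_stats(out)


if __name__ == "__main__":
    for problem in check_budget(parse_stats(SAMPLE), idle=True):
        print(problem)
```

Wired into DSM's Task Scheduler with the output mailed to you, this gives a cheap alert for a container that has run away (or, as with Stirling PDF above, one that was left running after the job was done).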
Networking
The Laundry List
This was by far the trickiest part of the entire setup: figuring out how to access my NAS and its services securely from anywhere in the world without exposing it to unnecessary risks.
Here were my strict non-negotiables:
- ✅ Must go through a VPN
- ✅ Must be a direct peer-to-peer (P2P) connection
- ✅ Must not allow internet access to the internal network
- ✅ Must have a kill switch to prevent rogue access
- ✅ Must offer a simple, memorable DNS to type and access
- ✅ Must support HTTPS for apps that require secure access (like Vaultwarden and Actual Budget)
The Perfect Gateway
After a month or so of testing and breaking things (mostly on weekends, because I have a job and a life), I finally landed on the perfect access setup. At first, I considered Synology QuickConnect, but it felt like a black box: very limited control and questionable security. Then I tried setting up a custom domain, but that meant exposing my NAS to the public internet, so hard pass.
Eventually, I discovered Tailscale, and it turned out to be exactly what I needed, I think...
So, What’s Tailscale?
Tailscale is a zero-config VPN that creates a private network between your devices called a tailnet. It uses the WireGuard protocol under the hood, which is fast, secure, and modern.
It builds direct P2P encrypted tunnels between devices whenever possible. And when it can’t (due to NAT or firewalls), it falls back to relays without compromising security.
Why Tailscale works so well:
- No port forwarding or firewall headaches, thank god 🙏🏼
- Each device gets a predictable, easy-to-type domain like nas.tailnet123.ts.net
- Only devices you've approved can connect
- All traffic is encrypted using WireGuard
- It "just works" across platforms: Linux, macOS, iOS, Android, Synology, etc.
🔐 Now there is another way of achieving this, and that is with Cloudflare Tunnel. Compared to it, Tailscale doesn’t require exposing your services to the public. Everything stays within your private mesh network, which was a huge deal for me as that is one less problem I need to worry about.
The only problem with it...
The only thing I wish it could do is map a subdomain to my tailnet, like dsm.mydomain.com routing to my Synology DSM inside Tailscale. Right now, that's not supported natively without DNS tricks or self-hosted middle layers.
Still, Tailscale ended up being the second-best solution and in this case, good enough is more than nothing. I can securely access everything I need from any of my devices, without touching port forwarding, firewall rules, or public DNS records.
Securing HTTPS Access for Tailscale
Once I had Tailscale set up, the next challenge was supporting apps that require HTTPS to function properly.
Take Actual Budget, for example. While it technically runs over HTTP, it works much better over HTTPS, especially for things like browser security policies, autofill, and mobile access. I used it as a test case to set up Caddy as my internal HTTPS reverse proxy, and it worked perfectly.
This gave me two wins:
- On the service side: Caddy handles HTTPS using automatic TLS certificates and reverse proxy routing.
- On the Tailscale side: I secured my internal .ts.net domains with real HTTPS certs by automating cert generation on my Synology NAS.
To get this working, I followed the instructions from this video, and the process boiled down to just three steps:
- Install Tailscale on Synology
- Create a Task Scheduler script to keep Tailscale up-to-date
- Use Tailscale’s built-in cert generation to pull valid TLS certs for your *.ts.net domains
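The scheduled script in step 2 and the cert generation in step 3, together with the Caddy side mentioned above, fit in one small program. The following is an added example written for this page, not the script from the video and not Tailscale's or Caddy's own code. It assumes the Tailscale binary lives at the DSM package path shown in the `TAILSCALE` constant, that `openssl` is available for reading the cert's expiry, that the cert directory is one Caddy can read, and that the upstream is Actual Budget on its default port 5006; all four are assumptions you adjust for your box. It uses only documented CLI calls: `tailscale status --json` for the node's MagicDNS name and `tailscale cert --cert-file ... --key-file ... <name>` for the certificate.

```python
"""Renew the tailnet HTTPS cert and emit a Caddy site block.

Added example, not the script from the video and not Tailscale's or Caddy's code.
Assumptions (adjust for your NAS): tailscale at the DSM package path below,
openssl on PATH, CERT_DIR readable by Caddy, Actual Budget listening on 5006.
Intended to run from DSM Task Scheduler as root, daily.
"""
import json
import os
import subprocess
from datetime import datetime, timezone

TAILSCALE = "/var/packages/Tailscale/target/bin/tailscale"  # assumed DSM install path
CERT_DIR = "/volume1/docker/caddy/certs"                    # assumed; any folder Caddy can read
RENEW_WITHIN_DAYS = 30                                      # renew when fewer days remain
UPSTREAM = "localhost:5006"                                 # Actual Budget's default port


def tailnet_dns_name(status_json):
    """Extract this node's MagicDNS name from `tailscale status --json` output."""
    return json.loads(status_json)["Self"]["DNSName"].rstrip(".")


def days_until_expiry(not_after_line, now=None):
    """Parse `openssl x509 -enddate -noout` output, e.g. 'notAfter=Oct 15 12:00:00 2025 GMT'."""
    stamp = not_after_line.strip().split("=", 1)[1]
    expires = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    if isinstance(now, str):          # ISO 8601 string accepted for testing
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def needs_renewal(cert_path, now=None):
    """True if the cert is missing or expires within RENEW_WITHIN_DAYS."""
    if not os.path.exists(cert_path):
        return True
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
        capture_output=True, text=True, check=True,
    ).stdout
    return days_until_expiry(out, now) < RENEW_WITHIN_DAYS


def cert_command(dns_name, cert_dir):
    """Build the `tailscale cert` argv plus the cert and key paths it will write."""
    cert = os.path.join(cert_dir, f"{dns_name}.crt")
    key = os.path.join(cert_dir, f"{dns_name}.key")
    return [TAILSCALE, "cert", "--cert-file", cert, "--key-file", key, dns_name], cert, key


def caddy_site(dns_name, cert, key, upstream=UPSTREAM):
    """Render a Caddyfile site block that serves the upstream over HTTPS with these files."""
    return f"{dns_name} {{\n    tls {cert} {key}\n    reverse_proxy {upstream}\n}}\n"


def main():
    status = subprocess.run([TAILSCALE, "status", "--json"],
                            capture_output=True, text=True, check=True).stdout
    name = tailnet_dns_name(status)
    os.makedirs(CERT_DIR, mode=0o700, exist_ok=True)
    cmd, cert, key = cert_command(name, CERT_DIR)
    if needs_renewal(cert):
        subprocess.run(cmd, check=True)
        os.chmod(key, 0o600)  # private key readable by root only
    with open(os.path.join(CERT_DIR, "Caddyfile.tailnet"), "w") as fh:
        fh.write(caddy_site(name, cert, key))


if __name__ == "__main__":
    main()
```

Import the generated file from your main Caddyfile (Caddy's `import` directive) and reload Caddy after the task runs; the renewal window matters because `tailscale cert` hands out short-lived certificates, and the `chmod` matters because the key file is the one secret on the NAS that turns "private tailnet" into "anyone on the box can impersonate it".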
I had previously tried solutions like Nginx, Synology's built-in reverse proxy, mkcert, and Certbot, but they all felt too complex or too aligned with exposing services to the public internet, which wasn’t my goal. I wanted everything to stay internal and secure.
With this setup, everything now runs over HTTPS within my private tailnet, with proper certs and no need for public DNS or Let's Encrypt rate limits.
Final Thoughts
Even with everything I’ve set up so far, this NAS project is far from "finished" if that’s even a real thing. There’s still so much more to learn and tweak before I can call it a day, maybe never.
I’ve got a few services on my list that I haven’t tackled yet, like setting up a proper Homepage dashboard to act as a central control panel, or figuring out how to host Obsidian remotely so I can journal or take notes wherever I am.
But there are always a few questions burning in my head that I keep asking myself:
- Is it secure enough to use confidently outside my home?
- Is my data truly safe from corruption or accidental loss?
- Is all this even worth the time and investment?
I don’t know all the answers yet, but time will tell.
What I do know is this: I’m going to keep improving it until it fits all of my personal needs. And maybe, just maybe, this whole thing will help me return to a simpler time. A time when everything was accessible: movies, TV shows, and services were free or a one-time purchase, not a subscription.
This NAS might just be a beefed-up storage PC, but for me it is kind of a statement to the world that you don't own me, even though that is the case.
If you like what I wrote and want to learn more about the services I set up, feel free to contact me and I can share it with you, or write up another article (blog or project) about it.