An in-depth look at the Raspberry Pi 5 hardware platform powering this lab and detailed explanations of each self-hosted service.
Raspberry Pi 5 Overview
The Raspberry Pi 5 is a significant leap over previous generations, delivering desktop-class responsiveness for lightweight services while maintaining the low power requirements and versatile I/O that make it ideal for home labs.
Key Hardware
- Broadcom BCM2712 quad‑core Arm Cortex‑A76 (64‑bit) at 2.4 GHz.
- VideoCore VII GPU with modern graphics support.
- 8 GB LPDDR4X memory options.
- Dual micro‑HDMI 2.0 outputs (up to dual 4Kp60).
- Onboard PCIe 2.0 x1 via FFC (supports NVMe via M.2 HAT).
- Gigabit Ethernet, dual‑band 802.11ac Wi‑Fi, Bluetooth 5.0 LE.
- 2× USB 3.0 and 2× USB 2.0; USB‑C power input.
- Two 4‑lane MIPI connectors for cameras/displays.
- Real‑time clock, power button, improved I/O bandwidth.
Capabilities for Home Lab
- Runs multiple light services concurrently without noticeable slowdown.
- Fast storage with NVMe (via M.2 HAT) improves reliability over microSD.
- Efficient thermal profile with official active cooler and case options.
- Strong I/O and networking throughput for DNS, VPN, and reverse proxy tasks.
- Rich ecosystem of HATs, accessories, and community support.
Overview of ongoing work. Each card highlights the project title, a short description and the current status.
Pi-hole (Active)
Pi-hole acts as a DNS sinkhole, blocking ads and trackers at the network layer before they reach client devices. This improves privacy, cuts bandwidth waste, and can speed up page loads.
- Network-wide blocking: one configuration protects all devices.
- Privacy-first: stops data exfiltration to known tracking domains.
- Performance: fewer requests to ad networks reduce latency.
- Optional DHCP: Pi-hole can provide DHCP for enhanced control.
Setup details:
Enable logging and define blocklists and allowlists to fit your use cases.
Assign a static IP to the Pi and reserve it in the router.
Set upstream DNS to a trusted provider (e.g., 1.1.1.1) or run Unbound for a local resolver.
Point LAN clients’ DNS to Pi-hole (via router DNS or DHCP options).
WireGuard VPN (Active)
WireGuard is a modern, lightweight VPN built on the Noise protocol. It offers strong security with minimal overhead, making it excellent for remote access to your home network.
- Fast and efficient: small codebase, low latency.
- Simple configuration: key pairs and concise interface files.
- Seamless on mobile: easy QR onboarding for phones.
- Integrates with Pi-hole: route DNS through Pi-hole for clean browsing.
Configuration insights:
Use systemd and wg-quick for reliable startup on boot.
Generate server and client keys; define AllowedIPs for each peer.
Enable IP forwarding and set NAT rules so VPN clients reach LAN.
On clients, set DNS to the Pi-hole address and use PersistentKeepalive for mobile stability.
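On the server, a peer's AllowedIPs is both the route to that peer and the filter on which source addresses it may send from, so ranges that are too wide or that overlap weaken per-client isolation. The following linter is an added example, not part of the original page or of WireGuard itself; the 10.8.0.0/24 tunnel subnet, the placeholder keys and the one-device-per-peer assumption are constructed for illustration.

```python
import ipaddress

# Constructed sample server config: keys are placeholders, addresses are assumptions.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.8.0.1/24
PrivateKey = <server-private-key>

[Peer]
PublicKey = <phone-public-key>
AllowedIPs = 10.8.0.2/32

[Peer]
PublicKey = <laptop-public-key>
AllowedIPs = 10.8.0.0/24
"""

def parse_wg(text):
    """Parse wg-quick syntax into (interface dict, list of peer dicts).
    configparser is unsuitable here because [Peer] sections repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)       # base64 keys may end in '='
            current[key.strip().lower()] = value.strip()
    return interface, peers

def lint_server(text):
    """Flag AllowedIPs entries wider than one host or overlapping an earlier entry."""
    findings, seen = [], []
    for n, peer in enumerate(parse_wg(text)[1], 1):
        for cidr in peer.get("allowedips", "").replace(",", " ").split():
            net = ipaddress.ip_network(cidr, strict=False)
            if net.num_addresses > 1:
                findings.append(f"peer {n}: {cidr} is wider than a single host")
            for other_n, other in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {n}: {cidr} overlaps peer {other_n} ({other})")
            seen.append((n, net))
    return findings

if __name__ == "__main__":
    print("\n".join(lint_server(SAMPLE_SERVER_CONF)))
```

A site-to-site peer that legitimately routes a whole subnet will trigger the first finding; treat it as a prompt to confirm the range is intended.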
Cloudflare (Active)
Cloudflare provides domain management and secure exposure of internal services via Cloudflare Tunnel. You can reach your home services over HTTPS without opening inbound ports.
- Managed DNS: quick, reliable resolution with global anycast.
- Secure tunnels: outbound-only connections protect your network.
- Access controls: gate services with identity-aware policies.
- Simple routing: map subdomains to local services.
Tunnel workflow:
Run cloudflared as a service for automatic restarts.
Install cloudflared on the Pi and authenticate with your Cloudflare account.
Create a tunnel; define routes to local services (e.g., Nextcloud).
Provision DNS records (CNAME) pointing to the tunnel host name.
Enable Cloudflare Access for identity‑based protection if desired.
RustDesk Server (Active)
RustDesk is an open‑source remote desktop platform. Hosting your own rendezvous and relay servers gives you control over connectivity for remote assistance and internal IT support.
- Self‑hosted control: avoid third‑party relays.
- Secure by design: modern Rust stack and encryption.
- Works across NAT with relay fallback.
- Policies for allowed clients and address books.
Server composition:
Integrate with WireGuard for admin access paths if preferred.
Run hbbs (signal/rendezvous) and hbbr (relay) services.
Expose via Cloudflare Tunnel with mTLS or behind Access policies.
Issue and pin a server key; restrict who can register.
Define user roles; maintain logs and update regularly.
These services are designed to interoperate: WireGuard routes remote traffic through Pi‑hole; RustDesk benefits from identity controls and VPN access for administrators.
