u/Niiro__

IT support by day, homelab by night. Built this with Google, YouTube, and r/homelab as my only teachers. Here's what 12 months looks like.
▲ 815 r/Saudi_Homelab+1 crossposts

Lurked here for a while, learned a ton from posts like the one I'm hoping this becomes. Time to give back.

Quick context: I'm IT support by trade. Not a developer, not a sysadmin. Everything in this post I figured out by reading r/homelab, watching YouTube at midnight, and reading GitHub README files that occasionally assumed I knew things I absolutely did not know. If you're in the same boat, hopefully something here helps.

Hardware

  • Host: ASUS ROG board, Intel i7-11700KF (8c/16t), 32 GB DDR4, RTX 3080 10 GB
  • OS: Debian 13 Trixie, kernel 6.12
  • Storage (all btrfs):
    • /mnt/media: 21 TB, media library + downloads
    • /mnt/vault: 13 TB external USB drive, paperless docs + backups
    • /mnt/apps: 1.9 TB RAID1, all Docker app data + compose files
  • Networking: Caddy as reverse proxy with a Cloudflare wildcard cert (LE prod via DNS-01), Authelia in front of every service for SSO
  • GPU: shared between Plex hardware transcode, Immich ML, and Ollama. Secure Boot off, nvidia-driver 550, NVIDIA container toolkit. Has worked surprisingly well.

Software (29 containers, grouped)

  • Edge & access: Caddy, Authelia, AdGuard Home
  • Media servers: Plex, Jellyfin, Overseerr, Tautulli
  • *arr stack: Sonarr, Radarr, Prowlarr, Bazarr, SABnzbd. Dual Usenet providers, one primary + one failover.
  • Productivity: BookStack (wiki), Forgejo (self-hosted git), Paperless-ngx (document OCR), Actual Budget
  • Photos & AI: Immich (photos with ML on the GPU), Ollama (local LLM)
  • Dashboards & ops: Homepage, Uptime Kuma, CasaOS (kept it because the UI is honestly nice)
  • IPTV: Threadfin + an EPG service feeding Plex

Everything sits behind Caddy with HTTPS via the wildcard cert. Authelia gates anything that shouldn't be wide open.

Stuff I broke and fixed (in case it helps the next person searching for these at 1 AM)

  • AdGuard latency was 1800 ms with default upstreams. Parallel mode with Cloudflare + Google + Quad9 dropped it to ~10 ms.
  • SABnzbd was pulling at 3 KB/s on a gigabit line. I'd configured 50 connections to the provider and they were rate-limiting me into oblivion. Dropped to 20 connections, jumped to ~9 MB/s. Less is more.
  • Caddy to Plex was hanging on JS assets, 8 second page loads, nothing in the logs. Forcing HTTP/1.1 transport in Caddy fixed it instantly. h2 to Plex is cursed.
  • Overseerr to Radarr was 400-ing on tag creation. Setting tagRequests=false in Overseerr was the fix.
  • TMDB lookups were 503-ing because Radarr preferred IPv6 and the upstream IPv6 path was broken. Disabled v6 via sysctls.
  • Paperless was crash-looping because I'd set OCR_LANGUAGE=ara and the Arabic pack isn't in the image. Just eng for now (annoying since I'd actually use the Arabic one).
  • BookStack wouldn't start. The linuxserver image uses DB_USERNAME / DB_PASSWORD, not the upstream's DB_USER / DB_PASS. Burned an hour on that one.
  • Overseerr backlog had 262 orphaned movie requests from a previous mess. Recovered them and re-pushed to Radarr. Don't down -v your stack with pending requests.

Known weirdness (in case anyone has hit these)

  • immich-ml reports unhealthy but works fine. Strict healthcheck, cosmetic.
  • Free IPTV EPG sources keep blocking my scraper. Inherent to free IPTV. Moving on.
  • Homepage widgets still need API keys + docker.sock group access. On the list.

Next up

  • Off-site backup for Immich + Paperless. The USB vault is a single disk, that's not enough.
  • Tiny mini-PC for a secondary AdGuard so DNS doesn't die when the host reboots.
  • Proper VLANs. IoT is currently too friendly with the trusted network.
u/Niiro__ — 1 day ago
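
A way to check the "Authelia in front of every service" claim against a Caddyfile, as an added example that is not part of the original post or the poster's configuration. The hostnames, upstreams, Authelia address and the `sso` snippet name are assumptions; the sample Caddyfile is constructed and also shows the HTTP/1.1 transport setting the post describes for Plex.

```python
# Constructed Caddyfile: hostnames, upstreams and the Authelia address are
# assumptions, not the poster's config. Plex keeps its own login (assumed).
SAMPLE = """\
(sso) {
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
    }
}
paperless.example.com {
    import sso
    reverse_proxy paperless:8000
}
plex.example.com {
    reverse_proxy plex:32400 {
        transport http {
            versions 1.1
        }
    }
}
budget.example.com {
    reverse_proxy actual:5006
}
"""

def blocks(text):
    """Yield (label, body_lines) for every top-level Caddyfile block."""
    depth, label, body = 0, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.endswith("{"):
            label, body = line[:-1].strip(), []
        elif not (depth == 1 and line == "}"):
            body.append(line)
        depth += line.endswith("{") - (line == "}")
        if depth == 0 and label is not None:
            yield label, body
            label = None

def ungated_sites(text, public=()):
    """Return site labels with no forward_auth, directly or via an imported snippet."""
    parsed = dict(blocks(text))
    has_auth = lambda body: any(l.startswith("forward_auth") for l in body)
    snippets = {k[1:-1] for k, b in parsed.items() if k.startswith("(") and has_auth(b)}
    imports = lambda body: {l.split()[1] for l in body if l.startswith("import ")}
    return [site for site, body in parsed.items()
            if site and not site.startswith("(") and site not in public
            and not has_auth(body) and not (imports(body) & snippets)]

if __name__ == "__main__":
    print(ungated_sites(SAMPLE, public={"plex.example.com"}))
```

Any hostname it returns is reachable through the proxy without the SSO check and should either get the snippet import or be added to the explicit public list on purpose.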