NAS Homelab
DS423+ · Docker · Immich · Synology Drive/Photos · Plex · Tailscale
Overview
This homelab centers on a Synology NAS used for private cloud storage, media serving, and photo management. Services are containerized where appropriate and exposed securely over Tailscale, so I can access everything from anywhere without opening public ports. Data sits on an encrypted shared folder, with scheduled jobs for backups and periodic maintenance.
Components
Immich (Self‑Hosted Photos)
- Docker Compose stack with server, PostgreSQL, Redis, and ML services
- Media and DB volumes mapped into an encrypted shared folder
- Mobile apps upload over LAN or via Tailscale
Synology Drive & Photos
- Drive for general file sync and backups
- Photos as a parallel system to Immich for family sharing & quick albums
- Accounts with tiered permission levels
Plex Media Server
- Libraries on the NAS; metadata cached locally
- Remote Plex access over Tailscale (no WAN ports)
- Transcoding settings tuned for the DS423+
Tailscale (Zero‑Trust Access)
- Private tailnet for NAS, PCs, and mobile devices
- ACLs restrict admin panels to trusted devices only
- Devices connect to each other without exposing public endpoints
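A sketch of what such a tailnet policy file can look like, added here as an illustration and not the actual policy from this homelab. The tag names are hypothetical, and the ports assume the stock defaults (DSM HTTPS on 5001, Immich on 2283, Plex on 32400).

```json
{
  // Only tailnet admins may assign these tags (tag names are assumptions).
  "tagOwners": {
    "tag:nas":    ["autogroup:admin"],
    "tag:admin":  ["autogroup:admin"],
    "tag:family": ["autogroup:admin"],
  },

  "acls": [
    // A new tailnet starts with an allow-all rule:
    //   {"action": "accept", "src": ["*"], "dst": ["*:*"]}
    // With that rule removed, anything not listed below is denied.

    // DSM admin panel: trusted admin devices only.
    {"action": "accept", "src": ["tag:admin"], "dst": ["tag:nas:5001"]},

    // Immich and Plex: admin and family devices.
    {
      "action": "accept",
      "src":    ["tag:admin", "tag:family"],
      "dst":    ["tag:nas:2283,32400"],
    },
  ],

  // Policy tests are evaluated when the file is saved; a failing
  // test rejects the change, which guards against an edit that
  // accidentally reopens the admin panel.
  "tests": [
    {
      "src":    "tag:family",
      "accept": ["tag:nas:2283", "tag:nas:32400"],
      "deny":   ["tag:nas:5001", "tag:nas:22"],
    },
    {
      "src":    "tag:admin",
      "accept": ["tag:nas:5001"],
    },
  ],
}
```

The `tests` block is the part worth keeping even in a small tailnet, because it turns "family devices cannot reach DSM" into a check that runs on every policy edit.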
Storage & Backups
- Encrypted shared folder for all user data (Immich media, DBs, Plex metadata)
- Hyper Backup tasks for configs and application data
- Scheduled data scrubbing and SMART monitoring
Access & Networking
- Local access via LAN; remote access via Tailscale
- Certificates handled by Synology or kept private via tailnet
Security & Ops
- Separate admin and user accounts; 2FA for admin
- Least‑privilege service accounts and sensible share permissions
- Routine updates via Package Center and container image refreshes