Best Home Lab Services to Run in 2026: What to Install and In What Order
Best Home Lab Services to Run in 2026: What to Install and In What Order
A home lab is only as useful as the software running on it. Whether you just finished setting up Proxmox, Docker, or a NAS, the real question is what to actually run. This guide covers the services that make a home lab genuinely worth having, how to prioritize them, and the order that delivers the most value with the least instability.
The Most Common Home Lab Mistake
New home lab users frequently encounter a list of 40 self-hosted applications, install most of them in a weekend, and then wonder why nothing feels stable. The problem isn't ambition it's sequencing. More containers does not produce a better home lab. It produces more things that can break simultaneously.
The productive approach is to begin only with services you will open every week: tools that replace something you're already paying for externally, or that solve a concrete problem you have right now. Everything else can wait until the foundation is solid. That principle shapes the entire structure of this guide.
Media Services: Jellyfin, Plex & Immich INSTALL FIRST
Jellyfin vs Plex
If you have a collection of films or television shows on local storage, Jellyfin or Plex transforms it into a proper streaming library with metadata, cover art, watch history, and support for practically every device you own. Media servers are typically where home lab users begin because the payoff is immediate configure the library once and you have something genuinely useful the same day.
The distinction between the two is straightforward: Jellyfin is fully open-source with no paid tier and no feature restrictions. Plex offers a polished free experience but reserves certain capabilities including offline downloads and enhanced remote streaming behind a Plex Pass subscription. For users who want full functionality without recurring costs, Jellyfin is the natural choice. Plex makes sense if you already subscribe or prefer its particular interface.
Immich: Self-Hosted Photo Backup
Immich is a self-hosted photo and video management platform built around automatic mobile backup. The experience is comparable to Google Photos browsing, search, albums, facial recognition except the data stays entirely on your own hardware. There is no subscription, no external account required, and no storage limit beyond what your drives provide.
For households where multiple people have phones full of photos they'd rather not store on a commercial platform indefinitely, Immich addresses a genuine privacy concern rather than an abstract one. The mobile app handles background uploads automatically. The interface has matured considerably and is now a viable daily driver for most users.
Which to prioritize? If a media collection is the primary motivation, start with Jellyfin or Plex. If photo privacy and backup are the bigger concern, Immich often delivers more immediate household value. Both are reasonable day-one installations.
Network Services: DNS Ad Blocking & Internal DNS HIGH PRIORITY
Pi-hole or AdGuard Home
A DNS-level ad blocker is one of the most impactful network improvements available to home lab users. Both Pi-hole and AdGuard Home work by intercepting DNS queries from every device on the network and refusing to resolve domains associated with advertising, tracking, and telemetry. The effect is network-wide: phones, smart TVs, laptops, and IoT devices all benefit without requiring any software installed on those devices.
Either tool runs quietly once configured and requires minimal ongoing attention. The practical impact shows up daily noticeably faster page loads on ad-heavy sites, reduced background data usage from apps reporting home to analytics servers, and cleaner browsing experiences across the entire household.
For a detailed side-by-side comparison of both tools including DNS encryption support, parental controls, and per-client configuration, see the full Pi-hole vs AdGuard Home comparison on this site.
Internal DNS
Once more than a handful of services are running, memorizing which IP address belongs to which application becomes an unnecessary cognitive burden. Internal DNS resolves this by mapping readable names to services allowing access to jellyfin.home or nas.home instead of numeric addresses and port numbers.
Both Pi-hole and AdGuard Home include DNS rewrite functionality natively. If one is already running for ad blocking, internal DNS can be handled in the same interface with no additional software. This is a setup that feels minor until it's in place, after which the lab feels considerably more organized and professional.
Important: DNS misconfiguration can take the entire network offline. Before making router-level DNS changes, confirm a fallback DNS server is configured and understand how your router distributes DNS settings to clients via DHCP.
Local Reverse Proxy & SSL AFTER DNS
Once internal DNS is working, a local reverse proxy like Nginx Proxy Manager extends it further. Instead of accessing services through IP addresses and port numbers, a reverse proxy lets you assign clean subdomain names and provision valid SSL certificates for them removing the browser security warnings that appear on self-hosted services by default.
The prerequisite for full functionality is owning a domain name, which not every home lab user will have initially. Internal DNS alone provides substantial usability improvement and is the right first step. A reverse proxy with SSL is the natural progression once DNS is stable and a domain is available.
Productivity: Nextcloud & File Sync WHEN NEEDED
Nextcloud is the most comprehensive self-hosted productivity platform currently available. It handles file storage and sync, calendar and contacts, document collaboration, notes, and more functioning as a private alternative to Google Workspace or Microsoft 365. For users whose workflows genuinely depend on these features, Nextcloud is a strong option.
The practical caveat is that Nextcloud requires more administrative attention than most other services on this list. It benefits from regular updates, and the broader feature surface means more potential points of failure. For users who only need file sync between devices and a NAS, Syncthing is a more focused and lower-maintenance alternative that handles that specific task extremely well.
The decision comes down to how much of Nextcloud's feature set will realistically be used. When the answer is "most of it," Nextcloud earns its place. When the answer is "mostly just file sync," Syncthing is more appropriate.
Home Lab Dashboard OPTIONAL
Applications like Homarr, Heimdall, and Homepage provide a single entry point to all running services. Most include built-in status indicators that show at a glance which services are currently online. A dashboard is not a priority during initial setup, but once five or six services are running it eliminates the need to remember different addresses for different tools. Configuration typically takes under 30 minutes and the usability improvement is immediate.
Smart Home: Home Assistant IF RELEVANT
Home Assistant is the leading self-hosted smart home platform, built around consolidation. Its core function is pulling devices from different vendor ecosystems Zigbee, Z-Wave, Google, Apple, Amazon, MQTT, and hundreds of others into a single interface with a unified automation engine. The automation capabilities extend well beyond what individual manufacturer apps provide, enabling conditional logic, scheduling, and cross-device integrations that would otherwise be impossible.
Home Assistant is not a universal recommendation. Users with only a small number of smart devices may find the initial investment disproportionate. For anyone who is genuinely building out a smart home environment, however, Home Assistant becomes foundational infrastructure rather than a supplementary tool the kind of service that starts small and gradually becomes deeply integrated into daily routines.
Backups: The Non-Negotiable Step DO NOT SKIP
Backups receive less attention than they deserve in home lab discussions, partly because they're unglamorous and partly because the consequences of skipping them only become apparent after something goes wrong. Running a home lab without a backup strategy means that every experiment, misconfiguration, or hardware failure carries the full risk of permanent data loss.
Proxmox Backup Server
For Proxmox-based environments, Proxmox Backup Server should be deployed as early as possible ideally in parallel with the first application installs, not afterward. It provides incremental, deduplicated backups of virtual machines on a configurable schedule. The deduplication capability is particularly valuable: effective deduplication ratios mean that backup storage requirements are a fraction of what uncompressed backups would require. More practically, having reliable VM backups converts experimentation from a risk into a routine restore from backup and be back to a known-good state in minutes.
Machine Backups: UrBackup
For protecting physical machines on the network Windows, macOS, or Linux UrBackup is a capable open-source option that runs as a background service with minimal administrative overhead. Users on Synology hardware may find Active Backup for Business a more integrated option given its native NAS support.
RAID is not a backup. RAID provides redundancy against drive failure. It offers no protection against accidental deletion, ransomware encryption, filesystem corruption, or user error. Proper data protection requires separate physical copies ideally with at least one stored in a different physical location from the primary system.
If the underlying filesystem supports snapshots (ZFS and Btrfs both do), configure them. Snapshots capture point-in-time states of data volumes and allow fast recovery from accidental changes a complement to full backups, not a replacement for them.
Monitoring: Uptime Kuma & Beszel EARLY PRIORITY
Uptime Kuma
Uptime Kuma performs one job reliably: it checks whether your services are responding and sends alerts when they stop. Without monitoring in place, a service can go offline for an extended period without anyone knowing until it's actually needed. Setup is minimal point it at each service URL and configure a notification channel. The time investment is small and the value is immediate.
Beszel
Beszel extends monitoring to the system layer, tracking CPU utilization, memory usage, disk capacity, and network throughput across the devices in the lab. Where Uptime Kuma identifies that a service has stopped responding, Beszel provides the context to understand why a disk approaching capacity, sustained CPU saturation, or abnormal memory consumption. Both tools are lightweight and complement each other well. Running both provides a clear picture of both service availability and underlying resource health.
Authentication & SSO INTERMEDIATE
A foundational security principle for any home lab: services should not share passwords, and any service accessible beyond the local network should have multi-factor authentication enabled. Separate accounts for separate services, strong unique passwords, and MFA wherever it's supported. These measures are straightforward to implement and significantly reduce exposure.
Once the lab has grown to the point where managing individual logins for every service becomes friction, a self-hosted single sign-on solution becomes worthwhile. Authentik is one of the more capable self-hosted identity providers available configure it once with strong authentication and use it as the login mechanism for multiple services. It improves both security and usability simultaneously.
Authentik has a real learning curve and is not an appropriate first-week project. It belongs on top of a stable, well-understood foundation the kind of addition that makes sense once the core of the lab is running reliably and the overhead of managing individual service logins has become a genuine inconvenience.
Remote Access: VPN & Zero Trust Networking DO EARLY
WireGuard
WireGuard is the current standard for self-hosted VPN in home lab environments fast, cryptographically modern, and straightforward to configure compared to older alternatives. It requires port forwarding on the router to function, which works in most residential setups but fails when the ISP provides carrier-grade NAT (where the user does not control the upstream router).
Tailscale
Tailscale is the practical alternative for users behind double NAT or those who want the fastest path to functional remote access. It establishes encrypted peer-to-peer connections between devices without any port forwarding, using a relay infrastructure to handle connections that can't go direct. Installation takes minutes, configuration is minimal, and it works reliably across network topologies that would break a traditional VPN setup.
Zero Trust Networking
The model gaining adoption in the self-hosting community is zero trust networking an approach where access is granted to specific services for specific users rather than placing a user on the network broadly. Traditional VPN access gives a connected device potential reach across the entire network. Zero trust narrows that to exactly the services a given user needs and nothing more.
This model eliminates lateral movement as an attack surface: a compromised credential can only access what it was explicitly permitted to reach. For labs that expose services to external users or handle data that warrants careful access control, understanding zero trust principles is worthwhile even during early setup stages.
Recommended Installation Order
Install in This Sequence
- Useful applications first Jellyfin or Plex for media, Immich for photos, or Nextcloud/Syncthing for file sync. Pick the one that solves the most pressing current need. Run it for a week and confirm it actually gets used before adding more.
- Backups simultaneously Proxmox Backup Server for VMs, UrBackup or equivalent for local machines. This should happen in parallel with step one, not weeks later.
- Monitoring Uptime Kuma and Beszel. Low setup cost, immediate visibility benefit.
- Network services Pi-hole or AdGuard Home with internal DNS rewrites. Improves every device on the network without touching any of them.
- Remote access WireGuard or Tailscale. Configure this before the lab grows complex enough that remote troubleshooting becomes necessary.
- Supporting tools Dashboard (Homarr or Homepage), reverse proxy with SSL (Nginx Proxy Manager) once a domain is available.
- Advanced layers Home Assistant for smart home automation, Authentik for SSO, zero trust networking for access control. These belong on top of a stable foundation.
| Service | Category | When to Install | Difficulty |
|---|---|---|---|
| Jellyfin / Plex | Media streaming | Day 1 | Easy |
| Immich | Photo backup | Day 1 | Easy |
| Proxmox Backup Server | VM backups | Day 1 | Medium |
| UrBackup | Machine backups | Day 1 | Easy |
| Uptime Kuma | Service monitoring | Week 1 | Easy |
| Beszel | System monitoring | Week 1 | Easy |
| Pi-hole / AdGuard Home | DNS ad blocking | Week 1 | Easy |
| WireGuard / Tailscale | Remote access | Week 1–2 | Easy–Medium |
| Nextcloud / Syncthing | File sync | When needed | Medium |
| Nginx Proxy Manager | Reverse proxy + SSL | After DNS + domain | Medium |
| Homarr / Homepage | Dashboard | After 5+ services | Easy |
| Home Assistant | Smart home | If relevant | Medium–Hard |
| Authentik | SSO / Identity | Intermediate stage | Hard |
Frequently Asked Questions
About the author:Bikram Bhujel is an IT Infrastructure Specialist based in Nepal, writing about enterprise networking, server administration, and home lab setups at BIKRAMBHUJEL.COM.NP.
Bikram Bhujel is an IT Infrastructure Specialist based in Nepal, writing about enterprise networking, server administration, and home lab setups at bikrambhujel.com.np
No comments:
Please Don't Spam Comment Box !!!!