T3 · progressive retrofit 2020–2026

The house where it all started.

It wasn't designed as a case study. It was designed to solve a personal problem: a "smart" home where nothing spies on anyone. Today, it's the reference everything else is built on.

Context

A T3 flat in Almada, primary residence. When it started, the goal was simple: replace a cloud doorbell that had failed for the third time. The doorbell led to a camera. The camera led to a separate network. The separate network led to a server. The server led to everything else.

Six years later, it's the system I offer clients — tested, refined, and lived in every single day. Every technical decision in the Professional tier came from here: tried, failed, adjusted, and validated before reaching any client.

The system in numbers

Component: Quantity
Segmented networks (VLANs): 4, expanding to 6
Cameras with local recording: 4 (Reolink RTSP)
Integrated sensors (motion, door, temperature): ~15
Zigbee devices: ~20
Active automations: ~30
Average monthly downtime: < 5 minutes
Data sent to commercial cloud: 0

The architecture, in layers

Layer 1 — Network

Current router: Asus with Merlin firmware, three separate networks (personal, IoT, guests), WireGuard VPN enabled for remote access. IoT networks have no internet access — they only communicate with the central server. Guests have internet but are isolated from everything else.

In transition: planned migration to a dedicated firewall architecture (OPNsense or UniFi Cloud Gateway, still deciding) with 6 segmented networks — personal, local IoT, cloud IoT, cameras, guests, management.

Layer 2 — Central server

In transition. Current setup: Home Assistant running on HA Green. Future setup: mini-PC with Proxmox, virtualising Home Assistant + Debian with Frigate + AdGuard Home, with local NVMe storage for recent events and HDD for archive. Frigate with Coral TPU accelerator for local intelligent detection with no cloud calls.

Layer 3 — Video surveillance

Four Reolink cameras connected via RTSP to Frigate. Internet access blocked on the cameras themselves and at the firewall — defence in depth. Local recording with 30-day retention, privacy masks on areas that capture the public road.

Lesson learned: blocking cloud on the cameras themselves (via Reolink's own menu) isn't enough. Cameras try to reach external servers even with "cloud disabled". The block has to be done at the firewall, with explicit rules that deny internet access by default.
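
One way to check that the default-deny rule is doing its job, as an added example (not part of the original write-up or the installer's own tooling): audit the firewall log for flows sourced from the camera and IoT segments. The subnets, the server address and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Assumed addressing (not from the page): one /24 per restricted segment.
SEGMENTS = {
    "cameras": ipaddress.ip_network("10.0.40.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
}
SERVER = ipaddress.ip_address("10.0.10.10")  # assumed central server address

# Constructed sample log, assumed format: "<action> <src> <dst> <proto>/<dport>"
SAMPLE_LOG = """\
pass 10.0.40.21 10.0.10.10 udp/123
block 10.0.40.21 203.0.113.50 tcp/443
block 10.0.40.21 203.0.113.50 tcp/443
block 10.0.40.22 198.51.100.7 udp/9999
pass 10.0.40.23 198.51.100.7 tcp/443
pass 10.0.30.15 10.0.10.10 tcp/1883
pass 10.0.30.16 10.0.40.22 tcp/80
pass 10.0.20.5 192.0.2.80 tcp/443
"""

def segment_of(ip):
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None  # source is not in a restricted segment

def audit(log_text):
    """Return (violations, blocked_attempts) for the restricted segments."""
    violations, attempts = [], Counter()
    for line in log_text.splitlines():
        try:
            action, src, dst, service = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed line or address
        seg = segment_of(src_ip)
        if seg is None or dst_ip == SERVER:
            continue  # unrestricted source, or the one permitted destination
        if action == "pass":
            violations.append((seg, src, dst, service))  # rule gap to fix
        else:
            attempts[(src, dst)] += 1  # attempt stopped by default deny
    return violations, attempts

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A non-empty violations list means a rule is letting a restricted device out; the blocked-attempt counts show which devices keep trying to reach external servers despite "cloud disabled".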

Layer 4 — Devices

Zigbee devices centralised on a local coordinator (no manufacturer hub, no cloud app). Shelly modules for electrical circuit control where it made sense. Various sensors for motion, door/window opening, temperature, humidity.

Principle applied: preference for Zigbee/Z-Wave over WiFi where possible, because it keeps devices on an isolated mesh network that isn't even in the home's IP infrastructure.

Layer 5 — Remote access

WireGuard with per-device profiles (primary phone, secondary phone, laptop). No open port on the router — DDNS used only for name resolution. Access from anywhere, encrypted, with latency under 50ms for most operations.

Lesson learned: WireGuard wins hands-down over OpenVPN on mobile — it doesn't drain battery significantly, and automatic reconnection when switching from WiFi to mobile data is practically invisible.

Three automations worth explaining

Departure routine

When the last family phone leaves WiFi range for more than 5 minutes, the system turns off lights left on, confirms that sensored doors/windows are closed (notification if not), puts the surveillance in "away" mode, and turns off non-essential appliances via Shelly. No cloud involved. No dependency on external geolocation.

Power cut response

Detection via UPS connected to the server: sends an immediate notification to family phones via VPN, reduces server load, and if the outage lasts more than 20 minutes initiates a graceful NAS shutdown. When power returns, everything restarts in the correct order. This automation has saved data at least twice in six years.

Smart camera notifications

When Frigate detects a person in a "perimeter" zone (not in the masked zones that capture the public road): sends a notification with a video clip directly to the phone via VPN, discreetly activates an exterior light (deterrence without being aggressive), and logs the event. The difference from a cloud system: the notification arrives in ~2 seconds (instead of the typical 8–15), never fails because a manufacturer's server is down, and the video never leaves home.

Honest trade-offs

Initial learning curve

It took me months to have a decent system, and years to have a robust one. For a client, this cost is absorbed — you get the refined version. But the complexity exists, and that translates into the value of the service.

Updates require attention

Home Assistant updates every two weeks. Some updates break things. That's why, in my system and my clients' systems, updates aren't automatic — they're tested, scheduled, and applied with a rollback window.

Higher upfront cost

Compared to "buy an Echo Show and plug in Tuya devices", this is more expensive upfront. The difference pays off in 4–6 years through the absence of subscriptions, but it's honest to acknowledge the initial investment.

Greater dependency on the relationship with the installer

Systems like this aren't "install and forget". There's real maintenance. For clients who value technical autonomy, I can document everything so they can self-manage. For clients who want peace of mind, the monthly maintenance plan exists.

How it changed over time

2020–2022
Chaotic. Everything on a Raspberry Pi 2 with USB drives. It worked, but reliability was mediocre. Several failed migrations, two lost disks, many late nights debugging.
2022–2025
Consolidation. Migration to Home Assistant on a dedicated HA Green. Introduction of Frigate. Formalised network segmentation. Automated backups. A reliable system, ready for real use, but still with "hobby" pieces.
2025–2026
Professionalisation. In progress: migration to a mini-PC with Proxmox, dedicated NAS, proper UPS, and enterprise firewall. This is the version I offer to Professional clients, validated in my home before reaching anyone else's.

The good news: you won't go through six years of evolution.

The value of installing a system like this in 2026, with me, is exactly this: the path has already been walked. The wrong decisions have already been made and corrected. The right tools have already been identified. The architecture is stable.

Your installation isn't an experiment — it's the refined application of six years of iteration in my home. You get the final version, with 5–7 days of work, instead of the six years it took to discover it.

Get a quote for your home

No commitment, no cost, no pushy follow-up. A 30-minute conversation to understand what makes sense for your case.