Homelab infrastructure
30+ self-hosted services across Proxmox, TrueNAS SCALE, and OPNsense. Full observability with Grafana and Prometheus, external access via Cloudflare Tunnel, and automated backups with Proxmox Backup Server.
What started as a single Raspberry Pi running Pi-hole has grown into a full rack with a dedicated server, a NAS, and a pfSense-turned-OPNsense router. The homelab is where I learn infrastructure, networking, and systems administration hands-on — faster and more thoroughly than any course.
Hardware
- Main server: Custom build, running Proxmox VE. Hosts all VMs and LXC containers.
- NAS: TrueNAS SCALE, ZFS storage pool. Handles media, backups, and bulk storage.
- Router: OPNsense on dedicated hardware. Full network control, DNS filtering, VPN gateway.
Key services
| Category | Services |
|---|---|
| Photos | Immich |
| Media | Jellyfin |
| Files | Nextcloud |
| Passwords | Vaultwarden |
| Documents | Paperless-ngx |
| Music | Navidrome |
| Monitoring | Grafana + Prometheus + Alertmanager |
| Backups | Proxmox Backup Server |
| Remote access | Cloudflare Tunnel, WireGuard VPN, Tailscale |
Infrastructure highlights
Observability: Prometheus scrapes Node Exporter, cAdvisor, TrueNAS, and Proxmox exporters. Grafana dashboards give real-time and historical visibility into every host. Alertmanager sends Discord notifications for disk usage, certificate expiry, and service downtime.
Networking: OPNsense handles segmented VLANs — IoT devices are isolated from the main network. DNS filtering via Hagezi blocklists drops ads and trackers at the resolver level. WireGuard VPN gives me secure access to home resources from anywhere.
External access: Cloudflare Tunnel exposes select services publicly without opening ports on the firewall. Zero Trust Access policies require authentication for anything sensitive.
Backups: Proxmox Backup Server runs automated daily backups of all VMs and LXC containers, with weekly full backups replicated to TrueNAS. The 3-2-1 rule, more or less.
Not everything is serious
Not every service solves an infrastructure problem. My dad records karaoke at home — I built tooling to manage and serve those recordings through Navidrome on the NAS. It’s one of the more heavily used things on the homelab.
The Hetzner VPS also runs an frp proxy that lets friends connect to a Minecraft server on the homelab without exposing my home IP. A bit of overkill for a game server, but it works and the WireGuard tunnel makes it reasonably secure.