43 lines
1.5 KiB
Markdown
# homelab

Self-hosted services on a single Proxmox host. Segmented network, runs 24/7.

## Why I built this

I started this while studying for CompTIA; the plan was a small router, a few VLANs, and maybe two or three services, and then I got carried away.

## What's running

| Layer | Tool |
|---|---|
| Hypervisor | Proxmox VE |
| Firewall | pfSense (low-power x86) |
| Switching | TP-Link Omada (managed VLANs) |
| Reverse proxy | Caddy (Cloudflare DNS-01) |
| Identity | Authentik (OIDC + forward auth) |
| DNS | Pi-hole → Unbound → Cloudflare |
| Remote access | WireGuard |
| Monitoring | Victoria Metrics + Grafana + Beszel |
| Backups | Proxmox Backup Server |

## Scope

Around 10 LXCs and a couple of VMs running about 20 services across 7 VLANs.

## Design choices

- VLANs are organized by trust tier. Management is its own tier because a compromise there would be no bueno.
- Internal services sit behind Authentik: OIDC where the app supports it, Caddy forward auth where it doesn't.
- Public surface is small: a handful of services behind a DMZ-isolated reverse proxy, with firewall rules backing up the proxy config.
- Admin surfaces are only reachable from the Management tier and over the VPN.
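One way the forward-auth and admin-access choices above map onto a Caddyfile, added here as an illustration rather than this repo's own config: apps without native OIDC go through the Authentik outpost, Authentik itself is exempt so the login redirect cannot loop, and an admin host is additionally limited by source subnet before identity is checked. Hostnames, the outpost address, the backend CA path and the 10.10.0.0/24 (Management) and 10.99.0.0/24 (WireGuard) ranges are assumptions.

```caddyfile
# Added illustration; hostnames, subnets, CA path and the outpost address are constructed assumptions.
# DNS-01 via Cloudflare (Caddy built with the cloudflare DNS module): no inbound port 80 needed for ACME.
(dns_tls) {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}
# Apps without native OIDC: each request is checked by the Authentik outpost first;
# anonymous users are redirected to login, identity headers are copied on success.
(authentik_forward) {
    # The outpost's own endpoints (login flow, callbacks) are proxied directly, never auth-checked.
    reverse_proxy /outpost.goauthentik.io/* http://authentik.lan:9000
    forward_auth http://authentik.lan:9000 {
        uri /outpost.goauthentik.io/auth/caddy
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
        trusted_proxies private_ranges
    }
}
# Admin surfaces: refuse anything not sourced from the Management VLAN or the WireGuard subnet.
(mgmt_only) {
    @outside not remote_ip 10.10.0.0/24 10.99.0.0/24
    respond @outside 403
}

# Authentik itself must not sit behind forward_auth, or the login redirect loops.
auth.example.com {
    import dns_tls
    reverse_proxy authentik.lan:9000
}

# Internal app that has no OIDC support of its own.
wiki.example.com {
    import dns_tls
    import authentik_forward
    reverse_proxy wiki.lan:3000
}

# Admin UI: network restriction first, then identity; the backend's private CA is pinned
# instead of disabling certificate verification.
pbs.example.com {
    import dns_tls
    import mgmt_only
    import authentik_forward
    reverse_proxy https://pbs.lan:8007 {
        transport http {
            tls_trusted_ca_certs /etc/caddy/homelab-ca.pem
        }
    }
}
```

The `remote_ip` check only means something if the proxy sees real client addresses, so it belongs on a proxy that is reached by routing from the Management and VPN subnets, not through a NAT hop; the pfSense rules mentioned above are the backstop if the Caddyfile is ever misconfigured.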

## Documented here

| Doc | About |
|---|---|
| [Services](docs/SERVICES.md) | What's deployed, grouped by what it does |
| [Network](docs/NETWORK.md) | Segmentation, firewall posture, DNS |
| [Security](docs/SECURITY.md) | Layered controls, threat model, limitations |

The IP plan, hardware inventory, ADRs, rebuild runbook, and retention policies are in a private repo.