lerko/portfolio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

migrate CRA to Next.js 16 + React 19 + TypeScript + Tailwind v4

Browse Source 
- replace CRA scaffold with Next.js static export config
- add app router pages: home, homelab, archive
- add components: Nav, Footer, Hero, Skills, ProjectCard, ThemeScript
- add ThemeContext for dark mode with FOUC prevention
- add data layer: projects.ts, services.ts
- update .gitignore for Next.js (ignore .next/, out/, next-env.d.ts)
- add docs: handoff plan, homelab decisions, style reference
This commit is contained in:
lerko96
2026-04-10 18:46:19 -04:00
parent 798027bb9d
commit ea63347cd6
63 changed files with 8342 additions and 19830 deletions
Download Patch File Download Diff File Expand all files Collapse all files

171
docs/homelab-readme.md Normal file
View File

@@ -0,0 +1,171 @@
# README
# 🏠 lerkolabs — Home Infrastructure Lab
> Personal infrastructure environment for learning, self-hosting, and operational practice. Running 24/7 on production-grade hardware with real network segmentation, SSO, monitoring, and IaC-style documentation.
---
## ⚡ At a Glance
| | |
|-----|-----|
| **Hypervisor** | Proxmox VE |
| **Firewall** | pfSense (Intel N100) |
| **Switching** | TP-Link Omada (managed, VLANs) |
| **ISP** | AT&T Fiber 1Gbps — IP Passthrough → pfSense WAN |
| **VPN** | WireGuard (pfSense) |
| **Reverse Proxy** | Caddy + Cloudflare DNS-01 — wildcard SSL on `*.lerkolabs.com` |
| **Auth** | Authentik SSO — OIDC + forward auth across all services |
| **DNS** | Pi-hole → pfSense Unbound → Cloudflare |
| **Containers** | 9 LXC containers + 2 VMs |
| **Self-hosted services** | 20+ |
---
## 🌐 Network Architecture
**8 isolated VLANs** — strict inter-VLAN firewall policy (default deny):
| VLAN | Name | Subnet | Purpose |
|------|------|--------|---------|
| 1000 | MGMT | `10.0.0.0/24` | Network equipment only |
| 1010 | LAN | `10.1.0.0/24` | Trusted personal devices |
| 1020 | Homelab | `10.2.0.0/24` | All self-hosted services |
| 1030 | Guests | `10.3.0.0/24` | Internet only, RFC1918 blocked |
| 1040 | IoT | `10.4.0.0/24` | Smart home, isolated |
| 1050 | WFH | `10.5.0.0/24` | Work devices, no personal access |
| 1 | DMZ | `10.99.0.0/24` | Public-facing, hard-blocked internally |
| — | VPN | `10.200.0.0/24` | WireGuard clients = LAN access |
Work devices (VLAN 1050) are isolated from *all* personal infrastructure — they use pfSense DNS only, never Pi-hole. WireGuard VPN clients get full LAN-equivalent access without being on the physical network.
---
## 🖥️ Compute — LXC / VM Layout
| Container | IP | Cores | RAM | What Runs |
|-----------|-----|-------|-----|-----------|
| `pihole` | 10.2.0.5 | 1 | 512MB | Pi-hole DNS + ad blocking |
| `auth` | 10.2.0.25 | 1 | 512MB | Authentik SSO + Redis |
| `infra` | 10.2.0.20 | 2 | 1GB | Caddy reverse proxy, ntfy |
| `monitor` | 10.2.0.51 | 4 | 4GB | Victoria Metrics, Grafana, Beszel |
| `apps` | 10.2.0.60 | 4 | 6GB | 15+ productivity apps (Docker) |
| `vault` | 10.2.0.X | 1 | 256MB | Vaultwarden (isolated) |
| `servarr` (VM) | — | 4 | 8GB | Plex, Jellyfin, \*arr stack, qBittorrent |
| `haos` (VM) | — | 2 | 4GB | Home Assistant OS |
---
## 🚀 Self-Hosted Services
### Core Infrastructure
| Service | Role |
|---------|------|
| pfSense | Firewall, DHCP, routing, WireGuard VPN |
| Pi-hole | Network-wide DNS + ad blocking |
| Caddy | Reverse proxy, automatic wildcard TLS |
| Authentik | SSO provider — OIDC + forward auth |
| Vaultwarden | Self-hosted password manager |
| Victoria Metrics + Grafana | Metrics, dashboards, alerting |
| Beszel | Container + host monitoring |
| ntfy | Push notifications |
### Productivity (`apps` LXC — all behind Authentik SSO)
| Service | URL | Purpose |
|---------|-----|---------|
| Outline | `outline.lerkolabs.com` | Team wiki |
| Gitea | `gitea.lerkolabs.com` | Personal Git |
| Vikunja | `tasks.lerkolabs.com` | Task management |
| Ghostfolio | `finance.lerkolabs.com` | Portfolio tracking |
| Hoarder | `hoarder.lerkolabs.com` | Bookmark manager |
| Grist | `grist.lerkolabs.com` | Spreadsheets / data |
| Actual Budget | `budget.lerkolabs.com` | Personal budgeting |
| FreshRSS | `rss.lerkolabs.com` | RSS reader |
| Memos | `memos.lerkolabs.com` | Quick notes |
| Traggo | `time.lerkolabs.com` | Time tracking |
| Baikal | `dav.lerkolabs.com` | CalDAV / CardDAV |
| Glance | `glance.lerkolabs.com` | Homepage dashboard |
| Filebrowser | `files.lerkolabs.com` | File management |
### Media
| Service | Purpose |
|---------|---------|
| Plex + Jellyfin | Media streaming |
| Sonarr / Radarr / Lidarr | Automated media management |
| Prowlarr + Bazarr | Indexer aggregation + subtitles |
| qBittorrent (VPN-gated) | Downloads via Gluetun |
| Calibre-Web Automated | Book library with auto-ingest |
| Kavita | E-reader |
---
## 🔒 Security Design
* All services require Authentik authentication — no anonymous access
* Caddy handles TLS termination; internal services run HTTP only
* VPN-only admin access to pfSense, Proxmox, Pi-hole
* IoT devices can only reach the internet and Home Assistant
* Guests are RFC1918 hard-blocked — internet only
* WFH laptop on isolated VLAN, DNS from pfSense only
* Vaultwarden isolated in its own LXC — no shared container
* Zero open ports for management traffic (all VPN-gated)
---
## 🗂️ Architecture Decisions
Short-form ADRs documenting *why* things are built this way:
* **AT&T IP Passthrough over EAP bypass** — AT&T locks 802.1X to their gateway; passthrough mode gives pfSense the real public IP without brittle workarounds.
* **Caddy over NGINX Proxy Manager** — single Caddyfile, auto-cert via Cloudflare DNS-01, no UI overhead.
* **WireGuard over OpenVPN** — lower latency, better mobile battery life, \~600Mbps on the N100.
* **Authentik over Authelia** — full OIDC provider + forward auth in one. Lets services like Outline, Gitea, and Vikunja use real SSO rather than just a login gate.
* **Shared Postgres + Redis in** `**apps**` **LXC** — one instance, multiple databases. Avoids 15 separate DB containers; a single init script provisions all schemas on first run.
* **N100 for pfSense** — 6W idle, handles 23Gbps routing + 600Mbps WireGuard. Right-sized for 1Gbps fiber.
* **Pi-hole in Homelab VLAN, not MGMT** — MGMT access from all VLANs would be a larger attack surface than filtering DNS traffic.
---
## 📁 Repo Structure
```bash
homelab/
├── docs/
│ ├── README.md # quick reference — IPs, URLs, hardware
│ ├── SERVICES.md # full service registry (IP, port, VLAN, status)
│ ├── NETWORK.md # VLAN map, firewall policy, DNS architecture
│ ├── DECISIONS.md # ADRs — why things are configured the way they are
│ ├── RUNBOOKS.md # break-fix procedures
│ ├── SECURITY.md # open ports, update cadence, known debt
│ └── setup/ # one-time deploy guides (archived, read-only)
├── configs/
│ ├── caddy/ # Caddyfile + compose
│ ├── pfsense/ # config.xml exports
│ ├── pihole/ # teleporter backups
│ └── lxc/ # per-container configs
└── scripts/ # automation, health checks
```
---
## 🔗 Contact
\
![LinkedIn](uploads/164c25fb-9f88-4726-87fb-a640c43b142f/75308bef-4010-4a87-8afb-c9896f0eb6ba/LinkedIn-Connect-0A66C2 " =112x20") ![GitHub](uploads/164c25fb-9f88-4726-87fb-a640c43b142f/10d87e72-d33c-4cd3-99b7-2595a9501f5f/GitHub-lerkolabs-181717 " =123x20")
\
> *This lab is actively maintained and evolving. Documentation lives alongside the infrastructure.*