My personal lab environment for experimenting with infrastructure and hosting self-hosted services. Professionally, I work with these technologies daily, but the homelab gives me freedom to explore ideas and patterns that don't always fit production constraints. This is where curiosity meets practicality: testing new tools, solving real problems at home and, yes, occasionally breaking things in the pursuit of learning.
The repository is public by design. Transparency keeps me honest about following best practices, even when it's just for fun.
Feel free to send me a DM, open a pull request, or steal code from here. The goal is to learn and make connections.
Homelab overview diagram (full-size image available): a map of the whole homelab, showing how the hardware, cluster and services fit together. Auto-generated through the pipeline from this file.
Service-flow diagram (full-size image available): shows which services talk to each other and how traffic flows through the cluster. Auto-generated through the pipeline from this file.
Note: This is a simplified view showing the main folders and key files. The actual repository contains additional directories and configurations.
```text
homelab
├── k8s/talos/
│   ├── apps/                 # Application deployments
│   │   ├── arr-stack/
│   │   ├── blog/
│   │   └── plex-media-stack/
│   └── infra/                # Infrastructure components
│       ├── argocd/
│       ├── cilium/
│       └── traefik/
├── terraform/
│   ├── azure/
│   │   └── state/            # Remote state backend
│   └── proxmox/              # Proxmox cluster IaC
│       └── hyper-cluster/
│           └── k8s/
├── blog/                     # Hugo blog source
│   ├── Dockerfile
│   ├── config/
│   ├── content/
│   └── themes/
├── portfolio/                # Portfolio site source
│   ├── Dockerfile
│   ├── nginx/
│   └── src/
└── ai/                       # AI agents, skills, projects, local LLM
    ├── agents/
    ├── skills/
    ├── projects/
    ├── local-llm/
    ├── prompts/
    └── notes/
```
| Category | Components |
|---|---|
| GitOps | ArgoCD |
| Networking | Cilium (CNI + eBPF), Traefik (Gateway API), external-dns (Cloudflare DNS automation) |
| Security | Falco (runtime security), Authentik (SSO), Cert-manager, External Secrets Operator |
| Observability | Prometheus, Grafana, Loki (logs), Tempo (traces), OpenTelemetry, Metrics-server |
| Automation | Reloader (config/secret-triggered rollouts) |
| Storage | Proxmox CSI, Synology (NFS) |
| Platform | Proxmox VE (6-node HA cluster), Talos Linux, Terraform |
Automated vulnerability scanning runs weekly and on every Dockerfile change using Trivy. Scans detect CRITICAL and HIGH severity vulnerabilities in both the blog and portfolio containers, and the results are uploaded automatically to the GitHub Security tab for tracking and remediation.
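A workflow that implements the scanning described above, added here as an illustration rather than copied from the repository's own `.github/workflows`. It assumes the two Dockerfiles live at `blog/Dockerfile` and `portfolio/Dockerfile` (as in the tree above) and that each directory is its own build context; the cron time is an arbitrary choice.

```yaml
# Constructed example: weekly + Dockerfile-triggered Trivy scan with SARIF upload.
name: Container Vulnerability Scan

on:
  schedule:
    - cron: "0 6 * * 1"          # weekly, Monday 06:00 UTC (assumed schedule)
  push:
    branches: [main]
    paths:                       # only fire when a Dockerfile actually changes
      - "blog/Dockerfile"
      - "portfolio/Dockerfile"
  workflow_dispatch:             # manual run

permissions:
  contents: read
  security-events: write         # required to write results to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false           # a finding in one image must not hide the other
      matrix:
        image: [blog, portfolio] # one job per container
    steps:
      - uses: actions/checkout@v4

      - name: Build the image locally (not pushed) so the scan matches this commit
        run: docker build -t local/${{ matrix.image }}:scan ./${{ matrix.image }}

      - name: Scan with Trivy
        uses: aquasecurity/trivy-action@0.28.0   # pin to a tag or SHA, never a branch
        with:
          image-ref: local/${{ matrix.image }}:scan
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # skip CVEs with no available fix yet
          format: sarif
          output: trivy-${{ matrix.image }}.sarif
          exit-code: "0"         # report only; triage happens in the Security tab

      - name: Upload results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()             # upload even if the scan step reported findings
        with:
          sarif_file: trivy-${{ matrix.image }}.sarif
          category: trivy-${{ matrix.image }}   # keeps blog/portfolio alerts separate
```

Set `exit-code: "1"` instead if you want CRITICAL/HIGH findings to fail the run rather than only appear as alerts.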
Falco runs as a DaemonSet on every node, detecting anomalous activity at the syscall level through a modern eBPF probe (the Talos-safe driver — no kernel module). Detections are routed to Discord via Falcosidekick, false positives are tuned out using the upstream rules' own template macros (keeping signal high), and Falco metrics feed a Grafana dashboard for at-a-glance security visibility.
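An example of the template-macro tuning mentioned above, written for this README and not taken from the repository. It assumes Falco 0.36 or newer (for the `override` syntax), the macro names found in the upstream `falco_rules.yaml` (check them against the rules version you run), and placeholder namespace names for the in-cluster components that legitimately talk to the API server.

```yaml
# falco_rules.local.yaml (constructed example; namespace names are placeholders)
#
# Upstream rules end with "and not user_known_<...>", macros that default to
# (never_true) and exist purely to be overridden. Replacing only the macro keeps
# the rule, its priority and its output format intact, so upstream updates to the
# rule itself still flow through unchanged.

# "Contact K8S API Server From Container": controllers such as ArgoCD,
# external-secrets, external-dns and cert-manager must reach the API server.
- macro: user_known_contact_k8s_api_server_activities
  condition: >
    (k8s.ns.name in ("argocd", "external-secrets", "external-dns",
                     "cert-manager", "reloader"))
  override:
    condition: replace

# "Terminal shell in container": tolerate interactive shells only in a
# dedicated debug namespace; anywhere else they still alert.
- macro: user_expected_terminal_shell_in_container_conditions
  condition: (k8s.ns.name = "debug")
  override:
    condition: replace
```

Keep the allowlist scoped to namespaces (or `container.image.repository`) rather than disabling the rule, so the same rule keeps firing for workloads that have no business doing this.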
| Workflow | Trigger | Purpose |
|---|---|---|
| Build and Deploy Blog | Push to main (blog changes) | Builds Hugo blog, pushes to GHCR, updates k8s manifest |
| Build and Deploy Portfolio | Push to main (stage); manual dispatch (prod) | Builds portfolio image, pushes to GHCR, deploys stage/prod |
| Container Vulnerability Scan | Weekly, Dockerfile changes, manual | Scans blog & portfolio containers with Trivy |
| Render Diagrams | Push to main (docs/diagrams/*.d2), manual | Renders D2 sources to SVG + PNG, commits the result |
| K8s Update Reminder | Monthly (1st) | Discord notification for Kubernetes maintenance |
| Server Update Reminder | Monthly (15th) | Discord notification for server updates |
| Node | Model | CPU | RAM | Storage |
|---|---|---|---|---|
| Hyper1 | Lenovo ThinkCentre M70q Gen 2 | Intel Core i5-11400T (6C/12T @ 1.30 GHz) | 32 GB | 1 TB |
| Hyper2 | Lenovo ThinkCentre M920q | Intel Core i5-8500T (6C/6T @ 2.10 GHz) | 32 GB | 1 TB |
| Hyper3 | Lenovo ThinkCentre M920 Tiny | Intel Core i7-8700T (6C/12T @ 2.40 GHz) | 32 GB | 1 TB |
Community Proxmox VE Helper-Scripts run on each node after install:
| Script | Purpose |
|---|---|
| Post PVE Install | Post-install tuning — repo sources, subscription nag, updates |
| NIC Offloading Fix | Disables NIC hardware offloading to fix interface connectivity issues |
| Device | Model | CPU | RAM | Capacity | Details |
|---|---|---|---|---|---|
| NAS | Synology DS1522+ | AMD Ryzen R1600 (2C @ 2.6 GHz) | 8 GB | 3 × 20TB (60TB) | SHR, Btrfs, 2 × 1TB NVMe cache · DSM 7.3.2 · hosts a Proxmox Backup Server (PBS) VM |
| Device | Model | Type |
|---|---|---|
| Router | UniFi Cloud Gateway | Gateway/Router |
| Switch | UniFi Lite 8 PoE | Managed Switch |
| Access Point | UniFi U6+ | WiFi 6 AP |
| Modem | Telia | Cable Modem |
| Component | Model | CPU | RAM | Storage | OS | Network |
|---|---|---|---|---|---|---|
| Hardware | Topton N100 Fanless Mini PC | Intel N100 | TBD | 512 GB SSD | Home Assistant OS | 4 × 2.5G i226-V |
| Device | Type | Purpose |
|---|---|---|
| Philips Hue Bridge Pro | Smart Lighting Hub | Lighting control |
| Nabu Casa Connect ZBT-2 | Zigbee Coordinator | Zigbee device coordination |
| M5Stack Atom Lite | Bluetooth Proxy | Bluetooth range extension |
| UniFi G6 Instant | Security Camera | Indoor surveillance |