My Home Lab Infrastructure

A two-node Proxmox cluster running 20+ containers and VMs — covering low-code automation with n8n, local AI with Ollama, SSO with Authentik, self-hosted docs with Outline, and all the networking, backups, and monitoring that keeps it running.

Homelab overview

The diagram matches the live layout: public traffic hits Cloudflare (DNS, CDN, security); Cloudflare Tunnel carries it into the lab to Nginx Proxy Manager, which reverse-proxies hostnames to the right backends. The router / firewall is the LAN gateway toward Proxmox and other devices. WireGuard covers remote access; AdGuard Home handles DNS filtering on the LAN. The Proxmox datacenter 234aHome runs two nodes with LXC/Docker workloads, centralized backups, and an optional off-site copy.

Domain: *.balawalraja.uk (Cloudflare). Stack: Proxmox VE, LXC, Docker, Traefik/NPM/Cloudflare, Linux/Ubuntu.

Diagram: Homelab overview, showing ingress, the Proxmox nodes (234aHome), storage, VPN, and the remote backup site.

Infrastructure overview

Proxmox platform

Two-node Proxmox VE datacenter 234aHome with 20+ containers/VMs, high-availability patterns where it matters, and a mix of LXC and Docker workloads.

  • Node 1: automation (n8n), local AI (Ollama), docs (Outline), monitoring (Grafana), SSO (Authentik), CI/CD, backups
  • Node 2: networking, reverse proxy, DNS, VPN, Nextcloud, this website, uptime monitoring
  • Storage: Proxmox Backup Server (NewPBS), ZFS pool, LVM-thin on both nodes
  • Remote site: Raspberry Pi with WireGuard client and PBS target for off-site backups

Ingress & access

Public HTTPS, VPN, and LAN paths align with the diagram’s legend (public, VPN tunnel, LAN, management).

  • Web: Cloudflare edge + Tunnel to NPM (reverse proxy / TLS to services)
  • VPN: WireGuard for remote client devices
  • LAN: Router/firewall to Proxmox, PCs, IoT, and NAS
  • DNS: AdGuard Home for filtering and internal resolution

Proxmox datacenter (234aHome)

Workloads are grouped the same way as on the diagram: Node 1 for backup and supporting apps, Node 2 for edge services, identity, applications, automation, and observability.

Node 1

Automation, AI, docs, monitoring, identity, CI/CD, and backups.

  • n8n: Low-code automation workflows; also powers the chatbot on this site
  • Ollama: Local LLM inference (6 vCPUs, 16 GB RAM dedicated)
  • Outline: Self-hosted wiki for infrastructure and project docs
  • Grafana: Monitoring dashboards and metrics
  • Authentik: SSO identity provider across services
  • Portainer: Container management UI
  • GitHub Runner: Self-hosted CI/CD for this website and other projects
  • Proxmox Backup Server: Centralised backup and restore for the cluster
  • Ironclaw / Discopanel: Media management and file sharing

Node 2

Networking, reverse proxy, DNS, VPN, apps, and uptime monitoring.


Networking & ingress

  • AdGuard Home: DNS filtering and internal resolution
  • WireGuard VPN: Encrypted remote access
  • Cloudflare Tunnel + NPM: Public HTTPS ingress to internal services

Applications

  • Nextcloud: Self-hosted file sync and sharing
  • This website: Portfolio site running as an LXC container
  • Heimdall: Home dashboard
  • MongoDB: Database for application workloads

Monitoring

  • Uptime Kuma: Service uptime monitoring and alerting

Security & access control

Operational notes from the architecture: SSO is enabled through Authentik and OAuth2 Proxy; backups run through Proxmox Backup Server on a schedule. Public hostnames are served through Cloudflare and the tunnel into Nginx Proxy Manager, which manages proxy hosts and certificates toward internal apps.

Cloudflare & NPM

Cloudflare provides DNS, CDN, and edge controls; the tunnel delivers traffic to NPM, which reverse-proxies and handles TLS for internal services.
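As an added example (not taken from this page or from the lab's real configuration), a cloudflared ingress file that wires the public wildcard hostname to NPM the way the path above describes; the tunnel ID, credentials path and NPM's LAN address are placeholders, and it assumes NPM serves a valid certificate for the domain.

```yaml
# cloudflared config.yml (added example; tunnel ID, paths and addresses are placeholders)
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Every public hostname under the domain is handed to Nginx Proxy Manager on the LAN.
  # NPM selects the backend from the Host header and holds the per-host certificates,
  # so new services only need a proxy host in NPM, not a tunnel change.
  - hostname: "*.balawalraja.uk"
    service: https://192.0.2.10:443      # placeholder LAN address of NPM
    originRequest:
      originServerName: balawalraja.uk   # SNI sent to NPM so it picks the right cert
      # TLS verification stays on (no noTLSVerify): the tunnel-to-NPM hop is
      # validated, so the LAN leg is not plaintext and not blindly trusted.

  # Mandatory catch-all: any hostname not matched above is answered with 404 at
  # the edge and never reaches the LAN.
  - service: http_status:404
```

The tunnel connects outbound to Cloudflare, so no inbound port is opened on the router; a wildcard CNAME for the domain must point at the tunnel for the `*.balawalraja.uk` rule to receive traffic.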

Authentik & OAuth2 Proxy

Identity provider plus proxy layer for SSO across internal applications

WireGuard VPN

Encrypted remote access for clients without exposing management to the public internet

AdGuard Home

DNS filtering and policy on the LAN, aligned with the diagram’s access path

CrowdSec

Collaborative threat detection engine — analyses logs, detects attack patterns (HTTP probing, brute force), and issues live bans via the bouncer

Storage, backup & disaster recovery

What the diagram encodes

  • Proxmox Backup Server: Centralized backups with deduplication and incremental runs
  • Local storage (LVM): VM and container disks on-node
  • External / NAS (optional): Media and long-term archive off the cluster
  • Remote backup site: Raspberry Pi as WireGuard client, off-site PBS target, external USB for off-site data
  • Scheduling: Automated PBS jobs (e.g. nightly) plus periodic restore checks
  • Integrity: Verification and test restores to validate recoverability

Technical Challenges & Solutions

Challenges Overcome

The practical problems solved to get a stable, secure, and maintainable lab.

  • Migrating CI/CD from Jenkins to GitHub Actions without downtime
  • Running local AI (Ollama) without starving other containers of resources
  • Consistent SSO across 20+ services with Authentik
  • Reliable off-site backups to a Raspberry Pi over WireGuard

Solutions Implemented

The changes that made the environment reliable, repeatable, and easy to operate.

  • Self-hosted GitHub runner on the cluster replacing Jenkins
  • Dedicated high-memory LXC container isolates Ollama from other workloads
  • Authentik + OAuth2 Proxy providing consistent SSO across services
  • Proxmox Backup Server with scheduled jobs and off-site PBS target on remote Pi

Learning Outcome: This hands-on experience, combined with professional cloud infrastructure work at ZAVA, has strengthened my skills in system administration, network management, infrastructure automation, and secure operations.