Secure Homelab Infrastructure
Overview
A production-grade homelab built on repurposed enterprise hardware, running Proxmox VE as the hypervisor with 25+ LXC containers providing a full self-hosted service stack. The infrastructure is designed around security, resilience, and remote accessibility — with multiple redundant access paths and automated backup strategies.
This is not a hobby project in the casual sense. It is a deliberately engineered infrastructure platform that mirrors enterprise patterns at home-lab scale, and serves as the foundation for all practical cloud and automation work.
Hardware
| Component | Specification |
|---|---|
| Host | Intel NUC (12th Gen Core i5-12500T) |
| CPU | 6 cores / 12 threads @ 3.6GHz |
| RAM | 32GB DDR4 |
| Primary Storage | NVMe SSD (local-lvm, 349GB) |
| Bulk Storage | ZFS pool (tank-storage, 922GB) |
| Backup Storage | Proxmox Backup Server (2.7TB) |
| OS | Proxmox VE 8.3.5 |
A fanless, silent machine running 24/7 with enterprise-grade stability on consumer power consumption.
Container Architecture
All services run as LXC containers rather than full VMs — lighter weight, faster startup, and more efficient resource sharing while maintaining full isolation. Each container is purpose-built for a single service or service group.
Networking & Access
| Container | Service | Purpose |
|---|---|---|
| CT111 | Nginx Proxy Manager | Reverse proxy, SSL termination |
| CT113 | Cloudflared | Cloudflare tunnel for secure external access |
| CT103 | Pi-hole | Network-wide DNS filtering and ad blocking |
| CT999 | Emergency access | Backup access path when primary fails |
Media Stack
| Container | Service | Purpose |
|---|---|---|
| CT100 | Plex | Media server with remote streaming |
| CT101 | Sonarr | TV show automation and management |
| CT102 | Radarr | Film automation and management |
| CT105 | Prowlarr | Indexer management for media stack |
| CT110 | SABnzbd | Usenet download client |
Infrastructure Services
| Container | Service | Purpose |
|---|---|---|
| CT120 | Docker host | 21 Docker containers (Portainer, Frigate, Matrix, Jitsi, etc.) |
| CT116 | n8n | Workflow automation and orchestration |
| CT130 | Vaultwarden | Self-hosted password manager (Bitwarden-compatible) |
| CT900 | Homelab Agent | AI monitoring agent (see separate project page) |
Security & Research
| Container | Service | Purpose |
|---|---|---|
| CT108 | Reticulum | Mesh networking over I2P for resilient backup access |
| CT200 | OSINT Lab | Open-source intelligence tools and research environment |
| CT107 | AI Lab | Local AI model experimentation |
Network Architecture
External Access Strategy
The homelab uses a layered approach to external access, balancing security with usability:
Primary path — Cloudflare Tunnel (CT113)
Zero-trust access for web services. No ports exposed to the internet. Cloudflare acts as the security boundary. Services are accessible via subdomains without exposing the home IP address.
Secondary path — WireGuard VPN
Point-to-point encrypted tunnel from home to a Romanian VPS (94.156.152.232). Used for:
- Direct management access to all containers
- Services that cannot be proxied through Cloudflare
- Secure access from anywhere without relying on third-party infrastructure
Tertiary path — Reticulum over I2P (CT108)
A resilient mesh networking layer providing access even if both Cloudflare and the VPS become unavailable. Based on the Reticulum Network Stack, routing over the I2P anonymous network. Built following the November 2025 Cloudflare global outage.
Emergency path — CT999
A minimal always-on container providing a last-resort access path to the Proxmox management interface.
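A fallback path is only useful if it is known to work before the primary fails. The check below is an added example, not code from this homelab: it probes every access path on each run, reports which one would currently be used, and treats any unreachable path as a degraded state even while the primary is healthy. The hostnames and ports are placeholders (the page names the paths but not their endpoints), and the probe is injected so the logic runs offline; a path with a non-TCP transport such as Reticulum over I2P would supply its own probe through the per-path `probe` field.

```python
"""Probe every remote-access path, not only the one currently in use.

Added example (not code from the original page). Hostnames and ports are
placeholders standing in for the real endpoints, which the page does not give.
The probe function is injected so the logic can be exercised offline.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass(frozen=True)
class AccessPath:
    name: str
    host: str
    port: int
    priority: int                  # 1 = primary, higher numbers are fallbacks
    probe: Optional[Probe] = None  # per-path override for non-TCP transports


# Placeholder endpoints (assumed): keep the real ones in config, not in code.
PATHS = [
    AccessPath("Cloudflare Tunnel (CT113)", "proxmox.lab.example.invalid", 443, 1),
    AccessPath("WireGuard VPN", "10.8.0.1", 8006, 2),  # assumed tunnel-side address
]


def check_paths(paths: List[AccessPath], probe: Probe = tcp_probe) -> dict:
    """Probe all paths and summarise which would be used and which are down.

    `degraded` is True whenever any path is unreachable, even if the primary
    is fine: a dead fallback is exactly the condition this check exists to surface.
    """
    results = {p.name: (p.probe or probe)(p.host, p.port) for p in paths}
    usable = [p for p in sorted(paths, key=lambda p: p.priority) if results[p.name]]
    return {
        "active": usable[0].name if usable else None,
        "down": [p.name for p in paths if not results[p.name]],
        "degraded": len(usable) < len(paths),
    }


if __name__ == "__main__":
    print(check_paths(PATHS))
```

Run from a host outside the LAN so the probes exercise the same route an operator would use; a result with `degraded` set should raise the same alert as a primary outage, since the next outage is when the fallback will be needed.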
IP Scheme
All containers follow a consistent IP naming convention that mirrors their container ID — CT116 is at 192.168.0.116, CT120 at 192.168.0.120, and so on. This makes network management intuitive and eliminates the need for a separate DNS record for internal services.
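The convention only stays intuitive while every container actually follows it, and it drifts quietly when a container is recreated or re-addressed by hand. The audit below is an added example, not tooling from this homelab: it parses the text that Proxmox's `pct config <ctid>` prints, extracts the static IPv4 from the `net0` line, and reports containers whose address does not match their ID or that use DHCP. The sample outputs are constructed. One caveat the check makes explicit: IDs above 254 (the page's CT900 and CT999, for instance) cannot map onto a /24 host octet, so those are reported as outside the convention rather than as errors.

```python
"""Verify that each LXC container's static IPv4 matches the CTID -> 192.168.0.<CTID> convention.

Added example, not the page's own tooling. It parses the text that
`pct config <ctid>` (Proxmox's CLI) prints: one `key: value` line per option,
with the network line shaped like
  net0: name=eth0,bridge=vmbr0,hwaddr=...,ip=192.168.0.116/24,gw=192.168.0.1,type=veth
The sample outputs at the bottom are constructed for this example.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

SUBNET = ipaddress.ip_network("192.168.0.0/24")  # assumed from the addresses on the page


def expected_ip(ctid: int) -> Optional[ipaddress.IPv4Address]:
    """IP the convention assigns: host octet == CTID. None if the ID cannot fit the /24."""
    if 1 <= ctid <= 254:
        return SUBNET.network_address + ctid
    return None


def parse_pct_config(text: str) -> dict:
    """Map option names to values; netN values are split into their k=v fields."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if re.fullmatch(r"net\d+", key):
            value = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
        cfg[key] = value
    return cfg


def configured_ip(cfg: dict) -> Optional[ipaddress.IPv4Address]:
    """Static IPv4 on net0, or None for dhcp/manual/absent."""
    ip = cfg.get("net0", {}).get("ip")
    if not ip or ip in ("dhcp", "manual"):
        return None
    return ipaddress.ip_interface(ip).ip


def audit(configs: Dict[int, str]) -> List[str]:
    """One finding per container that does not follow the convention."""
    findings = []
    for ctid, text in sorted(configs.items()):
        want = expected_ip(ctid)
        actual = configured_ip(parse_pct_config(text))
        if want is None:
            findings.append(f"CT{ctid}: ID outside {SUBNET} host range, convention not applicable")
        elif actual is None:
            findings.append(f"CT{ctid}: no static IPv4 on net0 (dhcp or manual)")
        elif actual != want:
            findings.append(f"CT{ctid}: net0 has {actual}, convention expects {want}")
    return findings


def live_configs(ctids) -> Dict[int, str]:
    """On a Proxmox host: collect real `pct config` output for the given IDs."""
    return {c: subprocess.run(["pct", "config", str(c)], check=True,
                              capture_output=True, text=True).stdout for c in ctids}


# Constructed sample output, mimicking `pct config` for four containers.
SAMPLE_CONFIGS = {
    116: "arch: amd64\ncores: 2\nhostname: n8n\nmemory: 1024\n"
         "net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:01:16,ip=192.168.0.116/24,gw=192.168.0.1,type=veth\n"
         "rootfs: local-lvm:vm-116-disk-0,size=8G\n",
    120: "arch: amd64\nhostname: docker\n"
         "net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:01:20,ip=192.168.0.121/24,gw=192.168.0.1,type=veth\n",
    103: "arch: amd64\nhostname: pihole\n"
         "net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:01:03,ip=dhcp,type=veth\n",
    999: "arch: amd64\nhostname: emergency\n"
         "net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:09:99,ip=192.168.0.99/24,gw=192.168.0.1,type=veth\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```

On the host itself, `audit(live_configs(ids))` with the IDs from `pct list` gives the real picture; running it from the monitoring agent turns a naming convention into an enforced invariant.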
Storage Architecture
ZFS Pool (tank-storage)
922GB ZFS pool for bulk media storage. ZFS provides:
- Copy-on-write integrity — silent data corruption is detected and corrected
- Snapshots — point-in-time recovery without additional software
- Compression — transparent LZ4 compression reducing effective storage used
Proxmox Backup Server
2.7TB dedicated backup storage running the Proxmox Backup Server stack. All containers are backed up on a schedule with deduplication — only changed blocks are stored, dramatically reducing backup storage requirements.
Local Storage
110GB local storage for container root disks and Proxmox system data. Currently at 86.6% — flagged by the AI monitoring agent as requiring attention.
Security Design Principles
Principle of least privilege — Service accounts and API tokens have only the permissions required for their specific function. The AI monitoring agent uses a read-only Proxmox API token for metrics collection, with a separate write token scoped only to /vms for remediation actions.
No open ports — No services are directly exposed to the internet. All external access goes through Cloudflare Tunnel or WireGuard VPN.
Encrypted transit — All inter-service communication uses TLS. WireGuard provides end-to-end encryption for management traffic.
Automated backups — Container backups run on schedule via Proxmox Backup Server. Recovery from a full container loss takes minutes, not hours.
Redundant access paths — Three independent paths to reach the homelab if the primary method fails. Designed after experiencing a Cloudflare outage that temporarily cut off access to all services.
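Least privilege for API tokens is easy to state and easy to lose when a role is widened during troubleshooting. The check below is an added example, not the agent's own code: it asks Proxmox what a token can actually do (the `GET /access/permissions` endpoint reports the calling identity's effective permissions; its assumed shape is a map of ACL path to granted privileges) and lists every non-audit privilege granted outside the subtree the token is meant to write to. For the read-only metrics token the allowed write set is empty; for the remediation token it is `/vms`. The sample permission sets are constructed.

```python
"""Check that a Proxmox API token's effective permissions stay within its intended scope.

Added example; not the page's own code. It works on the object returned by
GET /access/permissions (assumed shape: {acl_path: {privilege: 1, ...}, ...}),
which reports what the calling identity can do. Privileges named *.Audit are
treated as read-only; everything else counts as a write capability.
The sample permission sets below are constructed.
"""
import json
import ssl
import urllib.request
from typing import Dict, List, Sequence, Set


def write_privs(perms: Dict[str, Dict[str, int]]) -> Dict[str, Set[str]]:
    """acl_path -> non-audit privileges granted on that path."""
    return {
        path: {priv for priv, on in privs.items() if on and not priv.endswith(".Audit")}
        for path, privs in perms.items()
    }


def _under(path: str, prefix: str) -> bool:
    """True if `path` equals `prefix` or lies beneath it in the ACL tree."""
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def violations(perms: Dict[str, Dict[str, int]], allowed_write_paths: Sequence[str]) -> List[str]:
    """Writes granted outside the allowed subtree(s); an empty list means the token is in scope."""
    out = []
    for path, writes in sorted(write_privs(perms).items()):
        if writes and not any(_under(path, a) for a in allowed_write_paths):
            out.append(f"{path}: {sorted(writes)}")
    return out


def fetch_permissions(host: str, token: str) -> dict:
    """Fetch effective permissions for an API token over HTTPS (certificate verified).

    `token` is the full 'user@realm!tokenid=uuid' string Proxmox issues; the
    PVEAPIToken authorization header is how a token authenticates to the API.
    """
    req = urllib.request.Request(
        f"https://{host}:8006/api2/json/access/permissions",
        headers={"Authorization": f"PVEAPIToken={token}"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return json.load(resp)["data"]


# Constructed samples for the two tokens the page describes.
METRICS_TOKEN = {"/": {"Sys.Audit": 1}, "/vms": {"VM.Audit": 1}, "/storage": {"Datastore.Audit": 1}}
REMEDIATION_TOKEN = {"/": {"Sys.Audit": 1}, "/vms": {"VM.Audit": 1, "VM.PowerMgmt": 1}}
# A token that drifted: Sys.Modify at the root would let it change host configuration.
OVERBROAD_TOKEN = {"/": {"Sys.Audit": 1, "Sys.Modify": 1}, "/vms": {"VM.PowerMgmt": 1}}

if __name__ == "__main__":
    print("metrics token:", violations(METRICS_TOKEN, []))
    print("remediation token:", violations(REMEDIATION_TOKEN, ["/vms"]))
    print("overbroad token:", violations(OVERBROAD_TOKEN, ["/vms"]))
```

Scheduling `violations(fetch_permissions(host, token), expected)` alongside the metrics collection gives an alert the day a token's scope changes, which is considerably cheaper than discovering it in an incident review.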
Self-Hosted Services (Docker, CT120)
The Docker host (CT120) runs 21 containers providing a full communications and productivity stack:
- Portainer — Docker management UI
- Frigate — AI-powered NVR for camera monitoring with local inference
- Matrix Synapse + Element — Self-hosted encrypted messaging
- Jitsi — Self-hosted video conferencing
- Vaultwarden — Password management
- Stirling PDF — Document processing
- Docuseal — Document signing
- Kapowarr — Comics management
- Watchtower — Automated container updates
Monitoring
All infrastructure is monitored by the Homelab AI Monitoring Agent (CT900), which:
- Collects LXC metrics every 15 minutes via Proxmox API
- Collects Docker container status via SSH to CT120
- Analyses combined metrics with AWS Bedrock every 6 hours
- Sends intelligent alerts to Telegram with context and recommendations
- Maintains full audit trail of all alerts, analyses, and actions
See the Homelab AI Monitoring Agent project page for full details.
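The threshold logic that produced the "local storage at 86.6%" flag in the storage section is simple enough to show in full. The block below is an added example, not the agent's own code: it evaluates the JSON objects Proxmox returns from `GET /nodes/{node}/lxc` (fields `vmid`, `name`, `status`, `disk`, `maxdisk`, `mem`, `maxmem`, in bytes) and `GET /nodes/{node}/storage` (`storage`, `used`, `total`), flags stopped containers and any metric at or above its limit, and returns findings as data so they can be fed to whatever sends the Telegram alert. The 85% disk limit and the sample data are constructed; the storage sample is sized so that it reproduces the page's 86.6% figure.

```python
"""Threshold checks over the Proxmox API's container list and node storage list.

Added example, not the monitoring agent's code. It consumes the objects returned by
GET /nodes/{node}/lxc and GET /nodes/{node}/storage (sizes in bytes). The thresholds
and all sample data are constructed for the example.
"""
from typing import Dict, List

THRESHOLDS = {"disk": 0.85, "mem": 0.90}  # fraction of capacity (assumed values)


def ratio(used: float, total: float) -> float:
    """Usage fraction; a zero or missing capacity yields 0 rather than an exception."""
    return used / total if total else 0.0


def container_findings(lxc: List[dict], thresholds: Dict[str, float] = THRESHOLDS) -> List[dict]:
    """Flag containers that are not running and any metric at or above its threshold."""
    findings = []
    for ct in lxc:
        if ct.get("status") != "running":
            findings.append({"ct": ct["vmid"], "name": ct.get("name"), "metric": "status",
                             "value": ct.get("status"), "limit": "running"})
            continue  # resource figures for a stopped container are meaningless
        for metric, limit in thresholds.items():
            r = ratio(ct.get(metric, 0), ct.get(f"max{metric}", 0))
            if r >= limit:
                findings.append({"ct": ct["vmid"], "name": ct.get("name"), "metric": metric,
                                 "value": round(r, 3), "limit": limit})
    return findings


def storage_findings(storages: List[dict], limit: float = THRESHOLDS["disk"]) -> List[dict]:
    """Flag node storage pools at or above the disk threshold."""
    findings = []
    for s in storages:
        r = ratio(s.get("used", 0), s.get("total", 0))
        if r >= limit:
            findings.append({"storage": s["storage"], "metric": "used",
                             "value": round(r, 3), "limit": limit})
    return findings


GiB = 1024 ** 3

# Constructed sample responses (three containers, two storage pools).
SAMPLE_LXC = [
    {"vmid": 116, "name": "n8n", "status": "running",
     "disk": 6 * GiB, "maxdisk": 8 * GiB, "mem": 512 * 1024 ** 2, "maxmem": 1 * GiB},
    {"vmid": 120, "name": "docker", "status": "running",
     "disk": 28 * GiB, "maxdisk": 32 * GiB, "mem": 3 * GiB, "maxmem": 4 * GiB},
    {"vmid": 200, "name": "osint", "status": "stopped",
     "disk": 0, "maxdisk": 16 * GiB, "mem": 0, "maxmem": 2 * GiB},
]
SAMPLE_STORAGE = [
    {"storage": "local-lvm", "type": "lvmthin", "used": 9526 * GiB // 100, "total": 110 * GiB},
    {"storage": "tank-storage", "type": "zfspool", "used": 400 * GiB, "total": 922 * GiB},
]

if __name__ == "__main__":
    for f in container_findings(SAMPLE_LXC) + storage_findings(SAMPLE_STORAGE):
        print(f)
```

Returning structured findings rather than formatted text keeps the threshold logic testable on its own and lets the LLM analysis step and the alert sender consume the same record; a stopped container is reported as a finding rather than silently skipped because an unexpectedly stopped service is itself the event worth noticing.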
Key Engineering Lessons
Redundancy at every layer matters. The Cloudflare outage in November 2025 cut off access to everything relying on the tunnel. The Reticulum/I2P backup path was built the following week.
Container IDs as IPs eliminates cognitive load. Remembering that n8n is at 192.168.0.116 because it’s CT116 is far easier than maintaining a separate DNS mapping or having to look up IP addresses.
LXC over VMs for service hosting. The overhead of running a full VM kernel for a single service that needs 256MB RAM is wasteful. LXC containers share the host kernel and boot in seconds.
ZFS is worth the RAM overhead. The copy-on-write integrity checking has caught silent disk errors that would have caused data loss on a traditional filesystem.
Running continuously since 2022. Total infrastructure cost: repurposed workstation hardware. Monthly running cost: standard home electricity.