# homelab

  • hypervisor: Proxmox VE
  • gateway: OPNsense
  • services: 20+
  • storage: 4 × 2TB NVMe
  • ingress: Cloudflare Tunnel
  • deploy: git push → Komodo

## architecture

Single Proxmox node running OPNsense as the internal gateway. All public traffic enters via Cloudflare Tunnel — no open ports on the router. Services are split across dedicated LXCs and VMs on an isolated 192.168.50.x bridge, fronted by Caddy with Authelia 2FA.

[Figure: Homelab architecture diagram — network topology showing Cloudflare Tunnel ingress, OPNsense gateway, and internal services on vmbr1]

This diagram is auto-generated from the homelab repo. Changes to services or network config trigger a rebuild.

## traffic flow

Internet → Cloudflare Edge → Tunnel (QUIC) → cloudflared on OPNsense → Caddy (192.168.50.2:443) → [Authelia forward_auth] → backend service

Private access (IMAP, Proxmox admin) uses WireGuard VPN direct to internal IPs.

## stack

  • Reverse proxy: Caddy with automatic Let's Encrypt (DNS-01 via Cloudflare)
  • Auth: Authelia SSO with 2FA — most services behind forward_auth
  • Git: Forgejo (self-hosted) with Actions runners on Linux + macOS (M4 Mac mini)
  • Secrets: Infisical (canonical source) + Vaultwarden (personal passwords)
  • Orchestration: Komodo — git push triggers webhook deploy in ~15s
  • Monitoring: Prometheus + Grafana + cAdvisor + pve-exporter + node_exporter everywhere
  • Mail: Stalwart (SMTP/IMAP/JMAP) — outbound via Resend relay, inbound via Cloudflare Email Routing
  • DNS: OPNsense Unbound — split-horizon for internal *.gregsplace.cc resolution
  • VPN: WireGuard on OPNsense (UDP 51820 forwarded by UDM Pro)
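The Caddy stage of the traffic flow above (wildcard cert via Cloudflare DNS-01, Authelia forward_auth in front of a service, the Authelia portal itself left unprotected so the login redirect does not loop), as an added example rather than the homelab repo's own Caddyfile. The hostnames auth.gregsplace.cc and grafana.gregsplace.cc, the internal addresses 192.168.50.7:9091 (Authelia) and 192.168.50.5:3000 (Grafana), and the CLOUDFLARE_API_TOKEN variable are assumptions; the Authelia endpoint is the ForwardAuth authz path used by current Authelia (older releases use /api/verify).

```caddyfile
# Added example, not the repo's Caddyfile. Assumed names/addresses:
#   auth.gregsplace.cc    -> 192.168.50.7:9091 (Authelia portal)
#   grafana.gregsplace.cc -> 192.168.50.5:3000 (a protected service)
# Requires a Caddy build that includes the caddy-dns/cloudflare module.

# One wildcard certificate for *.gregsplace.cc via the DNS-01 challenge,
# so no HTTP-01 port has to be reachable from the Internet (matches the
# "no open ports" design: everything arrives through the tunnel).
*.gregsplace.cc {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# The Authelia portal must NOT sit behind forward_auth, otherwise an
	# unauthenticated user is redirected to a page that redirects again.
	@auth host auth.gregsplace.cc
	handle @auth {
		reverse_proxy 192.168.50.7:9091
	}

	# Protected service: every request is first sent to Authelia. A 2xx
	# reply lets it through and copies the identity headers onto the
	# upstream request; anything else (e.g. a 302 to the portal) is
	# returned to the client as-is, so the backend never sees it.
	@grafana host grafana.gregsplace.cc
	handle @grafana {
		forward_auth 192.168.50.7:9091 {
			uri /api/authz/forward-auth
			copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
		}
		reverse_proxy 192.168.50.5:3000
	}

	# Any other *.gregsplace.cc name is rejected instead of falling
	# through to some backend by accident.
	handle {
		respond 404
	}
}
```

For this to work the Authelia session cookie domain must cover gregsplace.cc as a whole, and the backend should only trust the Remote-* headers when they arrive from the Caddy host, since anyone who can reach 192.168.50.5:3000 directly could set them.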

## hosts

  • caddy-proxy (LXC 104) — reverse proxy, TLS termination
  • authelia (LXC 107) — SSO / 2FA middleware
  • stalwart (LXC 108) — mail server
  • forgejo (LXC 109) — git platform
  • secrets-lxc (LXC 111) — Vaultwarden + Infisical
  • docker-vm (VM 105) — Homer, Komodo, Prometheus, Grafana
  • forgejo-runner (VM 112) — CI runner (Docker-based)
  • metricaid-dev (LXC 110) — MetricAid dev environment
  • mastaging-app / pg (VMs 113/114) — MetricAid staging + PostgreSQL
  • android-emu (VM 115) — Android emulator + ws-scrcpy for mobile testing
  • tacticalrmm (VM 116) — remote management / MDM
  • nextcloud (LXC) — file sync
  • m4-macmini (physical) — macOS CI runner + Bitcoin Core node