A production-grade, zero-trust homelab: three servers running a segmented network, a Kubernetes cluster, ZFS storage, and a full security + observability stack — built and operated the way a small production environment would be, with infrastructure-as-code, GitOps deployment, encrypted secrets, and SIEM-backed monitoring.
This repo is the architecture overview. Individual subsystems have their own deep-dive repos (see Companion repos).
Sanitized overview — addressing, hostnames, and domains are intentionally omitted. This describes the design, not deployment specifics.
- Zero-trust & segmentation — no implicit trust by network location; traffic between segments is firewalled and default-deny. Identity-aware access to infrastructure rather than flat SSH.
- Least privilege & credential isolation — secrets live in a vault and are injected at runtime; nothing sensitive in git.
- Infrastructure as code / GitOps — cluster workloads are declarative and pull-deployed from a git source of truth; the repo is the desired state.
- Defense in depth — perimeter firewall + IDS + host hardening + SIEM, each independent, mapped to recognized frameworks (NIST CSF, CIS).
- Observability first — metrics, logs, and alerting on every tier, so the environment is debuggable and changes are visible.
| Server | Spec | Role |
|---|---|---|
| A | Ryzen 9 (12c), 128 GB RAM, GPU | Hypervisor — k3s control plane + GPU worker (transcode / ML) |
| B | Dual EPYC, 256 GB ECC, 7 × 20 TB HDD | Primary storage — ZFS / NAS |
| C | Ryzen 9 (12c), 128 GB RAM | Hypervisor — k3s workers + HA firewall node |
A 10 GbE backbone (aggregation switch + Intel X710 NICs) connects the storage and compute tiers.
Internet
│
┌──────▼───────┐ HA pair (CARP/VIP)
│ OPNsense FW │◄────────────────────┐
└──────┬────────┘ │
│ 10 GbE trunk │
┌──────▼───────────────────────────┐ │
│ Managed L3 switching │ │
│ VLAN-segmented, default-deny │──┘
└──┬────┬────┬────┬────┬────┬────────┘
│ │ │ │ │ │
mgmt srv k8s iot guest sync ...
- Multiple VLANs segment management, servers, container workloads, IoT, guest, and a dedicated storage-sync network — each with explicit inter-VLAN firewall policy.
- HA firewall — OPNsense in a high-availability pair so a single node loss doesn't drop the perimeter.
- DNS / ad-blocking with redundant resolvers; internal name resolution for cluster and self-hosted services.
- Proxmox on the two hypervisor hosts; VMs and containers for infrastructure services (firewall nodes, automation, monitoring, DNS).
- k3s Kubernetes cluster — multi-node control plane + workers, including a GPU worker. Workloads are deployed GitOps-style (pull-based from a git source of truth).
- Ingress + TLS via a reverse proxy with automated certificate issuance (ACME / internal PKI).
- ZFS on the storage tier: a RAIDZ2 pool for critical data and a RAIDZ1 pool for bulk/non-critical, with snapshots and scrubs.
- Exported as NFS (Kubernetes persistent storage) and SMB (media / file shares).
- Longhorn distributed block storage inside the cluster for replicated app volumes; latency-sensitive workloads pinned to local disk.
- Layered backups (snapshots → local → off-site object storage).
- Perimeter: OPNsense HA firewall, segmented VLANs, default-deny policy.
- Detection: network IDS (Suricata) + host-based SIEM (Wazuh) with file integrity monitoring, log analysis, and CVE correlation.
- Hardening: CIS/STIG-aligned host configuration, validated as code (private demo, available on request).
- Secrets & PKI: a secrets vault with auto-unseal, SOPS/age-encrypted manifests, and certificate management.
- Access: identity-aware access to infrastructure rather than shared keys; root SSH disabled; access attempts surfaced to the SIEM.
A dedicated monitoring stack — Prometheus (metrics), Loki (logs), Grafana (dashboards), and Alertmanager routing alerts to chat — covers the firewall, hypervisors, cluster, storage, and self-hosted apps. Alert rules are treated as durable operational knowledge, paired with runbooks.
- GitOps pipelines deploy cluster manifests on push.
- n8n workflows for event-driven automation and scheduled jobs (including an
AI-assisted daily security digest — see
francis). - A CVE-to-patch reconciler that distinguishes stale scanner alerts from real
exposures (see
cve-patch-watch).
Matter-first design with a Thread mesh (border-router hubs), integrated into a self-hosted home-automation controller running on the cluster — kept on its own network segment.
Deep dives into individual subsystems of this homelab:
francis— self-verifying AI security digest (n8n + Claude, two-stage grounded synthesis over SIEM data).cve-patch-watch— reconciles SIEM CVE findings against the distro CVE database; pages only when a patch actually becomes available.- Policy-as-Code (private demo, available on request) — OPA/Rego + InSpec compliance scanning mapped to NIST CSF 2.0 / CIS Controls v8.
Proxmox · k3s / Kubernetes · OPNsense · ZFS / TrueNAS · Longhorn · HashiCorp Vault · SOPS/age · Suricata · Wazuh · Prometheus · Loki · Grafana · Alertmanager · Traefik · cert-manager · n8n · Matter / Thread.