Skip to content

CodisTech/homelab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Homelab

A production-grade, zero-trust homelab: three servers running a segmented network, a Kubernetes cluster, ZFS storage, and a full security + observability stack — built and operated the way a small production environment would be, with infrastructure-as-code, GitOps deployment, encrypted secrets, and SIEM-backed monitoring.

This repo is the architecture overview. Individual subsystems have their own deep-dive repos (see Companion repos).

Sanitized overview — addressing, hostnames, and domains are intentionally omitted. This describes the design, not deployment specifics.

Design principles

  • Zero-trust & segmentation — no implicit trust by network location; traffic between segments is firewalled and default-deny. Identity-aware access to infrastructure rather than flat SSH.
  • Least privilege & credential isolation — secrets live in a vault and are injected at runtime; nothing sensitive in git.
  • Infrastructure as code / GitOps — cluster workloads are declarative and pull-deployed from a git source of truth; the repo is the desired state.
  • Defense in depth — perimeter firewall + IDS + host hardening + SIEM, each independent, mapped to recognized frameworks (NIST CSF, CIS).
  • Observability first — metrics, logs, and alerting on every tier, so the environment is debuggable and changes are visible.

Hardware tiers

Server Spec Role
A Ryzen 9 (12c), 128 GB RAM, GPU Hypervisor — k3s control plane + GPU worker (transcode / ML)
B Dual EPYC, 256 GB ECC, 7 × 20 TB HDD Primary storage — ZFS / NAS
C Ryzen 9 (12c), 128 GB RAM Hypervisor — k3s workers + HA firewall node

A 10 GbE backbone (aggregation switch + Intel X710 NICs) connects the storage and compute tiers.

Network

            Internet
               │
        ┌──────▼───────┐   HA pair (CARP/VIP)
        │  OPNsense FW  │◄────────────────────┐
        └──────┬────────┘                     │
               │ 10 GbE trunk                  │
        ┌──────▼───────────────────────────┐  │
        │      Managed L3 switching          │  │
        │  VLAN-segmented, default-deny      │──┘
        └──┬────┬────┬────┬────┬────┬────────┘
           │    │    │    │    │    │
         mgmt  srv  k8s  iot  guest sync ...
  • Multiple VLANs segment management, servers, container workloads, IoT, guest, and a dedicated storage-sync network — each with explicit inter-VLAN firewall policy.
  • HA firewall — OPNsense in a high-availability pair so a single node loss doesn't drop the perimeter.
  • DNS / ad-blocking with redundant resolvers; internal name resolution for cluster and self-hosted services.

Compute & orchestration

  • Proxmox on the two hypervisor hosts; VMs and containers for infrastructure services (firewall nodes, automation, monitoring, DNS).
  • k3s Kubernetes cluster — multi-node control plane + workers, including a GPU worker. Workloads are deployed GitOps-style (pull-based from a git source of truth).
  • Ingress + TLS via a reverse proxy with automated certificate issuance (ACME / internal PKI).

Storage

  • ZFS on the storage tier: a RAIDZ2 pool for critical data and a RAIDZ1 pool for bulk/non-critical, with snapshots and scrubs.
  • Exported as NFS (Kubernetes persistent storage) and SMB (media / file shares).
  • Longhorn distributed block storage inside the cluster for replicated app volumes; latency-sensitive workloads pinned to local disk.
  • Layered backups (snapshots → local → off-site object storage).

Security

  • Perimeter: OPNsense HA firewall, segmented VLANs, default-deny policy.
  • Detection: network IDS (Suricata) + host-based SIEM (Wazuh) with file integrity monitoring, log analysis, and CVE correlation.
  • Hardening: CIS/STIG-aligned host configuration, validated as code (private demo, available on request).
  • Secrets & PKI: a secrets vault with auto-unseal, SOPS/age-encrypted manifests, and certificate management.
  • Access: identity-aware access to infrastructure rather than shared keys; root SSH disabled; access attempts surfaced to the SIEM.

Observability

A dedicated monitoring stack — Prometheus (metrics), Loki (logs), Grafana (dashboards), and Alertmanager routing alerts to chat — covers the firewall, hypervisors, cluster, storage, and self-hosted apps. Alert rules are treated as durable operational knowledge, paired with runbooks.

Automation

  • GitOps pipelines deploy cluster manifests on push.
  • n8n workflows for event-driven automation and scheduled jobs (including an AI-assisted daily security digest — see francis).
  • A CVE-to-patch reconciler that distinguishes stale scanner alerts from real exposures (see cve-patch-watch).

Smart home

Matter-first design with a Thread mesh (border-router hubs), integrated into a self-hosted home-automation controller running on the cluster — kept on its own network segment.

Companion repos

Deep dives into individual subsystems of this homelab:

  • francis — self-verifying AI security digest (n8n + Claude, two-stage grounded synthesis over SIEM data).
  • cve-patch-watch — reconciles SIEM CVE findings against the distro CVE database; pages only when a patch actually becomes available.
  • Policy-as-Code (private demo, available on request) — OPA/Rego + InSpec compliance scanning mapped to NIST CSF 2.0 / CIS Controls v8.

Stack

Proxmox · k3s / Kubernetes · OPNsense · ZFS / TrueNAS · Longhorn · HashiCorp Vault · SOPS/age · Suricata · Wazuh · Prometheus · Loki · Grafana · Alertmanager · Traefik · cert-manager · n8n · Matter / Thread.

About

Production-grade zero-trust homelab — architecture overview (k3s, OPNsense HA, ZFS, Wazuh SIEM, GitOps, Vault).

Resources

Stars

0 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors