Production Homelab Infrastructure

Project Overview

Built a production-grade homelab infrastructure using Proxmox VE hypervisor with consolidated Docker services, TrueNAS cloud storage, and comprehensive monitoring. The system provides a robust foundation for personal and family use while serving as a learning platform for enterprise technologies.

Homelab Infrastructure Specifications

This project runs on my dedicated homelab setup:

• CPU: Intel i9-9900K (8 cores, 16 threads) with Intel QuickSync
• RAM: 32GB DDR4 (non-ECC requiring enhanced monitoring practices)
• Storage: 2x Seagate IronWolf 12TB drives in mirror configuration
• OS: Proxmox VE with Debian LXC containers and TrueNAS VM

Architecture Design

Infrastructure Components

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# Core Services Docker Compose Stack
version: '3.8'
services:
  nginx-proxy-manager:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    restart: always
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - /root/nginx/data:/data
      - /root/nginx/letsencrypt:/etc/letsencrypt

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    networks:
      wireguard-pihole:
        ipv4_address: 172.20.0.3
    ports:
      - 53:53/udp
      - 53:53/tcp
      - 4443:443/tcp
      - 8080:80/tcp
    environment:
      - TZ=Canada/Vancouver
      - FTLCONF_RATE_LIMIT=20000/60

The infrastructure includes:

• Proxmox VE Hypervisor: Primary virtualization platform with LXC containers and VMs
• TrueNAS VM: Dedicated storage management with SMB/NFS shares and RAM caching
• Docker LXC Container: Consolidated service deployment on Debian with Portainer
• Network Security: WireGuard VPN with Pi-hole DNS filtering and SSL termination

Service Integration Pipeline

Implemented layered service architecture for security and functionality:

1. Network Layer: WireGuard VPN providing secure remote access with Pi-hole DNS filtering
2. Reverse Proxy: NGINX Proxy Manager with LetsEncrypt SSL certificates and custom domains
3. Storage Layer: TrueNAS VM with SMB shares integrated into Nextcloud container
4. Application Layer: Dockerized services including Nextcloud, Jellyfin, and monitoring stack

Technical Implementation

Nextcloud Cloud Storage Stack

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

services:
  db:
    image: mariadb:10.6
    container_name: mariadb
    restart: unless-stopped
    command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
    volumes:
      - /root/mariadb/db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  app:
    image: nextcloud:30.0.0
    container_name: nextcloud
    restart: unless-stopped
    ports:
      - 8181:80  # Custom port to avoid Pi-hole conflict
    volumes:
      - /root/nextcloud/html:/var/www/html
      - /mnt/center:/data
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - PHP_MEMORY_LIMIT=21G
      - PHP_UPLOAD_MAX_FILESIZE=20G

Monitoring and Media Services

Deployed comprehensive monitoring stack with Prometheus and Grafana alongside Jellyfin media server for family use. All services utilize the centralized TrueNAS storage through SMB mounts, providing unified data management across the entire infrastructure.

Challenges & Solutions

Challenge 1: Storage Permissions and GPU Passthrough

Problem: Proxmox root permissions blocking /mnt/center access on unprivileged LXC container, preventing proper SMB integration

Solution: Researched Proxmox forums and StackOverflow to implement matching /mnt/center structure across datacenter node and container with proper mount point configurations. This enabled full read/write/execute access to 12TB storage array.

Challenge 2: DNS Security Incident

Problem: Misconfigured Pi-hole with open port from old game server caused massive DNS leak, resulting in 2 days of brute force attacks and network slowdown

Solution: Implemented proper DHCP configuration, closed vulnerable ports, and established rate limiting (FTLCONF_RATE_LIMIT=20000/60). Enhanced operational security practices and regular port scanning.

Results & Impact

Performance Improvements

• Service Uptime: Achieved 99%+ uptime across all services with automated machine restarts for RAM data protection at 12am
• Storage Efficiency: 12TB mirrored storage with automated Proxmox backup system alongside preservation of important files on main computer
• Network Security: Zero successful breaches since implementing proper DNS and VPN configuration, more stringent log review habits

Family and Personal Impact

• Data Independence: Successfully migrated family from Google Drive/OneDrive to self-hosted Nextcloud, alongside my own document platform on web
• Media Access: Jellyfin providing centralized access to books, courses, and media content
• Remote Administration: Secure access to homelab services from anywhere via WireGuard VPN

Lessons Learned

1. ECC RAM Importance: Non-ECC RAM requires enhanced monitoring, regular restarts, and comprehensive backup strategies for data integrity
2. Security First: Proper network configuration essential, misconfigured services can expose entire infrastructure to attacks
3. Storage Path Planning: Container volume mapping requires careful planning to avoid permission conflicts in virtualized environments
4. Service Consolidation: LXC container approach provides better resource utilization than individual VMs for lightweight services

Future Enhancements

• ECC Storage Server: Dedicated storage system with ECC RAM to eliminate data corruption concerns, and to separate storage from services with an EPS
• Hardware Upgrade: Consider migrating compute workloads to 7950X3D system (16C/32T, 64GB RAM) for better resource utilization
• Service Mesh: Implement Traefik or Istio for more advanced service discovery and load balancing
• Monitoring Expansion: Add custom alerting and automated remediation for common infrastructure issues beyond n8n which has API costs