My Homelab

A self-hosted infrastructure built around privacy, control, and curiosity — every service accessible over a private VPN mesh, secured with automatic HTTPS, and reachable through custom domains without exposing a single port to the public internet.

The System at a Glance

VPS / Proxy

Edge entry point — routes traffic into the private network

  • Traefik
  • Homepage

App Server

Runs the day-to-day application workloads

  • n8n
  • Portainer
  • OpenWebUI

Virtualization Host

Provides compute isolation and persistent storage

  • Proxmox
  • Synology NAS

Traffic flows through the VPS where Traefik terminates TLS and routes requests over the Tailscale mesh to the appropriate backend — whether that's an automation workflow on the app server, a virtual machine on Proxmox, or a file share on the Synology NAS.

Private by Design

Split-Horizon DNS

A single wildcard A record points every subdomain at the VPS, so bringing up a new service means adding a Docker label or a Traefik file-provider rule: no DNS change, no port forward, no manual certificate step. The record itself grants nothing; Traefik listens only on the VPS's tailnet side, so an answer from public DNS is useless to anyone outside the mesh.

Tailscale VPN

Every node joins a zero-config WireGuard mesh. Services are reachable only from inside the tailnet, so no application port is exposed to the public internet. Devices authenticate through the identity provider (SSO), WireGuard session keys rotate automatically, and node keys expire on a schedule, so a device has to re-authenticate to stay on the mesh.

TLS via DNS-01

Traefik obtains and renews Let's Encrypt certificates with DNS-01 challenges through the Cloudflare API, proving control of the zone by publishing a TXT record instead of answering an HTTP request. HTTPS therefore works everywhere, private-only names included, without opening port 80 or 443 to the internet. Two caveats come with it: the API token should be scoped to DNS edits on that one zone, since a token that can edit DNS can redirect the whole domain, and every issued certificate lands in public Certificate Transparency logs, so a per-hostname certificate publishes that hostname; a single wildcard certificate avoids that.

Ubiquiti Networking Equipment

UniFi hardware manages the on-prem network: segmented LAN and Wi-Fi, VLAN-aware routing, PoE switching, and gateway firewall policies that keep trusted services isolated from guest and IoT traffic.

The Services

Traefik

Reverse proxy backbone

The single entry point for every HTTP request. Traefik discovers services automatically through Docker labels and file-provider rules, provisions TLS certificates via DNS-01, and routes traffic across the tailnet. Adding a new service is a matter of a few labels or one small rule file. Because discovery reads the Docker socket, which is root-equivalent on the host, the socket is worth mounting read-only, with exposedByDefault off so that only explicitly labelled containers are published.
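The wildcard record, the DNS-01 resolver and label-based discovery described above fit in one Traefik deployment. What follows is an added example written for this page, not the configuration this homelab actually runs: the domain `example.com`, the tailnet addresses `100.64.0.10` (VPS) and `100.64.0.20` (app server), the public record `*.example.com A 100.64.0.10`, the e-mail address, the `CF_DNS_API_TOKEN` variable, and the Homepage (3000) and n8n (5678) ports are all assumptions or placeholders.

```yaml
# docker-compose.yml on the VPS (added example; every address is a placeholder).
# Assumes public DNS carries  *.example.com  A  100.64.0.10  (the VPS's Tailscale
# address), so a resolvable name only ever leads somewhere inside the tailnet.
services:
  traefik:
    image: traefik:v3.1
    restart: unless-stopped
    ports:
      # Bind to the tailnet address only: nothing listens on the public interface.
      - "100.64.0.10:443:443"
    environment:
      # Cloudflare API token scoped to Zone > DNS > Edit on example.com only.
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false      # opt in per container
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
      - --entrypoints.websecure.address=:443
      # One wildcard certificate for the zone, applied to every router on this
      # entrypoint: no port 80 needed, and service names stay out of CT logs.
      - --entrypoints.websecure.http.tls.certresolver=cloudflare
      - --entrypoints.websecure.http.tls.domains[0].main=example.com
      - --entrypoints.websecure.http.tls.domains[0].sans=*.example.com
      - --certificatesresolvers.cloudflare.acme.email=admin@example.com
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      # Check the TXT record against a public resolver, not a local cache.
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53
    volumes:
      # Read-only socket: discovery needs to list containers, nothing more.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
      - ./dynamic:/etc/traefik/dynamic:ro

  # A service on the same host, published through labels (TLS comes from the
  # entrypoint default above, so no per-router certificate settings are needed).
  homepage:
    image: ghcr.io/gethomepage/homepage:latest
    restart: unless-stopped
    environment:
      - HOMEPAGE_ALLOWED_HOSTS=home.example.com
    labels:
      - traefik.enable=true
      - traefik.http.routers.homepage.rule=Host(`home.example.com`)
      - traefik.http.routers.homepage.entrypoints=websecure
      - traefik.http.services.homepage.loadbalancer.server.port=3000

---
# dynamic/n8n.yml: a file-provider rule for a backend on another tailnet node
# (the app server). Traefik reaches it over the WireGuard tunnel, so the
# backend itself never needs a public listener either.
http:
  routers:
    n8n:
      rule: Host(`n8n.example.com`)
      entryPoints: [websecure]
      service: n8n
  services:
    n8n:
      loadBalancer:
        servers:
          - url: http://100.64.0.20:5678
```

The two properties worth re-checking after any change are that the `ports:` binding still names the tailnet address rather than `0.0.0.0`, and that the token in `CF_DNS_API_TOKEN` can edit only this zone: the first is what keeps the public interface silent, the second bounds the damage if the VPS is ever compromised.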

Proxmox

Virtualization platform

Runs VMs and LXC containers. VMs get hardware-assisted (KVM) isolation; LXC containers share the host kernel and isolate through namespaces and cgroups, so anything untrusted belongs in a VM. Each workload gets its own resource envelope, making it safe to experiment without risking production services.

n8n

Workflow automation

Connects services into automated pipelines — webhook triggers, API calls, data transforms — all defined visually and version-controlled.

Portainer

Container management

A visual management layer for Docker across multiple hosts. Deploy, monitor, and update containers without SSH sessions.

OpenWebUI

Self-hosted AI interface

A private chat interface for running local and remote LLMs. Conversation history stays on-premises and model access is fully controlled; prompts sent to a remote model still leave the network, so only the local models keep the content itself private.

Homepage

Centralized dashboard

A single pane of glass for every running service. Integrates with Docker APIs and service health checks to show real-time status across the entire homelab. Since that means access to the Docker socket, a read-only socket proxy in front of it limits what the dashboard can do if it is ever compromised.

Synology

Network-attached storage

The data sovereignty layer: file shares, backups, and media all live here on hardware I own. RAID provides redundancy against disk failure, not against deletion or ransomware, so backups still need a copy the NAS itself cannot overwrite; Tailscale makes it all accessible from anywhere.

How It All Connects

From any trusted device, a service is reached through a clean custom subdomain. The request resolves through wildcard DNS to the VPS, but access is restricted to devices on the private Tailscale mesh. That keeps the public surface area minimal while still making the environment easy to use from anywhere.

Traefik runs at the edge and handles routing based on the requested hostname. Depending on the service, traffic is forwarded across the WireGuard tunnel to a Docker container, virtual machine, or storage-backed workload inside the homelab. Certificates are issued automatically through DNS-01 challenges, so HTTPS stays valid without exposing web ports or managing renewals by hand.

The end result is an infrastructure pattern that makes new services repeatable: define the workload, attach the right routing rule, and let DNS, TLS, access control, and private networking do the rest. Every service can have a memorable URL, valid HTTPS, and controlled access without turning routine infrastructure work into a manual checklist.
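The design above rests on two checkable properties: every published name resolves only to a tailnet address, and the VPS's public address answers on neither 80 nor 443. The following script, an added example rather than any tooling from this homelab, verifies both; the hostnames `home.example.com` and `n8n.example.com` and the public address `203.0.113.10` are placeholders, and the address ranges are Tailscale's documented IPv4 CGNAT block and IPv6 ULA prefix.

```python
"""Exposure check for a tailnet-only reverse proxy (added example, not the
page's own tooling). Verifies two properties of the design:

  1. every published hostname resolves only to Tailscale addresses
     (IPv4 CGNAT 100.64.0.0/10 or the Tailscale IPv6 ULA fd7a:115c:a1e0::/48);
  2. the VPS's public address refuses TCP 80 and 443.

The hostnames and public address in the usage stub are placeholders."""
import ipaddress
import socket
import sys

TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")


def is_tailnet_addr(addr: str) -> bool:
    """True if addr lies in one of Tailscale's address ranges."""
    ip = ipaddress.ip_address(addr)
    return ip in TAILNET_V4 or ip in TAILNET_V6


def resolve(name: str) -> list[str]:
    """All A/AAAA answers for name, deduplicated, order preserved."""
    seen: list[str] = []
    for *_, sockaddr in socket.getaddrinfo(name, None):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def audit(records: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each name to the answers that fall OUTSIDE the tailnet.

    An empty list means the name only leads into the mesh; any entry is a
    leak, e.g. a record that still points at the VPS's public address."""
    return {name: [a for a in addrs if not is_tailnet_addr(a)]
            for name, addrs in records.items()}


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect probe; refused, filtered and unreachable all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run(names: list[str], public_ip: str) -> int:
    """Resolve every name, audit the answers and probe the public address.
    Returns 0 when nothing is exposed, 1 otherwise."""
    ok = True
    for name, outside in audit({n: resolve(n) for n in names}).items():
        if outside:
            ok = False
            print(f"LEAK  {name} -> {', '.join(outside)} (not a tailnet address)")
        else:
            print(f"ok    {name}")
    for port in (80, 443):
        if port_open(public_ip, port):
            ok = False
            print(f"LEAK  {public_ip}:{port} accepts connections")
        else:
            print(f"ok    {public_ip}:{port} closed")
    return 0 if ok else 1


if __name__ == "__main__":
    # usage: exposure_check.py <public-ip> <name> [name ...]  (placeholders below)
    public = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    hosts = sys.argv[2:] or ["home.example.com", "n8n.example.com"]
    sys.exit(run(hosts, public))
```

Run it from a machine that is not on the tailnet as well as from one that is: the DNS half should pass from both, and the port probe is only meaningful from the outside, where the VPS's public address is the only path to it.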