Homelab

68 services · 3 hosts · 1 person · Paraguay 🇵🇾

A self-hosted infrastructure running Docker, Ansible, and OPNsense across a Docker VM, NAS, and VPS — connected by a Tailscale mesh over cronova.dev. Every service is named in Guarani, the indigenous language of Paraguay.

```mermaid
graph TB
    subgraph VPS["VPS (Vultr)"]
        hs[Headscale]
        vps_caddy[Caddy]
        vps_mon[Uptime Kuma / ntfy]
    end

    subgraph Proxmox["Proxmox (oga)"]
        opnsense[OPNsense]
        subgraph DockerVM["Docker VM — 36 containers"]
            caddy[Caddy] --- pihole[Pi-hole]
            ha[Home Assistant] --- frigate[Frigate]
            media["Jellyfin / *arr"] --- monitoring[VictoriaMetrics / Grafana]
            vault[Vaultwarden] --- paperless[Paperless-ngx]
            immich[Immich] --- authelia[Authelia]
        end
    end

    subgraph NAS["NAS — 19 containers"]
        forgejo[Forgejo] --- restic[Restic REST]
        samba[Samba] --- coolify[Coolify]
    end

    VPS <-.->|Tailscale| DockerVM
    VPS <-.->|Tailscale| NAS
    DockerVM -->|NFS + Backup| NAS

    style VPS fill:#161b22,stroke:#00d4aa,color:#c9d1d9
    style Proxmox fill:#161b22,stroke:#58a6ff,color:#c9d1d9
    style DockerVM fill:#0d1117,stroke:#58a6ff,color:#c9d1d9
    style NAS fill:#161b22,stroke:#00d4aa,color:#c9d1d9
```

What's Here

📝 Blog — Incident deep dives, backup war stories, and lessons from running production infra as a solo operator.

📐 Architecture — What runs where. 68 services, network topology, hardware specs.

📖 Guides — How to deploy it. Proxmox, OPNsense, NAS, Caddy, backups.

🛡️ Strategy — Why it's built this way. DNS, security hardening, disaster recovery, monitoring.

📋 Plans — What's next. RPi 5 + OpenClaw, CrowdSec, VPN for torrents.

🔥 Incidents — What broke and how I fixed it. ISP outages, NAT failures, power outages.

Highlights

  • Container hardening — cap_drop: ALL + selective cap_add on every single container
  • Backup hardening — per-service Restic repos, encrypted offsite via rclone crypt, weekly integrity checks, and a log-mtime healthcheck that catches hung busybox crond (the real-world 6-week silent failure mode caught on 2026-04-23)
  • 4 incident reports with real timelines, root cause analysis, and cascading failure diagrams
  • WAN watchdog — auto-recovers OPNsense after ISP outages, including silent NAT failures
  • Recursive DNS — AdGuard + Unbound on VPS, Pi-hole on Docker VM. Zero third-party DNS visibility
  • Forgejo Actions CI — lint + build gates PR merges. Can't merge broken code to main
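The log-mtime healthcheck mentioned above, written out as an added example (POSIX sh, not the repo's own script): it marks the backup container unhealthy when the job log has not been touched within a window, which is exactly how a hung busybox crond looks from the outside. The log path, the 26-hour window and the script name are assumptions.

```shell
#!/bin/sh
# Added example: container HEALTHCHECK for a Restic backup sidecar.
# A hung busybox crond keeps its process alive, so a process check passes;
# the only observable symptom is that the backup log stops being written.

# log_fresh <logfile> <max_age_seconds> [now_epoch]
# Returns 0 if the log was modified within max_age, 1 otherwise.
# now_epoch is an optional override used for testing.
log_fresh() {
    log="$1"; max_age="$2"; now="${3:-$(date +%s)}"
    # No log at all means no job has ever completed: treat as unhealthy.
    [ -f "$log" ] || { echo "missing log: $log" >&2; return 1; }
    # GNU/busybox stat use -c %Y; BSD stat uses -f %m.
    mtime=$(stat -c %Y "$log" 2>/dev/null || stat -f %m "$log" 2>/dev/null) \
        || return 1
    age=$((now - mtime))
    if [ "$age" -gt "$max_age" ]; then
        echo "backup log stale: last write ${age}s ago (limit ${max_age}s)" >&2
        return 1
    fi
    return 0
}

# Entry point for Docker: assumed paths and window (a daily job plus 2h slack).
healthcheck() {
    log_fresh "${BACKUP_LOG:-/var/log/restic/backup.log}" "${MAX_AGE:-93600}"
}

# Only run when installed and executed as /healthcheck.sh; sourcing the
# file (or running it under another name) just defines the functions.
case "${0##*/}" in
    healthcheck.sh) healthcheck; exit $? ;;
esac
```

Wire it in with `healthcheck: test: ["CMD", "/healthcheck.sh"]` and an interval of an hour or so in the compose file, and let Uptime Kuma alert on the container's health status rather than on the process being present.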

About

This is a personal infrastructure repo, not a deployable template. Feel free to browse, borrow ideas, and adapt patterns to your own setup.

Built by Augusto Hermosilla from Asunción, Paraguay. Code is public at github.com/ajhermosilla/homelab.