The Stack

Bare-metal hypervisor running on two nodes (bc-001 and bc-003). Hosts all VMs and LXC containers. The entire homelab runs on top of Proxmox — it's what makes running 20+ isolated services on a handful of mini PCs feasible.

Most services run as Docker containers managed through Portainer. Portainer gives a web UI for managing stacks, containers, and images across multiple Docker hosts without needing to SSH in for routine tasks.

Fronts every service with HTTPS and clean domain names. Instead of remembering IP addresses and ports, every service gets a hostname like mealie.domain.com with an automatically renewed SSL certificate. NPM is the gateway for all externally-reachable services.

Handles internal DNS resolution so services are reachable by hostname on the LAN. Split-horizon setup means mealie.domain.com resolves to the internal IP at home and the NPM-proxied address via Tailscale. DNS-over-HTTPS for all client devices is a side benefit.

Mesh VPN that makes the homelab reachable from anywhere without port forwarding. Every device (laptop, phone, tablet) joins the tailnet and can reach home services directly. Subnet routing exposes the entire home network to tailnet devices. No open ports on the router, ever.

Single sign-on layer in front of every exposed service. NPM's forward-auth integration passes each request through Authelia before it hits the service. One login with 2FA covers the entire homelab. Services like Proxmox use native OIDC through Authelia.

Self-hosted Bitwarden-compatible password manager. The full Bitwarden ecosystem — browser extensions, mobile apps, desktop client — pointed at a local server. About 10MB of RAM. All credentials stay on the network.

Automatically pulls and restarts containers when new images are published. Configured to update non-critical services automatically and send notifications for anything needing manual review. Keeps the stack current without manual docker pull cycles.

Bidirectional file sync between server, laptop, and phone. No cloud intermediary. Used for syncing the Obsidian vault, project files, and anything that needs to be on every device. Runs silently in the background, has never lost a file, has been running over a year without touching it.

OCR-indexed document archive. Scan something once, search for it forever. Auto-tagging, inbox folders, and email integration handle the filing automatically. Physical paper has been essentially irrelevant since setting this up.

Self-hosted Google Photos alternative with mobile apps, face recognition, and album organization. Phones back up automatically over Wi-Fi. The alternative to paying Google or Apple for storage that keeps growing every year.

Self-hosted recipe manager with meal planning and shopping lists. Import recipes from any URL, organize by tag or category, and generate a weekly shopping list from the meal plan. Used daily. Replaced a browser bookmarks folder that was completely unmanageable.

Self-hosted media server for movies, TV shows, and music. Streams to every device in the house. The apps are solid, hardware transcoding works well on Intel iGPU, and it's a fully functional Plex/Netflix alternative with no subscription.

Self-hosted RSS aggregator. Replaces Google Reader habits and any number of read-later services. Syncs read state across devices via the Google Reader-compatible API — Reeder, ReadKit, and other clients work with it natively.

Monitors every service and sends alerts when something goes down. Simple setup, clean dashboard, good notification options (Telegram, email, webhooks). The first thing to check when something feels wrong.

System metrics dashboards. Prometheus scrapes CPU, memory, disk, and network stats from all nodes. Grafana turns that into dashboards. More setup than Uptime Kuma, but gives actual historical data when you need to understand why something slowed down at 3am.

Security information and event management. Agents on every node ship logs to a central Wazuh server, which correlates events and alerts on suspicious activity. More infrastructure than most homelabs need, but useful for learning what real security monitoring looks like in practice.

Runs large language models locally. Hosted on a dedicated VM with GPU passthrough available. Useful for experimentation, coding assistance without sending code to external APIs, and understanding what local AI actually looks like in practice — which is often "not as fast as the cloud, but private."

Proxmox handles VM and LXC snapshots and scheduled backups to local and remote storage. A snapshot before any major change has saved hours of recovery work more than once. Backup jobs run nightly, retention keeps the last 7 days.

Encrypted offsite backups of important data volumes. Runs on a schedule, deduplicates, and ships compressed encrypted archives to an S3-compatible target. The only layer of the backup strategy that survives the house burning down.