Home Lab • Infrastructure • Security

Infrastructure designed to be operated, not merely demonstrated.

My Home Lab is a segmented, monitored and backed-up single-node Proxmox platform. I use it to practise design, operations, security and recovery under realistic constraints.

The goal is not to collect services. Every component must answer a need, produce a useful signal, have a source of truth and be recoverable or removable cleanly.

Left front view of the personal home lab rack with Proxmox server, Grafana wallboard, Synology NAS and Eaton UPS.
Personal physical platform — intentionally unannotated photograph.
12virtual machinesSpecialized roles with monitored state
49containerized servicesAligned with their expected definition
26Compose projectsCanonical and statically validated
69/69observed targetsAvailable at the 2026-07-10 check

Architecture

Clear boundaries and acknowledged dependencies

This view is intentionally functional: no internal addressing, port, credential or exploitable rule is published.

Separate usage

Administration, services, public exposure and IoT traffic remain in distinct functional zones.

Observe before acting

Metrics, logs, probes and alerts provide independent state before and after every change.

Prepare recovery

Backups, hashes, rollback and recovery order are defined before risky operations.

Operating model

Four capabilities connected to evidence

Technologies are means; the objective is to maintain a service that is understandable and reversible.

Architecture & segmentation

Limit implicit dependencies and the exposed surface.

Centralized publication, separate administration access and filtering across functional boundaries.
VLANVPNDNSReverse proxy

Useful observability

Detect actual failure without manufacturing false-green status.

Host, service, exposure, backup and capacity health tracked through complementary signals.
PrometheusGrafanaLokiAlerting

Continuity & recovery

Know what to restore, in which order and with which evidence.

Daily VM backups, monitored verification, logical restores, RTO/RPO targets and runbooks.
PBSDRRTO/RPOVerify

Reproducibility & security

Reduce manual changes and retain a readable return path.

Canonical Compose, pinned images, local validation, change logs, checksums and minimal changes.
DockerGitHardeningRollback

Problem → method → outcome

Three end-to-end improvements

Every change retains its initial state, rollback path, validation and residual debt.

Make Docker reconstructible

Problem
The parameters of 26 projects had to be compared with the actual runtime state.
Method
Inventory, declarative/runtime comparison, Compose normalization and validation without a global recreate.
Outcome
49 aligned services, 47 pinned external images and two identified local builds.

Improve monitoring signal

Problem
Duplicate or misplaced probes could obscure the cause of an outage.
Method
Removed duplication, checked Error/NoData states and added local proxy health.
Outcome
69 useful targets, capacity tracking and no hidden alerts to manufacture a green status.

Move from backup to recovery planning

Problem
Existing backups alone did not demonstrate a recovery capability.
Method
Coverage checks, task verification, dependency mapping and recovery targets by criticality.
Outcome
Expected coverage confirmed, recent verification evidenced, logical restores performed and limits explicitly documented.

DR & limits

Credibility also means stating what remains

Backups are monitored, but they are not confused with high availability or a fully proven recovery plan.

What is in place

  • Daily backups for eligible workloads with coverage checks
  • Monitored PBS verification with failures made visible
  • Logical restores validated on selected critical services
  • Documented recovery order for network, DNS and publishing dependencies
  • Application and infrastructure rollback prepared before every change

Publicly acknowledged limits

  • The platform relies on one Proxmox node and is not presented as highly available.
  • An off-site or immutable copy still needs to be implemented and tested.
  • A timed full Tier 1 recovery exercise is still required to measure every actual RTO/RPO.
  • DNS redundancy remains within the same hardware failure domain.

Physical platform

Real infrastructure, documented without overexposure

Go further

Review projects and detailed outcomes

The case studies cover context, method, outcome and demonstrated skills without publishing sensitive operational data.