🏠 My Homelab Setup

Welcome to my homelab documentation. This project tracks the infrastructure, services, and networking configuration of my self-hosted environment. The goal is to create a resilient, automated, and organized system for home services, monitoring, and development.


📚 Documentation Wiki

View Full Homelab Documentation →

Complete technical documentation is available on my public wiki, including:

  • Detailed service configurations and architecture diagrams
  • Step-by-step setup guides and troubleshooting
  • GitOps workflow and deployment procedures
  • Security best practices and monitoring setup
  • Project changelogs and infrastructure evolution

The wiki is built with Quartz v4 and features full-text search, graph view, and WikiLinks for easy navigation.


🛠 Hardware Infrastructure

| Device | Role | OS / Hypervisor | Specs/Notes |
| --- | --- | --- | --- |
| Dell R430 | Primary Server | Proxmox VE | The heavy lifter. Runs LXC containers and manages core network services. |
| Raspberry Pi 5 | Secondary Node | Debian (Docker) | Low-power node for DNS redundancy and lightweight services. |
| Synology NAS | Network Storage | DSM | Centralized file storage and backups. |

☁️ Virtualization & Software Stack

🖥️ Node 1: Dell R430 (ProxMoxBox - 192.168.1.4)

The Proxmox host runs LXC Containers to separate concerns:

  1. Nginx Proxy Manager 🛑️

    • Reverse proxy with SSL termination
    • Routes all *.home.lab traffic
  2. Pi-hole (Primary) 🛑

    • Network-wide ad blocking and local DNS (ns1.home.lab)
  3. Docker Host 🐳

    • Core application stack managed by Dockhand
    • Services Running:
      • Homepage: Primary dashboard for the lab
      • Homebox: Asset inventory and tracking
      • Uptime Kuma: Service health monitoring
      • Minecraft Server: PaperMC with Geyser/Floodgate (Java + Bedrock)
  4. Monitoring & Alerting Stack 📊

    • Grafana: Dashboards and visualization (custom Homelab Overview + Docker Containers dashboards)
    • Prometheus: Metrics collection from 7 targets (ProxMoxBox, Pi5, Pi-hole LXC, NPM LXC, Wazuh VM, cAdvisor)
    • Alertmanager: Alert routing with Discord notifications
    • Loki: Centralized log aggregation
    • Promtail: Log collector agent
    • Node Exporter: Installed on all hosts for system metrics
    • cAdvisor: Container metrics

    Alerts Configured: Disk space >80%/90%, High CPU/Memory >90%, Host down, Container down, Target scrape failures

πŸ“ Node 2: Raspberry Pi 5 (192.168.1.234)

High-availability node for DNS redundancy and isolated services, managed remotely via Hawser agent.

  • Pi-hole (Secondary): Redundant DNS (ns2) for uptime during R430 reboots
  • Tailscale: Secure zero-config VPN access
  • Mealie: Recipe and meal planning manager
  • Nebula-Sync: Syncs DNS records and blocklists between Pi-hole instances
  • Node Exporter: System metrics fed to Prometheus
  • Promtail: Log collector sending to Loki

🌐 Networking & DNS

| IP | Device | Role |
| --- | --- | --- |
| 192.168.1.3 | Primary Pi-hole | Main DNS (ns1.home.lab) |
| 192.168.1.4 | ProxMoxBox | Main Docker host |
| 192.168.1.5 | Synology NAS (DS220j) | Network storage (7.2TB, SNMP monitored) |
| 192.168.1.6 | Nginx Proxy Manager | Reverse proxy |
| 192.168.1.7 | Wazuh VM | SIEM (security monitoring) |
| 192.168.1.234 | Pi5 | Secondary DNS, Tailscale |
| 192.168.1.253 | Proxmox | Hypervisor management |

DNS Flow

  1. Client requests dashboard.home.lab
  2. Pi-hole resolves domain to the NPM IP address
  3. NPM routes the request to the correct Docker container port

πŸ” Security & SIEM

Wazuh SIEM (192.168.1.7)

Dedicated VM (Debian 12) running Wazuh v4.14.2 for centralized security monitoring across all homelab hosts.

Components:

  • Wazuh Manager: Core SIEM engine - processes security events, file integrity monitoring, vulnerability detection
  • Wazuh Indexer: OpenSearch-based backend for storing and searching security data
  • Wazuh Dashboard: Web UI for security analysis, threat hunting, and compliance reporting (https://192.168.1.7)
  • Filebeat: Ships alerts from manager to indexer

Agents Deployed:

| Host | Agent Name | Monitors |
| --- | --- | --- |
| ProxMoxBox (192.168.1.4) | SRV-DOCKER01 | Docker host, containers, system logs |
| Pi5 (192.168.1.234) | pi-infra | Secondary DNS, Tailscale, system logs |
| Pi-hole LXC (192.168.1.3) | SRV-DNS01 | Primary DNS server, Pi-hole logs |
| NPM LXC (192.168.1.6) | SRV-NPM01 | Reverse proxy, SSL certificates, access logs |

Capabilities:

  • Real-time log analysis and correlation
  • File integrity monitoring (FIM)
  • Vulnerability detection
  • Security Configuration Assessment (SCA)
  • Rootkit detection
  • Ready for Suricata IDS integration (planned with OPNsense)

📊 Dashboard & Management

  • Docker Management: Dockhand - UI for managing all stacks locally and remotely via Hawser
  • Application Dashboard: Homepage - Central hub for all services
  • Monitoring: Grafana - Custom dashboards for homelab overview and container metrics
  • Alerting: Alertmanager - Alert routing with Discord notifications
  • Log Aggregation: Loki - Centralized logs from all hosts
  • Health Checks: Uptime Kuma - Service availability monitoring
  • Inventory: Homebox - Physical IT gear tracking
  • SIEM: Wazuh Dashboard - Security event analysis and threat detection

🚀 Infrastructure as Code

All Docker compose files are managed via GitOps. See my GitOps Project for details on the repository structure and deployment workflow.

Repository: github.com/jhathcock-sys/Dockers


πŸ›‘οΈ Security Hardening

The Docker infrastructure has undergone a comprehensive security audit. Critical vulnerabilities were identified and fixed, including:

  • Removed privileged mode from cAdvisor (replaced with specific capabilities)
  • Added read-only flags to Docker socket mounts
  • Eliminated default password fallbacks

See my Docker Security Review for the full audit report, methodology, and lessons learned.
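The three findings above can be checked mechanically before a stack is deployed. The audit below is an added example, not code from the Dockers repository or the security review: it takes an already-parsed compose file (a dict, as PyYAML's `safe_load` would produce) and flags privileged services, Docker socket mounts without `:ro`, and `${VAR:-default}` fallbacks on password-like variables. The sample services, the `app` service and its `DB_PASSWORD` variable are constructed.

```python
"""Audit a parsed docker-compose file for the three findings fixed in the
homelab security review: privileged containers, writable Docker socket
mounts and default-password fallbacks.  Added example, not code from the
Dockers repository; the sample services below are constructed."""
import re

# ${VAR:-default} or ${VAR-default}: the container still starts with a known
# password when VAR is unset.  ${VAR:?msg} (fail if unset) is not flagged.
FALLBACK_RE = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*:?-[^}]*\}")
SECRET_KEY_RE = re.compile(r"PASS|SECRET|TOKEN|KEY", re.IGNORECASE)
DOCKER_SOCK = "/var/run/docker.sock"

def _env_items(env):
    """Normalise 'environment' (mapping or list of KEY=VALUE) to pairs."""
    if isinstance(env, dict):
        return [(k, "" if v is None else str(v)) for k, v in env.items()]
    return [tuple(str(item).partition("=")[::2]) for item in env or []]

def _socket_is_writable(vol):
    """True when a volume entry mounts the Docker socket without read-only."""
    if isinstance(vol, dict):                       # long syntax
        return vol.get("source") == DOCKER_SOCK and not vol.get("read_only", False)
    src, _, rest = str(vol).partition(":")          # short syntax host:ctr[:opts]
    opts = set(",".join(rest.split(":")[1:]).split(","))
    return src == DOCKER_SOCK and "ro" not in opts

def audit_compose(compose):
    """Return 'service: finding' strings for every weak setting found."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        if svc.get("privileged") is True:
            findings.append(f"{name}: privileged mode; grant only the needed capabilities via cap_add")
        for vol in svc.get("volumes") or []:
            if _socket_is_writable(vol):
                findings.append(f"{name}: Docker socket mounted read-write; append :ro")
        for key, val in _env_items(svc.get("environment")):
            if SECRET_KEY_RE.search(key) and FALLBACK_RE.search(val):
                findings.append(f"{name}: {key} falls back to a default; use ${{{key}:?required}}")
    return findings

# Constructed sample: the pre-audit shape of cAdvisor beside its hardened form.
SAMPLE_COMPOSE = {
    "services": {
        "cadvisor": {"privileged": True,
                     "volumes": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "cadvisor-hardened": {"cap_add": ["SYS_PTRACE"],   # illustrative capability, not the audited list
                              "volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro"]},
        "app": {"environment": ["DB_PASSWORD=${DB_PASSWORD:-changeme}"]},
    }
}

if __name__ == "__main__":
    for line in audit_compose(SAMPLE_COMPOSE):
        print(line)
```

Run it against `yaml.safe_load(open("docker-compose.yml"))` in CI so a regression of any of the three fixes fails the pipeline before deployment.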


🚀 Recent Projects

Podcast Studio (2026-02-03)

Self-hosted video podcast recording platform with 4K multi-track support. Built for D&D sessions with up to 6 participants.

Stack: LiveKit (WebRTC), React + TypeScript, Node.js/Express, MinIO (S3 storage), FFmpeg (post-processing), Coturn (TURN server)

Features:

  • Hybrid LiveKit + double-ended recording for true 4K quality
  • Client-side MediaRecorder with resumable uploads (Uppy.js)
  • Live streaming to YouTube/Twitch via RTMP
  • Automated audio normalization and multi-track sync with FFmpeg
  • Scene switching with custom layouts

Storage: ~70GB per 1-hour 6-person 4K session

Repository: podcast-studio


πŸ—„οΈ NAS Integration (2026-02-04)

Integrated Synology DS220j (7.2TB) with homelab infrastructure for centralized storage and monitoring.

SNMP Monitoring:

  • Prometheus scrapes NAS metrics via snmp-exporter
  • Monitors: network interfaces, traffic counters, interface status
  • Grafana dashboards available for visualization

SMB Storage Shares:

  • Mounted on ProxMoxBox (via Proxmox host bind mount)
  • Mounted on Pi5 with full read/write access
  • Directories: /mnt/nas/homelab/docker-backups/ and /mnt/nas/homelab/media/
  • Docker containers have full read/write access for backups and media
  • Persistent mounts configured in /etc/fstab on both systems

Syslog Forwarding (Partial):

  • Synology forwards logs to Promtail on ProxMoxBox:1514
  • Messages are arriving but need RFC 3164 → RFC 5424 format conversion
  • Future enhancement: add syslog relay for proper parsing
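The conversion the planned relay has to perform is small enough to show in full. The converter below is an added example, not code from the homelab repo or from Promtail: it parses the BSD (RFC 3164) line shape a Synology sends (`<PRI>Mmm dd HH:MM:SS host tag[pid]: msg`) and re-emits it as RFC 5424 (`<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG`). RFC 3164 carries no year or timezone, so the caller supplies both; the sample NAS lines are constructed.

```python
"""Convert RFC 3164 (BSD) syslog lines, as sent by a Synology NAS, into
RFC 5424 framing.  Added example, not code from the homelab repo; the
sample lines below are constructed."""
import re
from datetime import datetime

# <PRI>Mmm dd HH:MM:SS host tag[pid]: message   (tag and pid are optional)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)
NIL = "-"   # RFC 5424 NILVALUE for absent fields

def to_rfc5424(line, year, tz="Z"):
    """Return the RFC 5424 form of one RFC 3164 line, or None if it does not parse.

    The relay knows when it received the message, so it supplies the year and
    zone offset that the BSD timestamp lacks."""
    m = RFC3164_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                       # facility 0-23 * 8 + severity 0-7
        return None
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S")
    ts = stamp.strftime("%Y-%m-%dT%H:%M:%S") + tz
    app = m["tag"] or NIL
    procid = m["pid"] or NIL
    # VERSION 1, no MSGID, no STRUCTURED-DATA, message copied through unchanged
    return f"<{pri}>1 {ts} {m['host']} {app} {procid} {NIL} {NIL} {m['msg']}"

def convert_batch(lines, year, tz="Z"):
    """Convert a batch; returns (converted lines, lines that were dropped)."""
    out, dropped = [], []
    for line in lines:
        conv = to_rfc5424(line, year, tz)
        (out if conv else dropped).append(conv or line)
    return out, dropped

# Constructed sample lines in the shape a Synology DSM syslog client sends.
SAMPLE_LINES = [
    "<13>Feb  4 10:15:30 NAS System: User admin logged in from 192.168.1.4 via SMB",
    "<38>Feb  4 10:15:31 NAS sshd[2048]: Accepted publickey for admin from 192.168.1.234",
    "not a syslog line",
]

if __name__ == "__main__":
    converted, dropped = convert_batch(SAMPLE_LINES, 2026)
    print("\n".join(converted), "\ndropped:", len(dropped))
```

Dropped lines should be counted and exported as a metric rather than silently discarded, so a format change on the NAS shows up in Grafana instead of as a quiet gap in Loki.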

Storage Capacity:

  • Total: 7.2TB
  • Used: 4.9TB
  • Available: 2.4TB (ready for media library and backups)

πŸ“ Obsidian Vault Sync (2026-02-04)

Self-hosted real-time synchronization for homelab documentation vault using CouchDB.

Deployment: Pi5 (192.168.1.234:5984)

Technology Stack:

  • CouchDB: NoSQL database for document storage
  • Self-hosted LiveSync: Obsidian community plugin for real-time sync
  • End-to-End Encryption: Optional passphrase-based encryption
  • Docker: Containerized deployment with health checks

Features:

  • Real-time vault synchronization across all devices (desktop, mobile, laptop)
  • Sub-second sync latency on local network
  • Automatic conflict detection and resolution
  • Works alongside Git for hybrid workflow (sync + version control)
  • Remote access via Tailscale VPN

Architecture Decision:

  • Deployed to Pi5 instead of ProxMoxBox due to better resource availability
  • Pi5 had 6.9GB free memory vs ProxMoxBox’s 3.7GB
  • CPU nearly idle (1.24% vs 60%+ on ProxMoxBox)
  • Fits Pi5’s role as always-on secondary services node

Resource Usage:

  • CouchDB container: ~500MB-1GB RAM, <2% CPU
  • Memory limit: 1GB max, 512MB reserved
  • Database size: ~100-500MB for text-heavy vault

Integration:

  • Complements existing Git workflow (homelab-docs repository)
  • LiveSync handles real-time editing, Git handles version control
  • Public wiki publishing pipeline unchanged (homelab-wiki)

Monitoring:

  • System metrics via Node Exporter (CPU, memory, disk)
  • Docker health checks every 30 seconds
  • Basic monitoring sufficient; detailed CouchDB metrics optional

Security:

  • Private network deployment (192.168.1.0/24)
  • Strong generated credentials
  • Optional E2E encryption in Obsidian plugin
  • Tailscale VPN for secure remote access

📋 Future Plans

  • Podcast Studio Deployment - Deploy and test on 192.168.1.8
  • OPNsense + Managed Switch - Enterprise networking with VLANs and IDS/IPS
  • Add media stack (Jellyfin/Plex, Sonarr, Radarr) - NAS storage ready
  • Implement Home Assistant for home automation
  • Migrate to Kubernetes for orchestration
  • Set up offsite backups to cloud storage
  • Fix syslog format conversion for NAS logs
  • NAS integration (Completed - SNMP monitoring + SMB shares)
  • Container resource management (Completed - memory limits on all 20 containers)
  • Add alerting via Grafana/Prometheus (Completed - Discord notifications active)
  • Wazuh SIEM (Completed - agents on ProxMoxBox and Pi5, ready for Suricata integration)
  • Obsidian vault sync (Completed - CouchDB LiveSync on Pi5, real-time sync across devices)