Homelab Architecture

Josh Noll | Dec 16, 2024


Diagram


Automation

I’m slowly attempting to automate everything in my homelab. I have a massive Ansible playbook that baselines all of my servers, manages config files, cifs mounts, cron jobs, and deploys containers. You’ve heard of infrastructure-as-code? Well, this is homelab-as-code.

The playbook uses a bunch of custom roles that I have written and published to Ansible Galaxy.

The User Experience

Getting up on Tailscale

Nothing in my homelab is exposed to the internet. It’s all protected by Tailscale, which I describe in this GitHub repo.

If I were to share my homelab with you, I would ask you to make a Tailscale account (if you don’t have one already) and I would share a single node with you.

That node is Traefik, a proxy server that forwards requests to the container or server providing the service. Public DNS records will point you to the Tailscale IP of Traefik, which forwards your requests on to the corresponding service based on information in the HTTP headers. You won’t have direct access to any servers other than Traefik, and if I ever decided to cut you off completely, I would simply unshare Traefik with you via Tailscale.

Here’s a pretty picture for the visual learners like myself:

Creating an Account in Authentik

Now, just because you have access to Traefik and can touch all of my homelab services from a network perspective, does not mean you can access any of them yet.

I use Authentik for Single Sign-On (SSO) and Identity and Access Management (IAM). So, the second thing I’ll ask you to do, if I’m sharing my homelab with you, is to go to the root of my internal homelab domain. Let’s call it https://joshrnoll.homelab

You’ll be presented with a login page that looks like this:

From here, you can click on ‘Sign Up’ and create an account with basic access to most of my homelab services.

Accessing Services

Reloading https://joshrnoll.homelab will bring you to the Heimdall dashboard which looks something like this:

I have a wiki page to answer questions about how to use things like Calibre Web and Mealie. You’ll notice there is a link to ‘Admin Apps’ where I keep the links to things like Portainer and Gitea. But you won’t be able to log in to those unless I give you access to them via Authentik.

Storage

Each node in my Proxmox cluster has a greater-than-2TB HDD to store the VMs' hard disks. For the most part, data is stored directly on the VM hard disk and backed up to my TrueNAS server with Nautical Backup (see below). Some things, however, such as my Jellyfin media, are stored directly on TrueNAS and containers access them via SMB/CIFS.

Overall, I have around 64TB of usable storage throughout my homelab now.

Most of that is severely under-utilized… but it’s fun to say it like that.

Backups

Containers

I use Nautical-Backup, a container that automatically syncs Docker container volumes to an SMB share on TrueNAS via rsync. It’s pretty nifty. Essentially, any container deployed into my environment with the Docker label

nautical-backup.enable="true"

will have its data synced to TrueNAS. The catch is that all of its data needs to be nested inside a directory with the same name as the container. But I don’t worry about that because I automate it with Ansible.
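An added check (not code from the post or from the Nautical-Backup project) for the directory convention above: given the JSON that docker inspect prints, it lists each labelled container whose bind-mount sources are not nested under a directory named after the container, so a mislaid volume is caught before it silently goes unbacked-up. The host root /opt/appdata and the three sample containers are assumptions I constructed for the demonstration.

```python
"""Verify that every container labelled nautical-backup.enable=true keeps
its bind mounts under <source_root>/<container-name>/ (constructed check)."""
import json

# Constructed sample shaped like `docker inspect mealie gitea jellyfin`
# output, trimmed to the fields this check reads. Not real homelab data.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/mealie",
     "Config": {"Labels": {"nautical-backup.enable": "true"}},
     "Mounts": [{"Type": "bind", "Source": "/opt/appdata/mealie/data",
                 "Destination": "/app/data"}]},
    {"Name": "/gitea",   # labelled, but data lives under a different name
     "Config": {"Labels": {"nautical-backup.enable": "true"}},
     "Mounts": [{"Type": "bind", "Source": "/opt/appdata/git/data",
                 "Destination": "/data"}]},
    {"Name": "/jellyfin",  # not labelled, so Nautical ignores it entirely
     "Config": {"Labels": {}},
     "Mounts": [{"Type": "bind", "Source": "/opt/appdata/jellyfin/config",
                 "Destination": "/config"}]},
])


def check_backup_layout(inspect_json: str, source_root: str = "/opt/appdata") -> dict:
    """Return {container_name: [offending bind sources]} for labelled containers.

    Unlabelled containers are skipped. An empty list means every bind mount
    of that container sits under source_root/<name>/ as Nautical expects.
    source_root is assumed to be the host directory Nautical-Backup syncs from.
    """
    results = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        labels = c.get("Config", {}).get("Labels") or {}
        if labels.get("nautical-backup.enable", "").lower() != "true":
            continue
        expected_dir = f"{source_root.rstrip('/')}/{name}"
        bad = [m["Source"] for m in c.get("Mounts", [])
               if m.get("Type") == "bind"
               and m["Source"] != expected_dir               # whole dir mounted
               and not m["Source"].startswith(expected_dir + "/")]  # nested path
        results[name] = bad
    return results


if __name__ == "__main__":
    for name, bad in check_backup_layout(SAMPLE_INSPECT).items():
        print(f"{name}: {'ok' if not bad else 'NOT under its own dir: ' + str(bad)}")
```

Run it against real output with python3 check.py < <(docker inspect $(docker ps -q)) after swapping SAMPLE_INSPECT for sys.stdin.read().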

Another picture for the visual learners:

Now, since two is one and one is none, I also sync my container backups between TrueNAS and my Synology through an Rsync task that runs every night.

Photos

Apple still has me in their clutches for now and I do have my photos synced to iCloud. But, I also use Synology’s photo backup app, which works perfectly over Tailscale. The only downside is that it does not appear to run in the background, so I do have to open the app occasionally to ensure that backups happen. I could probably automate this through iOS Shortcuts somehow…

I have attempted to sync my photo backups between Synology and TrueNAS just like the container backups; however, the Rsync task fails every time it is run. I believe it’s a permissions issue that I still need to figure out. It’s been on my to-do list forever. I’ll get to it eventually and hopefully write a post about it.

Jellyfin Media

Since I have more media than my Synology has the space to support, none of it has ever been backed up. (Which is why I still keep my DVDs around in case I ever need to rip them again.) However, since I recently built a new TrueNAS server, I can now replicate my media to my old TrueNAS and allow it to live on as a dedicated media backup server.



Infrastructure Services

Management Services

User-Facing Services
