goonK

Homelab / Unclouding

Running my own infrastructure because cloud bills are silly and breaking things at home is cheaper than breaking them in production.

Why

Cloud providers are great until you realize you're spending โ‚ฌ50/month to host what amounts to a blog and a few Docker containers. Self-hosting brings back the joy of actually owning your infrastructure (and the terror of being your own ops team at 2am).

  • Practice platform thinking without paying AWS for the privilege
  • Own my data instead of being someone else's database entry
  • Learn by breaking things where the blast radius is just me

At a glance

Internet
  โ”‚
      โ””โ”€ VPS: xpekatt-hel (Ubuntu, Hetzner) [PUBLIC]
        โ”œโ”€ Nginx Proxy Manager (public ingress)
        โ”œโ”€ f1-dashboard
        โ””โ”€ Delve (+ other containers)
        โ”‚
        โ””โ”€ Tailscale tailnet (private)
          โ”œโ”€ VPS: claw-hel (Ubuntu, Hetzner)
          โ”‚    โ””โ”€ openclaw
          โ”‚
          โ””โ”€ Home: thunkstation (OpenMediaVault)
            โ”œโ”€ Immich (+ other containers)
            โ”œโ”€ Gitea + runners (CI/CD jobs)
            โ””โ”€ Prometheus + Grafana

    Only xpekatt-hel is internet-facing; 
    everything else is reachable via Tailscale.

Machines

  • thunkstation (physical box)
    • OpenMediaVault
    • Runs containers, including Immich, Jellyfin and a few others
    • Private Gitea instance + Gitea runners for CI/CD jobs
    • Prometheus + Grafana for metrics and dashboards
  • xpekatt-hel (VPS, Ubuntu @ Hetzner)
    • Runs containers including f1-dashboard and Delve (plus other services)
    • Nginx Proxy Manager for routing
  • claw-hel (VPS, Ubuntu @ Hetzner)
    • Runs openclaw
    • Not public-facing: accessed via SSH from other Tailscale nodes (and via Telegram)

Network

  • Tailscale mesh: all machines live on the same tailnet and can talk to each other directly
  • Public ingress: only xpekatt-hel is exposed to the internet (via Nginx Proxy Manager)
  • Private services: thunkstation and claw-hel are only reachable over Tailscale
  • Routing: because xpekatt-hel is also on Tailscale, it can forward traffic to containers/services running on the other machines

Observability

  • node-exporter runs on each machine and exposes health/metrics
  • Prometheus scrapes metrics and stores time series data (on thunkstation)
  • Grafana dashboards sit on top (on thunkstation)

Principles

  • Backups exist (and are tested, because untested backups are just wishful thinking)
  • Updates are planned (and reversible, because YOLO is not a deployment strategy)
    • Pin versions where it matters
    • Keep notes on breaking changes (future-me will thank present-me)
  • Observability: Logs first, then metrics when logs aren't enough
  • Small surface area: Fewer moving parts = fewer things to break at 2am

Todo

  • Move more config/docker compose files into git (because "I'll remember" is a lie)
  • Migrate away from OMV to a normal distro (OMV works but feels like overkill)
  • Move the OMV box out of the kitchen where it quietly judges my cooking :P