Homelab Infrastructure

A multi-cloud homelab environment designed with production-grade security principles. Three VMs across Oracle Cloud, RackNerd, and Hetzner are meshed via Tailscale, running a zero-trust architecture with full observability and defense-in-depth.

Architecture Highlights

Zero-Trust Network Mesh

All inter-node traffic traverses a Tailscale WireGuard mesh with ACL-enforced access controls. No ports are exposed between VMs — every connection is authenticated and encrypted end-to-end.
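To make the "ACL-enforced, default-deny" mesh concrete, here is an added, constructed Tailscale policy file (HuJSON); it is not the lab's real policy, and the node tags, the placement of the Wazuh manager on the monitoring node and the node-exporter port are assumptions:

```jsonc
// Constructed example policy: tags, manager placement and exporter ports are assumptions.
{
  // Who may apply each tag when a node is enrolled.
  "tagOwners": {
    "tag:dmz":     ["autogroup:admin"],   // Caddy + CrowdSec gateway
    "tag:app":     ["autogroup:admin"],   // application / storage node
    "tag:monitor": ["autogroup:admin"]    // Prometheus, Grafana, Wazuh manager (assumed)
  },

  // Once an "acls" section exists, any connection not matched below is denied.
  "acls": [
    // Human admins may SSH to every node over the mesh.
    {"action": "accept", "src": ["autogroup:member"],
     "dst": ["tag:dmz:22", "tag:app:22", "tag:monitor:22"]},

    // The gateway may reach the backend only on its HTTPS port.
    {"action": "accept", "src": ["tag:dmz"], "dst": ["tag:app:443"]},

    // Prometheus scrapes node exporters (assumed on 9100) on the other nodes.
    {"action": "accept", "src": ["tag:monitor"],
     "dst": ["tag:dmz:9100", "tag:app:9100"]},

    // Wazuh agents enroll (1515) and ship events (1514) to the manager.
    {"action": "accept", "src": ["tag:dmz", "tag:app"],
     "dst": ["tag:monitor:1514,1515"]}
  ],

  // Evaluated on every policy save; a failing test rejects the change,
  // so an over-broad edit cannot silently widen lateral movement.
  "tests": [
    {"src": "tag:dmz", "accept": ["tag:app:443"],
     "deny": ["tag:app:22", "tag:monitor:9100"]},
    {"src": "tag:app", "accept": ["tag:monitor:1514"],
     "deny": ["tag:dmz:443", "tag:monitor:22"]},
    {"src": "tag:monitor", "accept": ["tag:app:9100"],
     "deny": ["tag:app:443"]}
  ]
}
```

The "tests" block is the practitioner's check: it turns the zero-trust intent into assertions that the control plane refuses to violate.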

Defense in Depth

The DMZ gateway runs Caddy with WAF rules and CrowdSec threat intelligence. Behind it, Wazuh HIDS provides host-level intrusion detection across all nodes, creating layered visibility from network edge to filesystem.

Observability Pipeline

Prometheus scrapes metrics from all nodes while Alloy agents forward logs to a centralized Grafana dashboard. Alert rules cover service health, resource thresholds, and security events — the same observability stack used in production environments.

Encrypted Data at Rest

Sensitive storage volumes use LUKS encryption with automated mount policies. Backup strategies are designed around encrypted snapshots, ensuring data confidentiality even if physical storage is compromised.

Technology Capabilities

Security

CrowdSec, Wazuh HIDS, Caddy WAF, WireGuard

Monitoring

Prometheus, Grafana, Alloy

Networking

Tailscale, Caddy, DNS

Platforms

Oracle Cloud, Hetzner Cloud, Linux, Docker

Data

NetBox DCIM, Immich, LUKS

AI / ML

Honcho AI Discord Bot