My Homelab
This website runs on a self-hosted Kubernetes cluster I designed, built, and maintain. It is not hosted on Vercel or AWS; it runs on enterprise-level hardware in my home, demonstrating real-world DevOps skills.
Live Infrastructure Status
Self-hosted monitoring powered by Uptime Kuma
Portfolio Site
Overall Infrastructure
If you're viewing this page, the infrastructure is running. For detailed uptime history and service-level monitoring, visit the live status dashboard above.
Why Homelab?
Learning
You can't truly understand Kubernetes by reading docs. Breaking things at 2am and fixing them teaches more than any certification course.
Target: CKA certification by September 2026
Data Privacy
Cloud providers have access to your data. Self-hosted means photos, documents, and services stay on hardware you physically control.
No vendor lock-in, no surprise pricing changes
"If a company can host it on AWS, I can host it on three mini PCs in my closet, for a fraction of the cost and 100% of the learning."
Performance Metrics
Real-world performance benchmarks from production deployment
Lighthouse Scores
Average Score: 99.5 / 100
Core Web Vitals
- Target: < 2.5s (Good)
- Target: < 100ms (Good)
- Target: < 0.1 (Good)
- Target: < 600ms (Good)
All metrics pass Google's "Good" thresholds
Measured on Cloudflare's global CDN network
Architecture Overview
Network Flow
From your browser to my homelab
Public Access
Internet → Cloudflare Tunnel → Gateway API → Services
Private Access
Tailscale VPN → Internal Services
Infrastructure
3-node bare metal Kubernetes cluster
Defense in Depth
Three layers of security protecting the infrastructure
Layer 1: Network Perimeter
Cloudflare Edge Protection
- DDoS protection and WAF at Cloudflare edge
- Zero exposed ports: all traffic through encrypted Cloudflare Tunnel
- Zero-trust access model (no direct connections)
Layer 2: VLAN Segmentation
OPNsense Firewall
- 8 VLANs with strict inter-VLAN firewall rules
- IoT and Guest networks isolated from server VLAN
- Stateful inspection with IDS/IPS (Suricata)
Layer 3: Cilium Micro-Segmentation
eBPF Network Policies
- CiliumNetworkPolicy controls pod-to-pod traffic
- L3/L4/L7 filtering (IP, port, HTTP path)
- eBPF enforcement at kernel level (faster than iptables)
CI/CD Pipeline
GitFlow branching with multi-environment deployment
| Environment | Namespace | Trigger | URL |
|---|---|---|---|
| Dev | portfolio-dev | Push to develop | (internal only) |
| Staging | portfolio-staging | Manual trigger | beta.rommelporras.com |
| Prod | portfolio-prod | Merge to main | www.rommelporras.com |
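The table above maps directly onto GitLab CI job rules. The following is an added example of a `.gitlab-ci.yml`, not the project's own pipeline: the registry hostname is the one listed on this page, but the image path, the `docker`/`kubectl` images, the Deployment name and the kubeconfig handling are assumptions.

```yaml
# Added example, not the project's own pipeline. Image path, runner images,
# Deployment name and the KUBECONFIG variable are assumptions.
stages:
  - build
  - deploy

variables:
  # Registry from this page; the repository path under it is assumed.
  IMAGE: registry.k8s.rommelporras.com/portfolio/site

build:
  stage: build
  image: docker:27                    # assumed; needs a privileged runner for dind
  services:
    - docker:27-dind
  script:
    - docker build -t "$IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$IMAGE:$CI_COMMIT_SHORT_SHA"
  rules:
    - if: $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_BRANCH == "main"

# Shared deploy template. KUBECONFIG should be a protected, file-type CI variable
# holding a kubeconfig for a ServiceAccount that is bound only inside $NAMESPACE,
# so a dev pipeline cannot touch portfolio-prod even if it tries.
.deploy:
  stage: deploy
  image: bitnami/kubectl:latest       # assumed
  script:
    - kubectl -n "$NAMESPACE" set image deployment/portfolio portfolio="$IMAGE:$CI_COMMIT_SHORT_SHA"
    - kubectl -n "$NAMESPACE" rollout status deployment/portfolio --timeout=120s

deploy-dev:
  extends: .deploy
  variables: { NAMESPACE: portfolio-dev }
  environment: { name: dev }
  rules:
    - if: $CI_COMMIT_BRANCH == "develop"    # "Push to develop"

deploy-staging:
  extends: .deploy
  variables: { NAMESPACE: portfolio-staging }
  environment: { name: staging, url: https://beta.rommelporras.com }
  rules:
    - if: $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_BRANCH == "main"
      when: manual                          # "Manual trigger"

deploy-prod:
  extends: .deploy
  variables: { NAMESPACE: portfolio-prod }
  environment: { name: production, url: https://www.rommelporras.com }
  rules:
    - if: $CI_COMMIT_BRANCH == "main"       # a merge to main arrives as a push to main
```

Because each deploy job carries its own `NAMESPACE` and the pipeline reuses one image tag built from the commit SHA, the artifact promoted to staging and prod is byte-for-byte the one tested in dev, and the branch rules alone decide which environment a commit may reach.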
Hardware Stack
Kubernetes Nodes (x3)
Lenovo ThinkCentre M80q
Why M80q? Enterprise-grade reliability, uniform cores (important for K8s scheduling), low power (~35W TDP), excellent value on the used market.
Topton N100
Intel N100, 16GB RAM
Proxmox + OPNsense
Dell OptiPlex 3090
i5-10500T, 32GB RAM
Proxmox + OMV NAS
LIANGUO LG-SG5T1
5x 2.5GbE + 10G SFP+
Managed, VLAN support
CyberPower UPS
1600VA / 1000W
~45 min runtime
Services Running
20+ services across 18 namespaces, all real, all running
Platform Infrastructure
3-node HA control plane with stacked etcd
eBPF-based CNI replacing kube-proxy
Distributed block storage (2x replication on NVMe)
HA virtual IP for API server (ARP mode)
Kubernetes-native ingress with Cilium
Automated Let's Encrypt wildcard TLS certificates
Resource metrics for HPA and kubectl top
Networking & Access
HA tunnel (2 replicas), zero exposed ports
WireGuard subnet router for private remote access
Primary DNS server for all VLANs (10.10.30.53)
Observability Stack
Metrics collection with 177+ default alerting rules
Dashboards for every service + infrastructure
Log aggregation (paired with Grafana)
Log collector (Grafana agent, replaces Promtail)
Alert routing to Discord + Email
HTTP/TCP probes for endpoint monitoring
Public status page at status.rommelporras.com
UPS monitoring (CyberPower CP1500)
OpenTelemetry data collection (Claude Code metrics)
CI/CD
Self-hosted DevOps platform (web, sidekiq, gitaly)
Kubernetes executor for CI/CD jobs
Docker image registry at registry.k8s.rommelporras.com
Applications
Theme development environment
Local LLM inference (CPU): qwen3, moondream, gemma3
AI bookmark manager (Chrome crawler + Meilisearch + Ollama)
Internal dashboard (2 replicas)
Internet speed test tracker (historical)
Persistent browser via KasmVNC
Databases
Ghost Blog (dev + prod)
Invoicetron
Karakeep (full-text search)
Uptime Kuma, Karakeep
Additional Infrastructure
These services run outside Kubernetes but are part of the homelab ecosystem.
Hypervisor on Dell 3090
Firewall / router (Proxmox VM)
NAS / NFS storage
Photo management
Release Timeline
39 releases in ~1 month: from empty repo to full production stack
Network Segmentation
Enterprise-level network design with 8 isolated VLANs for security, performance, and separation of concerns. Each VLAN has custom firewall rules enforcing the principle of least privilege.
| VLAN | Name | Subnet | Purpose | Security |
|---|---|---|---|---|
| 10 | LAN | 10.10.10.0/24 | Trusted wired devices | High (Full Access) |
| 20 | TRUSTED_WIFI | 10.10.20.0/24 | Trusted wireless (SSID: Mugiwara) | High (Full Access) |
| 30 | SERVERS | 10.10.30.0/24 | Internal VMs and LXCs | High (Backend) |
| 40 | IOT | 10.10.40.0/24 | IoT devices (SSID: Mugiwara-IOT) | Low (Internet-Only) |
| 50 | DMZ | 10.10.50.0/24 | Public-facing services (Cloudflare Tunnel) | Medium (DMZ) |
| 60 | GUEST | 192.168.0.0/24 | Guest devices (SSID: Mugiwara-Guest) | Low (Internet-Only) |
| 69 | MGMT | 10.10.69.0/24 | Proxmox host management | Critical (Admin-Only) |
| 70 | AP_TRUNK | 10.10.70.0/24 | OpenWRT AP management | Medium (AP Config) |
Technology Stack
A modern DevOps stack running 24/7, organized by architectural layer.
Layer 1: Hypervisor
- Proxmox VE 9.1.4 - Type-1 bare-metal hypervisor
  - KVM for VMs, LXC for containers, web-based management
Layer 2: Firewall & Routing
- OPNsense 25.7.5 - Enterprise firewall/router
  - Dual WAN, 8 VLANs, IDS/IPS (Suricata), WireGuard VPN
- OpenWRT - Custom WiFi firmware
Layer 3: DNS & Ad Blocking
- AdGuard Home - Network-wide ad blocking
  - DoH/DoT encryption, local DNS rewrites, DNSSEC validation
Layer 4: Reverse Proxy
- Cilium Gateway API - Kubernetes-native ingress
  - cert-manager + Let's Encrypt DNS-01, wildcard certs (*.k8s.rommelporras.com)
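The Layer 4 combination (cert-manager issuing a wildcard via DNS-01 on Cloudflare, the Cilium Gateway terminating TLS with it, and an HTTPRoute attaching from an application namespace) fits in four resources. This is an added example rather than the manifests from this cluster: the wildcard name is the one stated above, while the issuer, Secret, Gateway and Service names, the `gateway-access` namespace label and the `portfolio.k8s.rommelporras.com` hostname are assumptions.

```yaml
# Added example, not the cluster's own manifests. Only *.k8s.rommelporras.com
# comes from the page; every other name here is assumed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com                  # placeholder
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key
    solvers:
      - dns01:
          cloudflare:
            # Secret lives in cert-manager's namespace for a ClusterIssuer.
            # Use a token scoped to Zone:DNS:Edit on this zone only, not a global API key.
            apiTokenSecretRef:
              name: cloudflare-api-token        # assumed Secret name
              key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-k8s
  namespace: kube-system     # same namespace as the Gateway that reads the Secret
spec:
  secretName: wildcard-k8s-tls
  dnsNames:
    - "*.k8s.rommelporras.com"
    - k8s.rommelporras.com
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: homelab
  namespace: kube-system
spec:
  gatewayClassName: cilium
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.k8s.rommelporras.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-k8s-tls
      allowedRoutes:
        namespaces:
          from: Selector           # only opted-in namespaces may attach routes
          selector:
            matchLabels:
              gateway-access: "true"   # assumed label on portfolio-* namespaces
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: portfolio
  namespace: portfolio-prod
spec:
  parentRefs:
    - name: homelab
      namespace: kube-system
  hostnames:
    - portfolio.k8s.rommelporras.com   # assumed hostname under the wildcard
  rules:
    - backendRefs:
        - name: portfolio              # assumed Service name
          port: 80
```

Two details carry the security weight: DNS-01 means no port 80 has to be reachable for ACME validation, which is what keeps "zero exposed ports" true, and the `allowedRoutes` selector keeps an arbitrary namespace from attaching a route and claiming a hostname under the wildcard.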
Layer 5: Tunneling & CDN
- Cloudflare Tunnel - Zero-trust tunnel (cloudflared)
  - Global CDN (200+ PoPs), DDoS protection, WAF, automatic SSL
Layer 6: Applications
- Kubernetes-managed apps - Portfolio, Ghost blog, GitLab CI/CD, Homepage
- Monitoring & Status - Uptime Kuma (public status page), Cloudflare Tunnel (HA)
- DNS - AdGuard Home (primary for all VLANs)
- NAS services - Immich, OMV (on Dell 3090, running on Proxmox)
The Meta-Project
You're looking at it right now.
This portfolio website (rommelporras.com) is not hosted on Vercel, Netlify, or AWS. It runs on the exact infrastructure described above.
kubectl apply to K8s namespace (dev/staging/prod)
Skills Demonstrated
Kubernetes / Container Orchestration
- kubeadm cluster bootstrap (HA, stacked etcd)
- Cilium CNI with eBPF kube-proxy replacement
- Gateway API (replacing deprecated Ingress)
- Longhorn distributed storage
- RBAC and ServiceAccount security
DevOps / SRE
- GitFlow branching with environment promotion
- Multi-environment CI/CD (dev → staging → prod)
- Docker multi-stage builds
- Kubernetes rolling deployments
Observability
- Prometheus metrics and alerting rules
- Grafana dashboards
- Loki centralized logging
- Multi-channel alerting (Discord + Email)
Networking
- VLAN segmentation (8 VLANs)
- Cilium NetworkPolicy (L3/L4/L7)
- Cloudflare Tunnel (zero-trust)
- TLS automation (cert-manager + Let's Encrypt)
High Availability
- 3-node control plane with kube-vip VIP
- etcd quorum (3-node)
- Longhorn 2x replication
- UPS with graceful shutdown
Security
- Zero exposed ports (Cloudflare Tunnel)
- CiliumNetworkPolicy for egress control
- Environment-scoped RBAC
- Pod Security Standards enforcement
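The last three Security items (egress control, environment-scoped RBAC and Pod Security Standards) are all namespace-level controls, so they can be shown together for one environment. This is an added example, not the cluster's manifests: the namespace name matches the CI/CD table above, while the `gitlab-deployer` ServiceAccount, the `app: portfolio` label and the permitted egress destinations are assumptions.

```yaml
# Added example, not the cluster's own manifests. ServiceAccount name, pod label
# and egress destinations are assumptions; portfolio-prod is from the CI/CD table.
apiVersion: v1
kind: Namespace
metadata:
  name: portfolio-prod
  labels:
    # Pod Security Standards: the built-in admission controller rejects pods in
    # this namespace that run as root, use host namespaces, or allow privilege
    # escalation. "warn" surfaces violations in kubectl output as well.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# Environment-scoped RBAC: a Role (not a ClusterRole) can only be bound inside
# its own namespace, so the prod deployer has no path to portfolio-dev/-staging.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: portfolio-prod
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]      # read-only, for inspecting rollouts
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer
  namespace: portfolio-prod
subjects:
  - kind: ServiceAccount
    name: gitlab-deployer                # assumed CI ServiceAccount
    namespace: portfolio-prod
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
---
# Egress control: portfolio pods may resolve names via CoreDNS and reach port 443
# outside the cluster ("world"); every other outbound flow, including to other
# namespaces, is dropped by eBPF once this policy selects them.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: portfolio-egress
  namespace: portfolio-prod
spec:
  endpointSelector:
    matchLabels:
      app: portfolio                     # assumed pod label
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"        # L7 DNS visibility; narrow to needed names
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

The DNS rule is worth the extra lines: with an L7 DNS rule in place, Cilium records every name the pods resolve in Hubble, which turns "what did this workload try to talk to" into a query instead of a guess.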
Cost Comparison
Enterprise infrastructure at homelab prices
AWS Equivalent
Region: ap-southeast-1 (Singapore)
| Item | Monthly cost |
|---|---|
| 3x t3.xlarge EC2 | $463/mo |
| 1.5TB EBS gp3 | $144/mo |
| 2TB S3 Standard | $50/mo |
| ALB + ACM | $21/mo |
| EKS Control Plane | $73/mo |
| ECR | $1/mo |
| CodePipeline + CodeBuild | $6/mo |
| CloudWatch | $8/mo |
Homelab
| Item | Monthly cost |
|---|---|
| Electricity (~100W) | ~$17/mo |
| Cloudflare (free tier) | $0/mo |
| Tailscale (free personal) | $0/mo |
| Domain | ~$1/mo |
~100W covers all devices: 3 K8s nodes, Dell 3090 NAS, firewall, UPS, switch, 2 WiFi APs, 2 modems
Hardware: 3x Lenovo M80q (~$310) + Dell 3090 NAS (~$302) + Topton N100 firewall (~$164) + CyberPower UPS (~$149) + TP-Link Archer A6 (~$34) + TP-Link AX1500 (~$45) + LIANGUO 2.5GbE switch (~$24)
Why This Comparison Matters for DevOps Work
For Personal Projects: Running services at home eliminates monthly cloud bills while providing hands-on experience with production-grade infrastructure.
For Enterprise Work: Understanding cloud costs deeply helps me make informed infrastructure decisions for clients. Managing physical hardware, networking, and virtualization provides comprehensive knowledge that pure cloud-only engineers often lack.
Want to discuss my homelab setup?
I'm happy to talk about architecture decisions, security strategies, lessons learned, and how this experience translates to enterprise environments.