My Homelab
This website runs on a self-hosted Kubernetes cluster I designed, built, and maintain. It's not hosted on Vercel or AWS; it runs on enterprise-level hardware in my home, demonstrating real-world DevOps skills.
Live Infrastructure Status
Self-hosted monitoring powered by Uptime Kuma. Monitors: Portfolio Site, Overall Infrastructure.
If you're viewing this page, the infrastructure is running. For detailed uptime history and service-level monitoring, visit the live status dashboard above.
Why Homelab?
Learning
You can't truly understand Kubernetes by reading docs. Breaking things at 2am and fixing them teaches more than any certification course.
Target: CKA certification by September 2026
Data Privacy
Cloud providers have access to your data. Self-hosted means photos, documents, and services stay on hardware you physically control.
No vendor lock-in, no surprise pricing changes.
"If a company can host it on AWS, I can host it on three mini PCs in my closet, for a fraction of the cost and 100% of the learning."
Performance Metrics
Real-world performance benchmarks from production deployment
Lighthouse Scores
Average Score: 99.5 / 100
Core Web Vitals
- Target: < 2.5s (Good)
- Target: < 100ms (Good)
- Target: < 0.1 (Good)
- Target: < 600ms (Good)
All metrics pass Google's "Good" thresholds
Measured on Cloudflare's global CDN network
Architecture Overview
Network Flow
From your browser to my homelab
Public Access
Internet -> Cloudflare Tunnel -> Gateway API -> Services
Private Access
Tailscale VPN -> Internal Services
Infrastructure
3-node bare metal Kubernetes cluster
Defense in Depth
Three layers of security protecting the infrastructure
Layer 1: Network Perimeter
Cloudflare Edge Protection
- DDoS protection and WAF at Cloudflare edge
- Zero exposed ports: all traffic through encrypted Cloudflare Tunnel
- Zero-trust access model (no direct connections)
Layer 2: VLAN Segmentation
OPNsense Firewall
- 8 VLANs with strict inter-VLAN firewall rules
- IoT and Guest networks isolated from server VLAN
- Stateful inspection with IDS/IPS (Suricata)
Layer 3: Cilium Micro-Segmentation
eBPF Network Policies
- CiliumNetworkPolicy controls pod-to-pod traffic
- L3/L4/L7 filtering (IP, port, HTTP path)
- eBPF enforcement at kernel level (faster than iptables)
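As an added illustration of the L3/L4/L7 controls described above (an example written for this page, not a policy taken from this cluster), a CiliumNetworkPolicy for the portfolio pods in the portfolio-prod namespace; the pod label app: portfolio, the container port 3000 and the policy name are assumptions.

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: portfolio-web          # assumed name
  namespace: portfolio-prod    # namespace from the environment table above
spec:
  # Only pods carrying this label are governed by the policy (label assumed)
  endpointSelector:
    matchLabels:
      app: portfolio
  ingress:
    # L3: the only permitted source is Cilium's own Envoy proxy, which is
    # what the Gateway API listener uses to forward traffic to backends
    - fromEntities:
        - ingress
      # L4: and only on the app's HTTP port
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
          # L7: and only GET/HEAD requests; the proxy answers 403 to anything else
          rules:
            http:
              - method: "GET"
                path: "/.*"
              - method: "HEAD"
                path: "/.*"
  egress:
    # DNS is allowed only towards kube-dns, and every query is visible to the
    # L7 DNS proxy (useful for audit: Hubble records the looked-up names)
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
    # Outbound HTTPS to the Internet is allowed; nothing else in the cluster is reachable
    - toEntities:
        - world
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Because the policy declares both an ingress and an egress section, the selected pods fall into default-deny in both directions and only the listed flows pass; `cilium policy get` on the node, or `hubble observe --verdict DROPPED -n portfolio-prod`, shows what the policy is rejecting.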
CI/CD Pipeline
Two delivery workflows: GitLab CI/CD for app code, ArgoCD GitOps for infrastructure
GitLab CI/CD: Application Delivery
Portfolio and Invoicetron use GitFlow branching with 3-environment promotion.
| Environment | Namespace | Trigger | URL |
|---|---|---|---|
| Dev | portfolio-dev | Push to develop | (internal only) |
| Staging | portfolio-staging | Manual trigger | beta.rommelporras.com |
| Prod | portfolio-prod | Merge to main | www.rommelporras.com |
ArgoCD GitOps: Infrastructure Delivery
50+ services delivered via GitOps. Git is the single source of truth; manual changes are automatically reverted.
Pattern
- App-of-apps (single root Application)
- Helm multi-source + Kustomize
- Trunk-based (direct to main)
Behavior
- Auto-sync within ~3 minutes
- Self-heal (manual kubectl reverted)
- 50+ services across 30+ namespaces
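To show how the app-of-apps, Helm multi-source and self-heal settings listed above fit together, here is an added example (manifests written for this page, not the cluster's own) of a root Application and one child Application it discovers; the Git repository URL is a placeholder and the cert-manager chart version is one chosen for the example.

```yaml
# Root Application: the only object applied by hand. Everything else is
# discovered from the apps/ directory in Git (app-of-apps pattern).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitlab.example.invalid/homelab/infra.git   # placeholder repo
    targetRevision: main          # trunk-based: direct to main
    path: apps                    # each file here is a child Application
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true      # objects removed from Git are deleted from the cluster
      selfHeal: true   # manual kubectl edits are reverted on the next reconcile
---
# One child Application found under apps/: an upstream Helm chart whose
# values file lives in the same Git repo (multi-source pattern, $values ref).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cert-manager
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # cascade-delete on removal
spec:
  project: default
  sources:
    - repoURL: https://charts.jetstack.io
      chart: cert-manager
      targetRevision: v1.16.0          # pin chart versions; version-checker flags drift
      helm:
        valueFiles:
          - $values/apps/cert-manager/values.yaml
    - repoURL: https://gitlab.example.invalid/homelab/infra.git  # placeholder repo
      targetRevision: main
      ref: values                      # exposes this repo to the chart as $values
  destination:
    server: https://kubernetes.default.svc
    namespace: cert-manager
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
```

With selfHeal enabled, `kubectl edit` on any resource owned by these Applications is reverted on the next reconcile (about three minutes by default), which is what makes Git the only place a change can survive.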
Hardware Stack
Kubernetes Nodes (x3)
Lenovo ThinkCentre M80q
Why M80q? Enterprise-grade reliability, uniform cores (important for K8s scheduling), low power (~35W TDP), excellent value on the used market.
Topton N100
Intel N100, 16GB RAM
Proxmox + OPNsense
Dell OptiPlex 3090
i5-10500T, 32GB RAM
Proxmox + OMV NAS
LIANGUO LG-SG5T1
5x 2.5GbE + 10G SFP+
Managed, VLAN support
CyberPower UPS
1600VA / 1000W
~45 min runtime
Services Running
50+ services across 30+ namespaces, all real, all running
Platform Infrastructure
18 services
- 3-node HA control plane with stacked etcd
- eBPF-based CNI replacing kube-proxy
- Distributed block storage (2x replication on NVMe)
- HA virtual IP for API server (ARP mode)
- Kubernetes-native ingress with Cilium
- Automated Let's Encrypt wildcard TLS certificates
- Resource metrics for HPA and kubectl top
- GitOps continuous delivery (app-of-apps pattern)
- Secrets management (Raft storage, auto-unseal)
- Syncs K8s Secrets from Vault
- Automatic Vault unsealing deployment
- Cluster backup and restore
- Self-hosted S3-compatible object store (Velero backend)
- Container/K8s version drift detection
- Auto-labels GPU nodes
- GPU plugin for Intel QSV transcoding
- Weekly CIS Kubernetes benchmark scans
- Automated failed pod + stopped replica cleanup
Networking & Access
3 services
- HA tunnel (2 replicas), zero exposed ports
- WireGuard subnet router for private remote access
- Primary DNS server for all VLANs (10.10.30.53)
Observability Stack
13 services
- Metrics collection with 177+ default alerting rules
- Dashboards for every service + infrastructure
- Log aggregation (paired with Grafana)
- Log collector (Grafana agent, replaces Promtail)
- Alert routing to Discord + Email
- HTTP/TCP probes for endpoint monitoring
- Public status page at status.rommelporras.com
- UPS monitoring (CyberPower CP1600EPFCLCD)
- OpenTelemetry data collection (Claude Code metrics)
- NVMe S.M.A.R.T. disk monitoring (DaemonSet)
- Prometheus metrics for ARR apps
- Prometheus metrics for Tdarr
- Prometheus metrics for qBittorrent
CI/CD
3 services
- Self-hosted DevOps platform (web, sidekiq, gitaly)
- Kubernetes executor for CI/CD jobs
- Docker image registry at registry.k8s.rommelporras.com
Applications
11 services
- Theme development environment
- Local LLM inference (CPU): qwen2.5:3b, qwen3:1.7b, moondream, gemma3:1b
- AI bookmark manager (Chrome crawler + Meilisearch + Ollama)
- Internal dashboard (2 replicas)
- Internet speed test tracker (historical)
- Persistent browser via KasmVNC
- Self-hosted shell history sync (E2E encrypted)
- Ghost analytics proxy (browser to Tinybird)
Media Stack
12 services
15-service media automation pipeline with Intel QSV hardware transcoding.
- Media server with Intel QSV hardware transcoding
- TV show management and automation
- Movie management and automation
- Indexer manager for Sonarr/Radarr
- Download client
- Subtitle management for Sonarr/Radarr
- Media requests and discovery
- Library transcoding (Intel QSV hardware acceleration)
- AI media recommendations (powered by Ollama)
- TRaSH Guide quality profile sync (CronJob)
- RAR archive extraction daemon
- Cloudflare bypass proxy for indexers
Databases
5 services
- Ghost Blog (dev + prod)
- Invoicetron
- Karakeep (full-text search)
- Uptime Kuma, Karakeep
- Atuin dedicated database
Additional Infrastructure
4 services
These services run outside Kubernetes but are part of the homelab ecosystem.
- Hypervisor (2 nodes: Dell 3090 + Topton N100)
- Firewall / router (Proxmox VM)
- NAS / NFS storage
- Photo management
Release Timeline
67 releases in ~3 months, from empty repo to full production stack
Network Segmentation
Enterprise-level network design with 8 isolated VLANs for security, performance, and separation of concerns. Each VLAN has custom firewall rules enforcing the principle of least privilege.
| VLAN | Name | Subnet | Purpose | Security |
|---|---|---|---|---|
| 10 | LAN | 10.10.10.0/24 | Trusted wired devices | High (Full Access) |
| 20 | TRUSTED_WIFI | 10.10.20.0/24 | Trusted wireless (SSID: Mugiwara) | High (Full Access) |
| 30 | SERVERS | 10.10.30.0/24 | Internal VMs and LXCs | High (Backend) |
| 40 | IOT | 10.10.40.0/24 | IoT devices (SSID: Mugiwara-IOT) | Low (Internet-Only) |
| 50 | DMZ | 10.10.50.0/24 | Public-facing services (Cloudflare Tunnel) | Medium (DMZ) |
| 60 | GUEST | 192.168.0.0/24 | Guest devices (SSID: Mugiwara-Guest) | Low (Internet-Only) |
| 69 | MGMT | 10.10.69.0/24 | Proxmox host management | Critical (Admin-Only) |
| 70 | AP_TRUNK | 10.10.70.0/24 | OpenWRT AP management | Medium (AP Config) |
Technology Stack
A modern DevOps stack running 24/7, organized by architectural layer.
Layer 1: Hypervisor
- Proxmox VE 9.1.4 - Type-1 bare-metal hypervisor
  - KVM for VMs, LXC for containers, web-based management
Layer 2: Firewall & Routing
- OPNsense 25.7.5 - Enterprise firewall/router
  - Dual WAN, 8 VLANs, IDS/IPS (Suricata), WireGuard VPN
- OpenWRT - Custom WiFi firmware
Layer 3: DNS & Ad Blocking
- AdGuard Home - Network-wide ad blocking
  - DoH/DoT encryption, local DNS rewrites, DNSSEC validation
Layer 4: Reverse Proxy
- Cilium Gateway API - Kubernetes-native ingress
  - cert-manager + Let's Encrypt DNS-01, wildcard certs (*.k8s.rommelporras.com)
Layer 5: Tunneling & CDN
- Cloudflare Tunnel - Zero-trust tunnel (cloudflared)
  - Global CDN (200+ PoPs), DDoS protection, WAF, automatic SSL
Layer 6: Applications
- Platform - ArgoCD, Vault, Velero, cert-manager, Garage S3
- Applications - Portfolio, Ghost, Invoicetron, Ollama, Karakeep, Atuin, Homepage
- Media Stack - Jellyfin, Sonarr, Radarr + 9 more
- Monitoring - Prometheus, Grafana, Loki, Uptime Kuma, 5 exporters
- DNS & Networking - AdGuard Home, Cloudflare Tunnel, Tailscale
- Non-K8s - Immich, OMV (on Proxmox)
The Meta-Project
You're looking at it right now.
This portfolio website (rommelporras.com) is not hosted on Vercel, Netlify, or AWS. It runs on the exact infrastructure described above.
Deployment: kubectl apply to the target K8s namespace (dev/staging/prod). Infrastructure services use ArgoCD GitOps instead.
Skills Demonstrated
Kubernetes / Container Orchestration
- kubeadm cluster bootstrap (HA, stacked etcd)
- Cilium CNI with eBPF kube-proxy replacement
- Gateway API (replacing deprecated Ingress)
- Longhorn distributed storage
- RBAC and ServiceAccount security
DevOps / SRE
- GitFlow branching with environment promotion
- Multi-environment CI/CD (dev -> staging -> prod)
- Docker multi-stage builds
- Kubernetes rolling deployments
- ArgoCD GitOps continuous delivery
Observability
- Prometheus metrics and alerting rules
- Grafana dashboards
- Loki centralized logging
- Multi-channel alerting (Discord + Email)
- S.M.A.R.T. disk monitoring (smartctl-exporter)
- Version drift detection (version-checker)
Networking
- VLAN segmentation (8 VLANs)
- Cilium NetworkPolicy (L3/L4/L7)
- Cloudflare Tunnel (zero-trust)
- TLS automation (cert-manager + Let's Encrypt)
High Availability
- 3-node control plane with kube-vip VIP
- etcd quorum (3-node)
- Longhorn 2x replication
- UPS with graceful shutdown
Security
- Zero exposed ports (Cloudflare Tunnel)
- CiliumNetworkPolicy for egress control
- Environment-scoped RBAC
- Pod Security Standards enforcement
- 132 CiliumNetworkPolicies
- HashiCorp Vault secrets management
- Weekly CIS benchmarks (kube-bench)
GitOps
- ArgoCD app-of-apps pattern
- Multi-source Applications
- Self-heal and auto-sync
- Declarative cluster state (Git as source of truth)
Secrets Management
- HashiCorp Vault (Raft storage, auto-unseal)
- External Secrets Operator integration
- Zero plaintext secrets in Git
Backup & DR
- Velero cluster backup to self-hosted S3
- Longhorn volume snapshots
- CronJob database dumps + NFS offsite
Cost Comparison
Enterprise infrastructure at homelab prices
AWS Equivalent
Region: ap-southeast-1 (Singapore)
- 3x t3.xlarge EC2: $345/mo
- 1.5TB EBS gp3: $144/mo
- 2TB S3 Standard: $60/mo
- ALB + ACM: $18/mo
- EKS Control Plane: $73/mo
- ECR: $5/mo
- Secrets Manager: $20/mo
- RDS MySQL + PostgreSQL x2: $55/mo
- AWS Backup: $25/mo
- CodePipeline + CodeBuild: $3/mo
- CloudWatch + Logs: $15/mo
Homelab
- Electricity (~110W): ~$19/mo
- Cloudflare (free tier): $0/mo
- Tailscale (free personal): $0/mo
- Domain: ~$1/mo
~110W covers all devices: 3 K8s nodes, Dell 3090 NAS, firewall, UPS, switch, 2 WiFi APs, 2 modems (₱13.82/kWh)
Hardware: 3x Lenovo M80q (~$310) + Dell 3090 NAS (~$302) + Topton N100 firewall (~$164) + CyberPower UPS (~$149) + TP-Link Archer A6 (~$34) + TP-Link AX1500 (~$45) + LIANGUO 2.5GbE switch (~$24)
Why This Comparison Matters for DevOps Work
For Personal Projects: Running services at home eliminates monthly cloud bills while providing hands-on experience with production-grade infrastructure.
For Enterprise Work: Understanding cloud costs deeply helps me make informed infrastructure decisions for clients. Managing physical hardware, networking, and virtualization provides comprehensive knowledge that pure cloud-only engineers often lack.
Want to discuss my homelab setup?
I'm happy to talk about architecture decisions, security strategies, lessons learned, and how this experience translates to enterprise environments.
Last verified: April 2026