Self-hosted services on a single Proxmox host. Segmented network, runs 24/7.
I started this while studying for CompTIA and the plan was a small router, a few VLANs, and maybe two or three services and then got carried away.
| Layer | Tool |
|---|---|
| Hypervisor | Proxmox VE |
| Firewall | pfSense (low-power x86) |
| Switching | TP-Link Omada (managed VLANs) |
| Reverse proxy | Caddy (Cloudflare DNS-01) |
| Identity | Authentik (OIDC + forward auth) |
| DNS | Pi-hole → Unbound → Cloudflare |
| Remote access | WireGuard |
| Monitoring | Victoria Metrics + Grafana + Beszel |
| Backups | Proxmox Backup Server |
Around 10 LXCs and a couple of VMs running about 20 services across 7 VLANs.
- VLANs are organized by trust tier. Management is its own tier because a compromise there would be no bueno
- Internal services sit behind Authentik. OIDC where the app supports it and then Caddy forward auth where it doesn't
- Public surface is small. A handful of services, behind a DMZ-isolated reverse proxy with firewall rules backing up the proxy config
- Admin surfaces are only available from Management tier and VPN.
| Doc | About |
|---|---|
| Services | What's deployed, grouped by what it does |
| Network | Segmentation, firewall posture, DNS |
| Security | Layered controls, threat model, limitations |
The IP plan, hardware inventory, ADRs, rebuild runbook, and retention policies are in a private repo.