
🧠 Homelab Overview

A local-first infrastructure built for privacy and performance. Production and development environments are fully isolated on separate nodes. Public traffic terminates on a VPS and reaches the homelab over a Tailscale (WireGuard) tunnel, so the home IP address is never published.

🏗️ Infrastructure Overview

  • 4 homelab nodes + 1 VPS for public ingress
  • Ubuntu 24.04 LTS (Noble Numbat) on all systems
  • Docker Engine 28.3.x in standalone mode
  • Portainer CE 2.24.1 for centralized management
  • Tailscale (WireGuard) tunnels VPS-to-homelab traffic
  • Caddy on VPS handles TLS and reverse proxy
  • Home IP never exposed - all traffic via VPS tunnel

🖥️ Hardware Fleet

The cluster consists of 4 homelab nodes plus a cloud VPS:

  • johnsen-ci-01 - Portainer Manager: AZW MINI S • Intel N100 • 4 cores • 16GB DDR4
  • johnsen-ci-02 - Development / Previews: AZW MINI S • Intel N100 • 4 cores • 16GB DDR4
  • johnsen-ci-03 - Production: AZW MINI S • Intel N100 • 4 cores • 16GB DDR4
  • johnsen-ci-04 - CI Runners: HP Elite SFF 600 G9 • Intel i9-12900K • 24 threads • 64GB DDR5
  • ingress-01 - Public Ingress (VPS): DigitalOcean Droplet • 1 vCPU • 1GB RAM • NYC Region

🚀 GitHub Actions

Self-hosted runners for CI/CD workflows:

  • 6 runners, all on ci-04 (the N100 mini PCs host services, not runners)
  • Organization-level runners (johnsenai org)
  • Ephemeral runners: each container takes one job, then exits and is replaced, so no workspace or credential from one job survives into the next
  • Playwright pre-installed with browser cache
  • Labels: self-hosted, johnsen-ci-04, linux, x64
  • Image: myoung34/github-runner:ubuntu-noble
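A Compose service for one such runner, as an added example rather than the homelab's actual stack file: the `GH_ORG_TOKEN` variable, the work directory and the name prefix are assumptions, and the Playwright browser cache the page mentions would be layered on top of this image.

```yaml
# Added example: one ephemeral, org-level GitHub Actions runner for ci-04.
# Scale it with: docker compose up -d --scale runner=6
services:
  runner:
    image: myoung34/github-runner:ubuntu-noble
    restart: always                   # the container exits after each job; restart re-registers a fresh one
    environment:
      RUNNER_SCOPE: org
      ORG_NAME: johnsenai
      ACCESS_TOKEN: ${GH_ORG_TOKEN}   # assumed PAT with admin:org, read from .env, never committed
      EPHEMERAL: "true"               # registers with --ephemeral: exactly one job per registration
      LABELS: self-hosted,johnsen-ci-04,linux,x64
      RUNNER_NAME_PREFIX: johnsen-ci-04
      RUNNER_WORKDIR: /tmp/runner/work
      DISABLE_AUTO_UPDATE: "true"     # pin the runner version to the image, update by pulling a new tag
```

Two caveats a reviewer would raise on this pattern. The PAT in `ACCESS_TOKEN` is visible to every job's process on that runner, so it should be a dedicated token scoped only to runner registration for the org. And if workflows need Docker builds, mounting `/var/run/docker.sock` into the runner hands every job root-equivalent control of ci-04, which undoes the isolation that ephemeral containers buy; a separate BuildKit daemon (the page places BuildKit on ci-04) with its own socket keeps that boundary.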

🐳 Container Platform

  • Docker Engine 28.3.x on all nodes
  • Standalone mode (no Swarm orchestration)
  • 28 containers running across the cluster
  • Compose-based stack deployments via Portainer
  • Registries: Docker Hub + GitHub Container Registry

🎛️ Management Platform

Portainer CE 2.24.1 provides centralized control:

  • Server on ci-01, agents on ci-02/03/04
  • Web UI on port 9443 (HTTPS)
  • Agent communication on port 9001 (server to agents over the LAN; not internet-facing)
  • Compose stack deployment (standalone mode)
  • Container logs, stats, and monitoring

Cluster Resources

Aggregate capacity across homelab + VPS:

  • Homelab CPU: 28 cores / 36 threads
  • Homelab RAM: 112 GB
  • Homelab Storage: 3.8 TB
  • VPS: 1 vCPU / 1 GB RAM
  • GitHub Runners: 6 concurrent
  • Network: 1 Gbps per homelab node

🔧 Key Services

Isolated environments with independent routing:

  • Caddy - Public reverse proxy (ingress-01 VPS)
  • Traefik - Preview routing (ci-02)
  • Nginx - Production static site (ci-03:8080)
  • Preview Dashboard - dev.johnsen.ai (ci-02)
  • Stats Agents - Metrics collection (all nodes)
  • Tailscale - VPN tunnel (ci-01, ci-02, ci-03, VPS)
  • BuildKit - Docker image builds (ci-04)

🌐 Network & Access

  • VPS Tunnel - Public traffic via Tailscale
  • No home ports exposed to internet
  • johnsen.ai → VPS → ci-03 (production)
  • *.dev.johnsen.ai → VPS → ci-02 (previews)
  • On-demand TLS for *.dev.johnsen.ai: Caddy issues a certificate per preview hostname at first request (issuance should be gated by an on_demand_tls `ask` check so arbitrary Host headers cannot trigger certificate requests)
  • Firewall: UFW on all nodes + VPS
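The routing above (johnsen.ai to ci-03, *.dev.johnsen.ai to ci-02, on-demand TLS) expressed as a Caddyfile for ingress-01. This is an added example, not the homelab's actual configuration: the Tailscale addresses 100.64.0.2 and 100.64.0.3, Traefik listening on port 80 on ci-02, and the `ask` endpoint URL are all assumptions.

```caddyfile
{
    # Gate on-demand issuance: Caddy GETs this URL with ?domain=<hostname>
    # and only requests a certificate when it answers 200. Without it any
    # client can point a Host header at *.dev.johnsen.ai and make the VPS
    # burn Let's Encrypt rate limits on hostnames that have no preview.
    # Assumed endpoint served by the preview dashboard on ci-02.
    on_demand_tls {
        ask http://100.64.0.2:8081/preview-exists
    }
}

# Production: static site served by Nginx on ci-03:8080, reached over the
# tailnet (assumed Tailscale address).
johnsen.ai {
    reverse_proxy 100.64.0.3:8080
}

# Previews: one certificate per subdomain, issued on first request, then
# proxied to Traefik on ci-02 which routes by hostname (port assumed).
*.dev.johnsen.ai {
    tls {
        on_demand
    }
    reverse_proxy 100.64.0.2:80
}
```

Caddy adds X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host on the way to the backends, so Traefik and Nginx see the real client address rather than the VPS's tailnet IP. Because the backends are only reachable through the tunnel, no home port has to be opened for this to work.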

🔒 VPS Security

Hardened VPS ingress with defense in depth:

  • Fail2ban - Automatic IP blocking for SSH attacks
  • Unattended Upgrades - Auto security patches
  • UFW Firewall - Only SSH/HTTP/HTTPS open
  • Reserved IP - Stable public address
  • WireGuard (via Tailscale) - Encrypted tunnel to homelab
  • Home IP never exposed publicly
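What the Fail2ban layer above actually decides, as an added example that is not the homelab's tooling: the script reimplements the sshd jail logic (count password failures per source IP inside a sliding findtime window, ban at maxretry) and runs it over constructed log lines in the standard syslog plus OpenSSH format. The addresses come from documentation ranges and the ban command mirrors what a UFW ban action does; jail parameters and the hostname ingress-01 in the samples are assumptions.

```python
"""Fail2ban-style sshd brute-force detection over constructed log lines.

Added example, not the homelab's own code. 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges; the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix followed by an OpenSSH password failure. The optional
# "invalid user" covers usernames that do not exist on the host.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample: one fast brute-force source (203.0.113.5), one slow
# source (203.0.113.9) and a legitimate key login that must never count.
SAMPLE_LOG = """\
Jun  3 10:00:03 ingress-01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  3 10:00:40 ingress-01 sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jun  3 10:01:10 ingress-01 sshd[1212]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jun  3 10:01:55 ingress-01 sshd[1218]: Failed password for invalid user ubuntu from 203.0.113.5 port 51250 ssh2
Jun  3 10:02:30 ingress-01 sshd[1223]: Failed password for root from 203.0.113.5 port 51255 ssh2
Jun  3 10:03:05 ingress-01 sshd[1229]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jun  3 10:05:12 ingress-01 sshd[1240]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jun  3 10:09:30 ingress-01 sshd[1251]: Accepted publickey for deploy from 198.51.100.7 port 60000 ssh2
Jun  3 10:17:45 ingress-01 sshd[1260]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jun  3 10:31:00 ingress-01 sshd[1275]: Failed password for root from 203.0.113.9 port 40003 ssh2
""".splitlines()


def parse_ts(stamp, year=2025):
    """Syslog timestamps carry no year, so one is assumed (fail2ban does the same)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry=5, findtime=600, year=2025):
    """Return {ip: time_of_ban} for sources that reach maxretry failures
    within any findtime-second window. Non-matching lines (successful
    logins, other daemons) are ignored; a banned IP is not re-counted."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ip = m["ip"]
        if ip in banned:
            continue              # already blocked at the firewall
        t = parse_ts(m["ts"], year)
        q = recent[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = t
            del recent[ip]
    return banned


def ufw_ban_command(ip, port=22):
    """The firewall action: a deny rule inserted at position 1 so it is
    evaluated before the SSH allow rule (UFW applies rules in order)."""
    return ["ufw", "insert", "1", "deny", "from", ip, "to", "any",
            "port", str(port), "proto", "tcp"]


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {' '.join(ufw_ban_command(ip))}")
```

With the defaults (maxretry 5, findtime 10 minutes) only 203.0.113.5 is banned, at the fifth failure at 10:02:30. 203.0.113.9 spreads three attempts over 26 minutes and never has more than one failure inside the window, which is the gap a slow brute-force exploits; widening findtime (or using fail2ban's incremental ban time for repeat offenders) closes it at the cost of more false positives from users who mistype a password a few times over an hour. Key-only SSH on the VPS makes the whole class of attack fail regardless of the thresholds.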