This is my homelab configuration. The main goal is simple: learn DevOps and network administration by doing real things, not tutorials.
The idea
I already had a Proxmox server running at home with a few LXCs (AdGuard, Caddy, Vaultwarden) and a VM with Jellyfin and the arr stack. A Raspberry Pi running Uptime Kuma on the side. Everything working but nothing documented, nothing automated, nothing reproducible.
The idea was to take what I already had and turn it into something that looks and works like a real infrastructure. Something I could show to a recruiter and say “I built this”.
Technologies
- Proxmox VE — hypervisor running all the LXCs and VMs
- Prometheus + Grafana — monitoring stack installed directly as systemd services
- Ansible — automation and configuration management
- OpenTofu — infrastructure as code for provisioning LXCs
Phase 0: Documentation
Before touching anything I documented the existing infrastructure. Network diagram, services, why each thing is where it is. Boring but necessary.
The repo started as just a README and a few markdown files. That was enough to get going.
Phase 1: Monitoring
I set up Prometheus and Grafana directly on a dedicated LXC as systemd services, no Docker involved. Prometheus scrapes metrics from every machine via node-exporter — the LXCs, the Raspberry Pi and the VM. cAdvisor handles the Docker container metrics on the VM so I can see what Jellyfin or Sonarr are consuming at any given time.
The Raspberry Pi runs armv7 so the node-exporter build is different. Ansible handles that automatically by detecting the architecture.
Phase 2: Ansible
Three playbooks so far:
- update-all.yml — updates and upgrades every machine in one command
- node-exporter.yml — installs and configures node-exporter, handles amd64 and armv7 automatically
- hardening.yml — creates a non-root user, copies the SSH key, disables root login and password authentication
The hardening playbook was the interesting one. You have to create the user before disabling root or you lock yourself out. Learned that the hard way.
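A playbook that enforces this ordering, as an added example and not the author's hardening.yml. It assumes Debian-based hosts (service name `ssh`, group `sudo`), a hypothetical user `ops`, a public key at `~/.ssh/id_ed25519.pub` on the control machine, and the `ansible.posix` collection.

```yaml
# Added example. The user name, key path and Debian defaults are assumptions.
- name: SSH hardening with a lockout guard
  hosts: all
  become: true
  vars:
    admin_user: ops  # hypothetical name
    admin_pubkey: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_ed25519.pub') }}"
  tasks:
    - name: Install sudo (minimal LXC templates may lack it)
      ansible.builtin.apt:
        name: sudo
        state: present
        update_cache: true

    - name: Create the non-root admin user first
      ansible.builtin.user:
        name: "{{ admin_user }}"
        groups: sudo
        append: true
        shell: /bin/bash

    - name: Install the public key for that user
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"

    # The user has no password, so sudo would otherwise be unusable.
    - name: Allow passwordless sudo through a validated drop-in
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        content: "{{ admin_user }} ALL=(ALL) NOPASSWD:ALL\n"
        mode: "0440"
        validate: "visudo -cf %s"

    # Runs last: a failure above stops the play while root access still works.
    - name: Disable root login and password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: "sshd -t -f %s"
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
      notify: Restart ssh

  handlers:
    - name: Restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

On images that ship drop-ins under `/etc/ssh/sshd_config.d/`, sshd keeps the first value it reads for each option, so confirm the effective settings with `sshd -T` after the run.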
Phase 3: OpenTofu
This is where it gets interesting. OpenTofu provisions LXC containers on Proxmox via the API and then automatically runs the Ansible hardening playbook on the new machine. It also manages /etc/hosts so the hostname is available immediately after creation.
The full flow is one command:
tofu apply
That creates the LXC, configures it and registers it. tofu destroy removes everything including the hosts entry.
What’s next
- Run node-exporter automatically on every new LXC via the provisioner
- Combine OpenTofu and Ansible into a full provisioning pipeline
- Terraform/OpenTofu state management