Skip to content


Home Lab

Here is the mindmap-style illustration of my home lab. There are always changes made, but the build steps and details for my Kubernetes cluster is available in the following pages under this homelab section.


I have baremetal machines running Linux in headless, and some of them running services using Docker and some consisting Kubernetes cluster.

I use Ansible to run repetitive tasks to manage my machines.

I use Docker Compose to run all the services that are running as Docker containers. I have separate repositories and docker-compose.yml files for every services, and I have systemd service unit files for them to boot up automatically whenever machines have to reboot. I have DNS service running on two different machines, and they use the same repository to be in sync.

My Kubernetes cluster is managed through flux and I am using self-managed GitLab to bootstrap the cluster and the repository. The core infrastructure services are described (and deployed by k8s & flux) in the main flux repository, and I have other gitrepo references (also hosted on my GitLab) to manage services.

I have deployed Bytebase which handles GitOps for databases. This is also integrated with my self-managed GitLab, and the DDL and DML files on the connected repo will spin out the automated change job to be applied to the concerned databases managed by Bytebase.

My GitLab is playing very important role in my home lab and I have backups taken regularly to places including public cloud service. I used to use Google Cloud Storage and I currently use Cloudflare R2.

Service Access

Reverse Proxy and Kubernetes Gateway

When I am on LAN, at home, my DNS points me to either a reverse proxy running as Docker container or Kubernetes gateway depending on where the service I'm accessing is hosted on. Both reverse proxy and Kubernetes gateway is doing TLS offload.

When I am outside, my traffic always reaches the reverse proxy which then TLS pass-through to Kubernetes gateway if the service is hosted on Kubernetes cluster, otherwise TLS offload and reverse proxy to the serves running as Docker containers.

Private and Public Sites

This very website, , is being hosted on a cloud, but I have my personal sites hosted on GitLab Pages, some of which is accessible from the Internet and some not. This control is being done using simple DNS record availability. I register DNS record for sites I want to expose to public network.


There are services I want to make them publicly accessible so that I can use them when I am outside, but not really open to anonymous users out in the Internet.

For services such as GitLab that have built-in MFA, I let reverse proxy just pass through, and for services that don't, I have reverse proxy to include multi-factor authentication service to limit who can access those services.

Monitoring and Logging

Kube-prometheus stack is implemented for monitoring purpose, using PV served through DirectPV to store data. Grafana Loki is implemented for logging purpose, using DirectPV and also Minio S3 to process and store data. Both monitoring and logging data and visualization can be queried and viewed through Grafana.