
Home Lab

Here is the mindmap-style illustration of my home lab.

Right now I am building my Kubernetes home lab from scratch again, and I will be updating the steps on the other page, [[building-home-lab-part-1|building home lab part 1]].


I have bare-metal machines running Linux headless; some of them run services using Docker and some of them form the Kubernetes cluster.

I use Ansible to run repetitive tasks to manage my machines.

I use Docker Compose to run all the services that run as Docker containers. I have a separate repository and docker-compose.yml file for every service, and I have systemd service unit files for them so that they start automatically whenever a machine has to reboot. I have a DNS service running on two different machines, and they use the same repository to stay in sync.

My Kubernetes cluster is managed through Flux, and I am using a self-managed GitLab to bootstrap the cluster and the repository. The core infrastructure services are described (and deployed by k8s & Flux) in the main Flux repository, and I have other git repository references (also hosted on my GitLab) to manage services.

My GitLab plays a very important role in my home lab, and I have backups taken regularly to several places, including a public cloud service. I used to use Google Cloud Storage and I currently use Cloudflare R2.

Service Access

Reverse Proxy and Kubernetes Gateway

When I am on the LAN, at home, my DNS points me to either a reverse proxy running as a Docker container or the Kubernetes gateway, depending on where the service I'm accessing is hosted. Both the reverse proxy and the Kubernetes gateway do TLS offload.

When I am outside, my traffic always reaches the reverse proxy, which passes TLS through to the Kubernetes gateway if the service is hosted on the Kubernetes cluster, and otherwise offloads TLS and reverse-proxies to the services running as Docker containers.

Private and Public Sites

This very website, , is hosted on a cloud, but I have my personal sites hosted on GitLab Pages, some of which are accessible from the Internet and some not. This is controlled simply by DNS record availability: I register a DNS record only for the sites I want to expose to the public network.


There are services I want to make publicly accessible so that I can use them when I am outside, but not open to anonymous users on the Internet.

For services such as GitLab that have built-in MFA, I let the reverse proxy just pass through; for services that don't, I have the reverse proxy include a multi-factor authentication service to limit who can access them.
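As an added example (not the page's own configuration, which names neither the reverse proxy software nor any hosts), here is how the "outside" path described above, together with the MFA gate from this section, can be expressed in nginx: an SNI-based decision in the stream layer passes TLS through untouched to the Kubernetes gateway, everything else is terminated locally, GitLab is proxied without an extra check because it has its own MFA, and a service without built-in MFA is gated with auth_request against a forward-auth portal. All hostnames, addresses, ports, certificate paths and the portal's verify endpoint are assumptions.

```nginx
# Added example, not the page's own config. Hostnames, addresses, ports,
# certificate paths and the MFA portal endpoint are all assumed values.

# ---- Layer 4: route by SNI before any TLS termination happens here -------
stream {
    # The client's requested server name (SNI) decides the backend.
    map $ssl_preread_server_name $tls_backend {
        # Services on the Kubernetes cluster: TLS is passed through untouched;
        # the Kubernetes gateway terminates it itself.
        app1.lab.example   k8s_gateway;
        app2.lab.example   k8s_gateway;
        # Everything else goes to the local http{} front end below, which
        # offloads TLS and proxies to the Docker-hosted services.
        default            local_https;
    }

    upstream k8s_gateway { server 10.0.0.20:443; }    # assumed gateway address
    upstream local_https { server 127.0.0.1:8443; }   # the http{} server below

    server {
        listen 443;
        ssl_preread on;            # read SNI without decrypting anything
        proxy_pass $tls_backend;
    }
}

# ---- Layer 7: TLS offload plus access control for Docker-hosted services --
http {
    # Forward-auth portal (an Authelia-style verify endpoint is assumed):
    # answers 2xx only for a browser session that has completed MFA.
    upstream mfa_portal { server 127.0.0.1:9091; }

    # GitLab has built-in MFA, so it is only offloaded and proxied.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name gitlab.lab.example;
        ssl_certificate     /etc/nginx/certs/lab.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/certs/lab.key;

        location / {
            proxy_pass http://127.0.0.1:8929;           # assumed GitLab port
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

    # A service with no MFA of its own: every request must first be
    # approved by the MFA portal.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name wiki.lab.example;
        ssl_certificate     /etc/nginx/certs/lab.crt;
        ssl_certificate_key /etc/nginx/certs/lab.key;

        # Internal subrequest: ask the portal whether this session is valid.
        location = /auth-verify {
            internal;
            proxy_pass http://mfa_portal/api/verify;    # assumed endpoint
            proxy_pass_request_body off;                # only headers matter
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        }

        location / {
            auth_request /auth-verify;
            # Unauthenticated: send the browser to the MFA login page and
            # have it come back to the original URL afterwards.
            error_page 401 =302 https://auth.lab.example/?rd=$scheme://$http_host$request_uri;

            proxy_pass http://127.0.0.1:8080;           # assumed service port
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
```

The stream block needs nginx built with ngx_stream_ssl_preread_module and the http block with ngx_http_auth_request_module; both ship with stock builds on most distributions but are worth confirming with `nginx -V`. Because the passthrough path never decrypts, the reverse proxy cannot add authentication for Kubernetes-hosted services; that check has to live at the Kubernetes gateway or in the service itself, which is consistent with only Docker-hosted services being gated here.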