Single-node Proxmox VE homelab. Architecture diagrams, operational runbooks, and config templates for Traefik, AdGuard, Wazuh, and Vector. LAN-only, no internet exposure beyond a single Cloudflare Tunnel.
```
ISP box / router (192.168.1.1)
  |
  +--> AdGuard 192.168.1.30  <--- DNS for the whole LAN
  |      |
  |      +-> rewrite *.home.example.com -> 192.168.1.20
  |
  +--> Proxmox host 192.168.1.10
         |
         +-> Traefik 192.168.1.20:443
               |
               +-> 17 services on *.home.example.com
```
- 1 host: recycled HP ATX, i7-6700, 32 GB RAM, Kingston SSD + Hitachi 1 TB + 2x Samsung T5/T7 USB
- 2 VMs + 11 LXC containers
- Traefik v3 with wildcard Let's Encrypt cert via Cloudflare DNS-01
- AdGuard Home for LAN DNS (split-horizon)
- Authentik for SSO, Uptime Kuma for monitoring
- Wazuh agents on PVE host + LXC honeypot + service VMs
- Vector for log shipping
- Coolify on a Hetzner CX23 VPS, exposed via Cloudflare Tunnel
| Folder | What's there |
|---|---|
| `docs/` | 14 architectural docs: network, storage, services, backups, DR, hardening, roadmap, Coolify, security observability |
| `runbooks/` | Operational procedures: add a service to Traefik, recover a corrupted VM, update Proxmox, renew certs, create an LXC, onboard a Coolify client, promote staging to prod |
| `configs/` | Traefik dynamic configs, AdGuard rules, Wazuh agent configs + custom detection rules, Vector pipelines |
| `diagrams/` | drawio source for the network diagram |
| `CHANGELOG.md` | Real evolution log with "Lessons learned" sections from actual incidents (HAOS FS corruption, Wazuh API stuck, Coolify domain change gotchas) |
This is documentation, not a working setup you can `terraform apply` against. Anonymized values to find/replace if you want to use it as a starting template:

- `192.168.1.X` -> your LAN subnet (router on .1, PVE on .10, Traefik on .20, AdGuard on .30, services on .X+)
- `*.home.example.com` -> your domain (wildcard zone hosted on Cloudflare)
- `admin@home.example.com` -> your admin email
- `02:00:00:00:00:XX` MACs -> your actual NIC addresses
- `youruser/repo` GitHub paths -> your own
- `203.0.113.X` example WAN IPs -> your real public IPs
The architectural decisions (single-node vs cluster, Traefik with DNS-01 wildcard vs port-forward, AdGuard split DNS vs full public DNS, Wazuh on LXC vs VM, USB-attached backup vs PBS) are documented in docs/.
- Proxmox VE 8.x
- Traefik v3, Let's Encrypt wildcard via Cloudflare DNS-01
- AdGuard Home for LAN DNS
- Authentik for SSO, with Uptime Kuma behind it
- Wazuh 4.x SIEM, single-manager on a dedicated VM
- Vector for log shipping (Traefik access logs, AdGuard query log, sshd, cowrie honeypot)
- Coolify v4 self-hosted PaaS, deployed on a Hetzner CX23 VPS via Cloudflare Tunnel
- Backups via Proxmox built-in `vzdump` to an external USB SSD, with documented 3-2-1 strategy
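As an added illustration of the "Traefik with DNS-01 wildcard vs port-forward" decision (example config written for this page, not the repo's own `configs/` files): a Traefik v3 static config with a Cloudflare DNS-01 resolver, and one file-provider dynamic config routing a single service behind the wildcard cert. The `/etc/traefik` paths, the `status.home.example.com` hostname and the `192.168.1.41:3001` backend are assumptions for the example; the email and zone are the page's anonymized placeholders.

```yaml
# --- /etc/traefik/traefik.yml (static config; path assumed for this example) ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

certificatesResolvers:
  cloudflare:
    acme:
      email: admin@home.example.com
      # acme.json holds the account key and the cert private key:
      # keep it mode 0600, owned by the user Traefik runs as.
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        # Check TXT propagation against public resolvers rather than the LAN
        # AdGuard: the split-horizon rewrite for *.home.example.com could
        # otherwise answer the _acme-challenge lookup itself.
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

# The Cloudflare credential is read from the environment, never from this file.
# Use an API token scoped to Zone:DNS:Edit on the home.example.com zone only,
# exported as CF_DNS_API_TOKEN (e.g. via a mode-0600 systemd EnvironmentFile).

---
# --- /etc/traefik/dynamic/uptime-kuma.yml (dynamic config; path assumed) ---
http:
  routers:
    uptime-kuma:
      rule: "Host(`status.home.example.com`)"
      entryPoints:
        - websecure
      service: uptime-kuma
      tls:
        certResolver: cloudflare
        # Request one wildcard cert for the whole zone; every other router
        # that references the same domains reuses it instead of issuing
        # a per-hostname cert (which would leak each name into CT logs).
        domains:
          - main: "home.example.com"
            sans:
              - "*.home.example.com"
  services:
    uptime-kuma:
      loadBalancer:
        servers:
          # Assumed LAN address of the Uptime Kuma container.
          - url: "http://192.168.1.41:3001"
```

Nothing inbound is required: Let's Encrypt validates the `_acme-challenge` TXT record in the public Cloudflare zone, so 80/443 stay closed at the router and the Traefik host only needs outbound HTTPS to the Cloudflare API and the ACME endpoint. Two checks worth running after the first issuance: `acme.json` is 0600 and not committed anywhere, and the public zone carries no A records for LAN hostnames (only the TXT records Traefik writes and removes), so the AdGuard rewrite is the sole source of the 192.168.1.20 answer.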
- Architecture - overview + diagrams
- Inventory - VMs, LXC, IPs, MACs, resources
- Network - subnet, DNS, DHCP, IP plan
- Storage - physical disks, Proxmox datastores, mounts
- Reverse proxy & DNS - Traefik + AdGuard + Let's Encrypt
- Services - per-service detail (ports, deps, URL)
- Backups - 3-2-1 strategy + retention
- Disaster recovery - tested recovery runbooks
- Hardening - Phase 1 status + checklist
- Roadmap - phases 0 -> 6
- Coolify - self-hosted PaaS + client projects on Hetzner
- RPi usage - Raspberry Pi auxiliary roles
- Network diagram - drawio reference
- Security & observability - Wazuh, Vector, audit
MIT. See LICENSE.