Confidential Brief
CS-04
Homelab - Production Infrastructure
Self-Hosted Cloud Running Real Applications Behind Zero-Trust Networking
Role: Infrastructure Engineer
Organization: Personal Infrastructure
Period: 2024 - Present
Problem & Context
All portfolio apps run on infrastructure I manage myself. The point was not cost cutting. The point was understanding how production behaves when you own networking, compute, storage, and recovery.
Constraints
Self-hosting requires owning every failure mode. DNS issues, deployment rollbacks, power events, and backup recovery all need tested operating procedures.
Architectural Approach
I split workloads across isolated Proxmox VMs, then run services in Docker inside those boundaries. Traffic comes through Cloudflare tunnels so no inbound ports are exposed. VLANs separate trusted devices, infra, and IoT. Prometheus handles metrics, and backups replicate to S3.
System Architecture
Edge: Cloudflare DNS, Cloudflare Tunnels, Access Policies
Network: UniFi Gateway, VLANs, UFW Firewall
Compute: Proxmox Host, Infrastructure VM, Database VM
Services: Docker Containers, PostgreSQL, Redis, Prometheus
Resilience: UPS Power Protection, S3 Offsite Backups, CI/CD Deploys
Technical Stack
Proxmox, Docker, Cloudflare Tunnels, UniFi Networking, Prometheus, PostgreSQL, Redis, GitHub Actions, AWS S3, UFW
Key Decisions
Chose Cloudflare tunnels over port forwarding to keep inbound surface near zero.
Used VM isolation so failures stay contained.
Segmented network traffic with VLANs and explicit firewall rules.
Locked down Docker port exposure with host firewall policy.
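The Architectural Approach and the Key Decisions above both rest on one claim: the only ingress path is the cloudflared connector, and nothing else on the host answers from a routable address. The shell script below is an added example (not the page's own tooling) that audits that claim from the defender's side: it flags compose services that publish ports on all interfaces or use host networking, and it flags listening sockets that are neither loopback-bound nor on an explicit allowlist (sshd on the management VLAN, for instance). The compose file and the `ss -Hltn` output it reads are constructed samples; the service names and ports in them are placeholders. The check matters because Docker installs its own iptables rules (the DOCKER chain, reached from FORWARD) for published ports, so a container published on 0.0.0.0 is reachable even when UFW's INPUT policy is deny; the supported hook for host policy on container traffic is the DOCKER-USER chain, and the simplest way to stay out of that fight is to never publish beyond 127.0.0.1 in the first place.

```shell
#!/usr/bin/env sh
# Ingress audit for a tunnel-only host. Added example; assumes a standard
# docker-compose.yml layout and the column order of `ss -Hltn`
# (State Recv-Q Send-Q Local:Port Peer:Port).

# Exit 0 if every published port binds to 127.0.0.1 and no service uses
# host networking; print each offender and exit 1 otherwise.
audit_compose_ports() {
  awk '
    /^[[:space:]]*#/ { next }                      # ignore YAML comments
    /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
    /^[[:space:]]*network_mode:[[:space:]]*host/ {
      printf "EXPOSED: network_mode: host (bypasses per-port policy entirely)\n"
      bad = 1; next
    }
    inports && /^[[:space:]]*-/ {
      spec = $0
      sub(/^[[:space:]]*-[[:space:]]*/, "", spec)  # drop the list dash
      gsub(/["'\'']/, "", spec)                   # drop quoting
      # Only an explicit loopback bind keeps the port off the LAN/WAN.
      if (spec !~ /^127\.0\.0\.1:/) { printf "EXPOSED: %s\n", spec; bad = 1 }
      next
    }
    { inports = 0 }                                # any other key ends the list
    END { exit bad }
  ' "$1"
}

# Exit 0 if every listener is loopback-only or its port is in the
# space-separated allowlist ($2); print each other listener and exit 1.
audit_listeners() {
  allowed=" ${2:-} "
  awk -v allowed="$allowed" '
    {
      n = split($4, parts, ":"); port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback: fine
      if (index(allowed, " " port " ") > 0) next         # deliberately open
      printf "EXPOSED: %s\n", $4; bad = 1
    }
    END { exit bad }
  ' "$1"
}

# --- constructed sample inputs (not captured from a real host) ---
WORK=$(mktemp -d)
COMPOSE="$WORK/docker-compose.yml"
cat > "$COMPOSE" <<'EOF'
services:
  web:
    image: example/portfolio:latest   # placeholder image
    ports:
      - "127.0.0.1:8080:80"           # good: only cloudflared on this host reaches it
    environment:
      - DATABASE_URL=postgres://app@db:5432/app
  grafana:
    image: grafana/grafana
    ports:
      - "3000:3000"                   # bad: implicit 0.0.0.0
      - 0.0.0.0:3001:3001             # bad: explicit 0.0.0.0
  node_exporter:
    image: prom/node-exporter
    network_mode: host                # bad: shares the host network namespace
EOF

SS_SAMPLE="$WORK/ss-ltn.txt"
cat > "$SS_SAMPLE" <<'EOF'
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9090 *:*
LISTEN 0 4096 [::]:6379 [::]:*
EOF

echo "== compose port audit =="
audit_compose_ports "$COMPOSE" && echo "ok: all published ports are loopback-bound" \
  || echo "FAIL: rebind the services above to 127.0.0.1 or drop the publish"
echo "== listener audit (allowlist: 22) =="
audit_listeners "$SS_SAMPLE" "22" && echo "ok: nothing unexpected is listening" \
  || echo "FAIL: every listener above is reachable without going through the tunnel"
```

On a live VM, replace the sample with `ss -Hltn > /tmp/ss.txt` and run `audit_listeners /tmp/ss.txt "22"`; with the allowlist restricted to sshd, a clean run means the only way in is the tunnel, which is the property the UFW and VLAN rules are there to preserve. Running both functions from a CI job before `docker compose up` turns the "near zero inbound surface" decision into something the deploy itself verifies rather than something remembered.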
Outcome
This stack runs every production app in my portfolio, including this site. Deployments are automated, recovery paths are tested, and incidents can be debugged end to end.