Homelab Documentation
Comprehensive documentation for my self-hosted homelab. This repository is the single source of truth for infrastructure, networking, security, and operational procedures.
What This Documents
A two-node Proxmox homelab running on a dual-stack IPv4/IPv6 network, fully segmented with VLANs, accessible remotely via Tailscale with no open inbound ports. All sensitive data is encrypted at rest. Backups are layered: local ZFS snapshots, external encrypted disks, and offsite cloud backup via Backblaze B2.
Structure
| Directory | Contents |
|---|---|
| servers/ | Per-host inventory: hardware, storage, containers, VMs |
| network/ | IP addressing, VLANs, DNS, WiFi |
| hardware/ | Physical appliances (switches, UPS, HDHomerun) |
| security/ | Tailscale zero trust, ZFS encryption, secrets management |
| backup/ | ZFS snapshots, Proxmox backups, external disks, Backblaze B2 |
Infrastructure at a Glance
| What | Detail |
|---|---|
| Hypervisor | Proxmox VE (2 nodes) |
| Router/Firewall | OPNsense (VM on pve0-core, NIC passthrough) |
| Network | Dual-stack IPv4/IPv6, VLAN-segmented |
| Domain | pob.network (registered) |
| Internal DNS | AdGuard Home + BIND |
| Remote access | Tailscale only |
| WiFi | TP-Link Omada, PPSK per VLAN, single SSID Cosmos |
| Primary storage | ZFS (zpool0, 12.6 TB, 2× mirrored vdevs) on pve1-media |
| Encryption | ZFS native encryption on family and vault datasets |
| Backups | Sanoid snapshots → Syncoid to external disks + Restic to Backblaze B2 |
| Secrets | Bitwarden family vault (shared with partner) |
Nodes
| Host | IP | Purpose |
|---|---|---|
| pve0-core | 10.37.16.2 | Critical infrastructure — network goes down if this does |
| pve1-media | 10.37.16.3 | Media, file server, secondary services |
Design Principles
- Zero trust remote access — Tailscale with ACL policy, posture checks, and Tailscale Lock
- Defense in depth — multiple independent access paths (subnet router + bastion + VLAN 192 SSH fallback)
- 3-2-1 backup strategy — local ZFS snapshots, 2 encrypted external disks (on-site fire safe + off-site), cloud backup
- Encryption at rest — ZFS encrypted datasets for personal and sensitive data
- Self-sufficient — all data and services self-hosted; no dependency on third-party cloud for core functionality