Home Lab Infrastructure
Ongoing
Enterprise-level DevOps practices in a self-hosted environment
Overview
This project demonstrates enterprise-level DevOps practices adapted for a home lab environment, featuring multi-host Docker deployments, GitLab CI/CD pipelines with event-driven change detection, and Ansible automation for idempotent deployments.
The infrastructure manages services across three physical servers with centralized observability using Loki, Grafana, and Prometheus, while maintaining a security-first architecture with SSO, intrusion detection, and TLS everywhere.
Challenge and Approach
The Challenge
Managing Docker services across multiple physical hosts requires careful coordination of deployments, configuration management, and monitoring. Manual deployments are error-prone, inconsistent, and don't scale. I needed a solution that would provide enterprise-grade reliability and automation while remaining maintainable for a home lab environment.
The Approach
I designed an Infrastructure-as-Code repository using GitLab CI/CD and Ansible to automate all deployments. Each service follows a standardized pattern with change detection, idempotent playbooks, and Discord notifications. The architecture implements defense-in-depth security with Cloudflare, Traefik, CrowdSec, and Authentik layers.
Architecture & Tech Stack
Three Docker hosts behind Cloudflare DNS, each running Traefik for routing and TLS termination. The primary host (docker-main) runs core infrastructure services while secondary hosts handle distributed application workloads.
Reverse Proxy Layer
Traefik v3.5 on each host handles routing, load balancing, and automatic Let's Encrypt certificate management via Cloudflare DNS challenge
Security Stack
Defense-in-depth with CrowdSec for intrusion detection/prevention, Authentik for OIDC/SSO, and security headers on all services
Observability Stack
Centralized logging with Loki (7-day retention), metrics with Prometheus (30-day retention), and Grafana dashboards. Alloy agents collect metrics from all hosts.
CI/CD Pipeline
GitLab CI/CD with event-driven deployments - pipelines only trigger when relevant files change, using Ansible for idempotent container orchestration
Key Features
Event-Driven Deployments
Pipelines only trigger when relevant files change, with separate stages for each Docker host and Discord webhook notifications
Idempotent Ansible Playbooks
All deployments follow a standardized pattern: directory setup, file sync (preserving secrets), graceful container lifecycle management
Centralized Logging
Every container uses the Loki logging driver with JSON parsing, label extraction, and pipeline stages for structured log aggregation
Single Sign-On
Authentik provides OIDC authentication across all services with group-based access control and multi-factor authentication
Implementation Highlights
Standardized Service Pattern
Created a reusable template for service deployments: GitLab CI/CD pipeline, Ansible inventory, per-host Docker Compose files, and notification playbooks. New services can be onboarded in minutes.
CrowdSec Integration
Implemented application-layer protection with CrowdSec analyzing logs across all services, providing IP reputation scoring and automatic blocking of malicious actors.
Non-Blocking Logging
Configured Loki driver in non-blocking mode with proper retry/backoff settings to prevent container hangs if the logging stack is temporarily unavailable.
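The centralized-logging and non-blocking-driver settings described above, shown as an added Docker Compose fragment (example code, not the project's own file). It assumes the Loki Docker driver plugin is installed on the host and that Loki is reachable at the placeholder URL; the host, service and field names are illustrative.

```yaml
# Added example: per-service Compose fragment wiring a container to the Loki
# logging driver in non-blocking mode with retry/backoff and JSON parsing.
# Assumes: `docker plugin install grafana/loki-docker-driver:latest --alias loki`
# has been run on the host, and Loki listens at the placeholder URL below.
x-loki-logging: &loki-logging
  driver: loki
  options:
    loki-url: "http://loki.internal.example:3100/loki/api/v1/push"
    # Never block the container's stdout/stderr if Loki is unreachable;
    # buffer up to this size, then drop log lines instead of hanging the app.
    mode: non-blocking
    max-buffer-size: 4m
    # Retry with exponential backoff so short Loki outages are absorbed.
    loki-retries: "5"
    loki-min-backoff: "500ms"
    loki-max-backoff: "5m"
    loki-timeout: "10s"
    # Batch pushes to reduce request volume against Loki.
    loki-batch-wait: "1s"
    loki-batch-size: "102400"
    # Static labels identifying the host and service (placeholder values).
    loki-external-labels: "host=docker-main,service=traefik,container={{.Name}}"
    # Pipeline stages: parse JSON access logs, promote a few fields to labels,
    # and use the log's own timestamp rather than the ingestion time.
    loki-pipeline-stages: |
      - json:
          expressions:
            level: level
            client_ip: ClientAddr
            status: DownstreamStatus
      - labels:
          level:
          status:
      - timestamp:
          source: time
          format: RFC3339Nano

services:
  traefik:
    image: traefik:v3.5
    logging: *loki-logging
```

Reusing the `&loki-logging` anchor on every service keeps the driver settings identical across a host's Compose file, so one change to the anchor updates all containers on the next deployment.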
Results & Impact
- Reduced deployment time from 30+ minutes of manual steps to under 2 minutes via automated pipelines
- Achieved consistent, reproducible deployments across all three hosts
- Zero security incidents with proactive threat detection via CrowdSec IP reputation
- Centralized visibility into all services through Grafana dashboards
- Eliminated configuration drift through GitOps practices