
Wiki

Automation

Automation is the backbone of my homelab. This wiki covers the tools, patterns, and workflows that keep 50+ services running with minimal manual intervention.

Automation Stack

n8n Workflow Automation

n8n is my primary workflow automation platform: think Zapier/Make, but self-hosted with full code access.

Observability

Visibility into 50+ services requires centralized logging, proactive alerting, and dashboards. This wiki covers my monitoring stack and the patterns that make it work.

Monitoring Stack

Graylog Centralized Logging

Graylog is my log aggregation platform, collecting, processing, and visualizing logs from across the homelab.

Security

Enterprise security principles applied to a homelab. This wiki covers the layered security architecture, from next-gen firewall policies to XDR threat detection to certificate lifecycle automation.

Firewall Architecture

The Palo Alto Networks PA-440 provides the network security foundation with App-ID, zone-based policies, and centralized logging. Full details are in the Networking wiki, including security zones, VLAN trust levels, and DNS proxy configuration.

Networking

My homelab network is segmented into 5 VLANs with a multi-tier DNS architecture and a high-availability reverse proxy. This wiki covers the design decisions and implementation details.

Complete Network Topology

Homelab Network Topology: 5 VLANs · PA-440 NGFW · HA DNS · HA Reverse Proxy (interactive diagram; its contents are summarized below).

- Internet: ISP gateway, with Cloudflare CDN + WAF + Access in front of published services.
- Security edge: PA-440 next-gen firewall (App-ID, DNS proxy, DHCP, NAT, zone security) and a Cloudflare Tunnel agent for zero-trust access.
- Network fabric: UniFi gateway (inter-VLAN routing), USW-24 managed 24-port PoE switch, U6-LR and U6-Pro WiFi 6 access points, and a TP-Link managed uplink switch connected over an authenticated trunk.
- VLAN 10 · Management (192.168.10.0/24): NAS-Primary (DS920+, 4-bay, NFS and iSCSI) and NAS-Secondary (DS719, 2-bay backup target); DNS high availability as a pair of Pi-holes (DNS-Primary priority 200, DNS-Secondary priority 100) sharing a keepalived VRRP VIP at .110; TinyPilot KVM and GL KVM IP-KVM remote consoles; out-of-band firewall management.
- VLAN 30 · Servers & Services (192.168.30.0/24): Proxmox VE cluster (Node-2 LVM-thin mini PC, Node-3 ZFS primary API, Node-5 LVM-thin mini PC, Node-6 ZFS mini PC) with a PBS backup server writing to the NAS over NFS; Caddy reverse proxy HA pair (primary on VIP .161, hot-standby backup); monitoring and logging (Graylog SIEM/log server, Wazuh XDR with FIM, vulnerability and CIS checks, Uptime Kuma ×2, Prometheus + Grafana, Pi.Alert network scanner, MySpeed speed tracker); automation and workflows (n8n workflow engine, Semaphore Ansible CI/CD, Portainer container management, UniFi Controller); application services (Vaultwarden passwords, Home Assistant smart home, Homarr dashboard, Infisical secrets management, NetBox IPAM); security and VPN (WireGuard VPN server, Panorama firewall management, 5 PAN-OS lab VM firewalls, AI assistants Claude and Gilfoyle); 40+ LXCs in total.
- VLAN 20 · AI / Dev (192.168.20.0/24): OpenClaw AI agent on a MacBook Pro M4 Max (48 GB) running Ollama LLM inference.
- VLAN 40 · Isolated (172.30.40.0/24): standalone Pi-hole (DNS-40); restricted-access isolated services; no cross-VLAN access.
- VLAN 50 · IoT (172.30.50.0/24): standalone Pi-hole (DNS-50); smart devices and home automation; fully isolated network.
- VLAN 254 · Firewall Management (10.254.254.0/24): PAN-OS out-of-band management interfaces.

Legend: physical connection, virtual/tunnel, VIP (HA virtual IP via VRRP); segments colour-coded as Management, Servers, Isolated, IoT, AI/Dev and FW Mgmt.

External access paths:
- Cloudflare Tunnel (zero-trust): Vaultwarden, WireGuard, TinyPilot, Emby, OpenSpeed Test, KASM.
- Caddy HA (internal TLS): *.loc.domain.com wildcard certificate obtained via DNS-01; all internal services.
- Direct (management only): Proxmox UI, NAS DSM, Pi-hole.

VLAN Design

| VLAN | Subnet | Purpose | Key Services | Security Level |
|---|---|---|---|---|
| 10 | 192.168.10.0/24 | Management & Core | NAS, DNS HA, KVM devices | 🔒 High |
| 30 | 192.168.30.0/24 | Server Network | Proxmox, Docker, Apps | ⚙️ Medium |
| 40 | 172.30.40.0/24 | Isolated Services | Restricted access | 🔸 Low |
| 50 | 172.30.50.0/24 | IoT Devices | Smart home | 📱 Minimal |
| 254 | 10.254.254.0/24 | Firewall Management | Out-of-band mgmt | 🔐 Critical |

The topology diagram also shows VLAN 20 · AI / Dev (192.168.20.0/24), which this table does not list.

Design principle: Servers (VLAN 30) can reach the management services they depend on in VLAN 10 (NAS storage, DNS), but management devices themselves are protected from server-initiated connections. IoT devices are fully isolated: they cannot initiate connections to any other VLAN.
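The DNS HA pair in the topology (two Pi-holes with VRRP priorities 200 and 100 sharing a VIP at .110 on VLAN 10) is the kind of setup keepalived expresses in a single file. The configuration below is an added example for the primary node, not a file from this wiki. It assumes the VIP is 192.168.10.110 (the ".110" in the 192.168.10.0/24 management VLAN), that VRRP runs over eth0, and it uses placeholder addresses for the two Pi-holes; only the priorities, the VIP and the VLAN come from the page.

```conf
# /etc/keepalived/keepalived.conf on DNS-Primary (added example, not the wiki's file).
# Assumptions: VIP 192.168.10.110 on VLAN 10, interface eth0; the peer
# addresses .108/.109 and the router id are placeholders.

global_defs {
    enable_script_security
    script_user root
}

# Health check: succeed only if the local Pi-hole actually answers a query.
# dig exits non-zero when it gets no reply, so a node whose resolver has died
# loses priority even though keepalived itself is still running.
vrrp_script chk_pihole {
    script "/usr/bin/dig +short +time=2 +tries=1 @127.0.0.1 pi.hole"
    interval 5
    fall 2
    rise 2
    weight -150     # must be larger than the 100-point gap between the priorities
}

vrrp_instance DNS_VIP {
    state MASTER            # BACKUP on DNS-Secondary
    interface eth0
    virtual_router_id 51    # 1-255, identical on both nodes, unique on the VLAN
    priority 200            # 100 on DNS-Secondary
    advert_int 1
    unicast_src_ip 192.168.10.108        # placeholder: this node's own address
    unicast_peer {
        192.168.10.109                   # placeholder: the other Pi-hole
    }
    virtual_ipaddress {
        192.168.10.110/24 dev eth0       # the VIP clients are pointed at
    }
    track_script {
        chk_pihole
    }
}
```

The check a practitioner wants here is the arithmetic on `weight`: a failed check subtracts 150 from the primary's 200, leaving 50, which is below the secondary's 100, so the VIP moves. With a weight of only -60 the primary would sit at 140, keep the VIP, and keep receiving queries it can no longer answer. Two further caveats: keepalived preempts by default, so the VIP returns to the primary as soon as its check passes again (add `nopreempt` if you prefer manual failback), and VRRPv2's password option is plaintext, so it is not a security control; what keeps a rogue host from claiming the VIP is that VRRP advertisements only travel inside the management VLAN, which the firewall policy above shields from lower-trust zones.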

Infrastructure

My homelab runs on a 4-node Proxmox VE cluster hosting 50+ LXC containers and VMs. This wiki documents the architecture, conventions, and lessons learned.

Proxmox Cluster Architecture

Cluster Specifications

| Node | Storage | Type | CPU | RAM | Primary Workloads |
|---|---|---|---|---|---|
| Node 2 | ssd-data | LVM-thin | 4 cores | 16 GB | PBS, Development |
| Node 3 | zdata | ZFS | 4 cores | 32 GB | Databases, DNS-Primary |
| Node 5 | ssd-data | LVM-thin | 4 cores | 16 GB | Graylog VM, DNS-Secondary |
| Node 6 | zdata | ZFS | 4 cores | 32 GB | Docker-Main, HA services |

Total Resources:

AI Tooling

AI-augmented homelab operations, from multi-agent orchestration to automated content pipelines. This wiki documents how Claude Code and agentic patterns accelerate infrastructure work.

4-Layer Agentic Architecture

A framework for organizing AI-assisted automation into composable layers: Justfile → Commands → Skills → Agents, where each layer has a single responsibility.

Skill Development

Building custom Claude Code skills for repeatable workflows: