Homelab

Self-hosted infrastructure as code — ~50 Docker services, Prometheus + Grafana power-monitoring, defense-in-depth security, fully reproducible.

TL;DR

  • Defense-in-depth security — UFW + Suricata IDS + fail2ban + VPN killswitch + zero open inbound ports.
  • Power-aware monitoring — Prometheus + Grafana + Scaphandre measure real wattage and what it costs.
  • Event-driven alerting — ~20 ntfy callers push SSH logins, sudo use and IDS hits to your phone in seconds.

Architecture diagram: Internet → edge perimeter → Docker host (detection, applications, observability) → storage, with the WireGuard tunnel as a parallel sideline.


By the numbers

  • ~50 services
  • 0 inbound ports
  • 90 d metric retention
  • 22.7k UFW drops / 7d

Sourced from docs/metrics.md — every figure links back to the command or dashboard that produced it.
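The "UFW drops / 7d" figure is the kind of number a short pipeline over the kernel log yields. The block below is an added example, not the repo's scripts/monitoring code: it counts `[UFW BLOCK]` entries, ranks the noisiest source addresses and lists the probed destination ports. The log lines are constructed; on a real host feed it `journalctl -k --since '7 days ago' -o cat` or /var/log/ufw.log. Note that UFW also logs `[UFW AUDIT]` and `[UFW ALLOW]` lines when logging is set high; only BLOCK lines are drops, so the filter must be that specific.

```shell
#!/usr/bin/env bash
# Produce "UFW drops / 7d"-style figures from the kernel log.
# Added example, not the repo's own scripts. The sample lines are constructed;
# for real data:  journalctl -k --since '7 days ago' -o cat | ufw_block_count
# Only [UFW BLOCK] lines are counted; [UFW AUDIT]/[UFW ALLOW] are not drops.

SAMPLE_UFW_LOG='Mar  3 10:01:12 host kernel: [UFW BLOCK] IN=enp3s0 OUT= MAC=aa:bb SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:13 host kernel: [UFW BLOCK] IN=enp3s0 OUT= MAC=aa:bb SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=54322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:02:44 host kernel: [UFW BLOCK] IN=enp3s0 OUT= MAC=aa:bb SRC=198.51.100.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  3 10:03:00 host kernel: [UFW AUDIT] IN=enp3s0 OUT= MAC=aa:bb SRC=192.168.1.20 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40000 DPT=32400 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:04:05 host kernel: [UFW BLOCK] IN=enp3s0 OUT= MAC=aa:bb SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54323 PROTO=TCP SPT=54323 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0'

# ufw_block_count: number of [UFW BLOCK] lines on stdin (prints 0 when none)
ufw_block_count() {
  grep -c '\[UFW BLOCK\]' || true
}

# ufw_top_sources [N]: "count ip" for the N (default 5) noisiest blocked sources
ufw_top_sources() {
  grep '\[UFW BLOCK\]' | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | head -n "${1:-5}" | awk '{print $1, $2}'
}

# ufw_blocked_ports: distinct destination ports that were probed, ascending
ufw_blocked_ports() {
  grep '\[UFW BLOCK\]' | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' | sort -n -u
}

# Demo over the constructed sample
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_count
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_top_sources 3
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_blocked_ports
```

The same three functions are what a Grafana "top talkers" panel would be built from if the log were shipped to Loki; here they run directly on the host so the README figure can be re-derived by hand.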


Stack

Reverse proxy & access

Nginx Proxy Manager Cloudflare Tunnel

Media

Plex Sonarr Radarr Lidarr Bazarr Prowlarr qBittorrent Tdarr Audiobookshelf

Photos & files

Immich Nextcloud PostgreSQL Redis

Local AI

Ollama Open WebUI Faster-Whisper

Network & DNS

AdGuard Home UniFi

Security

UFW fail2ban Suricata IDS Mullvad WireGuard Docker socket proxy

Observability

Prometheus Grafana Scaphandre node-exporter cAdvisor Glances Scrutiny ntfy

Container management

Portainer Dozzle Watchtower

Full per-service catalogue: docker/README.md


Showcase

Homepage — themed dashboards · live service tiles · *arr stack
Grafana — Homelab Overview dashboard: twelve panels covering power, energy, cost and capacity

Tooling demos

deploy.sh — idempotent rsync flow with conditional service reloads
ntfy — event-driven push alerts to phone (SSH login, sudo, fail2ban ban, Suricata signature)
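An added example of what one of the "SSH login" ntfy callers does, not the repo's own scripts/security code: it classifies sshd journal lines, escalates password logins from outside the LAN, and posts to an ntfy topic using the Title, Priority and Tags request headers that ntfy reads. The log lines are constructed; the topic URL (NTFY_URL, default http://ntfy:80/homelab), the RFC 1918 LAN assumption, the priority values and the tag names are all choices made for this example, and NTFY_DRY_RUN=1 prints the curl command instead of sending it.

```shell
#!/usr/bin/env bash
# ntfy "SSH login" caller: classify sshd journal lines and push them to a topic.
# Added example, not the repo's own code. Assumptions (not from the README):
# NTFY_URL is the topic URL (default http://ntfy:80/homelab, an assumed container
# name and topic); NTFY_DRY_RUN=1 echoes the curl command instead of sending.

# Constructed sshd lines; real input is:  journalctl -fu ssh -o cat
SAMPLE_SSH_LOG='Mar  3 09:58:01 host sshd[4120]: Accepted publickey for alice from 192.168.1.50 port 51234 ssh2: ED25519 SHA256:constructedFingerprint
Mar  3 09:58:09 host sshd[4131]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 09:58:20 host sshd[4140]: Accepted password for bob from 203.0.113.9 port 40100 ssh2
Mar  3 09:59:00 host sshd[4150]: Connection closed by 203.0.113.7 port 40022 [preauth]'

# is_lan_addr IP: true for RFC 1918 addresses (assumed here to be the LAN)
is_lan_addr() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# ssh_event_message LINE: print "priority|title|body" for login/failure events,
# nothing for other sshd chatter. Priority is ntfy's 1 (min) .. 5 (max) scale.
ssh_event_message() {
  line="$1"
  src=$(printf '%s' "$line" | sed -n 's/.* from \([^ ]*\) port .*/\1/p')
  case "$line" in
    *"Accepted "*)
      method=$(printf '%s' "$line" | sed -n 's/.*Accepted \([^ ]*\) for .*/\1/p')
      user=$(printf '%s' "$line" | sed -n 's/.*Accepted [^ ]* for \([^ ]*\) from .*/\1/p')
      # A password login from outside the LAN is the one worth waking up for.
      if [ "$method" = "password" ] && ! is_lan_addr "$src"; then
        printf '5|SSH login (password, WAN)|%s from %s\n' "$user" "$src"
      else
        printf '3|SSH login|%s from %s via %s\n' "$user" "$src" "$method"
      fi ;;
    *"Failed password"*)
      user=$(printf '%s' "$line" | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p')
      printf '2|SSH failed password|%s from %s\n' "$user" "$src" ;;
  esac
}

# ntfy_send "priority|title|body": POST to the topic. ntfy takes Title,
# Priority and Tags as HTTP headers and the message as the request body.
ntfy_send() {
  prio="${1%%|*}"; rest="${1#*|}"; title="${rest%%|*}"; body="${rest#*|}"
  set -- curl -fsS -o /dev/null \
    -H "Title: $title" -H "Priority: $prio" -H "Tags: computer,key" \
    -d "$body" "${NTFY_URL:-http://ntfy:80/homelab}"
  if [ -n "${NTFY_DRY_RUN:-}" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Demo over the constructed sample, dry-run so nothing leaves this host.
NTFY_DRY_RUN=1
printf '%s\n' "$SAMPLE_SSH_LOG" | while IFS= read -r l; do
  msg=$(ssh_event_message "$l")
  if [ -n "$msg" ]; then ntfy_send "$msg"; fi
done
```

In production the loop reads from `journalctl -fu ssh -o cat` under a systemd unit. Pushing every failed password is noisy on an exposed host; since fail2ban already aggregates those, a caller like this would normally forward only successful logins and leave failures to the fail2ban ban caller.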

Repo layout

.
├── docker/              # Compose stack (~50 services) + .env.example
├── homepage/            # Dashboard config (services + widgets)
├── scripts/             # deploy, healthcheck, backup/, security/, monitoring/, maintenance/, motd/, systemd/
├── security/            # UFW, fail2ban, SSH, hardening checklist
├── docs/                # Architecture, security model, threat model, runbook, DR, cost, decisions
└── .github/workflows/   # CI: shellcheck + yamllint + markdownlint + gitleaks + sanitize-check

Setup

git clone https://github.com/MrTorriz/homelab.git ~/homelab
cd ~/homelab

# 1. Configure
cp docker/.env.example docker/.env
$EDITOR docker/.env

# 2. Bring up the stack
docker network create homelab
cd docker && docker compose up -d

# 3. Apply security baseline
sudo bash ../security/ufw-baseline.sh
sudo bash ../security/install-fail2ban.sh

# 4. Deploy via the same flow on every change
../scripts/deploy.sh

Note: set LAN_IFACE in .env to match your NIC name. eth0 is a placeholder — modern Ubuntu typically uses enp* or ens* (check with ip -br link).

External access is opt-in: set up a Cloudflare Tunnel and point its ingress at npm:443 (no router port-forwarding needed; when cloudflared runs on the same Docker network it reaches NPM by container name, so NPM needs no published host port either). cloudflared verifies the origin's TLS certificate by default, so NPM's self-signed default certificate is rejected unless you install a certificate cloudflared trusts or set noTLSVerify on that ingress rule.
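One check a practitioner should run after `docker compose up` to back the "0 inbound ports" figure: Docker installs its own iptables rules for published ports, so a `0.0.0.0:PORT` mapping is reachable from the network regardless of UFW's default-deny. The block below is an added example, not part of the repo, that parses constructed `ss -H -tuln` and `docker ps --format '{{.Names}} {{.Ports}}'` output to list non-loopback listeners and any container publishing on all interfaces. The container names and mappings in the sample are invented for the example; with the tunnel in place, npm in particular needs no host port at all.

```shell
#!/usr/bin/env bash
# Verify the "0 inbound ports" claim on the Docker host.
# Added example, not the repo's scripts/security code. Both inputs below are
# constructed; on a real host pipe in:
#   ss -H -tuln
#   docker ps --format '{{.Names}} {{.Ports}}'
# Caveat: Docker publishes ports through its own iptables chain, so UFW's
# default-deny does not cover a 0.0.0.0:PORT mapping. Bind to 127.0.0.1 or a
# LAN address, or publish nothing and reach services over the compose network.

SAMPLE_SS='udp   UNCONN 0      0          192.168.1.10:53        0.0.0.0:*
tcp   LISTEN 0      4096          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096        127.0.0.1:9090      0.0.0.0:*
tcp   LISTEN 0      4096       192.168.1.10:53      0.0.0.0:*
tcp   LISTEN 0      4096             [::]:443          [::]:*
tcp   LISTEN 0      4096            [::1]:3001         [::]:*'

SAMPLE_DOCKER_PS='npm 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp, 81/tcp
adguard 192.168.1.10:53->53/tcp, 192.168.1.10:53->53/udp, 127.0.0.1:3000->3000/tcp
grafana 127.0.0.1:3001->3000/tcp
ollama 11434/tcp'

# listeners_not_loopback: "proto port address" for every socket not bound to
# 127.0.0.0/8 or ::1, i.e. everything a LAN neighbour can actually reach.
listeners_not_loopback() {
  awk '{
    addr = $5; n = split(addr, p, ":"); port = p[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (host ~ /^127\./ || host == "[::1]") next
    print $1, port, host
  }' | sort -k2,2n -k1,1
}

# docker_wide_open: "container port/proto" for host ports published on all
# interfaces (0.0.0.0 or [::]), exactly the mappings that bypass UFW.
docker_wide_open() {
  awk '{
    name = $1; sub(/^[^ ]+ /, "")
    n = split($0, maps, /, */)
    for (i = 1; i <= n; i++) {
      if (maps[i] !~ /->/) continue            # container-only port, not published
      split(maps[i], lr, "->")
      if (lr[1] ~ /^(0\.0\.0\.0|\[::\]):/) print name, lr[2]
    }
  }' | sort -u
}

# assert_no_wide_open: succeed only when nothing is published on all interfaces
assert_no_wide_open() { [ -z "$(docker_wide_open)" ]; }

# Demo over the constructed samples
printf '%s\n' "$SAMPLE_SS" | listeners_not_loopback
printf '%s\n' "$SAMPLE_DOCKER_PS" | docker_wide_open
```

Run `docker ps --format '{{.Names}} {{.Ports}}' | assert_no_wide_open` from a healthcheck or CI step and treat a non-zero exit as a regression of the zero-inbound-ports baseline; the `ss` view catches host daemons (sshd, a DNS resolver) that the Docker view does not.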


Documentation

Architecture, security model, threat model, runbook, DR, cost and decision records live under docs/ (see Repo layout above).

License

MIT — fork it, copy bits, learn from it.

About

Self-hosted homelab on Ubuntu 24.04 — ~50 Docker services, defense-in-depth security, zero open inbound ports, fully reproducible IaC