Portal | Level: L0: Entry | Topics: Homelab | Domain: DevOps & Tooling
Homelab & Learning Infrastructure - Primer
Why This Matters
Every senior infrastructure engineer you admire built their skills by breaking things in a lab. Production teaches you consequences; a homelab teaches you fundamentals. You can't practice failover on your employer's database cluster, but you can practice it on a three-node k3s cluster running on mini PCs in your closet. A homelab is where you build muscle memory — the kind that lets you type the right iptables command at 2am without Googling it.
This is the L0 entry point. If you're coming from a non-ops background or transitioning from helpdesk/sysadmin into DevOps, this is how you start building the environment where every other topic in this curriculum becomes hands-on practice instead of abstract reading.
Core Concepts
1. The Homelab Philosophy
A homelab is not a toy. It's a scaled-down production environment where you practice real patterns:
| Production | Homelab Equivalent |
|---|---|
| VMware vSphere | Proxmox VE (free) |
| AWS EKS | k3s on bare metal |
| Route53 / Cloud DNS | PiHole + local DNS |
| Site-to-site VPN | WireGuard tunnel |
| GitHub Enterprise | Gitea (self-hosted) |
| Datadog / New Relic | Prometheus + Grafana |
| NetApp / EBS | ZFS on local disks |
| Cisco switches | Managed switches w/ VLANs |
The goal is pattern fidelity, not scale fidelity. You don't need 1,500 servers to practice fleet management — you need 3-5 nodes with the same tooling patterns.
Fun fact: The r/homelab subreddit has over 1.5 million members. The community joke is that "homelab" is a euphemism for "expensive hobby justified by career development." The reality: many hiring managers specifically look for homelab experience because it signals self-directed learning and hands-on curiosity.
2. Hardware Recommendations
Budget Tier ($100-$300): Raspberry Pi Cluster
┌──────────────────────────────────┐
│ 4x Raspberry Pi 4 (4GB+) │
│ PoE HAT + PoE switch │
│ USB SSD per node (boot + data) │
│ Cluster case / rack mount │
└──────────────────────────────────┘
Good for: k3s, Docker Swarm, Ansible practice, networking basics
Limitation: ARM architecture, no nested virtualization
Mid Tier ($300-$800): Mini PC Fleet
┌──────────────────────────────────┐
│ 3x Intel N100 mini PCs (16GB) │
│ - Beelink, MinisForum, etc. │
│ - NVMe SSD (256GB+) │
│ - Dual NIC models preferred │
│ 1x managed switch (VLAN-aware) │
│ 1x UPS (even a small one) │
└──────────────────────────────────┘
Good for: Proxmox cluster, nested VMs, k3s, full monitoring stack
Best bang for buck in 2025
Enterprise Salvage Tier ($200-$600): Used Dell/HP Servers
┌──────────────────────────────────┐
│ Dell PowerEdge R630/R730 │
│ HP ProLiant DL360/DL380 Gen9+ │
│ - 64-128GB RAM typical │
│ - Dual Xeon CPUs │
│ - Hot-swap drive bays │
│ - iDRAC/iLO for OOB mgmt │
└──────────────────────────────────┘
Good for: Proxmox, heavy VM workloads, storage experiments
Warning: loud, power-hungry (plan for $20-50/mo electricity)
Power and Noise Reality Check:
| Hardware | Idle Power | Load Power | Noise Level |
|---|---|---|---|
| Raspberry Pi 4 | 3W | 6W | Silent |
| Intel N100 mini PC | 8W | 25W | Silent |
| Dell R730 | 120W | 400W+ | Jet engine |
| HP DL380 Gen9 | 100W | 350W+ | Jet engine |
3. Proxmox VE — Your Virtualization Layer
Name origin: Proxmox VE stands for "Proxmox Virtual Environment." The company Proxmox Server Solutions GmbH is based in Vienna, Austria and has developed it since 2008. After Broadcom's acquisition of VMware in 2023 and subsequent licensing changes, Proxmox saw a massive surge in adoption -- both in homelabs and production environments.
Proxmox is a free, open-source hypervisor built on KVM/QEMU with a web UI. It replaces VMware vSphere for homelab use.
```bash
# Install: boot from ISO, follow wizard
# Access web UI at: https://<proxmox-ip>:8006

# Remove enterprise repo nag (non-production use)
sed -i 's/^deb/#deb/' /etc/apt/sources.list.d/pve-enterprise.list
echo "deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription" \
    > /etc/apt/sources.list.d/pve-no-subscription.list
apt update && apt dist-upgrade -y
```

Key Proxmox concepts:

- VMs: full virtual machines (use for Windows, appliances, anything needing its own kernel)
- LXC containers: lightweight Linux containers (use for services like PiHole, Gitea)
- Storage: local, NFS, Ceph, ZFS — start with local ZFS
- Clustering: 3+ nodes form a cluster with HA and live migration
- Templates: create a base VM, convert to template, clone for new VMs

```bash
# Create a cloud-init template for fast VM provisioning
qm create 9000 --name ubuntu-cloud --memory 2048 --cores 2 --net0 virtio,bridge=vmbr0
qm importdisk 9000 ubuntu-22.04-server-cloudimg-amd64.img local-zfs
qm set 9000 --scsihw virtio-scsi-pci --scsi0 local-zfs:vm-9000-disk-0
qm set 9000 --ide2 local-zfs:cloudinit --boot c --bootdisk scsi0
qm set 9000 --serial0 socket --vga serial0
qm set 9000 --ipconfig0 ip=dhcp
qm template 9000

# Clone from template
qm clone 9000 100 --name k3s-node-1 --full
qm clone 9000 101 --name k3s-node-2 --full
qm clone 9000 102 --name k3s-node-3 --full
```
4. k3s — Lightweight Kubernetes
k3s is a production-grade Kubernetes distribution that runs on a Raspberry Pi. It strips out cloud-provider-specific components and bundles everything into a single binary.
```bash
# Install k3s server (control plane)
curl -sfL https://get.k3s.io | sh -

# Get the join token
cat /var/lib/rancher/k3s/server/node-token

# Join worker nodes
curl -sfL https://get.k3s.io | K3S_URL=https://<server-ip>:6443 \
    K3S_TOKEN=<token> sh -

# Verify cluster
kubectl get nodes
# NAME         STATUS   ROLES                  AGE   VERSION
# k3s-node-1   Ready    control-plane,master   5m    v1.28.4+k3s1
# k3s-node-2   Ready    <none>                 2m    v1.28.4+k3s1
# k3s-node-3   Ready    <none>                 1m    v1.28.4+k3s1
```

k3s ships with:

- Traefik as ingress controller (swap for nginx-ingress if you prefer)
- CoreDNS for cluster DNS
- Flannel for CNI (swap for Calico if you want NetworkPolicy enforcement)
- Local-path provisioner for persistent volumes
- ServiceLB for LoadBalancer-type services (uses host ports)
5. Essential Self-Hosted Services
Start with these — they mirror real production patterns:
┌─────────────────────────────────────────────────────┐
│ Tier 1: Infrastructure (deploy first) │
│ ├── PiHole — DNS + ad blocking + local DNS │
│ ├── WireGuard — VPN into your lab from anywhere │
│ └── Traefik/nginx — reverse proxy + TLS │
│ │
│ Tier 2: DevOps Practice │
│ ├── Gitea — self-hosted Git (practice GitOps) │
│ ├── Prometheus + Grafana — monitoring stack │
│ ├── Loki — log aggregation │
│ └── ArgoCD — GitOps continuous delivery │
│ │
│ Tier 3: Production Patterns │
│ ├── Nextcloud — file sync (storage patterns) │
│ ├── Keycloak — SSO/OIDC (auth patterns) │
│ ├── MinIO — S3-compatible storage │
│ └── Vault — secrets management │
└─────────────────────────────────────────────────────┘
6. Network Segmentation with VLANs
Even on consumer/prosumer gear, you can practice network segmentation:
VLAN 10 — Management (Proxmox UI, switch mgmt, iDRAC/iLO)
VLAN 20 — Servers (VMs and containers)
VLAN 30 — IoT / Untrusted (smart home, guest wifi)
VLAN 40 — Kubernetes pod network
VLAN 100 — WAN / Internet uplink
┌──────────────┐ ┌──────────────────────┐
│ ISP Router │──────│ Managed Switch │
│ (bridge │ │ (TP-Link TL-SG108E │
│ mode) │ │ or similar) │
└──────────────┘ │ VLAN trunk ports │
│ to Proxmox hosts │
└──────────────────────┘
│
┌─────────┴─────────┐
│ Proxmox hosts │
│ vmbr0 = mgmt │
│ vmbr1 = VLAN- │
│ aware bridge │
└───────────────────┘
Recommended managed switches for homelab:

- Budget: TP-Link TL-SG108E (~$30) — 8-port, VLAN support, web UI
- Mid-range: Netgear GS308T (~$60) — 8-port, full L2 features
- Prosumer: MikroTik CRS305 (~$100) — 4x SFP+ 10GbE, RouterOS
7. WireGuard VPN
Access your lab from anywhere with a lightweight VPN:
```bash
# Install WireGuard on your Proxmox host or a dedicated VM
apt install wireguard

# Generate keys (umask 077 keeps the key and config files readable by root only)
umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
wg genkey | tee /etc/wireguard/client_private.key | wg pubkey > /etc/wireguard/client_public.key

# Server config (/etc/wireguard/wg0.conf)
cat <<'EOF' > /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <server_private_key>
Address = 10.200.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.200.0.2/32
EOF

# The FORWARD/MASQUERADE rules only take effect with IP forwarding enabled
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-wireguard.conf
sysctl --system

# Enable and start
systemctl enable --now wg-quick@wg0

# Port forward 51820/UDP on your router to the WireGuard host
```
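An audit of the setup above, as an added example that is not part of the original page: `wg_findings` reports key or config files readable by group/other, server-side peers whose `AllowedIPs` is wider than one address, and `PostUp` forwarding rules with no destination restriction. The `PostUp` rule in the config above is reported, because it lets a VPN peer reach every VLAN the host routes. The function names and the sample directory are assumptions, and `stat -c` assumes GNU/Linux.

```bash
# Added example: audit a wg-quick directory (GNU/Linux stat assumed).
# wg_findings DIR: print one finding per line (nothing if clean).
wg_findings() {
    local dir=$1 f mode
    for f in "$dir"/*.key "$dir"/*.conf; do
        [ -e "$f" ] || continue
        case ${f##*/} in *public*) continue ;; esac   # public keys may be readable
        mode=$(stat -c '%a' "$f")
        # Private keys and wg-quick configs: no group/other permission bits.
        case $mode in *00) ;; *) echo "PERM $f is mode $mode, want 600" ;; esac
    done
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        awk -v f="$f" '
            /^\[/ { peer = ($0 ~ /^\[Peer\]/) }
            # A single-client peer should own exactly one tunnel address.
            peer && /^AllowedIPs/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
                n = split($0, ips, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++)
                    if (ips[i] !~ /\/(32|128)$/) print "WIDE " f " peer AllowedIPs " ips[i]
            }
            # FORWARD accept with no -d/-o: peers reach every routed network.
            /^PostUp/ {
                sub(/^[^=]*=[ \t]*/, "")
                n = split($0, cmds, ";")
                for (i = 1; i <= n; i++)
                    if (cmds[i] ~ /FORWARD/ && cmds[i] ~ /-j ACCEPT/ && cmds[i] !~ / -[do] /)
                        print "FWD " f " PostUp forwards the tunnel to any destination"
            }' "$f"
    done
    return 0
}
wg_audit() {   # print findings; return 1 if there are any
    local out; out=$(wg_findings "$1")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Constructed sample: the server config above, written with umask 022.
demo=$(mktemp -d)
( umask 022
  echo 'constructed-placeholder-key' > "$demo/server_private.key"
  printf '%s\n' '[Interface]' 'Address = 10.200.0.1/24' \
    'PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE' \
    '[Peer]' 'AllowedIPs = 10.200.0.2/32' > "$demo/wg0.conf" )
wg_audit "$demo" || true
rm -rf "$demo"
```

Restricting the forward rule to the subnets a peer actually needs (for example with `-d <server-vlan-subnet>`) clears the `FWD` finding.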
8. PiHole for DNS
PiHole serves two purposes: ad blocking and local DNS resolution for your lab.
```bash
# Install in an LXC container or VM
curl -sSL https://install.pi-hole.net | bash

# Add local DNS entries via the web UI (http://<pihole-ip>/admin)
# Or via command line:
```

```text
# /etc/pihole/custom.list
10.10.20.10 proxmox.lab.home
10.10.20.11 gitea.lab.home
10.10.20.12 grafana.lab.home
10.10.20.13 argocd.lab.home

# Point your DHCP server to use PiHole as primary DNS
# Secondary DNS: 1.1.1.1 or 8.8.8.8 (fallback if PiHole is down)
```
9. Monitoring Stack
Deploy the same monitoring stack used in production:
```bash
# Prometheus + Grafana via Helm on k3s
# Add helm repos
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update

# Install kube-prometheus-stack (Prometheus + Grafana + alerting)
# "changeme" is a placeholder: set your own Grafana admin password
helm install monitoring prometheus-community/kube-prometheus-stack \
    --namespace monitoring --create-namespace \
    --set grafana.adminPassword=changeme \
    --set prometheus.prometheusSpec.retention=30d \
    --set prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage=50Gi
```
10. Automation with Ansible
Use Ansible to manage your homelab just like a production fleet:
```yaml
# inventory/homelab.yml
all:
  children:
    proxmox:
      hosts:
        pve1.lab.home:
        pve2.lab.home:
    k3s_servers:
      hosts:
        k3s-1.lab.home:
    k3s_agents:
      hosts:
        k3s-2.lab.home:
        k3s-3.lab.home:
    services:
      hosts:
        pihole.lab.home:
        gitea.lab.home:
```

```yaml
# playbooks/base-config.yml
---
- name: Base configuration for all homelab nodes
  hosts: all
  become: yes
  tasks:
    - name: Set timezone
      timezone:
        name: America/New_York

    - name: Install base packages
      apt:
        name:
          - vim
          - htop
          - curl
          - git
          - net-tools
          - tmux
        state: present
        update_cache: yes

    - name: Ensure SSH key authentication only
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      service:
        name: sshd
        state: restarted
```
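sshd uses the first value it obtains for each keyword, so a `PasswordAuthentication yes` in a file pulled in by an `Include` line at the top of `sshd_config` overrides the line the playbook writes. The added example below (not from the original page) resolves the effective global value so the result of the play can be checked. `sshd_flatten`, `sshd_effective` and the sandbox files are constructed for illustration; it assumes one glob per `Include` line, `Keyword value` syntax, and stops at the first `Match` block.

```bash
# Added example: resolve the sshd setting that is actually in force.

# Print directives in the order sshd reads them, expanding Include globs.
sshd_flatten() {   # usage: sshd_flatten ROOT FILE
    local root=$1 file=$2 kw rest inc
    while read -r kw rest || [ -n "$kw" ]; do
        case $kw in
            ''|'#'*) ;;                          # blank line or comment
            [Ii]nclude)
                # Relative Include paths are taken from /etc/ssh.
                case $rest in /*) ;; *) rest=/etc/ssh/$rest ;; esac
                for inc in $root$rest; do        # unquoted so the glob expands, sorted
                    if [ -f "$inc" ]; then sshd_flatten "$root" "$inc"; fi
                done ;;
            *) printf '%s %s\n' "$kw" "$rest" ;;
        esac
    done < "$file"
    return 0
}

# First obtained value wins; the global section ends at the first Match line.
sshd_effective() {   # usage: sshd_effective KEYWORD [ROOT]
    sshd_flatten "${2:-}" "${2:-}/etc/ssh/sshd_config" | awk -v k="$1" '
        tolower($1) == "match" { stop = 1 }
        !stop && tolower($1) == tolower(k) { print tolower($2); stop = 1 }'
}

# Constructed sandbox: an sshd_config after the play ran, plus a drop-in
# (constructed file name) that still enables passwords.
root=$(mktemp -d)
mkdir -p "$root/etc/ssh/sshd_config.d"
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' '#PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$root/etc/ssh/sshd_config"
echo 'PasswordAuthentication yes' > "$root/etc/ssh/sshd_config.d/50-cloud-init.conf"
echo "effective PasswordAuthentication: $(sshd_effective PasswordAuthentication "$root")"
rm -rf "$root"
```

On a live host, `sshd -T` prints the same effective configuration and is the authoritative check.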
Common Pitfalls
- Over-engineering on day one. You don't need Ceph, a 10GbE backbone, and a three-node HA Proxmox cluster to start. Begin with one node, one k3s install, and build up. Complexity is the enemy of learning.
- Buying enterprise gear without checking power costs. That $150 R730 is a bargain until your power bill jumps $40/month. Do the math first.
- No backups of your lab config. Your homelab will break. Store your Ansible playbooks, Helm values, and Proxmox configs in Git. Infrastructure as code applies here too.
- Ignoring DNS from the start. Accessing services by IP address is a recipe for confusion. Set up PiHole or local DNS on day one. Use `.lab.home` or similar for your domain.
- Skipping VLANs because "it's just a lab." Network segmentation is a production skill. Practice it now. Your IoT devices should not be on the same network as your Proxmox management interface.
- Treating the homelab as precious. The whole point is to break things. If you're afraid to `rm -rf` a VM and rebuild it, you're not learning. Cattle, not pets — even at home.
Analogy: A homelab is to infrastructure engineering what a flight simulator is to a pilot. You can practice engine failures, crosswind landings, and instrument approaches without risk. The muscle memory transfers directly to production. The engineers who respond calmly at 3 AM are the ones who've already seen the failure mode in their lab.