▲ AMΔDEUS / INFRA
KEVIANO GJONAJ · MARCH 2026

Homelab
AMΔDEUS

Private Infrastructure · Self-Hosted · Zero Cloud Dependency

6 Virtual Servers · 329K Threats Blocked · 24 News Feeds · 100% Remote Access
01 — Architecture Overview

Four Layers of Defense

🔐 Encrypted Connection

Tailscale subnet router provides end-to-end encrypted remote access to the entire 192.168.100.0/24 network.

TAILSCALE · UFW

🛡 DNS Filtering

AdGuard Home with 12 active blocklists intercepts all DNS queries, blocking 329K+ malicious domains before any connection is made.

ADGUARD · 329K RULES

📦 App Isolation

Infrastructure services run in rootless Podman containers on dedicated VMs. Kubernetes workloads are isolated in separate namespaces under QEMU/KVM.

PODMAN · KVM · APPARMOR

📡 Private Services

All services are self-hosted with zero cloud dependency. RSS reading, private search, and DNS resolution happen entirely within the homelab.

MINIFLUX · SEARXNG
02 — Traffic Flow

How Traffic Moves

💻 Surface Laptop 4 · Ubuntu 24.04 LTS · Client device
↓
🔒 Tailscale VPN · VPN Gateway LXC 101 · :41641 · Encrypted tunnel · Zero-trust access
↓ DNS query
🛡 AdGuard Home · DNS Filter · LXC 102 · 192.168.100.135:3001
↓ HTTP/S request
☸️ K3s Kubernetes · 192.168.100.133 · Traefik ingress
↓
🌐 Services Layer · Miniflux :30900 · SearXNG :30910 · Grafana :30300 · ArgoCD
03 — Virtualization Layer

Proxmox Host + Kubernetes

PROXMOX HYPERVISOR · 192.168.100.163

kubes · RUNNING · K3s Server · VM 100 · 4 vCPU · 6 GB · Rocky Linux 10.1
vpn · RUNNING · Tailscale Gateway · LXC 101 · 1 vCPU · 512 MB · Ubuntu Noble
adguard · RUNNING · AdGuard Home · LXC 102 · 1 vCPU · 512 MB · Ubuntu Noble
metrics-vm · RUNNING · Prometheus Node · VM 103 · 2 vCPU · 2 GB · Rocky Linux 10.1
windows · STOPPED · Windows 11 · VM 105 · 4 vCPU · 2 GB · Windows 11
metadata · RUNNING · Metadata Inspector · LXC 104 · 1 vCPU · 512 MB · Debian Trixie

K3S CLUSTER · 192.168.100.133

argocd · ns: argocd · :30443
cert-manager · ns: cert-manager
miniflux · ns: prod · :30900
miniflux-db · ns: prod · 5Gi PVC
searxng · ns: tools · :30910
grafana · ns: monitoring · :30300
prometheus · ns: monitoring · :30091
traefik · ns: kube-system · ingress
calibre-web · ns: media · :30920
node-exporter · ns: monitoring
04 — Running Services

Active Service Mesh

📰 Miniflux · :30900 · prod · LIVE
Self-hosted RSS reader. 24 active feeds, minimal and fast.

🔍 SearXNG · :30910 · tools · LIVE
Private metasearch engine. No tracking, no logs.

📚 Calibre-Web · :30920 · media · LIVE
E-book library with OPDS catalog and reader interface.

🚀 ArgoCD · :30443 · argocd · LIVE
GitOps continuous delivery. Manages all K3s workloads from Git.

📊 Grafana K8s · :30300 · monitoring · LIVE
Kubernetes monitoring dashboard. kube-prometheus-stack.

📈 Prometheus · :30091 · monitoring · LIVE
Metrics collection and alerting for K8s workloads.

🛡 AdGuard · :3001 · LXC 102 · LIVE
Network-wide DNS filtering. 329K+ domains blocked.

🔬 Metadata Inspector · :443 · LXC 104 · LIVE
ExifTool FastAPI service. EXIF data extraction via REST.

🏠 Homepage · :443 · tools · LIVE
Unified dashboard. All services, metrics and status in one place.

📋 Loki · :3100 · VM 103 · LIVE
Centralized log aggregation. All K8s pod logs shipped via Promtail DaemonSet.
05 — Security Architecture

Defense in Depth

TLS / CERTIFICATE SECURITY

Amadeus Root CA · Self-signed · Valid 2026–2036 · RSA 4096
cert-manager ClusterIssuer · amadeus-ca-issuer · Automatic cert rotation
6 Services — HTTPS Ingress · miniflux.prod.local · searxng.tools.local · calibre.amadeus.local · argocd.local · grafana.k8s.local · prometheus.k8s.local
Ingress Pattern · <service>.<namespace>.local → Traefik → Pod
TLS Termination · Traefik ingress controller · All internal traffic
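As an added example (not the project's own manifests), this is how the ingress pattern above is commonly expressed with cert-manager: a ClusterIssuer backed by the private root CA's key pair, and an Ingress whose certificate is issued from that issuer and terminated by Traefik. The CA Secret name amadeus-root-ca, the TLS Secret name miniflux-tls and the Miniflux service port 8080 are assumptions.

```yaml
# Added example: cert-manager ClusterIssuer backed by a private root CA.
# Assumes the CA certificate and key are stored in a Secret named
# amadeus-root-ca in the cert-manager namespace (assumed name).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: amadeus-ca-issuer
spec:
  ca:
    secretName: amadeus-root-ca
---
# Ingress for Miniflux following the <service>.<namespace>.local pattern.
# The annotation asks cert-manager to issue a leaf certificate from the
# ClusterIssuer above into the Secret named under spec.tls; Traefik then
# terminates TLS with it and forwards plain HTTP to the pod.
# cert-manager renews the certificate automatically before expiry.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: miniflux
  namespace: prod
  annotations:
    cert-manager.io/cluster-issuer: amadeus-ca-issuer
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - miniflux.prod.local
      secretName: miniflux-tls   # assumed name; created by cert-manager
  rules:
    - host: miniflux.prod.local
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: miniflux
                port:
                  number: 8080   # assumed service port
```

Issuance can be verified with `kubectl -n prod get certificate miniflux-tls`; the READY column should show True once the leaf certificate has been signed by the root CA.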
DNS SECURITY — ADGUARD HOME

329,392 domains blocked across 12 blocklists
Ads 150K · Malware 80K · Phishing 60K · Trackers 39K

UPSTREAM: 1.1.1.1 — Cloudflare DNS
06 — System Status

Infrastructure Online

root@amadeus — bash
root@amadeus:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
kubes Ready control-plane 46d v1.34.3+k3s1
 
root@amadeus:~# kubectl get pods -A | grep -v Completed
28 pods Running across all namespaces
 
root@amadeus:~#
🔐 Zero Trust

Tailscale + UFW enforce strict access control. No inbound ports exposed. All traffic is authenticated.

🛡 DNS Shield

329K+ domains blocked daily by AdGuard Home. Network-wide protection with 12 active blocklists.

☸️ Container Native

K3s + ArgoCD GitOps keeps all workloads declarative. Rootless Podman for infrastructure services.

📊 Full Observability

Dual Grafana + Prometheus stack. Infrastructure metrics on VM 103, Kubernetes metrics in cluster.

07 — GENESYS

Destroy Today. Rebuild Tomorrow.

01 · REPRODUCIBLE 🔁 Every step is deterministic

No guesswork. Each phase produces the same result regardless of when or where it runs.

02 · ORDERED 📐 Dependencies are explicit

AdGuard first. Tailscale second. K3s never before DNS is healthy.

03 · MINIMAL · No unnecessary steps

Each action has a purpose. No ceremony, no redundancy, no cargo-cult configuration.

04 · PRESSURE-READY 🧠 Usable at 2AM after failure

Designed for stress situations. Clear, terse, no assumptions about current state.

FULL REBUILD · EST. 3.5 HRS

~30 min · Network + VMs/LXCs
~20 min · Base OS + SSH
~15 min · AdGuard + Tailscale
~30 min · K3s + ArgoCD
~45 min · All App Services
~30 min · Monitoring Stacks
~15 min · Validation