Self-Hosted Infrastructure

HOMELAB ARCHITECTURE.

Production-grade self-hosted infrastructure with defense-in-depth security, SSO, automated vulnerability scanning, and full observability.

Note: this diagram is anonymised; subnets, domain names and firewall rules have been altered.

~50 containers
6 VLANs
3 servers
8+ security layers

01. NETWORK FLOWS

External Traffic — *.trashbread.fr
Internet → Cloudflare → UDM Pro → Traefik → Pangolin → Services

Internal Traffic — *.home.arpa
LAN Client → UDM Pro → Traefik → Services

Authentication Flow — SSO / OIDC
forwardAuth → Authelia → LLDAP ... Pangolin / Gitea

02. NETWORK

UniFi Dream Machine Pro
Router / Firewall / VPN Gateway

VLAN 10   Servers      10.0.10.0/24
VLAN 20   Management   10.0.20.0/24
VLAN 30   Users        10.0.30.0/24
VLAN 40   IoT          10.0.40.0/24
VLAN 50   Lab          10.0.50.0/24
VPN       WireGuard    10.0.3.0/24

Firewall Policy
Inter-VLAN: default deny; WAN: Cloudflare-only on 80/443; 11 LAN_IN rules

Cloudflare
DNS Proxy / DDoS Protection

Functions: DNS Proxy, DDoS Mitigation, WAF L7, SSL Full (Strict), ACME DNS Challenge
Domains: *.trashbread.fr; *.home.arpa (LAN)
Certificates: Let's Encrypt (public); wildcard self-signed (LAN)

03. SERVERS

S1 — Servo
HP ProLiant ML350 Gen9 — VLAN 10
~40 containers — Docker Compose

Productivity: Gitea, Paperless-NGX, n8n, Firefly III, Mealie, Wallos, Karakeep, CommaFeed, Booklore, Baïkal
Tools & Dev: IT-Tools, Hoppscotch, Portainer, MinIO
Monitoring: Uptime Kuma, Gatus, Netdata, Ntfy, Watchtower, Diun
Security: Falco (eBPF), Trivy, DefectDojo, Dependency-Track
AI: Immich ML, Kopia

S2 — OptiPlex
Dell OptiPlex — VLAN 10
Reverse Proxy & Auth — Gateway

Reverse Proxy: Traefik v3, Pangolin
Auth Stack (SSO): Authelia, LLDAP, Keycloak
Traefik Plugins: CrowdSec Bouncer, Fail2Ban, ModSecurity WAF, GeoBlock (EU only), Rate Limiting
Mail: docker-mailserver (SMTP/IMAP)
Observability: Grafana, Prometheus, Loki, Promtail, CrowdSec
Photo: Immich Server, PostgreSQL, Redis

S3 — TrueNAS
NAS — VLAN 20 (Management)
NFS Shares, ZFS, Backup target

Immich Split Architecture
Immich Server (OptiPlex) → Immich ML (Servo)
Photo management on OptiPlex, ML inference offloaded to Servo.

04. SECURITY

Traefik Middleware Chain
Applied to every incoming request:
Real-IP → CrowdSec Bouncer → Fail2Ban → Rate Limit → Security Headers
+ ModSecurity WAF (OWASP CRS) available on demand; GeoBlock restricts access to Europe only.

Authelia
SSO / 2FA / OIDC Provider
forwardAuth, TOTP 2FA, OIDC IdP, LDAP backend
Single sign-on across all services. OIDC clients: Pangolin, Gitea (auto-login).

Falco
eBPF Runtime Security
Falcosidekick → Apprise → Ntfy
Kernel-level syscall monitoring, with custom rules for container escape and privilege escalation.

Trivy
Automated Vulnerability Scanner
Image Lister → Trivy Scan → Email Report
Daily scan of all Docker images. HIGH/CRITICAL CVEs reported via HTML email.
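The Image Lister → Trivy Scan → Email Report pipeline described above, as an added Python example that is not the homelab's own script: it parses the JSON that `trivy image -f json` emits, keeps only HIGH/CRITICAL findings (CRITICAL first), renders the HTML report with every cell escaped, and hands it to the mail server. The SMTP host and addresses are assumptions, and the sample report is constructed with placeholder vulnerability IDs.

```python
import json
import smtplib
from email.message import EmailMessage
from html import escape

REPORTED = {"CRITICAL", "HIGH"}  # severities the daily report keeps

def parse_trivy_report(report_json: str) -> list[dict]:
    """Flatten one `trivy image -f json` report into HIGH/CRITICAL findings."""
    report = json.loads(report_json)
    image = report.get("ArtifactName", "<unknown image>")
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key is absent on clean targets
            if vuln.get("Severity") in REPORTED:
                findings.append({"image": image, "id": vuln.get("VulnerabilityID", ""),
                                 "pkg": vuln.get("PkgName", ""), "severity": vuln["Severity"],
                                 "installed": vuln.get("InstalledVersion", ""),
                                 "fixed": vuln.get("FixedVersion", "")})  # "" = no fix yet
    findings.sort(key=lambda f: (f["severity"] != "CRITICAL", f["image"], f["id"]))  # CRITICAL first
    return findings

def render_html(findings: list[dict]) -> str:
    """HTML body for the mail; cells are escaped because scanner output is untrusted input."""
    if not findings:
        return "<p>No HIGH/CRITICAL vulnerabilities found.</p>"
    cols = ("severity", "image", "id", "pkg", "installed", "fixed")
    rows = "".join("<tr>" + "".join(f"<td>{escape(str(f[c]))}</td>" for c in cols) + "</tr>"
                   for f in findings)
    return "<table><tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>" + rows + "</table>"

def send_report(html: str, smtp_host: str, sender: str, recipient: str) -> None:
    """Deliver the report via the LAN mail server (host and addresses are hypothetical)."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Trivy daily scan: HIGH/CRITICAL", sender, recipient
    msg.set_content(html, subtype="html")
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)

# Constructed sample in Trivy's JSON shape (vulnerability IDs are placeholders, not real CVEs)
SAMPLE_REPORT = json.dumps({"ArtifactName": "registry.example/app:latest", "Results": [
    {"Target": "app (alpine)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo", "InstalledVersion": "1.0",
         "FixedVersion": "1.1", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar", "InstalledVersion": "1.0",
         "Severity": "LOW"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz", "InstalledVersion": "2.0",
         "FixedVersion": "", "Severity": "CRITICAL"}]},
    {"Target": "app/requirements.txt"}]})  # clean target: no "Vulnerabilities" key
```

Run `send_report(render_html(parse_trivy_report(SAMPLE_REPORT)), "mail.example.invalid", "trivy@example.invalid", "admin@example.invalid")` from a daily cron job to reproduce the page's pipeline; in practice the report string comes from the scan of each listed image rather than from SAMPLE_REPORT.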

CrowdSec
Community Threat Intel
Live mode, Shared blocklists, Traefik bouncer

DefectDojo
Vulnerability Management
Import Trivy, Findings tracking, Risk scoring

Dependency-Track
SCA / SBOM Analysis
SBOM ingestion, License compliance, Component risk

05. ALERTING

Runtime Security Alerts
Falco (eBPF) → falcosidekick → falco-adapter → Apprise → Ntfy

Vulnerability Reports
Trivy Scanner → HTML Report → SMTP Email

Container Updates
Watchtower → Ntfy; + Diun (image update detection)

06. BACKUP

Immich Backup
cron 04:00 daily
pg_dump → rsync → Servo
PostgreSQL dump + library rsync from OptiPlex to Servo.

Kopia
Backup Agent
Incremental, Encrypted, Deduplicated → TrueNAS (NFS)

Backblaze B2
Offsite Cloud Backup
Kopia → Backblaze B2
S3-compatible, Encrypted at rest, 3-2-1 rule