This repository contains job definitions for a homelab of self-hosted services orchestrated by Nomad, leveraging containerized workloads with a focus on high availability, automation, and security. The infrastructure runs on bare-metal Debian Stable and is provisioned by ansible-hybrid-cloud.
Orchestration:
- Nomad for workload management
- Rootless Podman as the task driver
Networking:
Storage:
Database:
- PostgreSQL cluster using Patroni
- Regular database dumps to encrypted offsite storage
Security:
- Container isolation with rootless execution where possible
- Zero public exposure – all services communicate via Wireguard
- SOPS-encrypted secrets with Git integration
- Automated low-level blocking of honeypot IPs using deceptimeed
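As an added illustration of the security points above (an example job spec written for this README, not a job taken from the repository), this is what one hardened task looks like under the Podman driver: the container drops all capabilities, runs with a read-only root filesystem and a user-namespace mapping, listens only on a host network named `wireguard` (assumed to be defined in the Nomad client configuration on the WireGuard interface), and receives its secret from a Nomad variable that the SOPS-decrypted secrets pipeline is assumed to have populated. The image, port, variable path and key name are placeholders.

```hcl
# Added example (not from this repository): a hardened Podman task.
# Assumptions: the Nomad client defines host_network "wireguard" on the
# WireGuard interface, and a Nomad variable "nomad/jobs/example-app"
# holding the key "db_password" has been populated from SOPS-decrypted secrets.
job "example-app" {
  datacenters = ["dc1"]
  type        = "service"

  group "app" {
    count = 1

    network {
      # Bind only to the WireGuard host network: nothing listens on a public interface.
      port "http" {
        to           = 8080
        host_network = "wireguard"
      }
    }

    task "app" {
      driver = "podman"

      config {
        image           = "docker.io/library/example-app:1.0.0" # placeholder image
        ports           = ["http"]
        userns          = "keep-id"   # keep the rootless user's ID mapping inside the container
        readonly_rootfs = true        # image layers are immutable at runtime
        tmpfs           = ["/tmp"]    # writable scratch space without touching the rootfs
        cap_drop        = ["ALL"]     # start from zero capabilities
        privileged      = false
      }

      # The secret is rendered into an environment file from a Nomad variable,
      # so nothing sensitive is committed in the job file itself.
      template {
        destination = "secrets/app.env"
        env         = true
        data        = <<-EOT
          {{ with nomadVar "nomad/jobs/example-app" }}
          DB_PASSWORD={{ .db_password }}
          {{ end }}
        EOT
      }

      resources {
        cpu    = 200
        memory = 128
      }
    }
  }
}
```

The `host_network` name is what keeps the service off public interfaces: if the client does not define it on the WireGuard interface, the job fails to place rather than silently binding elsewhere, which is the safer failure mode.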
Automation:
- Self-updating reverse proxy configurations using Nomad service discovery
- Rolling or Blue-Green update deployments for critical services
- Self-hosted Renovate bot creating PRs for new container version tags
- Regular pruning and cleanups via Nomad periodic jobs
- Service monitoring and alerting with Gatus – fully automated based on Nomad service tags
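As an added example of how the automation items fit together in one job spec (written for this README, not a job from the repository), the following shows a blue/green rollout driven by the `update` stanza together with a `service` stanza whose tags feed the reverse proxy and the monitoring generator. It assumes Traefik runs with its Nomad provider, that a separate generator (not shown) turns the `gatus.*` tags into Gatus endpoints (a hypothetical tag convention, not a Gatus feature), and that the client defines a host network named `wireguard`; the hostname, image and health-check path are placeholders.

```hcl
# Added example (not from this repository): a blue/green rollout whose
# reverse-proxy route and uptime check are both derived from service tags.
# Assumptions: Traefik uses its Nomad provider, a generator (not shown) maps
# "gatus.*" tags to Gatus endpoints, and the client defines host_network "wireguard".
job "example-web" {
  datacenters = ["dc1"]
  type        = "service"

  update {
    # canary == count: a full second set ("green") starts beside the running
    # set ("blue"); only after every canary passes its health check is the old
    # set replaced. Use canary = 0 and max_parallel = 1 for a plain rolling update.
    canary           = 2
    max_parallel     = 2
    auto_promote     = true
    auto_revert      = true
    health_check     = "checks"
    min_healthy_time = "30s"
    healthy_deadline = "5m"
  }

  group "web" {
    count = 2

    network {
      port "http" {
        to           = 8080
        host_network = "wireguard"
      }
    }

    service {
      name     = "example-web"
      port     = "http"
      provider = "nomad"

      # Traefik reads these tags from Nomad service discovery and builds the
      # route itself; the job file is the only place the route is declared.
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.example-web.rule=Host(`web.lab.example`)",
        "traefik.http.routers.example-web.entrypoints=websecure",
        # Hypothetical convention consumed by the Gatus config generator.
        "gatus.enabled=true",
        "gatus.path=/healthz",
      ]

      # The deployment's health gate: canaries are promoted only once this passes.
      check {
        type     = "http"
        path     = "/healthz"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "web" {
      driver = "podman"

      config {
        image = "docker.io/library/example-web:2.0.0" # placeholder image
        ports = ["http"]
      }

      resources {
        cpu    = 200
        memory = 128
      }
    }
  }
}
```

With `auto_promote = true` the switch from blue to green happens without an operator step; setting it to `false` keeps both sets running until someone runs `nomad deployment promote`, which is the safer choice when a service needs a manual smoke test before traffic moves.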
Note: Some configuration files and/or environment variables may be excluded from this repository.