Overview

This repository contains job definitions for a homelab of self-hosted services orchestrated by Nomad, leveraging containerized workloads with a focus on high availability, automation, and security. The infrastructure runs on bare-metal Debian Stable and is provisioned by ansible-hybrid-cloud.

---

Architecture

• Orchestration:

  • Nomad for workload management
  • Rootless Podman as the task driver

• Networking:

  • Private Wireguard mesh for all inter-service communication
  • Caddy as L4 and L7 reverse proxy
  • HAProxy for internal load balancing of infrastructure services
  • SSH, HTTP, and HTTPS honeypots for threat intelligence and blocking

• Storage:

  • Garage S3 cluster for durable object storage
  • JuiceFS: POSIX-compliant distributed mounts with:
    • Multi-tier caching (memory -> disk -> S3)
    • Valkey for JuiceFS metadata storage
    • Garage S3 as storage backend

• Database:

  • PostgreSQL cluster using Patroni
  • Regular database dumps to encrypted offsite storage

---

Key Features

• Security:

  • Container isolation with rootless execution where possible
  • Zero public exposure – all services communicate via Wireguard
  • SOPS-encrypted secrets with Git integration
  • Automated low-level blocking of honeypot IPs using deceptimeed

• Automation:

  • Self-updating reverse proxy configurations using Nomad service discovery
  • Rolling or Blue-Green update deployments for critical services
  • Self-hosted Renovate bot creating PRs for new container version tags
  • Regular pruning and cleanups via Nomad periodic jobs
  • Service monitoring and alerting with Gatus – fully automated based on Nomad service tags

---

Note

Some configuration files and/or environment variables may be excluded from this repository