Overview
This homelab runs on a single Mini PC with Fedora CoreOS, using Podman Quadlets for containerized services. All external access goes through Cloudflare Zero Trust, with Authentik providing SSO for applications.
Infrastructure Diagram
Request Flow
External Access (Public Services)
Admin Access (Tailscale)
Tailscale provides secure SSH access for administration without exposing ports to the internet.
Core Components
Fedora CoreOS
Immutable OS with automatic updates. Containers managed via Podman Quadlets (systemd units).
Cloudflare Zero Trust
Tunnel for ingress, Access policies for authentication. No open ports on the router.
Authentik
SSO provider. Apps authenticate via OIDC/SAML. Integrated with Cloudflare Access.
Caddy
Reverse proxy with automatic HTTPS. Routes traffic to containers.
OpenWrt + AdGuard
Router with managed switch for network control. AdGuard Home for DNS and ad-blocking.
Tailscale
Mesh VPN for admin access. SSH into server without exposing ports.
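The "no open ports" ingress model and the Quadlet-managed containers described above, shown as one unit file. This is an added example, not a file from the original page: it runs the Cloudflare Tunnel connector as a hardened Podman Quadlet that only makes outbound connections, so nothing on the host or router needs to listen. The image tag, the environment-file path and the `homelab.network` sibling Quadlet (shared with Caddy) are assumptions.

```ini
# cloudflared.container  (added example; assumed to live in /etc/containers/systemd/)
# Quadlet generates a systemd service from this file on `systemctl daemon-reload`.
[Unit]
Description=Cloudflare Tunnel connector (outbound-only ingress)
After=network-online.target
Wants=network-online.target

[Container]
# Upstream image; pin a digest in practice instead of a floating tag (assumption).
Image=docker.io/cloudflare/cloudflared:latest
ContainerName=cloudflared
# The tunnel token stays out of the unit file: the env file (hypothetical path,
# root-owned, mode 0600) holds a single line TUNNEL_TOKEN=<token>.
EnvironmentFile=/etc/cloudflared/tunnel.env
Exec=tunnel --no-autoupdate run
# No PublishPort= on purpose: cloudflared dials out to Cloudflare's edge and
# proxies requests back to Caddy over a Podman network, so the host exposes
# no listener and the router keeps no ports forwarded.
Network=homelab.network
# Hardening: immutable rootfs, no Linux capabilities, no privilege escalation.
ReadOnly=true
DropCapability=ALL
NoNewPrivileges=true
# Let `podman auto-update` pull new images on the CoreOS update cadence.
AutoUpdate=registry

[Service]
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target default.target
```

Check the result with `podman port cloudflared` (expect no mappings) and `ss -ltn` on the host (expect no new listener); the connector's route to Caddy is visible only inside the `homelab` network.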
Infrastructure as Code
| Component | Tool | Description |
|---|---|---|
| Cloudflare | Terraform | Tunnel, DNS, Access policies |
| Tailscale | Terraform | ACLs, device authorization |
| Authentik | Terraform | Applications, providers, policies |
| Grafana | Terraform | Dashboards, data sources |
| CoreOS | Ignition | Initial provisioning |
| Containers | Git + SCP | Quadlet files deployed manually |
Network (Current)
Currently running a flat network (no VLANs). Future plans may include segmentation for IoT devices.
| Device | Role |
|---|---|
| OpenWrt Router | Main gateway, AdGuard Home DNS |
| Managed Switch | Connects all devices |
| Mini PC | Fedora CoreOS server |