lab.shadeh.dev ← shadeh.dev

// infrastructure ops log — T&T homelab

Self-hosted.
No excuses.

Running production-grade services from a 2015 laptop in Port of Spain. Two-node Proxmox cluster inbound. This is the ops log — unfiltered.

9 Services live
65GB Media under mgmt
B2 Off-site backup
~06/21 Cluster ETA

Node Inventory

homelab · live
Primary compute — 2015 HP laptop
CPU AMD A6-5200 (4c)
RAM 4GB DDR3L
OS Debian 13 Trixie
Role Docker host, Traefik, Immich, HA
Network Tailscale + CF Tunnel

cloudlab · live
Cloud VPS — GCP e2-micro
CPU 2 vCPU shared
RAM 1GB
OS Debian 12
Role Vaultwarden, public ingress
Network GCP VPC + Tailscale

optiplex · ~06/21
Box 1 — Dell OptiPlex 5070 SFF
CPU i5-9500 (6c/6t)
RAM 16GB DDR4
Storage 256GB SSD
Role Proxmox primary: Immich, OpenCloud, Vaultwarden, Traefik, Postgres

prodesk · ~06/21
Box 2 — HP ProDesk 600 G4 SFF
CPU i5-8500 (6c/6t)
RAM 8GB DDR4
Storage TBD
Role Proxmox secondary: HAOS VM, Zigbee, Frigate

auxlab · live
Aux node — GCP
Role Monitoring, overflow
Stack Prometheus, Grafana, Uptime Kuma

newprod · decom
Decommissioned 06/04/2026
Migrated Immich → homelab
Status VM, disks, IP — gone

Service Registry

Immich · live
Photo mgmt — 65GB, v2.7.5
Host homelab
Endpoint immich.shadeh.dev
Stack Docker · CF Tunnel · Traefik

Home Assistant · live
Automation, Matter, GE Cync
Host homelab
Endpoint ha.shadeh.dev
Stack Docker · host net · CF Tunnel

Vaultwarden · live
Self-hosted Bitwarden compat
Host cloudlab
Endpoint vault.sqlab.duckdns.org
Stack Docker · NPM (Nginx Proxy Manager) · Restic→B2

Traefik v3 · live
Reverse proxy, v3.7.1
Host homelab
Endpoint internal
Stack Docker · CF DNS-01 · wildcard TLS

Grafana + Prometheus · live
Node Exporter Full · dashboard 1860
Host auxlab
Endpoint internal
Stack Docker · Tailscale mesh

Uptime Kuma · live
Service health monitoring
Host auxlab
Endpoint internal
Stack Docker

CrowdSec · live
Collab IPS + firewall bouncer
Host cloudlab + homelab
Stack Docker · sysctl ip_forward=1

OpenCloud · deploying
File storage / Nextcloud successor
Host homelab
Stack Docker

Restic → B2 · partial
Immich backup · 02:00 AST daily
Host homelab
Endpoint Backblaze B2
Stack systemd timer · Telegram notify pending

shadeh.dev · live
Public web presence · Astro
Host CF Pages
Endpoint shadeh.dev
Stack Astro · CF Pages · CF DNS

Frigate · planned
NVR + object detection
Host prodesk
Stack Proxmox VM

Immich ML worker · pending hw
CLIP / face recognition
Host optiplex
Note Disabled until OptiPlex arrives

Network

Tailscale mesh · CF Tunnel · CF Zero Trust · DNS-01 wildcard · CGNAT bypass · No open ports
T&T CGNAT kills all inbound, so nothing at home can be port-forwarded in the first place. Tailscale handles node-to-node mesh. Cloudflare Tunnel fronts every public service on homelab; the connector dials out to Cloudflare, so the home side has zero firewall holes. GCP VPC firewall rules are the only real perimeter for cloudlab. UFW on that box is cosmetic: Docker publishes ports with its own iptables rules (DNAT in nat/PREROUTING, ACCEPT in the DOCKER chain on the FORWARD path) and UFW only filters INPUT, so a container published on 0.0.0.0 answers from the internet no matter what ufw status says. The DOCKER-USER chain is the one place a host rule reliably catches that traffic.
Known issue: homelab dirty power recovery. Docker, Tailscale and SSH occasionally fail to come up after an unclean reboot. Fix pending: After=network-online.target on all three systemd units, plus enabling systemd-networkd-wait-online.service.
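Added example, not from this log or the cloudlab box itself: an audit that lists every Docker publish reachable from the internet (the ones UFW pretends to block), and a DOCKER-USER rule set that actually filters them while leaving the NPM ports open. The NIC name ens4, the public port list 80,443, and the docker ps sample are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not the ops log's own tooling). Assumptions: public NIC is
# ens4, only TCP 80/443 should be public, sample container list is constructed.
set -eu

# Docker publishes a port with DNAT in nat/PREROUTING plus an ACCEPT in the
# DOCKER chain of filter/FORWARD. UFW filters filter/INPUT, so container
# traffic never meets a UFW rule. Reads `docker ps --format
# '{{.Names}}\t{{.Ports}}'` on stdin and prints "container port" for every
# publish bound to 0.0.0.0 or [::], i.e. reachable from the internet.
flag_public_binds() {
  awk -F'\t' '
    {
      n = split($2, maps, ", ")
      for (i = 1; i <= n; i++) {
        if (maps[i] ~ /^(0\.0\.0\.0|\[?::\]?):[0-9-]+->/) {
          split(maps[i], parts, "->")
          sub(/^.*:/, "", parts[1])
          print $1, parts[1]
        }
      }
    }' | sort -u
}

# Constructed `docker ps` output standing in for a live host.
docker_sample() {
  printf 'vaultwarden\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp\n'
  printf 'actual-budget\t0.0.0.0:5006->5006/tcp, :::5006->5006/tcp\n'
  printf 'node-exporter\t127.0.0.1:9100->9100/tcp\n'
  printf 'crowdsec\t8080/tcp\n'
}

# Docker jumps to DOCKER-USER before its own FORWARD rules and leaves the
# chain alone, so this is the supported place for host policy. Drops NEW
# connections arriving on the public NIC unless they are TCP to the ports
# meant to be public; tailscale0 and lo are untouched. Printed, not applied:
# review the output, then pipe it to sh.
docker_user_rules() {
  ext_if=$1; public_tcp=$2
  cat <<EOF
iptables -N DOCKER-USER 2>/dev/null || true
iptables -F DOCKER-USER
iptables -A DOCKER-USER -i $ext_if -p tcp -m conntrack --ctstate NEW -m multiport ! --dports $public_tcp -j DROP
iptables -A DOCKER-USER -i $ext_if -p udp -m conntrack --ctstate NEW -j DROP
iptables -A DOCKER-USER -j RETURN
EOF
}

# Compose-side fix for anything that must never be public: bind to loopback
# or the Tailscale address instead of 0.0.0.0, e.g.
#   ports: ["127.0.0.1:5006:5006"]
# Use both: the bind limits exposure, DOCKER-USER catches the next service
# someone publishes without thinking.

case "${1:-}" in
  --audit) docker ps --format '{{.Names}}\t{{.Ports}}' | flag_public_binds ;;
  --rules) docker_user_rules "${EXT_IF:-ens4}" "${PUBLIC_TCP:-80,443}" ;;
esac
```

Run with --audit on the VPS to see what is really exposed, compare against the GCP firewall rules, then --rules to generate the chain. Because DOCKER-USER sits in FORWARD, it does not protect the host's own sshd; that is still UFW's job, and CrowdSec's bouncer adds its decisions on top.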
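Added example, not from this log: the drop-ins for that fix, with two caveats the one-liner above glosses over. After= only orders a unit relative to network-online.target; it does not pull the target into the boot, so each drop-in also needs Wants=. And network-online.target is only as good as the wait-online service behind it, which must belong to whatever actually manages the NICs: systemd-networkd-wait-online does nothing on a Debian box where ifupdown or NetworkManager owns the interfaces. Unit names (docker, tailscaled, ssh), the drop-in filename and the manager detection are assumptions.

```shell
#!/bin/sh
# Added example (not from the ops log). Assumptions: units are docker.service,
# tailscaled.service and ssh.service; drop-in is 10-network-online.conf.
set -eu

UNITS=${UNITS:-"docker tailscaled ssh"}

# After= alone is a no-op if nothing activates network-online.target.
# Wants= makes the unit pull the target in, After= then orders behind it.
dropin_text() {
  cat <<'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
EOF
}

# Map the network manager to the wait-online unit that actually gates
# network-online.target for it. Check what the host has with:
#   systemctl list-unit-files '*wait-online*'
wait_online_unit() {
  case "$1" in
    networkd)        echo systemd-networkd-wait-online.service ;;
    NetworkManager)  echo NetworkManager-wait-online.service ;;
    ifupdown)        echo ifupdown-wait-online.service ;;   # Debian ifupdown package
    *)               return 1 ;;
  esac
}

detect_net_manager() {
  if systemctl is-active --quiet systemd-networkd; then echo networkd
  elif systemctl is-active --quiet NetworkManager; then echo NetworkManager
  elif systemctl is-active --quiet networking; then echo ifupdown
  else return 1
  fi
}

install_dropins() {
  for u in $UNITS; do
    d=/etc/systemd/system/$u.service.d
    mkdir -p "$d"
    dropin_text > "$d/10-network-online.conf"
  done
  mgr=$(detect_net_manager)
  systemctl enable "$(wait_online_unit "$mgr")"
  systemctl daemon-reload
  # Verify: all three units must now show up as reverse dependencies.
  systemctl list-dependencies --reverse network-online.target
}

if [ "${1:-}" = "--apply" ]; then install_dropins; fi
```

After a reboot, systemd-analyze critical-chain docker.service shows whether the wait-online unit is really on the path; if it is not, the drop-in landed but the target is still being reached instantly.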

Backup Strategy

// IMMICH — 3-2-1 in progress
homelab local · Restic → B2 · homelab Restic target ⚠
// VAULTWARDEN
cloudlab · Restic → B2 · cloudlab→homelab pending
Blocker: the secondary Vaultwarden backup (cloudlab → homelab) requires Tailscale SSH disabled on homelab plus keypair auth on port 22. Two empty Immich Restic snapshots are pending prune. Telegram notifications are not yet wired.
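Added example, not the log's /opt/restic/immich/backup.sh: the shape of a Restic → B2 run that closes the two open items above. It refuses to snapshot an empty or unmounted source (the usual origin of empty snapshots, e.g. a volume that is not back yet after the dirty-power reboot), applies a forget/prune policy, spot-reads the repo, and posts the result to Telegram. SRC, ENV_FILE, the tag, the retention numbers, the exclude and the unit name in the message are assumptions.

```shell
#!/bin/sh
# Added example (not the ops log's own script). Assumptions: SRC is the Immich
# upload location, ENV_FILE holds the Restic/B2/Telegram secrets, the
# retention policy and the thumbs exclude are placeholders to adjust.
set -eu

SRC=${SRC:-/opt/immich/library}
ENV_FILE=${ENV_FILE:-/etc/restic/immich.env}
# ENV_FILE is root:root 0600 and holds RESTIC_REPOSITORY (b2:bucket:path),
# RESTIC_PASSWORD_FILE, B2_ACCOUNT_ID, B2_ACCOUNT_KEY, TG_TOKEN, TG_CHAT.
# Secrets live there, not in this script or the systemd unit (both readable).

# An absent bind mount or external disk leaves an empty directory, and restic
# will snapshot it without complaint. Require at least one regular file below
# the source before spending a B2 transaction.
source_nonempty() {
  [ -d "$1" ] || return 1
  [ -n "$(find "$1" -type f -print 2>/dev/null | head -n 1)" ]
}

# Telegram Bot API sendMessage; a no-op until TG_TOKEN/TG_CHAT exist, and
# never allowed to turn a backup success into a failure.
notify() {
  [ -n "${TG_TOKEN:-}" ] && [ -n "${TG_CHAT:-}" ] || return 0
  curl -fsS -m 10 "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
    --data-urlencode "chat_id=${TG_CHAT}" \
    --data-urlencode "text=$1" >/dev/null || true
}

run_backup() {
  . "$ENV_FILE"
  if ! source_nonempty "$SRC"; then
    notify "immich backup SKIPPED on $(hostname): $SRC empty or not mounted"
    return 2
  fi
  # backup, then retention + prune (only snapshots carrying this tag; the two
  # existing empty ones are untagged and get a one-off `restic forget <id>`),
  # then a 2% data read so a corrupt pack in B2 is noticed before restore day.
  if restic backup "$SRC" --tag immich --exclude "$SRC/thumbs" \
     && restic forget --tag immich --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune \
     && restic check --read-data-subset=2%; then
    notify "immich backup OK on $(hostname)"
  else
    notify "immich backup FAILED on $(hostname), see journalctl -u restic-immich"
    return 1
  fi
}

if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Wire it to the existing 02:00 AST timer with ExecStart=/path/to/script --run and EnvironmentFile= pointing at ENV_FILE; the skip path exits 2 so the timer's journal entry distinguishes "nothing to back up" from a real restic failure.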

Build Timeline

Late Apr 2026
Multi-node foundation
cloudlab + auxlab on GCP. Tailscale mesh. Vaultwarden, Actual Budget, CrowdSec, Prometheus/Grafana, Uptime Kuma. NPM with DuckDNS DNS-01. Ansible repo scaffolded.
Early May 2026
Homelab rebuild — Debian 13 Trixie
Clean install. Docker CE, Dockge, UFW, CrowdSec, SSH hardening. Home Assistant deployed (network_mode: host). Matter server for GE Cync bulbs.
May–Jun 2026
Immich migration + Traefik v3
newprod → homelab. DB restored, 65GB media rsynced, asset count verified. Restic→B2 pipeline live at /opt/restic/immich/backup.sh, 02:00 AST. NPM nuked. Traefik v3.7.1. CF Tunnel for immich.shadeh.dev and ha.shadeh.dev.
Jun 2026
shadeh.dev — public presence
Domain registered. CF Pages + Astro. Coming-soon page live with countdown. shadeh.dev/homelab is this page.
In flight
OpenCloud deployment
SSH session failed mid-script. Troubleshooting ongoing. Target: homelab Docker stack.
~06/21/2026
Proxmox two-node cluster
OptiPlex 5070 SFF + ProDesk 600 G4 arrive. Full service migration. Immich ML worker re-enabled. HAOS on ProDesk. Wildcard *.shadeh.dev via DNS-01 scoped CF token. This reshapes every placement decision currently in flight.
Post-cluster
DIY hardware layer
5× LOLIN S3 Mini wall switches — AHT20 + display, ESPHome native API. Pi Pico 2W: rover motor control (PIO + micro-ROS) or USB HID macro pad. Y11 automotive Pi build gated on OBD-II compat test via Torque Pro.

Full Stack

// core
Docker Compose · Traefik v3 · Cloudflare Tunnel · Tailscale · Restic · Backblaze B2
// infra
GCP · Cloudflare · CrowdSec · Prometheus · Grafana · Uptime Kuma · systemd · UFW
// services
Immich · Home Assistant · Vaultwarden · OpenCloud · Dockge · Postgres · ESPHome · Matter
// incoming
Proxmox · Frigate · Zigbee · Ansible · micro-ROS · ROS2