Homelab & Private AI.

A zero-trust global mesh bridging Oracle Cloud, a local Proxmox cluster, and a dedicated GPU compute node. Public traffic routes through Cloudflare to an OCI edge, then over Tailscale to local services, with LLM inference offloaded to dedicated hardware. No exposed ports. No cloud AI.

OCI Ampere A1 (edge) · P2P Tailscale (mesh) · PVE Proxmox (homelab) · GPU (local AI compute)

The Invisible Backbone

Zero open ports on the home router. The OCI instance accepts no inbound traffic except Tailscale peer handshakes, making it invisible to port scanners. Cloudflare Tunnels handle public ingress, routing requests to the OCI edge, which proxies them over the encrypted mesh to local services. The GPU compute node joins the mesh via Tailscale subnet routing, so inference requests from Open WebUI on OCI reach the local GPU with no direct internet exposure.

Traffic path: Internet → Cloudflare (DDoS · DNS) → OCI Edge (Open WebUI · Traefik) → Tailscale (WireGuard P2P) → GPU Node ★ (LM Studio · Qwen 3)

OCI Ampere A1 · Edge & Frontend
  • Open WebUI · :web-ui
  • Traefik · reverse proxy
  • Cloudflare Tunnels
  • CrowdSec IPS

[Tailscale · WireGuard P2P]

Proxmox VE · Homelab Core
  • Authentik · SSO / OIDC
  • Qdrant · vector DB
  • n8n · automation
  • Ollama · fallback inference
  • Grafana · Loki · Promtail

[Subnet Routing]

GPU Compute ★ · The Star
  • LM Studio · runtime
  • Qwen 3 · 27B / 35B
  • Tailscale subnet route

Private AI, No Cloud.

Open WebUI runs on OCI and is the user-facing interface for all LLM interaction. Inference requests are forwarded over the Tailscale mesh to LM Studio on the local GPU node, keeping model weights and conversation data entirely off the internet.

Primary Inference · GPU Node ★
LM Studio

Serves Qwen 3 (27B/35B) on local GPU hardware via an OpenAI-compatible API. Inference requests arrive over the Tailscale mesh from Open WebUI on OCI.

Frontend · OCI
Open WebUI

Deployed on the OCI edge instance. Connects to LM Studio on the GPU node via its OpenAI-compatible endpoint over the encrypted mesh.
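The Open WebUI → LM Studio link above, and the subnet-routed GPU node described under The Invisible Backbone, only keep data off the internet if the configured inference URL actually points into the tailnet. As an added example (not code from this page or its author), a pre-flight check for Open WebUI's OpenAI-compatible base URL setting: it accepts Tailscale CGNAT and ULA addresses, MagicDNS names under the tailnet suffix, and LAN prefixes advertised as Tailscale subnet routes, and refuses anything else. The tailnet suffix, LAN prefix and port 1234 used in the check are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Tailscale hands every node an IPv4 address from the CGNAT block and an
# IPv6 address from its ULA block; anything else is not a direct tailnet peer.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")
TAILNET_V6 = ipaddress.ip_network("fd7a:115c:a1e0::/48")


def endpoint_stays_on_mesh(base_url, subnet_routes, tailnet_suffix):
    """Return True only if base_url targets a tailnet node (by address or
    MagicDNS name) or a LAN prefix reachable via an advertised subnet route.

    subnet_routes: list of CIDR strings the subnet router advertises (assumed).
    tailnet_suffix: the tailnet's MagicDNS suffix, e.g. "tailXXXX.ts.net" (assumed).
    """
    host = urlparse(base_url).hostname  # lowercased, brackets stripped for IPv6
    if not host:
        return False
    # MagicDNS names resolve only inside the tailnet.
    if host.endswith("." + tailnet_suffix):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # any other DNS name (public or local) is refused
    if addr in TAILNET_V4 or addr in TAILNET_V6:
        return True
    # GPU node reached through the Proxmox/GPU subnet route rather than as a peer.
    return any(addr in ipaddress.ip_network(route) for route in subnet_routes)
```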

Vector Memory · Proxmox
Qdrant & pgvector

Qdrant handles semantic search for RAG retrieval. PostgreSQL with pgvector stores structured embeddings for hybrid keyword and semantic queries.

Automation Brain · Proxmox
n8n

Orchestrates agentic workflows, connecting the AI stack to external services and automating multi-step LLM pipelines without custom glue code.

Fallback Inference · Proxmox
Ollama

Lightweight fallback for smaller models and tasks that don't need GPU compute. Handles embeddings and quick-turnaround requests locally on the Proxmox cluster.

Observability · Proxmox
Grafana Stack

Promtail ships logs from all services and the Cowrie honeypot to Loki. Grafana visualises threat patterns, service health, and inference metrics.

Core Operations

The broader lab stack: DNS, storage, virtualisation, and isolated gaming workloads, all on the same Proxmox cluster as the AI services.

Network & Discovery
AdGuard Home
Network-wide telemetry and ad blocking with DNS-over-HTTPS for all devices.
Traefik
TLS termination with a wildcard certificate for *.tmkel.com, issued via ACME DNS-01 challenges against Cloudflare DNS.
Custom Dashboard
Static HTML service hub - unified entry point for all internal lab services.
Storage & Virtualisation
Proxmox VE
Mixed-node cluster running LXC containers and isolated KVM virtual machines.
ZFS Arrays
ZFS-backed storage with automated snapshots.
Syncthing
Continuous P2P sync between lab storage and mobile devices. No cloud relay.
Edge Gaming Ops
Pterodactyl Panel
Containerised game server management. Isolated from the core production mesh.
Cloudflare Tunnels
Public access via Cloudflare Tunnels with strict IP whitelisting. No ports exposed.

Hardening the Lab

Zero-Port Perimeter
The home router forwards no ports at all. All ingress arrives via Cloudflare Tunnels or Tailscale P2P, so the router exposes nothing for scanners to find.
Identity & MFA
Authentik is the global Identity Provider across the stack. Every internal service is gated behind it via OIDC or SAML, and access is granted only after WebAuthn or TOTP authentication.
WAF & Geoblocking
Cloudflare WAF rules drop traffic from high-risk ASNs and geolocations before it reaches the OCI edge, reducing noise before CrowdSec even sees it.

Real-World Threat Intelligence

A Cowrie SSH honeypot runs alongside the production stack, capturing live attacker behaviour. Logs ship via Promtail to Loki and are visualised in Grafana, providing a continuous feed of real brute-force patterns, credential attempts, and post-exploit command sequences.
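The pipeline above ships Cowrie's JSON-lines events to Loki; the same aggregation that Grafana panels perform can be reproduced offline. As an added example (not code from this page or its author), a parser and summariser over a constructed Cowrie sample that derives attacker origins, credential attempts, credential reuse across source IPs, and the ordered command sequence of each session. The event names and field names follow Cowrie's JSON log format; every value in the sample is made up.

```python
import json
from collections import Counter, defaultdict
# Constructed Cowrie JSON-lines sample (values made up), shaped like the events
# Cowrie writes and Promtail ships to Loki: eventid, src_ip, session, and either
# username/password for login attempts or input for typed commands.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.7","session":"a1"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.7","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.9","session":"b2"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"root","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"admin","password":"admin"}
this line is not JSON and must be skipped
"""

def parse_events(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarise(events):
    """Aggregate attacker origins, credential attempts, credential reuse across
    source IPs, and the ordered command sequence of each session."""
    origins = Counter()
    credentials = Counter()
    cred_sources = defaultdict(set)
    commands = defaultdict(list)
    for ev in events:
        eid = ev.get("eventid", "")
        if eid == "cowrie.session.connect":
            origins[ev["src_ip"]] += 1
        elif eid in ("cowrie.login.failed", "cowrie.login.success"):
            pair = (ev.get("username"), ev.get("password"))
            credentials[pair] += 1
            cred_sources[pair].add(ev["src_ip"])
        elif eid == "cowrie.command.input":
            commands[ev["session"]].append(ev["input"])
    # A credential pair seen from more than one source IP indicates list reuse.
    reused = {p: sorted(ips) for p, ips in cred_sources.items() if len(ips) > 1}
    return {"origins": origins, "credentials": credentials,
            "reused_credentials": reused, "commands": dict(commands)}
```

The same counters map directly onto the Grafana panels mentioned above: origins per source IP, top credential pairs, and per-session command order.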

pipeline · cowrie → promtail → loki → grafana

$ tailscale status
oci-edge       direct   online
proxmox-pve    direct   online
gpu-compute    subnet   online

$ curl :inference/api/tags
{"models": [{"name": "qwen3:27b", "status": "loaded"}]}

The live data from this honeypot feeds the SSH Honeypot Research page, which breaks down attacker origins, credential reuse, and post-exploit session behaviour.