Homelab Server

Production-grade self-hosted homelab on RHEL 9.7 with Podman Quadlet, nginx reverse proxy, Cloudflare Tunnel, and a full observability stack.

Screenshot

[Image: Homelab Server screenshot]

Overview

A 24/7 self-hosted homelab running essential services on dedicated hardware. Uses Podman Quadlet for declarative container management, nginx for reverse proxying, and Cloudflare Tunnel for secure remote access behind CGNAT. The server hosts monitoring, DNS ad-blocking, security cameras, self-hosted Git, cloud storage, and file sharing for the entire home network.

Role

Owner — designed, deployed, and currently maintain the entire infrastructure

Technologies

  • RHEL 9.7 (enterprise Linux)
  • Podman 5.6.0 + Quadlet (systemd container management)
  • nginx (reverse proxy)
  • Cloudflare Tunnel (zero-trust remote access)
  • AdGuard Home + dnsmasq (DNS ad-blocking)
  • Zabbix + Prometheus + Grafana + Uptime Kuma (monitoring)
  • PostgreSQL (database backend)
  • AgentDVR (security cameras)
  • Gitea (self-hosted Git)
  • Nextcloud (self-hosted cloud storage)
  • Samba + NFS (file sharing)

Architecture

Internet
  │
  ▼
Cloudflare Tunnel (outbound-only, CGNAT bypass)
  │
  ▼
nginx reverse proxy (:80)
  │
  ├── AdGuard Home (DNS, DoH, DoT, DNSCrypt)
  ├── qBittorrent (torrent client)
  ├── AgentDVR (security cameras)
  ├── Uptime Kuma (uptime monitoring)
  ├── Prometheus + Grafana (metrics & dashboards)
  ├── Zabbix (infrastructure monitoring)
  ├── Gitea (self-hosted Git)
  └── Nextcloud (cloud storage)

Key Services

Container Management with Quadlet

Containers are managed declaratively through systemd using Podman Quadlet. Each service has a .container unit file in /etc/containers/systemd/, enabling native systemctl commands for start/stop/restart and automatic restarts on failure.
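As an added example (not a unit file from this project), this is what a hardened Quadlet unit for the Uptime Kuma service on port 3001 could look like; the image tag, data directory and container name are assumptions:

```ini
# /etc/containers/systemd/uptime-kuma.container
# Added example, not from this project. Image tag, volume path and
# container name are assumptions; the port comes from the allocation table.
[Unit]
Description=Uptime Kuma uptime monitoring
After=network-online.target
Wants=network-online.target

[Container]
ContainerName=uptime-kuma
Image=docker.io/louislam/uptime-kuma:1
# Bind to loopback only: the service is then reachable solely through
# nginx (and the Cloudflare Tunnel in front of it), never directly from
# the LAN or the internet.
PublishPort=127.0.0.1:3001:3001
# :Z relabels the bind mount for SELinux, which is enforcing on RHEL.
Volume=/srv/containers/uptime-kuma:/app/data:Z
# Least privilege: no Linux capabilities, no privilege escalation via setuid.
DropCapability=ALL
NoNewPrivileges=true
# Scratch space that does not persist and is not on the host filesystem.
Tmpfs=/tmp
# Let `podman auto-update` pull newer images matching the tag.
AutoUpdate=registry

[Service]
# Automatic restart on failure, as described above; give the image pull time.
Restart=always
TimeoutStartSec=300

[Install]
# Rootful units under /etc/containers/systemd/ start with the system.
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, the generator produces `uptime-kuma.service`, which is then driven with the usual `systemctl start|stop|status uptime-kuma`. Podman applies the image's own HEALTHCHECK, so the container is marked unhealthy if the web endpoint stops answering.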

Remote Access via Cloudflare Tunnel

The home internet runs on a residential plan with CGNAT (no public IP, no inbound ports possible). All external access goes through Cloudflare Tunnel — an outbound-only connection that bypasses NAT entirely. No static IP, DDNS, or port forwarding needed.

Exposed services:

Service              Domain
nginx (web)          *.mydomain.com
Zabbix UI            monitor.mydomain.com
Uptime Kuma          status.mydomain.com
AgentDVR             cameras.mydomain.com
qBittorrent          torrent.mydomain.com
Nextcloud            cloud.mydomain.com
RDP (nginx stream)   rdp.mydomain.com

DNS Ad-Blocking with AdGuard Home

AdGuard Home provides network-wide ad-blocking at the DNS level, supporting DNS-over-HTTPS (443), DNS-over-TLS (853/8853), DNS-over-QUIC (784), and DNSCrypt (5443). dnsmasq runs as a local caching resolver on loopback only.

Full Observability Stack

  1. Zabbix — infrastructure monitoring (server + agent + PostgreSQL backend)
  2. Prometheus + Grafana — container metrics via node-exporter and podman-exporter
  3. Uptime Kuma — HTTP/TCP/DNS uptime checks with status pages
  4. Netdata — real-time per-second metrics dashboard

Self-Hosted Services

  • Gitea — lightweight Git hosting with web UI, issue tracking, and CI/CD
  • Nextcloud — file sync & share with desktop/mobile clients and external storage
  • AgentDVR — security camera system with GPU acceleration

Storage

Tier               Disk                        Size   Purpose
OS                 /dev/mapper/rhel-root       20G    System files, logs
Container Cache    /dev/mapper/vgroup0-lvol0   199G   Podman store, container data
Bulk Storage       /dev/sda1                   932G   Camera recordings, downloads, media

Port Allocation

Port    Service                   Notes
53      AdGuard Home              DNS
80      nginx                     HTTP reverse proxy
3000    AdGuard Home / Grafana    Web UI
3001    Uptime Kuma               Monitoring dashboard
5000    Gitea                     Git hosting web UI
8080    qBittorrent               Download client
8090    AgentDVR                  Security cameras
9080    nginx → Zabbix            Monitoring web UI
9090    Prometheus                Metrics
9100    node-exporter             Host metrics
9882    podman-exporter           Container metrics
19999   Netdata                   Real-time dashboards

Detailed documentation in the knowledge base:

  • Architecture: System info, network topology, monitoring layers, storage tiers, security
  • Networking: Interfaces, DNS config, firewall rules, Cloudflare Tunnel
  • Troubleshooting: Container, DNS, nginx, monitoring, and storage issues