
What's on My Homelab

Research Blog

Most "homelab" posts are about setting up a Raspberry Pi cluster or getting Plex to run in Docker. This is not that post. My homelab runs a small but serious stack — the kind of infrastructure a startup might use in production, but self-hosted, fully owned, and shockingly fun to operate.

Here's everything running on bare-metal Debian 12 servers, managed entirely with Kubernetes.


The Hardware

Eight bare-metal servers (counting blades individually). Over 1TB of RAM, 100+ CPU cores, and 200TB of raw storage. The cluster runs Kubernetes v1.32 on containerd, and CPU utilization hovers around 8% even with everything running. There's a lot of headroom.

For context, the equivalent on a hyperscaler would run north of $20,000/month — roughly $9,000 for the compute (two r6i.24xlarge-class instances to cover the CPU and memory), $16,000 for 200TB of block storage, and that's before you add GPU instances, data transfer, or any of the managed services you'd need to replace what's running here. On colocated hardware in a data center, the same capacity costs a few hundred dollars a month in power and rack space, and I bought it all used on eBay and Kijiji for 95% off the MSRP.


The Foundation Layer

Kubernetes

The only real choice once you're past 40 CPU cores. Kubernetes gets unfairly maligned as "enterprise complexity" but once you stop fighting it and commit, it's an incredible platform. GitOps via Flux means the entire cluster is declared in a git repo — every namespace, every deployment, every config. If I nuke the cluster tomorrow, it comes back in minutes.
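What "the entire cluster is declared in a git repo" looks like in practice is a Flux source plus a Flux Kustomization. The pair below is an added example, not a manifest from this homelab's repo; the repository URL, branch, path and Secret names are assumptions. The two security-relevant choices are a read-only SSH deploy key (so the cluster can pull but never push) and SOPS decryption, so that credentials committed to git stay encrypted at rest and Flux decrypts them only inside the cluster.

```yaml
# Added example (not the post's own config): the minimal pair of objects that
# makes a cluster reconstructable from git, as the post describes.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: homelab
  namespace: flux-system
spec:
  interval: 1m
  url: ssh://git@git.example.internal/homelab/cluster.git   # assumed URL
  ref:
    branch: main                                           # assumed branch
  secretRef:
    # Assumed Secret holding a READ-ONLY deploy key: keys identity,
    # identity.pub and known_hosts. A read-only key means a compromised
    # cluster cannot rewrite its own desired state in git.
    name: homelab-deploy-key
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cluster
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: homelab
  path: ./clusters/homelab   # assumed path inside the repo
  prune: true                # objects deleted from git are deleted from the cluster
  wait: true                 # reconciliation reports failure if workloads never become ready
  timeout: 5m
  decryption:
    provider: sops
    secretRef:
      name: sops-age         # assumed Secret holding the age private key
```

With `prune: true`, drift is corrected in both directions: anything applied by hand with `kubectl` and not committed is removed on the next reconcile, which is what makes "nuke it and it comes back in minutes" true. The age key in `sops-age` is the one secret that has to be restored out of band before the rest of the stack can decrypt itself, so it belongs in the password manager rather than in the repo.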

Rook/Ceph

Distributed block and object storage, running natively inside the cluster. Ceph handles persistent volumes for stateful apps, plus an S3-compatible object store for everything else. No NFS hacks, no external NAS dependency.

MetalLB + ingress-nginx + cert-manager

The networking trifecta. MetalLB provides a real load-balancer IP so every service gets proper L4 routing without a cloud provider. ingress-nginx handles all the L7 routing — every single HTTPS endpoint flows through one IP, one controller, one place to look. cert-manager automates TLS certificates for all of them.
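The "one IP, one controller" arrangement is four objects: a MetalLB address pool, its L2 advertisement, a cert-manager issuer, and an Ingress per service that references the issuer. The manifests below are an added example rather than the post's own configuration; the IP range, hostname, e-mail address and Service name are assumptions.

```yaml
# Added example (not from the post): MetalLB hands ingress-nginx a single
# stable IP, cert-manager issues the certificate, the Ingress ties them together.
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ingress-pool
  namespace: metallb-system
spec:
  addresses:
    - 10.0.50.10/32            # assumed: the one address every HTTPS endpoint shares
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: ingress-l2
  namespace: metallb-system
spec:
  ipAddressPools:
    - ingress-pool
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com   # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultwarden
  namespace: vaultwarden
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    # Never serve the password manager over plain HTTP, even by accident.
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - vault.example.com     # assumed hostname
      secretName: vaultwarden-tls   # cert-manager creates and renews this Secret
  rules:
    - host: vault.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vaultwarden     # assumed Service name
                port:
                  number: 80
```

One caveat: the HTTP-01 solver only works if Let's Encrypt can reach the pool IP on port 80 from the internet. For names that should resolve only on the internal Bind9 zone, use a DNS-01 solver or a cert-manager CA issuer backed by a private CA instead, otherwise issuance will silently stall.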

KubeVirt

Full virtual machines running inside Kubernetes. CDI (Containerized Data Importer) handles importing VM disk images. This means I can run VMs for workloads that genuinely need them without standing up a separate hypervisor tier.

WireGuard

Secure tunneling between nodes and for remote access. Paired with MetalLB it's a clean way to expose internal services without punching holes in firewalls.

Tekton + Private Container Registry

CI/CD pipelines, in-cluster. Tekton builds images, pushes them to a private Docker registry also running in the cluster, and triggers deployments — the full loop without touching Docker Hub or any external registry.
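The "full loop without touching Docker Hub" can be expressed as one Tekton Task that clones, builds with kaniko (no Docker socket needed), and pushes to the in-cluster registry, plus a TaskRun that invokes it. This is an added example and not the homelab's pipeline; the repository URL, registry address, Secret name and namespace are assumptions.

```yaml
# Added example (not from the post): build in-cluster and push to the private
# registry, with no privileged containers and no external registry involved.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: build-push
  namespace: ci                  # assumed namespace
spec:
  params:
    - name: repo
      type: string
    - name: image
      type: string
  workspaces:
    - name: source
    - name: registry-creds       # mounted Secret containing config.json for the registry
  steps:
    - name: clone
      image: alpine/git
      workingDir: $(workspaces.source.path)
      script: |
        git clone --depth 1 "$(params.repo)" .
    - name: build-and-push
      # kaniko builds from a Dockerfile without a Docker daemon, so this step
      # runs unprivileged. Pin this image by digest in a real pipeline.
      image: gcr.io/kaniko-project/executor:latest
      env:
        - name: DOCKER_CONFIG
          value: $(workspaces.registry-creds.path)
      args:
        - --dockerfile=$(workspaces.source.path)/Dockerfile
        - --context=dir://$(workspaces.source.path)
        - --destination=$(params.image)
        - --reproducible      # strip timestamps so identical sources give identical digests
---
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  generateName: build-push-
  namespace: ci
spec:
  taskRef:
    name: build-push
  params:
    - name: repo
      value: ssh://git@git.example.internal/homelab/app.git   # assumed repo
    - name: image
      # assumed in-cluster registry Service; tag by commit, never reuse :latest
      value: registry.registry.svc.cluster.local:5000/app:sha-deadbeef
  workspaces:
    - name: source
      emptyDir: {}
    - name: registry-creds
      secret:
        secretName: registry-push-creds   # assumed push-only credentials
```

Give the pipeline credentials that can push but not delete, and give the deployments' `imagePullSecrets` a separate pull-only credential, so a compromised build step cannot remove or overwrite images already in use. The `--reproducible` flag pairs well with the Nix builds described below: the same inputs should produce the same image digest, which is what makes a deployment verifiable rather than merely successful.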

Nix

Build reproducibility. Nix defines build environments declaratively so that builds are identical regardless of what's on the host machine. The learning curve is brutal for humans but turns out to be perfect for AI agents — which is how most of my Nix configs get written these days.

NVIDIA Device Plugin

GPUs are first-class citizens in the cluster. The NVIDIA device plugin schedules GPU workloads across nodes, which is what makes the AI services below possible.

Bind9

Internal DNS, running as a cluster workload. All internal names resolve through this rather than leaking to a public resolver.


The Platform Layer

These are the OSS tools that turn raw Kubernetes into an actual platform.

Identity: OpenLDAP + Keycloak

The identity stack is two layers. OpenLDAP is the authoritative directory — the single source of truth for users and groups. Keycloak sits in front of it, providing OIDC and SAML to everything else. Every service that supports modern auth delegates to Keycloak; Keycloak delegates to LDAP. One login, everywhere, with a proper audit trail.
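One place the "Keycloak delegates to LDAP" chain can be extended, and which the post does not mention, is the Kubernetes API itself: the apiserver can accept Keycloak-issued OIDC tokens, so `kubectl` access is granted to LDAP groups rather than to long-lived admin kubeconfigs. The manifest below is an added example, not the homelab's configuration; the realm URL, client id and group names are assumptions.

```yaml
# Added example (not from the post): bind LDAP groups, surfaced through Keycloak,
# to Kubernetes RBAC. Assumes the apiserver was started with (kubeadm or
# otherwise) flags along these lines, which are real kube-apiserver options:
#   --oidc-issuer-url=https://keycloak.example.com/realms/homelab   # assumed realm
#   --oidc-client-id=kubernetes                                     # assumed client
#   --oidc-username-claim=preferred_username
#   --oidc-groups-claim=groups
#   --oidc-username-prefix=oidc:
#   --oidc-groups-prefix=oidc:
# The prefixes stop an OIDC user named "system:masters" from colliding with
# built-in Kubernetes identities.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: homelab-admins
subjects:
  - kind: Group
    name: oidc:homelab-admins      # assumed LDAP group, exposed via a Keycloak groups mapper
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: homelab-devs-view
  namespace: apps                  # assumed namespace
subjects:
  - kind: Group
    name: oidc:homelab-devs        # assumed LDAP group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

The Keycloak client needs a "groups" protocol mapper so the claim actually appears in the ID token, and the token lifetime should be short (minutes), since the apiserver has no way to revoke a token it has already accepted. The payoff is the audit trail the post mentions: removing someone from the LDAP group removes their cluster access everywhere at once.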

ERPNext

The most underrated piece of OSS business software in existence. ERPNext is a full batteries-included ERP — accounting, HR, CRM, purchasing, inventory, helpdesk — all in one. Running it on Kubernetes via the Frappe Bench Helm chart is not for the faint of heart, but it's worth it. This is the financial and operational backbone of the business.

OpenProject

Sophisticated open-source project management. Gantt charts, work packages, time tracking, agile boards — it handles the full project lifecycle. Far more capable than Jira for a fraction of the cost (i.e., zero).

Pulsar

Apache Pulsar as the event bus. A genuinely mature alternative to both Kafka and RabbitMQ — it handles both event streaming and traditional message queue patterns, with tiered storage built in. This is the event-sourcing backbone that services publish to and consume from.

Nextcloud

File sync, shared drives, calendars, contacts. Basically a self-hosted Google Workspace, minus the surveillance.

Vaultwarden

A lightweight Bitwarden-compatible server. All passwords, SSH keys, and secrets live here. The Bitwarden browser extension and mobile app work against it natively.

Stalwart Mail

A modern, all-in-one mail server (SMTP + IMAP + JMAP) written in Rust. No Postfix config nightmares, no Dovecot plumbing — just one binary with a web admin panel.

Matrix

Federated, self-hosted chat via the Matrix protocol. Decentralized by design, bridges to anything.

Gitolite

Self-hosted git. Lightweight, SSH-key-based access control. Not everything needs a GitHub clone.

Directus

Headless CMS with a REST/GraphQL API auto-generated from your database schema. Drop in a table, instantly get an API and a clean admin UI.

n8n

No-code/low-code workflow automation. Hundreds of integrations, self-hostable, no per-task pricing. Handles everything from webhook routing to scheduled data pipelines.


The AI Layer

Ollama

Pulls and serves local LLMs (Llama, Mistral, Qwen, etc.) via an OpenAI-compatible API. GPU-accelerated, fully local, no usage billing.
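The device plugin sentence above and this one meet in a single manifest: a Deployment that asks the scheduler for a GPU and lands on a node that has one. The example below is added here and is not the homelab's own manifest; the namespace, storage size and storage class are assumptions. The security point is that Ollama has no authentication of its own, so it is kept as a ClusterIP Service and only reached through the authenticated front-ends described in this section.

```yaml
# Added example (not from the post): schedule Ollama onto a GPU node via the
# NVIDIA device plugin's extended resource, and keep it internal-only.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ollama-models
  namespace: ai                      # assumed namespace
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: ceph-block       # assumed Rook/Ceph RBD class name
  resources:
    requests:
      storage: 200Gi                 # assumed; model weights are large
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ollama
  namespace: ai
spec:
  replicas: 1
  selector:
    matchLabels: {app: ollama}
  template:
    metadata:
      labels: {app: ollama}
    spec:
      securityContext:
        runAsNonRoot: false          # the stock image runs as root; assumed accepted risk
      containers:
        - name: ollama
          image: ollama/ollama:latest   # pin by digest in production
          ports:
            - containerPort: 11434
          env:
            - name: OLLAMA_HOST
              value: 0.0.0.0          # listen on the pod IP, not just loopback
          resources:
            limits:
              nvidia.com/gpu: 1      # the extended resource the device plugin advertises
          volumeMounts:
            - name: models
              mountPath: /root/.ollama
      volumes:
        - name: models
          persistentVolumeClaim:
            claimName: ollama-models
---
apiVersion: v1
kind: Service
metadata:
  name: ollama
  namespace: ai
spec:
  type: ClusterIP                    # no LoadBalancer, no Ingress: unauthenticated API stays internal
  selector: {app: ollama}
  ports:
    - port: 11434
      targetPort: 11434
```

`nvidia.com/gpu` is a limit-only resource: requesting it without a matching limit is rejected, and a pod that does not request it gets no GPU device nodes at all, which is the isolation the device plugin gives you for free. Open WebUI and ComfyUI then point at `http://ollama.ai.svc.cluster.local:11434` inside the cluster, and it is their Ingress, behind Keycloak, that does the authentication.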

ComfyUI

Node-based Stable Diffusion UI. The GPU cluster makes image generation fast enough to be practical.

Open WebUI

A polished chat interface that connects to Ollama and other OpenAI-compatible APIs. Self-hosted AI chat with full model control.


The Fun Stuff

Not everything on the cluster is serious infrastructure. A few personal projects that turned into actual deployments:

Whoop Sync — I wear a WHOOP fitness tracker, and the data is mine. This service pulls from the WHOOP API on a schedule and syncs it somewhere useful. Scratched an itch, took a weekend, runs forever.

MLS integration — A real estate data pipeline that pulls listing data and surfaces it through a search frontend. Turns out the MLS ecosystem is a fascinating mess of legacy standards, and building something clean on top of it is a worthy side project.

QR code and URL shortener — A dead-simple service for generating QR codes and short links under a custom domain. Low complexity, high daily use.

Playwright — Browser automation running as a cluster workload. Useful for testing, scraping, and anything that requires a real browser instead of a raw HTTP client.

Minecraft — The server has survived multiple cluster migrations. It will outlast all of us.


What It All Adds Up To

Forty-plus namespaces. One cluster. Eight servers.

The entire stack is declared in git, reconciled by Flux, stored on Ceph, and routed by nginx. The OSS ecosystem has reached a point where you can self-host the full stack a funded startup would run — ERP, project management, identity, storage, messaging, AI — with no SaaS subscriptions and full data ownership.

The picks I'd call genuinely unpopular are the right ones at scale: Pulsar over Kafka, ERPNext over QuickBooks + Salesforce + five other SaaS tools, OpenProject over Jira, Stalwart over a cobbled-together Postfix setup. Each one takes longer to set up and pays dividends forever.

If you're running a homelab and haven't gone full Kubernetes yet — the complexity curve is real, but so is the ceiling once you're through it.
