Proxmox Homelab: Your Private Cloud—Architecture, Services, and Setup
This project documents a Proxmox-based homelab: one (or more) hosts running Proxmox VE, with VMs and LXCs for DNS, reverse proxy, backup, VPN, monitoring, and optional self-hosted services. The goal is a reproducible, well-understood private cloud you can use for learning, development, and running your own stack. Tutorials will be added for each major component so you can follow along and end up with a working homelab—screenshots and diagrams will align with a real Proxmox setup.
Overview
- Hypervisor: Proxmox VE (KVM + LXC on Debian).
- Must-have services: DNS (Pi-hole/AdGuard), reverse proxy + TLS (Traefik or Nginx Proxy Manager), backup (Proxmox Backup Server or scheduled VM/LXC backups), VPN (WireGuard or Tailscale), dashboard (Homepage/Homarr).
- Good-to-have: Monitoring (Prometheus/Grafana or Pulse), uptime checks (Uptime Kuma), containers (Docker + optional Portainer), identity (Authelia/Keycloak), notifications (Gotify/ntfy).
- Optional: Firewall VM (OPNsense/pfSense), media (Jellyfin), storage (Nextcloud), password manager (Vaultwarden), Git + CI (Gitea + Woodpecker).
High-Level Architecture
```mermaid
flowchart TB
    subgraph Internet
        User[User / Devices]
    end
    subgraph Home["Home Network"]
        subgraph VPN["VPN (WireGuard / Tailscale)"]
            VPN_Gate[Secure Access]
        end
        subgraph Proxmox["Proxmox VE Host(s)"]
            direction TB
            VM1[VM: DNS / Technitium or Pi-hole]
            VM2[LXC/VM: Reverse Proxy]
            VM3[LXC/VM: Docker]
            VM4[VM: PBS / Backup]
            VM5[Other VMs/LXCs]
        end
        subgraph NAS["NAS / Storage (optional)"]
            Backup[(Backup Target)]
        end
        User --> VPN_Gate
        VPN_Gate --> Proxmox
        Proxmox --> Backup
    end
```
Service Layers (What Runs Where)
```mermaid
flowchart LR
    subgraph Layer1["Layer 1: Foundation"]
        DNS[DNS / Ad-block]
        Proxy[Reverse Proxy + TLS]
        Backup[Backup]
    end
    subgraph Layer2["Layer 2: Access & Ops"]
        VPN[VPN]
        Dashboard[Dashboard]
        Monitor[Monitoring]
    end
    subgraph Layer3["Layer 3: Apps"]
        Docker[Docker / Containers]
        Auth[Identity / SSO]
        Apps[Media, Git, etc.]
    end
    DNS --> Proxy
    Proxy --> Dashboard
    Backup --> Layer2
    VPN --> Layer2
    Layer2 --> Layer3
```
Must-Have Tools and Services
| Component | Suggested tool(s) | Purpose | Tutorial (planned) |
|---|---|---|---|
| Hypervisor | Proxmox VE | Run VMs and LXCs; central management | Proxmox install & base config |
| DNS / Ad-block | Pi-hole, AdGuard Home, or Technitium | Internal DNS, ad blocking, stable names | Technitium DNS chain: Create VM 112-Technitium-DNS_Server → Docker & utilities → Technitium in Docker → Primary DNS & router. Or: DNS LXC/VM (Pi-hole/AdGuard) (planned) |
| Reverse proxy | Traefik or Nginx Proxy Manager | HTTPS, single entry point, host-based routing | Reverse proxy + TLS |
| Backup | Proxmox Backup Server (PBS) or VM backup to NAS | Incremental backups, restore capability | Backup strategy & PBS |
| VPN | WireGuard or Tailscale | Secure remote access without opening many ports | VPN (WireGuard or Tailscale) |
| Dashboard | Homepage, Homarr, or Heimdall | Central links to all services | Dashboard setup |
Good-to-Have Tools and Services
| Component | Suggested tool(s) | Purpose | Tutorial (planned) |
|---|---|---|---|
| Monitoring | Prometheus + Grafana, or Pulse | Metrics, dashboards, alerts | Monitoring stack |
| Uptime & certs | Uptime Kuma | Uptime checks, certificate expiry | Uptime Kuma |
| Containers | Docker (in LXC or VM) + Portainer (optional) | Run containerized apps | Docker on Proxmox |
| Identity | Authelia or Keycloak | SSO for web apps | Identity (Authelia/Keycloak) |
| Notifications | Gotify, ntfy, webhooks | Alerts to phone/chat | Notifications |
Optional Services (By Need)
| Category | Examples |
|---|---|
| Network | OPNsense / pfSense VM (firewall, VLANs) |
| Media | Jellyfin, Sonarr, Radarr |
| Storage / sync | Nextcloud, PhotoPrism |
| Secrets | Vaultwarden (Bitwarden-compatible) |
| Code & CI | Gitea, Woodpecker CI / Drone |
| Kubernetes | K3s or kubeadm on VMs |
Proxmox-Specific Notes
- Single node: One Proxmox host can run 20–30+ VMs/LXCs; start here.
- Storage: Local ZFS, NFS, or iSCSI (e.g. from TrueNAS) for VM disks; plan for backup destination (second disk, NAS, or PBS).
- LXCs vs VMs: Use LXCs for lightweight services (DNS, proxy, Docker host); use VMs when you need a full kernel or non-Linux.
- Screenshots and diagrams: The tutorials in this project will use a real Proxmox homelab; you can match your setup to the same layout and add your own screenshots as you go.
Network (Simplified)
- Management: Proxmox host, PBS, and critical infrastructure (e.g. a management-only VLAN if you scale).
- Services: VLAN or subnet for app VMs/LXCs; reverse proxy as single HTTPS entry.
- VPN: WireGuard/Tailscale for remote access, so the dashboard and Proxmox UI do not need to be exposed to the internet.
(Optional) As you grow: separate VLANs for management, services, IoT, and guest—documented in later tutorials.
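To check the layout above on a running host, the following added example (not part of the original project) parses `ss -H -tln` output and reports management listeners that are not confined to loopback or the management subnet. The subnet `192.168.10.0/24`, the port list, and the sample `ss` lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions for this example (not from the page): the management subnet and
# the ports treated as management (8006 = Proxmox VE UI, 8007 = PBS UI, 22 = SSH).
MGMT_NET = ipaddress.ip_network("192.168.10.0/24")
MGMT_PORTS = {22: "SSH", 8006: "Proxmox VE web UI", 8007: "PBS web UI"}

# Constructed sample of `ss -H -tln` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 4096 *:8006 *:*
LISTEN 0 128 192.168.10.5:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 192.168.20.10:8007 0.0.0.0:*
LISTEN 0 511 192.168.20.10:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:85 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line of `ss -H -tln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        # Drop a %interface suffix first, then the IPv6 brackets.
        yield addr.split("%")[0].strip("[]"), int(port)


def audit(ss_output, mgmt_net=MGMT_NET, mgmt_ports=MGMT_PORTS):
    """Return (port, address, reason) for management listeners that are not
    confined to loopback or the management subnet."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in mgmt_ports:
            continue
        if addr in ("*", "0.0.0.0", "::"):
            findings.append((port, addr, "bound to all interfaces"))
            continue
        ip = ipaddress.ip_address(addr)
        if not ip.is_loopback and ip not in mgmt_net:
            findings.append((port, addr, "outside management subnet"))
    return findings


if __name__ == "__main__":
    # On a real host, feed in: subprocess.run(["ss", "-H", "-tln"], ...).stdout
    for port, addr, reason in audit(SAMPLE_SS):
        print(f"{MGMT_PORTS[port]} on {addr}:{port}: {reason}")
```

A wildcard bind is not internet exposure by itself; it means the firewall and VLAN rules are the only thing keeping that service inside the management segment.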
Tutorial Roadmap (From This Project)
We will add step-by-step tutorials so you can build this homelab end to end:
- Proxmox Homelab Setup — Tutorial landing: order of operations and links to each step.
- Technitium DNS (full stack, available) — Create VM 112-Technitium-DNS_Server (Ubuntu 24, 4GB, 2 cores, static IP) → Docker, Docker Compose & utilities → Technitium DNS in Docker → Technitium as primary DNS & router DHCP. End-to-end DNS with router DHCP.
- Proxmox VE install & base config — Install, storage, network, and first LXC (planned).
- DNS (Pi-hole / AdGuard) — LXC or VM, internal DNS and ad-blocking (planned; or use Technitium chain above).
- Reverse proxy + TLS — Traefik or Nginx Proxy Manager, HTTPS for services (planned).
- Backup — Proxmox Backup Server or scheduled backups to NAS/local (planned).
- VPN — WireGuard or Tailscale for secure access (planned).
- Dashboard — Homepage/Homarr so all services are one click away (planned).
- Monitoring (good-to-have) — Prometheus + Grafana or Pulse (planned).
- Docker on Proxmox (good-to-have) — LXC or VM as Docker host (planned; or use Technitium VM as Docker host).
- Optional services — Per-service tutorials (identity, media, Git, etc.) as we add them.
Each tutorial will link back to this project and to the homelab blog.
Project Structure (Logical)
```text
Proxmox host
├── Proxmox VE (host)
├── VM: DNS — e.g. 112-Technitium-DNS_Server (Technitium in Docker) or LXC: Pi-hole / AdGuard
├── LXC/VM: Reverse proxy (Traefik / NPM)
├── LXC/VM: Docker host (optional; Technitium VM can double as one)
├── LXC/VM: Dashboard (Homepage / Homarr)
├── VM: Proxmox Backup Server (or backup target)
├── VPN: WireGuard or Tailscale (on host or small VM)
└── Optional: OPNsense, Jellyfin, Gitea, etc.
```
Related Content
- Homelab: Why Every DevOps Engineer Should Have One — Why homelab, pros/cons, must-have vs good-to-have services.
- Proxmox Homelab Setup (Tutorial) — Step-by-step path; per-service tutorials link from there.
- Technitium DNS stack: Create VM 112-Technitium-DNS_Server → Docker & utilities → Technitium in Docker → Primary DNS & router.
As we publish each service tutorial, we’ll add it to the roadmap above and keep this project as the single place for architecture, tools, and diagrams.