Homelab Infrastructure
Kubernetes homelab with Grafana, Prometheus, Vault, WireGuard VPN, and Caddy reverse proxy
kubernetes k3d grafana prometheus wireguard caddy vault docker
My homelab runs a full SRE-grade observability stack on top of Kubernetes (k3d), with public exposure brokered through a VPS via WireGuard.
Architecture
The request path is designed to keep the homelab isolated from the public internet. Cloudflare terminates TLS at the edge, a VPS handles the reverse proxy, and a WireGuard tunnel carries traffic the rest of the way into the cluster:
Internet → Cloudflare → VPS (Caddy reverse proxy) → WireGuard tunnel → Homelab K8sStack
| Layer | Tool |
|---|---|
| Orchestration | Kubernetes via k3d |
| Monitoring | Prometheus + Grafana + Alertmanager |
| Logging | Loki + Grafana Alloy |
| Tracing | Tempo (OpenTelemetry) |
| Secrets | HashiCorp Vault |
| Reverse proxy | Caddy on a VPS |
| VPN | WireGuard tunnel |
| DNS / CDN | Cloudflare (mixed proxy mode) |
| CI/CD | GitHub Actions → GHCR → GitOps |
Monitoring
Every service ships telemetry to Grafana, which acts as the single pane of glass across all three observability signals:
- Dashboards — 35+ panels covering cluster, application, and infrastructure health.
- Alerting — routed through Alertmanager to Telegram.
- SLOs — burn-rate policies drive paging decisions rather than raw thresholds.