Ansible Homelab Automation — Infrastructure as Code for Docker and Linux Servers

Practical Ansible homelab automation guide — playbook structure, Docker container deployment with community.docker, ansible-vault secrets, Jinja2 templates, Git workflow, and full project template.

May 13, 2026 · 11 min · 2330 words · GnTech

Docker MACVLAN and IPVLAN — Giving Containers Real LAN IPs in Your Homelab

Step-by-step Docker MACVLAN and IPVLAN guide — give containers real LAN IPs for Pi-hole, Home Assistant, Scrypted. Host communication fix, Proxmox gotcha, multi-network Compose examples.

May 13, 2026 · 10 min · 2007 words · GnTech

Docker Container Resource Limits — CPU, Memory, and I/O Constraints for Homelabs

Practical Docker container resource limits guide for homelabs — CPU quota/pinning, memory hard/soft limits, swap control, block I/O throttling, cgroup v2 differences, and Docker Compose examples.

May 13, 2026 · 9 min · 1815 words · GnTech

Linux Sysctl Kernel Tuning for Homelabs — Network, Memory, and Docker Performance

Complete Linux sysctl kernel tuning guide for homelab servers. Network buffers, BBR congestion control, OOM management, fs.inotify limits, and Docker-specific sysctl configs.

May 13, 2026 · 12 min · 2356 words · GnTech

Auto-Update Docker Containers — Watchtower with Selective Rules, Notifications, and Graceful Rollouts

Keeping Docker containers updated is the kind of chore you automate once and forget about — until a container silently runs a four-month-old image with five CVEs because you forgot to run docker compose pull && docker compose up -d. Watchtower solves this. It watches your running containers, checks for new images, and restarts them with the latest tag — all on a cron schedule. But a naive “update everything” setup will break your database container and nuke your uptime. ...

May 11, 2026 · 9 min · 1777 words · GnTech

Docker Bypasses UFW — How to Fix Firewall Rules Properly

You set up UFW. You configured default deny incoming, opened only ports 22 and 443. You checked ufw status verbose — everything looks right. Then you spin up a Postgres container publishing port 5432, and suddenly port 5432 is open to the whole internet. Your UFW rules didn’t stop it. This isn’t a bug. Docker modifies iptables directly in ways that bypass user-level firewall tools like UFW. Every docker run -p creates a raw iptables DNAT rule that sits above UFW’s INPUT chain. The result: containers are exposed regardless of your UFW policy. ...

May 10, 2026 · 6 min · 1217 words · GnTech

Traefik as a Reverse Proxy for Docker — Automatic TLS, Routing, and Middleware

If your Docker homelab has more than three web services, you need a reverse proxy. Without one, every container exposes its own port, you manage certificates by hand (or skip HTTPS entirely), and changing a service’s URL means editing Nginx configs and reloading. Traefik solves all of this. It watches the Docker socket, discovers new containers automatically, provisions Let’s Encrypt certificates for any hostname you define via Docker labels, and handles middleware (auth, rate limiting, headers) without touching a static config file. ...

May 9, 2026 · 10 min · 2076 words · GnTech

Homelab Monitoring — Prometheus, Grafana, Loki, and Exporters on Docker

Every homelab needs observability. Not because you’re running a production SLA — because you can’t fix what you can’t see. Running out of disk on the ZFS pool at 3 AM, a Docker container silently OOM-killed, or the Frigate NVR eating 100% CPU for hours — these are the things you catch with a monitoring stack, not by noticing the UI feels sluggish. This post covers a full Prometheus + Grafana + Loki stack deployed on Docker in a Proxmox LXC, with metrics from the host, Docker containers, and system logs collected into one dashboard. ...

May 9, 2026 · 10 min · 2040 words · GnTech

Docker Compose Patterns for Homelab Stacks

Docker Compose is the default orchestration tool for most homelab setups. It’s not Kubernetes, but it doesn’t need to be — a well-structured Compose file with proper environment management, networking, and health checks will serve a single-host stack for years without drama. This post covers the patterns I use across my Proxmox Docker hosts. These aren’t theoretical — they’re what’s running right now on the homelab. Note: Some examples are partial Compose snippets meant to demonstrate one pattern at a time. When copying them into a real compose.yml, make sure referenced services, images, secrets, volumes, and networks are also defined. ...

May 8, 2026 · 12 min · 2551 words · GnTech

Proxmox LXC vs Docker — Picking the Right Container for Every Homelab Job

If you run Proxmox VE, you’ve got two container runtimes at your fingertips — LXC (built into Proxmox) and Docker (nested in an LXC or VM). Both are “containers” in the broad sense, but they solve different problems. Picking wrong means performance you don’t need or isolation you don’t have. This post walks through the decision criteria, backed by configs from an existing homelab running Proxmox 8.x with VLAN segmentation. ...

May 8, 2026 · 5 min · 985 words · GnTech