My homelab/homeprod deployed with Ansible

Artur's Homelab

This repo contains Ansible roles to deploy my homelab/self-hosted stack.

Overview

I like the idea of Infrastructure as Code, automation, and reproducible builds. This is my attempt to achieve this for my homelab.

What's a homelab?

It's a hardware and software experimental laboratory for you to test and break bleeding-edge technologies. And learn, learn so much about how the internet works, what's behind the scenes of common cloud services and large websites, and much more.

At the same time, a homelab can be your production environment to run self-hosted services to enhance your quality of life, while achieving maximum privacy, because all of your data is under your control.

To learn more, consult /c/selfhosted, /r/homelab, and /r/selfhosted.

Hardware

  • Intel NUC11ATKC4:

    • CPU: Intel Celeron N5105 @ 2.00GHz
    • RAM: 32GB
    • SSD: 1TB
  • Dell OptiPlex 3000 Micro:

    • CPU: Intel(R) Core(TM) i5-12500T @ 4.40GHz
    • RAM: 64GB
    • SSD: 2TB

Software

All the services are deployed via Podman Quadlets.

Software            Purpose
Actual Budget       Budgeting
Authentik           Single-Sign On
Changedetection     Detect website changes
FreshRSS            Follow RSS feeds
Librechat           API access to multiple LLMs
Paperless-ngx       Document management
Readeck             Read-it-later
Stirling-PDF        PDF manipulation
Grafana             Observe homelab with nice charts
Homepage            ...Homepage
Prometheus          Collect data for Grafana
Speedtest-tracker   Measure Internet speed
Uptime Kuma         Monitor uptime
Infisical           Secret management

I also deploy Forgejo for version control and Immich for photos with Nix. See my NixOS repo here.

Bitwarden and ansible-vault

This article explains how to retrieve the ansible-vault password from Bitwarden.

Add to ansible.cfg:

[defaults]
vault_password_file = ./vault-pass.sh

Then ./vault-pass.sh:

#!/usr/bin/env bash

set -e

rbw get "ansible-vault"

If rbw does not have a password cached, it will ask you.
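A stricter variant of vault-pass.sh, added here as an example and not part of this repo: it refuses to run if the script file is writable by group or others, and exits non-zero instead of printing an empty password when the lookup fails. The function names (perms_ok, fetch_secret, main) are hypothetical; the rbw entry name "ansible-vault" and the file name vault-pass.sh are the ones used above.

```bash
#!/usr/bin/env bash
# Added example (not the repo's script): fail-closed vault password client.
set -eu

# perms_ok PATH: succeed only if PATH is not group- or world-writable.
# Anyone who can edit this script can capture the vault password it prints.
perms_ok() {
    # find prints the path only when one of the loose write bits is set
    loose=$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "vault-pass: $1 is writable by group/others" >&2
        return 1
    fi
}

# fetch_secret CMD [ARGS...]: run the lookup, capture its output first,
# and only print it if the command succeeded and returned something.
fetch_secret() {
    secret=$("$@") || { echo "vault-pass: '$1' failed" >&2; return 1; }
    if [ -z "$secret" ]; then
        echo "vault-pass: lookup returned an empty secret" >&2
        return 1
    fi
    printf '%s\n' "$secret"
}

main() {
    command -v rbw >/dev/null 2>&1 || {
        echo "vault-pass: rbw not found in PATH" >&2
        return 1
    }
    perms_ok "$0" || return 1
    # Only the password goes to stdout; every diagnostic goes to stderr.
    fetch_secret rbw get "ansible-vault"
}

# Act as the password client only when invoked under the name used in
# ansible.cfg, so the functions can be sourced and tested on their own.
case "${0##*/}" in
    vault-pass.sh) main ;;
esac
```

The script must keep its executable bit: Ansible runs an executable vault_password_file and reads a non-executable one as the password itself.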

Caddy reverse proxy

See details in roles/deploy_caddy/README.md.

Tailscale deployment

  1. export TAILSCALE_KEY=<tailscale_key>.
  2. ansible-playbook playbooks/install_tailscale.yaml.
  3. To reauth a Tailscale node, run the first command and then ansible-playbook playbooks/reauth_tailscale.yaml.

Proxmox Backup Server

See details in roles/setup_pbs/README.md.

LibreChat Troubleshooting

See details in roles/deploy_services/README.md.

Roadmap

  • Implement HashiCorp Vault/Infisical or other external secret management to remove my reliance on Ansible Vault. Update: partially implemented. I now deploy Infisical on a separate VM.
  • Tailscale deployment
  • Merge this repo with my Caddy deployment

Availability

The repo is available on my personal Forgejo instance, Codeberg and GitHub.

The GitHub repo is updated every 144 hours. The Codeberg repo is updated every 8 hours.

Thanks

  1. Ansible Collection - devsec.hardening. I used their code to dynamically generate my sshd configuration.