Let’s cut the nostalgia. Your first homelab? Mine was a sad dual-core laptop sweating bullets in the corner. It “worked” – if you enjoy debugging at 2 AM and security practices that’d give a SOC analyst nightmares. It was a toy. A learning experience, sure, but fragile, inconsistent, and frankly, embarrassing. When I finally upgraded to real server hardware, I didn’t migrate the mess. I nuked it. Started from scratch. Because infrastructure isn’t art – it’s engineering. And engineering demands repeatability, security, and not wasting your finite life on manual crap.
Why a Scorched-Earth Policy Was Non-Negotiable
That old setup? Spaghetti code in YAML form. Ad-hoc deployments. Zero audit trail. If it broke (and it did), recovery was archaeology, not operations. The new gear deserved better. Infrastructure as Code (IaC) isn’t a buzzword; it’s the bedrock of sanity. Version control. Declarative config. Reproducibility. If it’s not in Git, it doesn’t exist. Period.
The Stack: Proxmox, Docker Compose, and Git (The Holy Trinity)
Proxmox as the hypervisor. Lightweight. KVM-based. Does the job without VMware’s tax. Inside it? A lean Ubuntu VM. Everything runs under Docker Compose. Why?
- Disaster Recovery: Server melts? `git clone`, `docker compose up -d`. Back online before your coffee’s cold.
- Consistency: The exact same config runs on my laptop, the server, or a cloud VM. No snowflakes.
- Version Control: Every change is tracked. Rollbacks are a `git revert` away. History matters.
The Services (The Workhorses):
- Jellyfin: Open-source Plex. Does streaming right without phoning home.
- The *arr Suite (Radarr/Sonarr/Prowlarr/Bazarr): Automation. They find it, grab it, organize it, subtitle it. Set it and (mostly) forget it.
- qBittorrentVPN: Locked inside a Gluetun VPN container. Torrent traffic only goes through the VPN tunnel. My ISP gets zero hints. Local LAN access for Jellyfin? Unaffected. Clean separation.
- Watchtower + Unattended-Upgrades: Yes, auto-updates. Heresy in production? Absolutely. Essential for a homelab? Damn right. I value my time. The risk/reward calculus here is simple: low risk (it’s my lab), massive time reward. If it breaks? See Disaster Recovery above. Takes minutes.
Security: It’s Not Optional, It’s the Default
Forget bolting it on later. Security starts at design.
- Internal Docker Networks: Containers chat over private, isolated networks. Why expose ports to the host unless absolutely necessary? You wouldn’t punch random holes in your firewall. Don’t do it in Docker.
- VPN Container Choke Point: Torrent traffic gets one path: out via the VPN container. Everything else stays local. No leaks. No excuses. This is basic network segmentation.
- No Public-Facing Ransomware Invites (Yet): Unlike the dark days of the laptop lab, nothing is exposed directly to the internet. A reverse proxy (Traefik/Caddy) comes next, but only with strict auth. Baby steps done right.
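As an added illustration of the two points above (constructed for this post, not the author’s actual compose file): a `backend` network marked `internal: true` has no route to the host or the internet, so its members can only talk to each other, and qBittorrent shares Gluetun’s network namespace, so its only path out is the tunnel. Image names are the projects’ published images; the provider name, credentials, volume paths and the published port 8096 are placeholders I chose.

```yaml
# Constructed example; adjust Gluetun's VPN_*/FIREWALL_* variables to the
# provider and Gluetun version you actually run (see its documentation).
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add: [NET_ADMIN]
    devices: ["/dev/net/tun:/dev/net/tun"]
    environment:
      VPN_SERVICE_PROVIDER: "<provider>"      # placeholder
      OPENVPN_USER: "<vpn-user>"              # placeholder
      OPENVPN_PASSWORD: "<vpn-password>"      # placeholder
    # lan: reaches the VPN server. backend: lets the arr apps reach qBittorrent
    # at gluetun:8080 without any port ever being published on the host.
    networks: [lan, backend]
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    # Shares Gluetun's network stack: no own interface, no own ports. If the
    # tunnel drops, Gluetun's firewall leaves this container with no network
    # at all rather than a leak onto the ISP link.
    network_mode: "service:gluetun"
    depends_on: [gluetun]
    volumes: ["./qbittorrent:/config", "./downloads:/downloads"]
    restart: unless-stopped

  radarr:
    image: lscr.io/linuxserver/radarr
    # lan for metadata lookups, backend to hand jobs to qBittorrent. No host
    # port: its UI waits for the authenticated reverse proxy mentioned above.
    networks: [lan, backend]
    volumes: ["./radarr:/config", "./downloads:/downloads", "./media:/media"]
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin
    networks: [lan]
    ports: ["8096:8096"]            # the one deliberately published port: LAN streaming
    volumes: ["./jellyfin:/config", "./media:/media:ro"]
    restart: unless-stopped

networks:
  lan: {}                 # ordinary bridge: NAT out through the host
  backend:
    internal: true        # no default gateway, no masquerade: members only see each other
```

`docker compose up -d` brings it up; `docker inspect <container> --format '{{json .NetworkSettings.Networks}}'` shows qbittorrent with no networks of its own, which is the point.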
The Hard-Won Truths (My Homelab Manifesto)
- IaC Pays Off IMMEDIATELY, Even Solo: Ansible to provision the Proxmox VM. Terraform for my AWS tinkering. Docker Compose for the apps. Everything as code. Rebuilding is trivial. Experimentation is safe. Documentation is automatic. This isn’t overkill; it’s the minimum viable professionalism. If you’re manually SSH’ing to configure things in 2025, you’re doing it wrong.
- Internal Docker Networking is Criminally Underrated: It’s simple. It’s free. It drastically shrinks your attack surface. Stop exposing ports like it’s 1999. Use `internal:` networks and connect only what needs to talk. Period.
- Hardware is Overrated; Design is King: My “server”? Refurbished enterprise gear. It’s not bleeding edge. The power comes from clean architecture, automation, and IaC. A well-designed system on modest hardware runs circles around an expensive box running manual junk. Focus on the how, not the GHz.
The Result: Engineering Wins
Gone are the nights of babysitting services. Updates happen. Content appears. Jellyfin streams. If I break something experimenting? Fixed in minutes, not hours. This homelab isn’t just functional; it’s resilient. It’s a platform for learning useful skills, not a time sink.
The lesson isn’t subtle: Stop tolerating fragile setups. Embrace IaC ruthlessly. Lock down security from line one. Automate relentlessly where the risk allows. Rebuild with intent. Your time is worth more than fighting your own infrastructure.
Follow my journey with infrastructure, development, and open source at willemnekker.com/blog or connect with me on LinkedIn.