kombify Cloud enables you to manage cloud VPS and local home servers as a single logical infrastructure, with secure networking and unified configuration.

What is hybrid infrastructure?

Traditional infrastructure management treats cloud and on-premises as separate worlds. kombify Cloud unifies them:

  • Cloud resources: VPS instances from Hetzner, AWS, Azure, or any cloud provider
  • Local resources: Physical servers, Raspberry Pis, NAS devices in your homelab

Result: One spec file, one control plane, one network mesh.

Architecture

┌─────────────────────────────────────────────────────────┐
│               kombify Cloud CONTROL PLANE               │
│                (kombify TechStack Core)                 │
└────────────────────────────┬────────────────────────────┘

              ┌──────────────┴──────────────┐
              │                             │
              ▼                             ▼
    ┌─────────────────┐           ┌─────────────────┐
    │  Cloud Nodes    │           │  Local Nodes    │
    │  (VPS)          │           │  (Homelab)      │
    ├─────────────────┤           ├─────────────────┤
    │ • Hetzner VPS   │           │ • Main Server   │
    │ • AWS EC2       │           │ • Raspberry Pi  │
    │ • Azure VM      │           │ • NAS Device    │
    └────────┬────────┘           └────────┬────────┘
             │                             │
             └──────────────┬──────────────┘
                            │
                            ▼
                  ┌─────────────────┐
                  │  Headscale VPN  │
                  │  (Mesh Network) │
                  └─────────────────┘

Node types

kombify Cloud distinguishes between different node types:
| Type | Location | Provider | Use case |
| --- | --- | --- | --- |
| VPS | Cloud | hetzner, aws, azure | Public-facing services, edge locations |
| Local | Homelab | local | Private services, storage, compute |
| Hybrid | Both | Mixed | Distributed applications |

Example: Hybrid setup

kombination.yaml
version: "1.0"
name: hybrid-homelab
kit: modern-homelab

nodes:
  # Cloud VPS for public services
  - name: vps-web
    type: main
    provider: hetzner
    location: nbg1
    size: cx11
    ssh:
      user: root
    
  # Local server for private services
  - name: local-storage
    type: worker
    provider: local
    ssh:
      host: 192.168.1.100
      user: admin
  
  # Local compute node
  - name: local-compute
    type: worker
    provider: local
    ssh:
      host: 192.168.1.101
      user: admin

services:
  # Public services on VPS
  - name: traefik
    node: vps-web
    type: reverse-proxy
    config:
      public_domain: myapp.com
  
  # Private services on local
  - name: plex
    node: local-storage
    type: media-server
  
  - name: nextcloud
    node: local-storage
    type: file-sync

Secure networking with Headscale

kombify Cloud uses Headscale (a self-hosted, open-source implementation of the Tailscale control server) to create a secure mesh network between all nodes.

How it works

1. Headscale deployment

kombify TechStack automatically deploys Headscale on your main node:

services:
  - name: headscale
    type: vpn-control-plane
    auto_deploy: true

2. Node registration

Each node registers with Headscale and receives a WireGuard configuration:

# Automatic during provisioning
# <node-key> is a placeholder for the key reported by the joining node
headscale nodes register --user homelab --key <node-key>

3. Mesh connectivity

All nodes can communicate securely via their Headscale IPs:

vps-web:        100.64.0.1
local-storage:  100.64.0.2
local-compute:  100.64.0.3

Benefits

  • Zero-trust security: Encrypted WireGuard tunnels between all nodes
  • NAT traversal: Access local nodes from anywhere without port forwarding
  • Private networking: Services communicate over private mesh, not public internet
  • Self-hosted: No reliance on Tailscale cloud infrastructure

Provider support

Supported providers

| Provider | Status | Node types | Authentication |
| --- | --- | --- | --- |
| Local | ✅ Stable | Physical servers, VMs | SSH key |
| Hetzner Cloud | 🟡 Planned | VPS | API token |
| AWS | 🟡 Planned | EC2 | IAM credentials |
| Azure | 🟡 Planned | VMs | Service principal |
| Docker | ✅ Stable | Containers | Docker socket |

Provider configuration

nodes:
  - name: homelab-server
    provider: local
    ssh:
      host: 192.168.1.100
      user: admin
      key_path: ~/.ssh/id_ed25519

Use cases

1. Public web + private storage

# VPS for public-facing web services
- name: vps-web
  provider: hetzner
  services: [traefik, web-app]

# Local NAS for storage
- name: local-nas
  provider: local
  services: [nextcloud, plex]

Why: Keep sensitive data at home, serve public content from cloud

2. Edge computing

# Multiple edge locations
- name: edge-us-east
  provider: aws
  region: us-east-1

- name: edge-eu-west
  provider: hetzner
  location: nbg1

# Central homelab for management
- name: homelab-control
  provider: local

Why: Low-latency access for users in different regions

3. Backup and redundancy

# Primary homelab
- name: primary-server
  provider: local
  services: [traefik, immich, authelia]

# Cloud backup target
- name: backup-vps
  provider: hetzner
  services: [restic-server]

Why: Local performance with off-site backups for disaster recovery

Networking considerations

Firewall rules

kombify TechStack automatically configures firewalls based on service requirements:

services:
  - name: traefik
    type: reverse-proxy
    firewall:
      allow:
        - port: 80
          source: 0.0.0.0/0
        - port: 443
          source: 0.0.0.0/0
        - port: 8080
          source: 100.64.0.0/10  # Headscale mesh only

DNS management

For cloud nodes with public IPs:

services:
  - name: traefik
    config:
      domain: myapp.com
      dns_provider: cloudflare
      dns_api_token: ${CLOUDFLARE_TOKEN}
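
The firewall and DNS snippets above imply three rules: only web ports are open to 0.0.0.0/0, everything else is limited to the 100.64.0.0/10 mesh range, and API tokens are referenced as ${VAR} rather than written into the spec. The following pre-deployment audit is an added example, not kombify code; the `audit` function, the `PUBLIC_OK` allowlist, the hypothetical `admin-ui` service and the sample spec are constructed for illustration.

```python
import ipaddress
import re

MESH = ipaddress.ip_network("100.64.0.0/10")      # Headscale mesh range shown on this page
PUBLIC_OK = {80, 443}                             # assumption: only web ports may be world-open
ENV_REF = re.compile(r"^\$\{[A-Z_][A-Z0-9_]*\}$")  # e.g. ${CLOUDFLARE_TOKEN}

# Constructed sample: the page's traefik rules plus a hypothetical service with three mistakes.
SPEC = {
    "services": [
        {"name": "traefik",
         "firewall": {"allow": [
             {"port": 80, "source": "0.0.0.0/0"},
             {"port": 443, "source": "0.0.0.0/0"},
             {"port": 8080, "source": "100.64.0.0/10"}]},
         "config": {"dns_api_token": "${CLOUDFLARE_TOKEN}"}},
        {"name": "admin-ui",
         "firewall": {"allow": [
             {"port": 8443, "source": "0.0.0.0/0"},       # admin port open to the internet
             {"port": 5432, "source": "100.0.0.0/8"}]},    # wider than the mesh range
         "config": {"dns_api_token": "cf-literal-token"}}, # secret written into the file
    ]
}

def audit(spec):
    """Return (service, item, problem) tuples for exposure risks in a parsed spec."""
    findings = []
    for svc in spec.get("services", []):
        for rule in svc.get("firewall", {}).get("allow", []):
            src = ipaddress.ip_network(rule["source"], strict=False)
            port = rule["port"]
            if src.prefixlen == 0:                 # 0.0.0.0/0 or ::/0
                if port not in PUBLIC_OK:
                    findings.append((svc["name"], port, "world-open non-web port"))
            elif src.version != MESH.version or not src.subnet_of(MESH):
                findings.append((svc["name"], port, "source outside mesh range"))
        for key, val in svc.get("config", {}).items():
            if ("token" in key or "secret" in key) and not ENV_REF.match(str(val)):
                findings.append((svc["name"], key, "literal secret in spec"))
    return findings

if __name__ == "__main__":
    for finding in audit(SPEC):
        print(*finding, sep=": ")
```

The page's own traefik rules pass cleanly; a source such as a LAN subnet is reported because the check assumes all inter-node traffic should arrive over the mesh.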

Best practices

Deploy public-facing services (web apps, APIs) on cloud VPS for:
  • Better uptime (no home internet dependency)
  • DDoS protection
  • Geographic distribution

Store personal data, backups, and media on local servers:
  • Full control over data
  • No cloud storage costs
  • Faster local access

Route all inter-node traffic through the VPN mesh:
  • Encrypted by default
  • Works across NAT
  • No exposed ports

Monitor connectivity between cloud and local nodes:

monitoring:
  health_checks:
    - name: vpn-connectivity
      type: ping
      targets: [vps-web, local-storage]
      interval: 60s

Next steps

  • StackKits system: Learn about infrastructure blueprints
  • Simulation first: Test hybrid setups with kombify Simulate
  • Deploy hybrid infrastructure: Follow the kombify TechStack quickstart
  • Networking guide: Configure VPN and networking