Skip to main content
The Modern Homelab Kit brings multi-node hybrid infrastructure to your homelab. Designed for advanced users who need public-facing services, cloud+local server setups, and full observability across nodes.
Schema-only — This StackKit has a CUE schema defined but is not yet functional. Use the Base Kit for production deployments.

Overview

Key features

Multi-Node Docker

Deploy across cloud VPS and local servers

Coolify PaaS

Professional deployment platform for multi-node setups

VPN Overlay

Headscale/Tailscale for secure inter-node communication

Full Observability

Prometheus, Grafana, Loki (PLG) monitoring stack

Automatic TLS

Let’s Encrypt certificates via Traefik

Public Access

Services accessible from the internet by default

Requirements

ResourceCloud Node (VPS)Local NodeTotal Minimum
Nodes1 VPS1+ local2+
CPU2 cores4 cores6 cores
RAM4 GB8 GB12 GB
Storage50 GB SSD100 GB150 GB
NetworkPublic IPv4, 1 GbpsLAN access
Additional prerequisites:
  • Own domain with DNS control (e.g., Cloudflare, Hetzner DNS)
  • DNS provider API access for automated TLS provisioning
  • SSH access to all nodes
The Modern Homelab Kit has higher complexity and resource requirements than the Base Kit. If you only need a single local server, use the Base Kit instead.

Architecture deep dive

Hybrid topology

The Modern Homelab Kit connects cloud and local infrastructure using a VPN overlay: Traffic flow:
  1. Public requests hit Traefik on the cloud VPS
  2. Traefik routes to Coolify-managed applications
  3. Applications on local nodes are reached via the Headscale VPN tunnel
  4. Local nodes never expose ports to the public internet

Observability stack

ComponentPurposeDefault Config
PrometheusMetrics collection15d retention, 15s scrape interval
GrafanaVisualizationPre-built dashboards
LokiLog aggregation7d retention
PromtailLog shippingPer-node agent
Node ExporterHardware metricsPer-node agent
cAdvisorContainer metricsPer-node agent
AlertmanagerAlert routingDiscord/Email

Quick start

1

Define your hybrid setup

kombination.yaml
stackkit: modern-homelab

domain: homelab.example.com
email: you@example.com

nodes:
  - name: cloud-entry
    type: cloud
    provider:
      type: hetzner
      region: fsn1
      size: cx21
      image: debian-12

  - name: local-server
    type: local
    network:
      localIp: 192.168.1.100
      subnet: 192.168.1.0/24
2

Configure VPN overlay

vpn:
  enabled: true
  provider: headscale
  magicDns: true
3

Enable services

services:
  # Reverse proxy (cloud node)
  traefik:
    enabled: true
    acme: true
    acmeEmail: you@example.com

  # PaaS platform (cloud node)
  coolify:
    enabled: true

  # VPN control server (cloud node)
  headscale:
    enabled: true

  # Monitoring
  prometheus:
    enabled: true
    retention: 15d

  grafana:
    enabled: true

  loki:
    enabled: true
    retention: 7d
4

Deploy infrastructure

stackkit validate
stackkit generate
stackkit deploy

Configuration reference

Node configuration

nodes:
  - name: cloud-entry
    type: cloud
    hostname: cloud-entry

    provider:
      type: hetzner        # hetzner, digitalocean, vultr, linode
      region: fsn1
      size: cx21           # 2 vCPU, 4 GB RAM
      image: debian-12

    docker:
      version: "24.0"
      dataRoot: /var/lib/docker

    ssh:
      user: root
      port: 22

VPN configuration

vpn:
  enabled: true
  provider: headscale
  derpEnabled: true
  derpRegions:
    - default
  magicDns: true
The VPN overlay creates an encrypted mesh between all nodes. Headscale is the self-hosted Tailscale control server — no third-party dependency required.

Monitoring configuration

observability:
  prometheus:
    retention: 15d
    storage: 50Gi
    scrapeInterval: 15s

  grafana:
    dashboards:
      - node-health
      - docker-containers
      - traefik-traffic
      - coolify-deployments

  loki:
    retention: 7d

  alertmanager:
    receivers:
      - name: discord
        webhook: https://discord.com/api/webhooks/xxx
      - name: email
        to: alerts@example.com

Platform components

Coolify — Multi-node PaaS

Coolify manages deployments across your nodes. Unlike Dokploy (used in the Base Kit for single nodes), Coolify provides:
  • Multi-node deployment via SSH
  • Git-based deployments (push to deploy)
  • Built-in database management
  • Application monitoring and logs
  • Resource limits per container
coolify:
  autoUpdate: false
  pushEnabled: true
  instanceSettings:
    isRegistrationEnabled: false
    isAutoUpdateEnabled: false
  resources:
    cpuLimit: "2.0"
    memoryLimit: "2048m"

Service placement

Services are placed on specific nodes based on their role:
ServicePlacementReason
TraefikCloud nodePublic entry point, TLS termination
CoolifyCloud nodeNeeds SSH access to all nodes
HeadscaleCloud nodeVPN coordination server
Prometheus + GrafanaCloud nodeAccessible remotely
ApplicationsLocal node(s)Data stays on-premises
Storage/NASLocal node(s)Physical disk access
Promtail + Node ExporterAll nodesPer-node monitoring agents

Adding more nodes

# Add to kombination.yaml
nodes:
  # ... existing nodes

  - name: local-media
    type: local
    network:
      localIp: 192.168.1.101
      subnet: 192.168.1.0/24
    labels:
      role: media-server

stackkit deploy --node local-media
The new node is automatically joined to the Headscale VPN mesh and registered in Coolify.

Security

Network isolation

  • Local nodes are never directly exposed to the internet
  • All inter-node traffic is encrypted via Headscale VPN
  • Traefik handles TLS termination for public services
  • Coolify enforces resource limits per container

Authentication

auth:
  provider: pocketid      # PocketID for SSO
  twoFactor: true
  allowedDomains:
    - example.com

Firewall rules

The StackKit configures firewall rules automatically:
PortCloud NodeLocal NodePurpose
22OpenLAN onlySSH access
80OpenClosedHTTP redirect
443OpenClosedHTTPS traffic
41641OpenOpenHeadscale/WireGuard
All othersClosedClosed

Comparison with other StackKits

FeatureBase KitHigh Availability KitModern Homelab Kit
Nodes12+ (local)2+ (cloud + local)
PlatformDocker + DokployDocker SwarmDocker + Coolify
NetworkLocal onlyLocal LANVPN overlay (Headscale)
Public AccessOptional (Cloudflare Tunnel)OptionalDefault
MonitoringBasic (Uptime Kuma)Prometheus + GrafanaFull PLG stack
Domain RequiredNoNoYes
ComplexityLowMediumHigh
Statusv1.0 (production)vision-onlyschema-only

Troubleshooting

  1. Check Headscale status: headscale nodes list
  2. Verify Tailscale agent on local node: tailscale status
  3. Test connectivity: tailscale ping <cloud-node>
  4. Check firewall: ensure UDP port 41641 is open on both sides
  1. Verify VPN tunnel is established
  2. Check SSH access via VPN IP: ssh root@<tailscale-ip>
  3. Ensure Docker is running on the target node
  4. Check Coolify server settings for the correct VPN IP
  1. Verify DNS records point to cloud node public IP
  2. Check Traefik ACME logs: docker logs traefik
  3. Ensure port 80 and 443 are open on the cloud node
  4. Verify DNS provider API credentials in Traefik config
  1. Verify Promtail and Node Exporter are running on all nodes
  2. Check Prometheus targets: navigate to prometheus.yourdomain.com/targets
  3. Ensure VPN tunnel is stable (metrics travel over VPN)
  4. Check Grafana data source configuration

Migration from the Base Kit

1

Backup all data

stackkit backup --all --output ./backup
2

Provision cloud node

Add a cloud node to your kombination.yaml and provision it:
stackkit: modern-homelab  # Changed from base-kit

nodes:
  - name: cloud-entry
    type: cloud
    provider:
      type: hetzner
      region: fsn1
      size: cx21
      image: debian-12

  - name: local-server   # Your existing server
    type: local
    network:
      localIp: 192.168.1.100
3

Deploy hybrid infrastructure

stackkit generate
stackkit deploy
4

Restore data on local node

stackkit restore --from ./backup --node local-server

Next steps

Monitoring Setup

Configure the PLG observability stack

Coolify Guide

Deploy applications with Coolify