Overview
Key features
Multi-Node Docker
Deploy across cloud VPS and local servers
Coolify PaaS
Professional deployment platform for multi-node setups
VPN Overlay
Headscale/Tailscale for secure inter-node communication
Full Observability
OTLP collector baseline with optional central gateway, retention, and dashboards
Automatic TLS
Let’s Encrypt certificates via Traefik
Public Access
Services accessible from the internet by default
Requirements
| Resource | Cloud Node (VPS) | Local Node | Total Minimum |
|---|---|---|---|
| Nodes | 1 VPS | 1+ local | 2+ |
| CPU | 2 cores | 4 cores | 6 cores |
| RAM | 4 GB | 8 GB | 12 GB |
| Storage | 50 GB SSD | 100 GB | 150 GB |
| Network | Public IPv4, 1 Gbps | LAN access | — |
- Own domain with DNS control (e.g., Cloudflare, Hetzner DNS)
- DNS provider API access for automated TLS provisioning
- SSH access to all nodes
Architecture deep dive
Hybrid topology
The Modern Homelab Kit connects cloud and local infrastructure using a VPN overlay: Traffic flow:- Public requests hit Traefik on the cloud VPS
- Traefik routes to Coolify-managed applications
- Applications on local nodes are reached via the Headscale VPN tunnel
- Local nodes never expose ports to the public internet
Observability stack
| Component | Purpose | Default Config |
|---|---|---|
| OTel Collector | Metrics baseline | Per-node collector, OTLP export |
| monitoring-core gateway | Fan-in | Optional central OTLP gateway |
| VictoriaMetrics | Metrics retention | Optional backend for multi-node or longer retention |
| Grafana | Visualization | Optional dashboard surface when backend tier is enabled |
| Logs lane | Log forwarding | Opt-in; only enable when the deployment needs it |
Quick start
Configuration reference
Node configuration
- Cloud Node
- Local Node
VPN configuration
Monitoring configuration
Platform components
Coolify — Multi-node PaaS
Coolify manages deployments across your nodes. While the Base Kit defaults to Coolify for single-environment setups, the Modern Homelab Kit leverages its multi-node capabilities for hybrid topologies:- Multi-node deployment via SSH
- Git-based deployments (push to deploy)
- Built-in database management
- Application monitoring and logs
- Resource limits per container
Service placement
Services are placed on specific nodes based on their role:| Service | Placement | Reason |
|---|---|---|
| Traefik | Cloud node | Public entry point, TLS termination |
| Coolify | Cloud node | Needs SSH access to all nodes |
| Headscale | Cloud node | VPN coordination server |
| Prometheus + Grafana | Cloud node | Accessible remotely |
| Applications | Local node(s) | Data stays on-premises |
| Storage/NAS | Local node(s) | Physical disk access |
| Promtail + Node Exporter | All nodes | Per-node monitoring agents |
Adding more nodes
Security
Network isolation
- Local nodes are never directly exposed to the internet
- All inter-node traffic is encrypted via Headscale VPN
- Traefik handles TLS termination for public services
- Coolify enforces resource limits per container
Authentication
Firewall rules
The StackKit configures firewall rules automatically:| Port | Cloud Node | Local Node | Purpose |
|---|---|---|---|
| 22 | Open | LAN only | SSH access |
| 80 | Open | Closed | HTTP redirect |
| 443 | Open | Closed | HTTPS traffic |
| 41641 | Open | Open | Headscale/WireGuard |
| All others | Closed | Closed | — |
Comparison with other StackKits
| Feature | Base Kit | High Availability Kit | Modern Homelab Kit |
|---|---|---|---|
| Nodes | 1 | 2+ (local) | 2+ (cloud + local) |
| Platform | Docker + Coolify | Docker Swarm | Docker + Coolify |
| Network | Local only | Local LAN | VPN overlay (Headscale) |
| Public Access | Optional (Cloudflare Tunnel) | Optional | Default |
| Monitoring | OTLP collector baseline | OTLP collector + gateway planning | Collector baseline + monitoring-core |
| Domain Required | No | No | Yes |
| Complexity | Low | Medium | High |
| Status | v1.0 (production) | vision-only | schema-only |
Troubleshooting
VPN connection issues
VPN connection issues
- Check Headscale status:
headscale nodes list - Verify Tailscale agent on local node:
tailscale status - Test connectivity:
tailscale ping <cloud-node> - Check firewall: ensure UDP port 41641 is open on both sides
Coolify cannot reach local node
Coolify cannot reach local node
- Verify VPN tunnel is established
- Check SSH access via VPN IP:
ssh root@<tailscale-ip> - Ensure Docker is running on the target node
- Check Coolify server settings for the correct VPN IP
TLS certificate errors
TLS certificate errors
- Verify DNS records point to cloud node public IP
- Check Traefik ACME logs:
docker logs traefik - Ensure ports 80 and 443 are open on the cloud node
- Verify DNS provider API credentials in Traefik config
Monitoring gaps
Monitoring gaps
- Verify OTel Collector is running on all nodes
- Check the OTLP receiver or gateway endpoint is reachable over the VPN path
- Inspect TechStack
/api/v1/monitor/healthfor ingest-lane and backend diagnostics - If enabled, verify VictoriaMetrics and Grafana separately from the collector baseline
Migration from the Base Kit
Next steps
Monitoring Setup
Configure the PLG observability stack
Coolify Guide
Deploy applications with Coolify
