Skip to main content
The Modern Homelab Kit brings multi-node hybrid infrastructure to your homelab. Designed for advanced users who need public-facing services, cloud+local server setups, and full observability across nodes.
Schema-only — This StackKit has a CUE schema defined but is not yet functional. Use the Base Kit for production deployments.

Overview

Key features

Multi-Node Docker

Deploy across cloud VPS and local servers

Coolify PaaS

Professional deployment platform for multi-node setups

VPN Overlay

Headscale/Tailscale for secure inter-node communication

Full Observability

OTLP collector baseline with optional central gateway, retention, and dashboards

Automatic TLS

Let’s Encrypt certificates via Traefik

Public Access

Services accessible from the internet by default

Requirements

ResourceCloud Node (VPS)Local NodeTotal Minimum
Nodes1 VPS1+ local2+
CPU2 cores4 cores6 cores
RAM4 GB8 GB12 GB
Storage50 GB SSD100 GB150 GB
NetworkPublic IPv4, 1 GbpsLAN access
Additional prerequisites:
  • Own domain with DNS control (e.g., Cloudflare, Hetzner DNS)
  • DNS provider API access for automated TLS provisioning
  • SSH access to all nodes
The Modern Homelab Kit requires both cloud and local infrastructure. If you only need a single environment (local or cloud), use the Base Kit instead.

Architecture deep dive

Hybrid topology

The Modern Homelab Kit connects cloud and local infrastructure using a VPN overlay: Traffic flow:
  1. Public requests hit Traefik on the cloud VPS
  2. Traefik routes to Coolify-managed applications
  3. Applications on local nodes are reached via the Headscale VPN tunnel
  4. Local nodes never expose ports to the public internet

Observability stack

ComponentPurposeDefault Config
OTel CollectorMetrics baselinePer-node collector, OTLP export
monitoring-core gatewayFan-inOptional central OTLP gateway
VictoriaMetricsMetrics retentionOptional backend for multi-node or longer retention
GrafanaVisualizationOptional dashboard surface when backend tier is enabled
Logs laneLog forwardingOpt-in; only enable when the deployment needs it

Quick start

1

Define your hybrid setup

stack-spec.yaml
stackkit: modern-homelab

domain: homelab.example.com
email: you@example.com

nodes:
  - name: cloud-entry
    type: cloud
    provider:
      type: hetzner
      region: fsn1
      size: cx21
      image: debian-12

  - name: local-server
    type: local
    network:
      localIp: 192.168.1.100
      subnet: 192.168.1.0/24
2

Configure VPN overlay

vpn:
  enabled: true
  provider: headscale
  magicDns: true
3

Enable services

services:
  # Reverse proxy (cloud node)
  traefik:
    enabled: true
    acme: true
    acmeEmail: you@example.com

  # PaaS platform (cloud node)
  coolify:
    enabled: true

  # VPN control server (cloud node)
  headscale:
    enabled: true

addons:
  - monitoring-core

observability:
  monitoring:
    signals:
      metrics: true
      logs: true
    gateway:
      enabled: true
    backend:
      enabled: true
      grafana:
        enabled: true
4

Deploy infrastructure

stackkit validate
stackkit generate
stackkit deploy

Configuration reference

Node configuration

nodes:
  - name: cloud-entry
    type: cloud
    hostname: cloud-entry

    provider:
      type: hetzner        # hetzner, digitalocean, vultr, linode
      region: fsn1
      size: cx21           # 2 vCPU, 4 GB RAM
      image: debian-12

    docker:
      version: "24.0"
      dataRoot: /var/lib/docker

    ssh:
      user: root
      port: 22

VPN configuration

vpn:
  enabled: true
  provider: headscale
  derpEnabled: true
  derpRegions:
    - default
  magicDns: true
The VPN overlay creates an encrypted mesh between all nodes. Headscale is the self-hosted Tailscale control server — no third-party dependency required.

Monitoring configuration

observability:
  monitoring:
    signals:
      metrics: true
      logs: true
    collector:
      profile: full
    gateway:
      enabled: true
    backend:
      enabled: true
      retentionPeriod: 30d
      grafana:
        enabled: true

Platform components

Coolify — Multi-node PaaS

Coolify manages deployments across your nodes. While the Base Kit defaults to Coolify for single-environment setups, the Modern Homelab Kit leverages its multi-node capabilities for hybrid topologies:
  • Multi-node deployment via SSH
  • Git-based deployments (push to deploy)
  • Built-in database management
  • Application monitoring and logs
  • Resource limits per container
coolify:
  autoUpdate: false
  pushEnabled: true
  instanceSettings:
    isRegistrationEnabled: false
    isAutoUpdateEnabled: false
  resources:
    cpuLimit: "2.0"
    memoryLimit: "2048m"

Service placement

Services are placed on specific nodes based on their role:
ServicePlacementReason
TraefikCloud nodePublic entry point, TLS termination
CoolifyCloud nodeNeeds SSH access to all nodes
HeadscaleCloud nodeVPN coordination server
Prometheus + GrafanaCloud nodeAccessible remotely
ApplicationsLocal node(s)Data stays on-premises
Storage/NASLocal node(s)Physical disk access
Promtail + Node ExporterAll nodesPer-node monitoring agents

Adding more nodes

# Add to stack-spec.yaml
nodes:
  # ... existing nodes

  - name: local-media
    type: local
    network:
      localIp: 192.168.1.101
      subnet: 192.168.1.0/24
    labels:
      role: media-server
stackkit deploy --node local-media
The new node is automatically joined to the Headscale VPN mesh and registered in Coolify.

Security

Network isolation

  • Local nodes are never directly exposed to the internet
  • All inter-node traffic is encrypted via Headscale VPN
  • Traefik handles TLS termination for public services
  • Coolify enforces resource limits per container

Authentication

auth:
  provider: pocketid      # PocketID for SSO
  twoFactor: true
  allowedDomains:
    - example.com

Firewall rules

The StackKit configures firewall rules automatically:
PortCloud NodeLocal NodePurpose
22OpenLAN onlySSH access
80OpenClosedHTTP redirect
443OpenClosedHTTPS traffic
41641OpenOpenHeadscale/WireGuard
All othersClosedClosed

Comparison with other StackKits

FeatureBase KitHigh Availability KitModern Homelab Kit
Nodes12+ (local)2+ (cloud + local)
PlatformDocker + CoolifyDocker SwarmDocker + Coolify
NetworkLocal onlyLocal LANVPN overlay (Headscale)
Public AccessOptional (Cloudflare Tunnel)OptionalDefault
MonitoringOTLP collector baselineOTLP collector + gateway planningCollector baseline + monitoring-core
Domain RequiredNoNoYes
ComplexityLowMediumHigh
Statusv1.0 (production)vision-onlyschema-only

Troubleshooting

  1. Check Headscale status: headscale nodes list
  2. Verify Tailscale agent on local node: tailscale status
  3. Test connectivity: tailscale ping <cloud-node>
  4. Check firewall: ensure UDP port 41641 is open on both sides
  1. Verify VPN tunnel is established
  2. Check SSH access via VPN IP: ssh root@<tailscale-ip>
  3. Ensure Docker is running on the target node
  4. Check Coolify server settings for the correct VPN IP
  1. Verify DNS records point to cloud node public IP
  2. Check Traefik ACME logs: docker logs traefik
  3. Ensure ports 80 and 443 are open on the cloud node
  4. Verify DNS provider API credentials in Traefik config
  1. Verify OTel Collector is running on all nodes
  2. Check the OTLP receiver or gateway endpoint is reachable over the VPN path
  3. Inspect TechStack /api/v1/monitor/health for ingest-lane and backend diagnostics
  4. If enabled, verify VictoriaMetrics and Grafana separately from the collector baseline

Migration from the Base Kit

1

Backup all data

stackkit backup --all --output ./backup
2

Provision cloud node

Add a cloud node to your stack-spec.yaml and provision it:
stackkit: modern-homelab  # Changed from base-kit

nodes:
  - name: cloud-entry
    type: cloud
    provider:
      type: hetzner
      region: fsn1
      size: cx21
      image: debian-12

  - name: local-server   # Your existing server
    type: local
    network:
      localIp: 192.168.1.100
3

Deploy hybrid infrastructure

stackkit generate
stackkit deploy
4

Restore data on local node

stackkit restore --from ./backup --node local-server

Next steps

Monitoring Setup

Configure the PLG observability stack

Coolify Guide

Deploy applications with Coolify