INFRA CASE STUDY

Acheron Home Lab

Builder / operator

A self-hosted home server and the small cloud footprint that runs alongside it, kept as infrastructure-as-documentation: every service, architectural decision, and trade-off is written down rather than living only in my head.

THE MACHINE

A headless Ubuntu server (i9-9900K, RTX 3080 10 GB, 64 GB RAM) runs everything as Docker Compose stacks behind a single Caddy reverse proxy with automatic TLS via the Cloudflare DNS-01 challenge. Each service gets its own subdomain; origin ports bind to localhost, so the reverse proxy is the only ingress path - a discipline that also sidesteps the well-known gotcha where Docker-published ports bypass the host firewall.
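An added illustration of that localhost-binding discipline, not code from the lab itself: a small Python check that reads a Compose file and flags short-syntax `ports:` entries that would publish on every interface, where Docker's own iptables rules put them outside UFW's reach. The compose text and service names are constructed for the example, the ingress service (Caddy) is exempt by name, and the long `ports:` syntax is not handled.

```python
import re

# Constructed sample compose file; not the lab's real configuration.
SAMPLE_COMPOSE = """\
services:
  webui:
    image: ghcr.io/open-webui/open-webui:main
    ports:
      - "127.0.0.1:3000:8080"
  searxng:
    image: searxng/searxng
    ports:
      - "8081:8080"            # no host IP: published on every interface
      - "[::1]:8082:8080/tcp"
  caddy:
    image: caddy:2
    ports:
      - "80:80"
      - "443:443"
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PORT_ITEM = re.compile(r'^\s*-\s*["\']?([^"\'#\s]+)')   # one short-syntax list entry

def host_bind_ip(spec):
    """Return the host IP a short-syntax mapping binds to, or None when Docker
    would publish the port on all interfaces ("8080:80", bare "8080")."""
    spec = spec.split("/", 1)[0]                      # drop a trailing /tcp or /udp
    if spec.startswith("["):                          # bracketed IPv6: "[::1]:8082:8080"
        return spec[1:].split("]:", 1)[0]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None

def exposed_ports(compose_text, ingress_services=("caddy",)):
    """Return [(service, spec)] for mappings that bind beyond loopback,
    ignoring the services allowed to be the ingress (the reverse proxy)."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if indent == 2 and stripped.endswith(":"):   # new service block
            service, in_ports = stripped[:-1], False
        elif indent == 4:                             # a service-level key
            in_ports = stripped == "ports:"
        elif in_ports and (m := PORT_ITEM.match(line)):
            spec = m.group(1)
            if service not in ingress_services and host_bind_ip(spec) not in LOOPBACK:
                findings.append((service, spec))
    return findings
```

Run against the sample, only the `searxng` mapping `8081:8080` is reported; an explicit `0.0.0.0:` prefix is flagged the same way.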

LOCAL AI

Ollama serves models directly on the GPU: a general assistant, a fast-coding variant, a deeper-reasoning model, and a security-focused variant, each with custom Modelfiles that expand the context window for agent-style multi-step tasks. Open WebUI is the front-end; SearXNG provides self-hosted meta-search; a headless browser renders result pages into readable text before they reach the model.

The result is a private, ChatGPT-style assistant with live web results and zero queries leaving the network. The same Ollama instance also backs the SIEM's AI triage pipeline - security summaries never leave the network either.

SECURITY & MONITORING

A self-hosted Wazuh SIEM is the security backbone: the manager and dashboard run at home in Docker, and agents run on every host - the home server and both cloud VPSes. High-severity alerts are scored by a local model before anything reaches my chat channel, turning raw alert JSON into a one-line verdict.

Host hardening sits underneath the SIEM: SSH is Tailscale-only on every machine, UFW enforces an explicit allowlist, fail2ban adds a second layer, and patching is kept current across the fleet. The Tailscale mesh means SSH and all inter-host admin traffic ride an encrypted WireGuard overlay and never touch the public internet.

CLOUD FOOTPRINT

Production does not run at home. A production cloud VPS runs FastAPI services against a shared Postgres and Redis, behind Caddy, with an isolated staging stack alongside. A separate tooling VPS carries the self-hosted GitHub Actions runner, a log receiver, and an Uptime Kuma status page - deliberately off the production host so the thing reporting on production isn't the same machine.

Both VPSes join the same Tailscale mesh. Deploys go from the tooling host to production over the overlay network, never a public IP. Nightly restic backups run to off-site storage, and anything that looks threat-shaped routes to Wazuh.

DESIGN PRINCIPLES

Keep the blast radius small: personal data stays at home, only public APIs run in the cloud. No public admin surface - SSH and inter-host admin traffic ride the tailnet. Defense in depth, where even a port already covered by one control gets a second layer. And every non-obvious choice is captured as a short architecture decision record, so future-me has context rather than mystery.

KEY TAKEAWAYS

  • Infrastructure-as-documentation: every service and decision is written down
  • Full-stack tailnet: home server, laptop, workstation, and cloud VPS on one WireGuard mesh
  • Private local AI with live web search and zero third-party API calls
  • Self-hosted SIEM with agents on every host and AI-assisted alert triage
  • Small blast radius: personal data at home, public APIs in the cloud, no public admin plane