One of the things I'm looking forward to after the move is being able to expand my homelab. Right now my lab is, like everything else in my life, deliberately temporary. Balancing a server on a lack coffee table is not ideal installation by the documentation. But anyway, here's the lab as it is now:
Dell Poweredge R710 (named Wildemount). The main workhorse of the lab, 24 cores of CPU and 192GB of RAM. This website you're looking is, at time of writing, hosted right on this machine. It runs Proxmox, meaning it's serving multiple virtual machines.
Above that is a really old mac mini (named Issylra). This is also a proxmox server. The R710 runs the majority of services in the lab, but the mac mini runs my reverse proxy and unifi console so they can stay up when the Dell goes down.
I use Docker for most things with multiple docker hosts serving different purposes. Each of my docker hosts is named after a port in the Critical Role universe to keep with the theme. Nicodranis, Zoon, Damali and Darktow. Darktow is on vlan 60. If you know Critical Role well and look at what vlan 60 is in the list below this might make sense to you.
The last box in this little mini lab is a protectli box running pfSense, my firewall. The downstream network runs through netgear managed switches allowing me to use vlans to organise the network. Broadly speaking my vlan config is:
10 Infastructure. The router and the switches.
20 Servers. The vlan that the dell, mac mini and most of their VMs run on. The vlan is heavily firewalled. More or less anyone can access the servers on port 443 (for web uis), vlans 30, 40 and 60 all have access to SMB but nothing from WAN. Everything else is blocked, except for SSH access, which is available only to machines on vlan 30, the trusted management network.
30 Trusted. Nothing actually sits on this network by default, it's a second wifi network that I only connect to when I want unrestricted access to the servers vlan from another machine. It's kind of like the same principle as using sudo to protect elevated priviledges on a linux system. Even if someone compromises my PC (or any other device in the untrusted network) they can't actually do much to my servers except consume their web uis. To actually shell into a server they'd need access to the trusted wifi network which has a hidden ssid and seperate password, which isn't stored in any keychains. The other route is teleport which has two factor authentication on it.
40 Untrusted. This is where almost all of our devices live, PCs, laptops, phones, etc. They have access to the servers via port 443 (and a few exceptions needed for things like Plex) but otherwise are partitioned.
50 Silo. This is for IoT devices. It has no internet access and very limited access to other networks, only what's necessary for things to function.
60 VPN. Anything on vlan 60 is routed to a VPN set up in pfSense. They have very, very limited access to other networks. Specifically, they can mount drives from my NAS via SMB. That's it. This way I can remote into an ubuntu VM from any machine that goes through the VPN to privately browse and manage downloading my linux ISO collection.
It's been serving me well so far but after the move I should have space to get a rack and expand this just a little bit. I'll post more as it happens.