Learning Tracker (Path B)

Goal: Rebuild homelab fluency, explore capabilities, build career-relevant skills.

Last updated: 2026-06-05 (Session 9).

Status note: Path B has been deferred (intentionally) during Sessions 4-9

Foundation pressure: every session has had a tactical blocker (network rebuild, recovery, storage architecture decision, PBS deployment, DNS LXC, Traefik) that consumed the time. Curriculum items below have been touched in passing during foundation work (B.2 Proxmox via PBS + LXCs, B.3 Networking via VLAN trunks + DNS + Traefik) but no item has been formally completed with hands-on practical + writeup.

This is deferred, not removed. After Phase 3.5 (monitoring + log shipping) wraps, the plan is to flip into learning-driven mode for some sessions:

  • B.5 Containers + k8s is the prime candidate: by then the G5 cluster (Phase 6) will exist as a 3-node platform, ideal as a k8s testbed alongside the LXC-based foundation. k3s first (simpler), kubeadm later if depth is wanted. The HA cluster Proxmox provides for the production VMs is functionally similar to k8s for "keep services running"; learning k8s on the same hardware then gives both the practical skill AND the comparison with the LXC pattern.
  • B.7 Backup + DR is partly covered by Session 7-8 PBS work but the restore drill is still gated on a real end-to-end test; that becomes a formal learning beat once D.1 Nextcloud is close to going live.
  • B.4 IaC benefits most from Path A (Assembyl/CommerceBridge staging in Phase 6) coming online.

Framing correction (Session 9, 2026-06-05): in conversation I once described k8s as "probably never for this homelab". That contradicted both CLAUDE.md §9 (which has k8s as a planned future build) and this learning tracker. Corrected here: k8s is a planned learning target on the future G5 cluster, not foundation-stack production; LXC remains the production-stack choice for low-complexity foundation services. Two parallel tracks, not a dismissal of one.

Methodology

Pick one curriculum item, complete with hands-on practical exercise, document what was learned in this file. Don't skip practical exercises - they're where actual learning happens.

Path A / Path D alignment (added 2026-05-31)

After locking the home-cloud architecture (home-cloud-tracker.md), several curriculum items now serve dual purpose for production infrastructure, not just learning:

  • B.2 (Proxmox deep dive) — cloud-init templates directly speed up Path A and Path D VM provisioning. Prioritise.
  • B.3 (Networking) — now covers the locked architecture: Cloudflare API + Let's Encrypt DNS-01, Authelia config, Traefik routing. Practical exercises updated below.
  • B.4 (Infrastructure as Code) — Terraform + Ansible become the way to make Path A + Path D reproducible (and family-handover-friendly via documented IaC).
  • B.7 (Backup and DR) — PBS + restore drills are MANDATORY before Path D goes live with family data. Not optional learning anymore; gates D.1.

Items below marked [A+D] are now load-bearing for production, not just curriculum.

B.1 Linux administration refresh

  • Topics: systemd, journals, ip/iproute2, bridges/bonds/VLANs, LVM/mdadm/btrfs, nftables, SSH hardening
  • Practical: Build hardened SSH bastion VM
  • Status: PARTIALLY COVERED in foundation work (bonds, persistence)

B.2 Proxmox deep dive [A+D]

  • Topics: Cluster concepts, VM vs LXC, backups (PBS), snapshots, cloud-init templates
  • Practical: Build cloud-init template for fast Debian 12 VM provisioning
  • Status: NOT STARTED
  • High value - enables Path A AND Path D faster (same VM-provisioning need)

B.3 Networking fundamentals [A+D]

  • Topics: VLANs, pfSense/OPNsense rules, internal DNS (VM 500 serving .hm.iamkay.eu), reverse proxies (Traefik), WireGuard, Cloudflare API + Let's Encrypt DNS-01 wildcard issuance, Authelia SSO + MFA config, Traefik routing by hostname with middleware chains for auth
  • Practical:
      • *.hm.iamkay.eu resolving internally via VM 500
      • Wildcard *.hm.iamkay.eu cert via Let's Encrypt DNS-01 against Cloudflare API
      • Traefik fronting two test services, both behind Authelia
      • WireGuard endpoint working for laptop -> MGMT VLAN admin
  • Status: PARTIALLY COVERED in foundation work (VLAN design). Topics expanded 2026-05-31 to match locked home-cloud architecture.

B.4 Infrastructure as Code [A+D]

  • Topics: Terraform with Proxmox provider, Ansible for config management, GitOps with GitLab CI
  • Practical: Spin up complete staging environment (Path A: Assembyl staging) OR Nextcloud/Jellyfin stack (Path D) from one git push
  • Status: NOT STARTED
  • Synergy with A.4 AND D.1/D.2 - if learned early, makes both production builds cleaner and family-handover-friendlier (everything in git)

B.4.5 Git hosting alternative — Gitea (added 2026-06-06)

  • Topics: Single-binary Git hosting, SQLite vs PG, Gitea Actions (GitHub-Actions-compatible)
  • Practical: Stand up Gitea on G5 #1 or G5 #2 (after Phase 6 PVE install) ALONGSIDE the production GitLab CE; mirror a few real repos across both; run the same CI workflow on each; document the operational diff (resource cost, upgrade cadence, feature gaps)
  • Status: NOT STARTED (queued for the G5 PVE-ready window)
  • Why: GitLab CE was chosen for Path A production (5+ active projects, heavy roadmap, CI/registry feature parity with GitHub). Kay's interest 2026-06-06 in seeing Gitea side-by-side belongs in Path B as a comparison study — informs whether Gitea would suffice for some future smaller project (saving GitLab's 8 GB RAM footprint) and teaches the trade-space of "heavy DevOps platform vs lightweight Git server."

B.5 Containers and orchestration

  • Topics: Docker, Compose, K3s/RKE2, Helm, kubeadm
  • Practical:
      • Docker-in-LXC pattern for one of the foundation services (e.g. re-deploy something we built native in a Docker variant; compare ops experience)
      • K3s on the G5 cluster (Phase 6) — 3-node k3s install once G5 #3 arrives; deploy a non-load-bearing app (uptime kuma? a learning app?) to it; document the install + lifecycle + how it differs from the Proxmox HA + LXC pattern that runs production services
      • GitOps experiment: pair B.5 with B.4 — define cluster apps via ArgoCD or Flux, push to a self-hosted GitLab (Path A's GitLab CE), watch the cluster converge
  • Status: NOT STARTED (deferred during foundation work, Sessions 4-9)
  • Target window: after Phase 3.5 monitoring lands AND the G5 cluster has stood up. G5 #3 (the cluster-completing 3rd node) arrives ~September 2026 per Kay's 2026-06-05 statement — realistic window is ~October-November 2026 once cluster is stable. Earlier learning is possible on the 2 G5s already on hand (k3s on a single node, or 2-node cluster with a corosync-qdevice temporary tiebreaker) — see homelab-tracker.md Phase 6 interim-usage section.
  • Connects to homelab-tracker.md Phase 6 (HA Proxmox cluster — same physical hardware can run k8s workloads alongside) and CLAUDE.md §9 (Future HA k8s cluster placeholder).

B.6 Observability

  • Topics: Prometheus, Grafana, Loki, Alertmanager, ipmi_exporter
  • Practical: Dashboards for G7 hardware + Assembyl staging environment
  • Status: NOT STARTED
  • Connects to homelab-tracker observability box item

B.7 Backup and disaster recovery [A+D] — GATES D.1

  • Topics: 3-2-1 rule, Proxmox Backup Server, off-site cold storage (Cloudflare R2 or Backblaze B2), restore drills, encryption verification
  • Practical: Full restore drill on a throwaway VM, time it, document gaps
  • Status: NOT STARTED
  • MANDATORY before Path D ships: D.1 (Nextcloud) cannot go live with family data until PBS local + off-site verified end-to-end via a real restore drill. Not optional learning anymore.

B.8 Security

  • Topics: Network segmentation (Path C foundation), WireGuard, Authelia/Keycloak, Vault/ESO
  • Practical: MFA on all internal services
  • Status: NOT STARTED

B.9 Advanced topics

  • Topics: HA, GitOps with ArgoCD, service mesh, distributed storage (Ceph/Longhorn)
  • Status: FAR FUTURE - only after foundation, projects, and security are solid