Architecture

This post is an initial description of ext4's architecture.

Stack

[diagram: flow]

All the servers are connected through a headscale overlay network. This makes things such as nginx load balancing and docker swarm communication much easier to handle, since everything travels over an encrypted WireGuard tunnel. Sure, it adds latency (~6-10 ms), but that is negligible here.

I could have chosen k3s, but I already use it in my homelab and wanted to try something new. I looked at nomad but went with swarm anyway, given that I am very familiar with docker. Contrary to the rumors, docker swarm is still actively maintained.

After using it for more than a month, I have no complaints. The docker compose syntax is the same, and services stay HA thanks to the ingress routing mesh that swarm sets up by default.

For a broad overview of the swarm I have installed swarmpit. It's really helpful when I am out with just my phone (GOS btw) and need to manage the swarm from the browser.

If it weren't obvious, I am using my favourite and battle-tested filesystem, ext4. Currently there aren't many CSI drivers for docker swarm, so I settled on mounting moosefs on every node at the same path, which works well.
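The two paragraphs above (swarm over the headscale overlay, and the shared moosefs mount at the same path on every node) describe a setup rather than show it, so here is an added example that is not from the post. It bootstraps a swarm manager with every swarm port (2377/tcp control plane, 7946 gossip, 4789/udp VXLAN data path) pinned to the overlay address, refuses to proceed if that address is not inside 100.64.0.0/10 (headscale's default prefix, an assumption here), and deploys a stack whose tasks read from the shared mount. The interface name `tailscale0`, the mount point `/mnt/mfs`, the stack name `ext4` and the nginx service are all assumptions you would adjust.

```shell
#!/usr/bin/env bash
# Added example, not the post's own scripts. Assumptions: the overlay hands
# out addresses from 100.64.0.0/10, its interface is tailscale0, and MooseFS
# is mounted at /mnt/mfs on every node.
set -eu

OVERLAY_IFACE="${OVERLAY_IFACE:-tailscale0}"
MFS_MOUNT="${MFS_MOUNT:-/mnt/mfs}"

# is_cgnat_ip IP -> 0 if IP is inside 100.64.0.0/10, else 1.
# Guard so a node never advertises a public address for the swarm control plane.
is_cgnat_ip() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  # 100.64.0.0/10 spans 100.64.0.0 - 100.127.255.255
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
    return 0
  fi
  return 1
}

# overlay_ip -> first IPv4 address on the WireGuard interface (needs ip(8)).
overlay_ip() {
  ip -4 -o addr show dev "$OVERLAY_IFACE" | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# swarm_init_args IP -> the flags that bind listen, advertise and VXLAN data
# path to the overlay address, so nothing swarm-related touches a public NIC.
swarm_init_args() {
  printf '%s' "--advertise-addr $1 --listen-addr $1:2377 --data-path-addr $1"
}

swarm_init_on_overlay() {
  ip=$(overlay_ip)
  if ! is_cgnat_ip "$ip"; then
    echo "refusing to init swarm: '$ip' on $OVERLAY_IFACE is not an overlay address" >&2
    return 1
  fi
  # Word splitting of the flag string is intentional here.
  # shellcheck disable=SC2046
  docker swarm init $(swarm_init_args "$ip")
}

# write_stack_file PATH -> minimal stack relying on the MooseFS bind mount
# being present at the same path on every node, so tasks can land anywhere.
write_stack_file() {
  cat >"$1" <<EOF
version: "3.9"
services:
  web:
    image: nginx:alpine
    deploy:
      replicas: 2
    ports:
      # Ingress-mode ports are opened on every node, on all interfaces; keep
      # only the public-facing proxy published and firewall the rest.
      - "8080:80"
    volumes:
      - $MFS_MOUNT/web:/usr/share/nginx/html:ro
EOF
}

# Only act when invoked as "./bootstrap.sh init"; otherwise just define functions.
if [ "${1:-}" = "init" ]; then
  swarm_init_on_overlay
  write_stack_file /tmp/ext4-stack.yml
  docker stack deploy -c /tmp/ext4-stack.yml ext4
fi
```

Workers join with `docker swarm join --advertise-addr <overlay ip> --listen-addr <overlay ip> ...` in the same way; the point of `--data-path-addr` is that the VXLAN overlay traffic between tasks also rides inside WireGuard instead of the public interface.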

Updates, backups and a few daily jobs are handled by ansible. I get a full log of the updated packages on each host through ntfy.

Uptime monitoring is done with gatus, a really good alternative to uptime kuma. Downtime alerts also arrive through ntfy.

For metrics and logs I use the same thing as everyone: prom+grafana+loki. It's bare bones and I plan to improve that setup soon.

Authentication is very important, so I looked at a lot of options: authentik, authelia, kanidm, keycloak. I settled on pocket-id for two reasons:

  • I wanted strictly passkey authentication, which is far more secure than regular passwords. A passkey is a WebAuthn credential bound to the origin it was registered on, so a lookalike site cannot obtain a usable assertion, and there is no shared secret on the server to brute-force or leak.
  • I wanted a simple, lightweight SSO.

Pocket-id is the winner here. The biggest problem is that a lot of apps still don't have native OIDC support, so for those I put oauth2-proxy in front of them; it is also lightweight and easy to configure and manage.
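To make the oauth2-proxy part concrete, here is an added example, not the post's own configuration: a script that renders an oauth2-proxy config acting as an OIDC client of pocket-id, plus the nginx `auth_request` snippet that sends unauthenticated requests to it, so only users who passed the passkey login reach an app with no OIDC support of its own. Assumed names: pocket-id at `https://id.example.org` (assumed to serve its OIDC issuer at that base URL), the app at `https://app.example.org` with the upstream reachable as `app:8080`, oauth2-proxy reachable as `oauth2-proxy:4180`, and the client id/secret taken from the client you register in pocket-id. The cookie secret must decode to 16, 24 or 32 bytes because oauth2-proxy uses it as an AES key for the session cookie, and the script checks that before writing anything.

```shell
#!/usr/bin/env bash
# Added example (not from the post). Assumed hostnames and service names:
# id.example.org (Pocket ID), app.example.org (protected app), oauth2-proxy:4180.
set -eu

ISSUER_URL=${ISSUER_URL:-https://id.example.org}   # assumption: Pocket ID issuer is its base URL
APP_URL=${APP_URL:-https://app.example.org}
OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-}                  # from the client registered in Pocket ID
OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}
COOKIE_SECRET=${COOKIE_SECRET:-}

# cookie_secret_ok SECRET -> 0 if SECRET is base64 for exactly 16, 24 or 32
# bytes, the AES key sizes oauth2-proxy accepts for its session cookie cipher.
cookie_secret_ok() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
  n=$((n + 0))
  [ "$n" -eq 16 ] || [ "$n" -eq 24 ] || [ "$n" -eq 32 ]
}

# new_cookie_secret -> 32 random bytes, base64 encoded (44 chars, no newline).
new_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_oauth2_proxy_cfg DIR -> DIR/oauth2-proxy.cfg (TOML, oauth2-proxy v7 keys)
write_oauth2_proxy_cfg() {
  cat >"$1/oauth2-proxy.cfg" <<EOF
provider = "oidc"
provider_display_name = "Pocket ID"
oidc_issuer_url = "$ISSUER_URL"
client_id = "$OIDC_CLIENT_ID"
client_secret = "$OIDC_CLIENT_SECRET"
code_challenge_method = "S256"      # PKCE on the authorization code exchange
redirect_url = "$APP_URL/oauth2/callback"
email_domains = ["*"]               # Pocket ID already decides who may log in
cookie_secret = "$COOKIE_SECRET"
cookie_secure = true
cookie_samesite = "lax"
cookie_refresh = "1h"
cookie_expire = "8h"
http_address = "0.0.0.0:4180"
reverse_proxy = true                # trust X-Forwarded-* only because nginx sets them
upstreams = ["static://202"]        # auth_request mode: reply 202, nginx does the proxying
set_xauthrequest = true             # expose X-Auth-Request-User/Email to nginx
skip_provider_button = true
EOF
}

# write_nginx_snippet DIR -> DIR/app.conf, included in the app's server {} block.
write_nginx_snippet() {
  cat >"$1/app.conf" <<'EOF'
location /oauth2/ {
    proxy_pass       http://oauth2-proxy:4180;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-Uri   $request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location = /oauth2/auth {
    proxy_pass       http://oauth2-proxy:4180;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-Uri   $request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Content-Length    "";
    proxy_pass_request_body off;
}
location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/start?rd=$scheme://$host$request_uri;
    auth_request_set $user  $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    # The app trusts these headers, so it must only be reachable through nginx.
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;
    proxy_pass http://app:8080;
}
EOF
}

# Only render when invoked as "./render.sh render [DIR]"; otherwise just define functions.
if [ "${1:-}" = "render" ]; then
  [ -n "$OIDC_CLIENT_ID" ] && [ -n "$OIDC_CLIENT_SECRET" ] || { echo "set OIDC_CLIENT_ID and OIDC_CLIENT_SECRET" >&2; exit 1; }
  [ -n "$COOKIE_SECRET" ] || COOKIE_SECRET=$(new_cookie_secret)
  cookie_secret_ok "$COOKIE_SECRET" || { echo "cookie secret must decode to 16, 24 or 32 bytes" >&2; exit 1; }
  out=${2:-.}
  write_oauth2_proxy_cfg "$out"
  write_nginx_snippet "$out"
  echo "wrote $out/oauth2-proxy.cfg and $out/app.conf"
fi
```

The app container should sit only on the swarm-internal network behind nginx: anything that can reach `app:8080` directly can forge `X-User`, so the header trust model only holds while nginx is the single path in.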

Base distro is archlinux (except for one node). It's stable, fast and free of unnecessary bloat.

Lastly, I am running nodes for a few p2p networks. Currently I have set up yggdrasil and radicle.xyz nodes. I plan to add a dn42.dev node soon.


Brief overview of the initial architecture.

By frost, 2025-09-03
