Infrastructure
Notes From a Private Cloud Gremlin
Private cloud, homelab, containers, and the unreasonable joy of making infrastructure actually yours.
- Infrastructure
- Docker
- PKI
- Homelab
- Security
I run my own infrastructure partly because it’s practical and partly because I’m a gremlin about it. Both reasons are real. These are field notes from the shelf-with-blinking-lights side of my work — the homelab and private cloud that sit behind a lot of how I think about systems. None of the specifics that would matter to an attacker are in here; the point is the habits, not the topology.
Why private infrastructure matters
Running your own stack is the best way I know to understand how systems actually behave when nobody is abstracting the hard parts away. Managed platforms are wonderful, and I use them — but they also quietly handle the failure modes that teach you the most. The lab hands those back to you.
Let me be clear about what this isn’t: I’m not pretending a homelab replaces public cloud, or that running things yourself is automatically cheaper or better. The value isn’t bragging rights or some imagined cost win. It’s judgment. Owning the whole stack, end to end, builds an intuition for tradeoffs that you can’t get from a dashboard that always says green.
The homelab teaches taste
Managed services hide failure modes. A homelab shows them to you at 1am, usually right after you were sure you were done. That’s the point, not the bug. You learn what good defaults feel like, what “observable” actually means once you’ve stared at a system that wasn’t, and why boring, reliable choices keep winning.
You don’t develop taste by reading about it. You develop it by fixing the thing you broke.
Every outage I caused myself made me a better engineer for the work that pays — the same instincts showed up in earlier networking and consulting work, where “it works on the bench” and “it survives a real site” are very different claims.
Complexity has a carrying cost
The gremlin’s favorite trap is adding things because they’re cool. Every service, every clever layer, every “I’ll just self-host that too” carries a cost you pay later: patching, monitoring, backups, and the mental overhead of remembering how it all fits together at 1am when you are not at your sharpest.
So I try to make complexity earn its keep. Before something joins the lab, it has to answer for itself: what does this let me do that I couldn’t before, and am I willing to operate it on a bad day? A lot of ideas don’t survive that question, and the lab is healthier for the ones I said no to. Simple-but-boring beats clever-but-fragile almost every time you have to actually live with it.
Security is a design habit
The lab is where I get to practice security as a habit instead of a checklist — something baked into how a thing is built rather than sprinkled on afterward. In plain terms, that means:
- Segmentation: things that don’t need to talk to each other shouldn’t be able to.
- Least privilege: every service gets the narrowest access that still lets it do its job, and nothing more.
- Secrets discipline: credentials live in managed secret storage, never in config files, command history, or — heaven help me — a screenshot.
- Recovery: a backup you’ve never restored is a rumor, so the restore path gets exercised, not assumed.
- Documentation: future-me is a different person with none of today’s context, and writing things down is how I stay on speaking terms with him.
Security is cheapest when it’s part of the base design, not a later retrofit.
None of that is exotic. It’s the same discipline that scales up to real environments — which is exactly why the lab is a good place to make it automatic.
Containers changed the shape of the lab
Containers turned the homelab from a pile of hand-fed pets into something closer to a herd. Services became repeatable, disposable, and easy to reason about: spin one up, tear it down, version the whole definition, rebuild it the same way next time. That repeatability is what makes experimentation cheap, because the cost of “let me just try something” drops to almost nothing.
But containers didn’t delete the architecture work — they relocated it. Now the interesting questions are about boundaries, networks, data that has to outlive the container, and how services find each other. The drift moved out of the hand-tuned box and into the way the pieces are wired together. That’s a better problem to have, but it’s still a problem you have to actually design, not one the tool solves for you.
Operations are part of architecture
It’s tempting to think the architecture is the diagram and operations is the boring stuff that happens afterward. The lab cured me of that. How a system gets deployed, observed, backed up, patched, and recovered is part of its design — a system you can’t operate calmly under stress is badly architected, no matter how elegant the diagram looks.
So “can I run this on a bad day?” is an architecture question, not an afterthought. The full version of how I think about this lives in the private cloud and homelab case study; these notes are the cozier, more honest margin around it.
What I’m still figuring out
Plenty, and that’s the fun part. Tighter segmentation between services. More of the certificate lifecycle automated so I’m not the bottleneck. Monitoring that tells me why something broke instead of just that it did. Backups I trust because I’ve restored them recently, not because the job reported success.
The lab is never finished, and I’ve made peace with that — a finished lab would mean I’d stopped learning, which is the only thing it’s really for. If you’re building or running your own infrastructure and want to trade notes, my inbox is open; if you want to see where this thinking shows up in paid work, the work page is the place to start.