how I transformed a Mini PC into a private cloud, running virtual machines, containers, and CI/CD pipelines, all while ensuring secure remote access with Cloudflare Zero Trust. This setup mirrors real-world cloud infrastructure but remains fully self-hosted. 🏠☁️

---

🛠 My Hardware Setup

• Mini PC: Lenovo ThinkCentre M710q
  • CPU: Intel Core i5-7400T
  • RAM: 8GB DDR4
  • Storage: 256GB SSD
• Router: GL.iNet MT3000 (Beryl AX)
• Network Bridge: vmbr0 (Proxmox-managed)

---

🖥️ Architecture Overview

Architecture of my self-hosted cloud setup

The architecture consists of six main components:

1. 👤 User Access (Cloudflare Zero Trust)

   • Ensures secure, remote access without exposing ports.
   • Acts as a proxy between users and my self-hosted services.

2. 💾 Private Cloud (Mini PC with Proxmox VE)

   • Runs Proxmox as the hypervisor to manage VMs.
   • Uses vmbr0 as a virtual bridge for networking.

3. ⚙️ VM Provisioning (Terraform + Cloud-Init)

   • Automates VM creation on Proxmox.
   • Cloud-Init configures VMs with static IPs on boot.

4. 📦 Dockerized Applications

   • Each VM runs Docker to host essential services:
     • Casa OS (Personal Cloud OS)
     • Plex (Media Streaming)
     • Vaultwarden (Password Management)
     • Kavita (eBook Management)
     • Portainer (Container Management UI)

5. 🔄 CI/CD Automation (GitHub Actions)

   • Triggers Terraform updates when infrastructure changes.
   • Ensures consistent VM provisioning.

6. 🔗 Secure Connectivity & Networking

   • Cloudflare tunnels protect services from direct exposure.
   • VMs communicate via Proxmox-managed networking.

---

🔹 Workflow & Connectivity

1️⃣ Secure User Access via Cloudflare Zero Trust

• The entry point for accessing any self-hosted services is Cloudflare Zero Trust. This eliminates the need to expose ports on my home network, significantly enhancing security.
• Instead of relying on traditional VPNs, users authenticate through Cloudflare, which applies access policies, identity-based authentication, and additional security layers.
• Once authenticated, Cloudflare acts as a secure reverse proxy, allowing authorized users to connect seamlessly to internal applications hosted within my private cloud.

2️⃣ Proxmox as the Core of the Private Cloud

• The Lenovo ThinkCentre M710q Mini PC serves as my private cloud infrastructure, running Proxmox Virtual Environment (VE) as the hypervisor.
• Proxmox manages multiple virtual machines (VMs), each dedicated to different services. Networking between these VMs is handled through a virtual bridge (vmbr0), which allows internal communication while keeping them isolated from the external network.
• This approach provides the flexibility to deploy different operating systems and environments while maintaining efficient resource allocation.

3️⃣ Automated VM Provisioning with Terraform & Cloud-Init

• Instead of manually creating and configuring VMs, I use Terraform, an Infrastructure as Code (IaC) tool, to automate VM deployment.
• Terraform provisions new VMs on Proxmox, defining their configurations such as CPU, memory, disk size, and network settings.
• Cloud-Init is then used within each VM to automatically apply post-installation configurations. This includes:
  • Setting static IP addresses to ensure predictable networking.
  • Pre-configuring SSH access and system users.
  • Applying any additional customizations needed for specific workloads.
• This automated approach saves time, ensures consistency, and makes scaling effortless.

4️⃣ CI/CD Automation with GitHub Actions

• GitHub Actions is used to automate updates and configuration changes.
• Whenever I make modifications to the Terraform configuration files, GitHub Actions triggers a CI/CD pipeline that:
  • Validates the Terraform configuration.
  • Applies changes to the infrastructure on Proxmox.
  • Ensures that any modifications to networking, security, or VM settings are instantly reflected.
• This keeps my infrastructure version-controlled, allowing me to track changes and quickly rollback if needed.

5️⃣ Cloudflare Tunnels for Secure Connectivity

• Instead of exposing services directly to the internet, I use Cloudflare Tunnels to securely route traffic.
• Cloudflare’s tunnel service establishes an outbound-only connection from my network to Cloudflare’s edge servers, eliminating the need for port forwarding.
• Each application, whether it’s Plex for media streaming, Vaultwarden for password management, Kavita for eBook hosting, or Portainer for Docker container management, is accessible only through Cloudflare-protected URLs.
• This ensures that unauthorized external traffic never reaches my home network, adding an extra layer of protection.

This fully automated, self-hosted cloud setup combines Proxmox, Terraform, Cloud-Init, Docker, and Cloudflare to create a secure, scalable, and maintainable environment. By leveraging CI/CD pipelines and Infrastructure as Code (IaC), I can dynamically manage VMs, automate updates, and ensure all services remain protected and accessible from anywhere in the world.

---

🚀 Why This Setup Is Powerful

✅ Private Cloud – No reliance on external providers.

✅ Fully Automated – Terraform provisions and configures VMs.

✅ Secure – No open ports, all traffic secured via Cloudflare.

✅ Efficient – Docker ensures lightweight, containerized deployments.

✅ CI/CD-Driven – Infrastructure as Code keeps everything repeatable.

This setup allows me to self-host my own cloud-like environment, making it a great showcase of cloud engineering, automation, and security best practices.

💬 What do you think about self-hosting? Have you built something similar? Let’s discuss in the comments! 👇

---