Production-ready Docker homelab infrastructure with security-first architecture
Note
About This Documentation: The documentation and guides in this project are AI-assisted. However, all Docker Compose configurations, service definitions, and infrastructure code are manually written and reviewed by the maintainer to ensure security, reliability, and correctness.
Omakase is a comprehensive Infrastructure-as-Code solution for self-hosting 25+ services in a secure, automated, and maintainable way. Born from a production homelab setup, it has been generalized to support different deployment scenarios while maintaining core security and operational principles.
Key Technologies: Docker Compose, Traefik (reverse proxy), Authelia (SSO), CrowdSec (IPS), Infisical (secrets)
- Multi-layer security: SSO authentication, intrusion prevention, network isolation
- Zero secrets in git: External secret management with Infisical
- Container hardening: Mandatory security options, resource limits, non-root execution
- Automated threat detection: CrowdSec collaborative security
- Automated deployments: CI/CD pipeline with GitHub Actions
- Dependency updates: Renovate bot manages Docker image updates
- Automated backups: Daily encrypted backups to cloud storage
- Self-documenting: Comprehensive documentation built and deployed automatically
- Battle-tested architecture: Running in production for years
- Modular design: Each service isolated with dedicated compose file
- Flexible deployment: Bare metal, VMs, LXC, cloud - your choice
- Comprehensive monitoring: Centralized logging, metrics, and dashboards
Infrastructure: Traefik, Authelia, CrowdSec, Portainer, Homepage, Dozzle Media: Jellyfin, Sonarr, Radarr, Bazarr, Deluge Productivity: Nextcloud, Paperless-NGX, Vaultwarden, NocoDB Photos: Immich Development: Windmill, Local-AI And many more...
- β Security-first architecture
- β External secret management
- β Network isolation per service
- β Infrastructure-as-Code approach
- β Automated encrypted backups
- π SSL termination (Traefik direct, HAProxy upstream, Cloudflare, etc.)
- π Platform (Proxmox LXC, bare metal, VMs, NAS, cloud)
- π Storage backend (ZFS, local filesystem, NFS, cloud)
- π Secret management deployment (self-hosted, cloud, alternatives)
- π Environment strategy (single, multi-host, profiles)
Learn more about architectural flexibility β
- Docker Engine 24.0+ and Docker Compose v2.20+
- Linux host (Debian/Ubuntu recommended)
- Infisical for secret management
# 1. Clone repository
git clone https://github.com/esoso/omakase.git
cd omakase
# 2. Configure secrets in Infisical
# See documentation for complete setup guide
# 3. Deploy
make upOmakase supports various deployment options:
| Scenario | Best For | Complexity | Cost |
|---|---|---|---|
| Proxmox LXC β | Advanced homelab | Medium | Hardware only |
| Bare Metal | Dedicated hardware | Low | Hardware only |
| Virtual Machine | Testing & dev | Low | Hardware/cloud |
| NAS | Existing NAS | Low | Hardware only |
| Cloud VPS | Remote access | Low | β¬20-50/month |
View all deployment options β
The project is based on a production setup with:
- OPNSense firewall with HAProxy for SSL termination
- Proxmox VE hypervisor with multiple LXC containers
- Separate environments: Production, Development, Infisical, CI/CD
- ZFS storage with bind mounts for production data
- Automated backups to Backblaze B2
This architecture is not mandatory - adapt to your infrastructure while maintaining security principles.
- Prerequisites - What you need before starting
- Installation - Step-by-step setup guide
- Configuration - Configure services and secrets
- Deployment Scenarios - Choose your deployment platform
- Operations - Backup, monitoring, maintenance
- Traefik - Reverse proxy and routing
- Authelia - SSO authentication
- CrowdSec - Intrusion prevention
- Cetusguard - Docker socket proxy
make up # Deploy stack (dev environment)
make down # Stop all services
make restart # Restart services
make pull # Update Docker images
make config # Show configuration with secrets
make network # Show network allocations
make clean # Clean unused resources
make pwgen # Generate secure passwordsSee all available commands β
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (
feat/new-service,fix/issue-123) - Follow conventional commits
- Submit a pull request
Read contribution guidelines β
- π¬ GitHub Discussions - Ask questions, share ideas
- π Issue Tracker - Report bugs, request features
- π Documentation - Comprehensive guides and reference
- π Changelog - Version history and updates
Current Version: 2.4.198+ (auto-versioned)
Omakase is actively maintained and running in production. The project follows semantic versioning and uses automated dependency updates through Renovate.
Special thanks to the r/selfhosted community for inspiration and support.
This project is open source and available under the MIT License. See LICENSE for details.