2025–2026 Infrastructure / Networking / Security GitHub ↗

Overview

This private cloud runs every self-hosted service behind zero public ingress. A 3-node Proxmox VE 8.1 cluster provides high availability over Ceph; the network is segmented into four VLANs by trust level; and the only path in from the internet is a Cloudflare Tunnel gated by Access policies, with Tailscale as an authenticated mesh fallback. The design eliminated 100% of public IP exposure while keeping global tunnel latency under 50ms.

Network Topology

Zero-Trust Access Flow

Implementation

1

Form the HA cluster

pvecm create tyf-cluster && pvecm add 192.168.10.11
2

Expose a service via Cloudflare Tunnel (no open ports)

cloudflared tunnel route dns tyf-tunnel cloud.tyfsadik.org
3

Automate ZFS snapshots with sanoid

sanoid --configdir=/etc/sanoid --cron # hourly/daily/30-day retention
rpool/data@autosnap_2026-06-17_00:00:00_daily   ... 30 kept
took 12 snapshots, pruned 3

Key Results

  • Eliminated 100% of public IP exposure by routing all ingress through Cloudflare Tunnel.
  • Achieved under 50ms tunnel latency for global access via Cloudflare's edge.
  • Automated 24-hour ZFS snapshots with a 30-day retention policy via sanoid/syncoid.
  • Maintained service continuity through Proxmox HA failover across 3 nodes.
Proxmox VECephVLANCloudflare TunnelTailscaleZFSZero Trust