how I transformed a Mini PC into a private cloud, running virtual machines, containers, and CI/CD pipelines, all while ensuring secure remote access with Cloudflare Zero Trust. This setup mirrors real-world cloud infrastructure but remains fully self-hosted. 🏠☁️
🛠 My Hardware Setup
- Mini PC: Lenovo ThinkCentre M710q
  - CPU: Intel Core i5-7400T
  - RAM: 8GB DDR4
  - Storage: 256GB SSD
- Router: GL.iNet MT3000 (Beryl AX)
- Network Bridge: vmbr0 (Proxmox-managed)
🖥️ Architecture Overview
Architecture of my self-hosted cloud setup
The architecture consists of six main components:
- 👤 User Access (Cloudflare Zero Trust)
  - Ensures secure, remote access without exposing ports.
  - Acts as a proxy between users and my self-hosted services.
- 💾 Private Cloud (Mini PC with Proxmox VE)
  - Runs Proxmox as the hypervisor to manage VMs.
  - Uses vmbr0 as a virtual bridge for networking.
- ⚙️ VM Provisioning (Terraform + Cloud-Init)
  - Automates VM creation on Proxmox.
  - Cloud-Init configures VMs with static IPs on boot.
- 📦 Dockerized Applications
  - Each VM runs Docker to host essential services:
    - Casa OS (Personal Cloud OS)
    - Plex (Media Streaming)
    - Vaultwarden (Password Management)
    - Kavita (eBook Management)
    - Portainer (Container Management UI)
- 🔄 CI/CD Automation (GitHub Actions)
  - Triggers Terraform updates when infrastructure changes.
  - Ensures consistent VM provisioning.
- 🔗 Secure Connectivity & Networking
  - Cloudflare tunnels protect services from direct exposure.
  - VMs communicate via Proxmox-managed networking.
🔹 Workflow & Connectivity
1️⃣ Secure User Access via Cloudflare Zero Trust
- The entry point for accessing any self-hosted services is Cloudflare Zero Trust. This eliminates the need to expose ports on my home network, significantly enhancing security.
- Instead of relying on traditional VPNs, users authenticate through Cloudflare, which applies access policies, identity-based authentication, and additional security layers.
- Once authenticated, Cloudflare acts as a secure reverse proxy, allowing authorized users to connect seamlessly to internal applications hosted within my private cloud.
2️⃣ Proxmox as the Core of the Private Cloud
- The Lenovo ThinkCentre M710q Mini PC serves as my private cloud infrastructure, running Proxmox Virtual Environment (VE) as the hypervisor.
- Proxmox manages multiple virtual machines (VMs), each dedicated to different services. Networking between these VMs is handled through a virtual bridge (vmbr0), which allows internal communication while keeping them isolated from the external network.
- This approach provides the flexibility to deploy different operating systems and environments while maintaining efficient resource allocation.
3️⃣ Automated VM Provisioning with Terraform & Cloud-Init
- Instead of manually creating and configuring VMs, I use Terraform, an Infrastructure as Code (IaC) tool, to automate VM deployment.
- Terraform provisions new VMs on Proxmox, defining their configurations such as CPU, memory, disk size, and network settings.
- Cloud-Init is then used within each VM to automatically apply post-installation configurations. This includes:
  - Setting static IP addresses to ensure predictable networking.
  - Pre-configuring SSH access and system users.
  - Applying any additional customizations needed for specific workloads.
- This automated approach saves time, ensures consistency, and makes scaling effortless.
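As an added illustration (not the author's actual files), the two Cloud-Init inputs that cover the items above could look like this: a user-data file that creates a key-only admin account and turns off password and root SSH logins, and a network-config file that pins the static address. The host name, user name, key, interface name and the 192.0.2.x addresses are all constructed placeholders.

```yaml
# File 1 of 2: user-data. In the real file, "#cloud-config" must be line 1.
#cloud-config
hostname: docker-vm-01            # hypothetical VM name
users:
  - name: ops                     # hypothetical admin account
    groups: [sudo]
    shell: /bin/bash
    sudo: "ALL=(ALL) NOPASSWD:ALL"  # the account has no password, so sudo cannot prompt for one
    lock_passwd: true             # no password login for this account
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY ops@laptop
ssh_pwauth: false                 # sshd accepts keys only
disable_root: true                # no direct root login over SSH
package_update: true              # refresh package lists on first boot
package_upgrade: true             # install pending updates on first boot
---
# File 2 of 2: network-config (cloud-init network config version 2).
network:
  version: 2
  ethernets:
    eth0:                         # assumed interface name inside the VM
      dhcp4: false
      addresses: [192.0.2.10/24]  # constructed documentation address
      routes:
        - to: 0.0.0.0/0
          via: 192.0.2.1          # constructed gateway address
      nameservers:
        addresses: [192.0.2.1]
```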
4️⃣ CI/CD Automation with GitHub Actions
- GitHub Actions is used to automate updates and configuration changes.
- Whenever I make modifications to the Terraform configuration files, GitHub Actions triggers a CI/CD pipeline that:
  - Validates the Terraform configuration.
  - Applies changes to the infrastructure on Proxmox.
  - Ensures that any modifications to networking, security, or VM settings are instantly reflected.
- This keeps my infrastructure version-controlled, allowing me to track changes and quickly roll back if needed.
5️⃣ Cloudflare Tunnels for Secure Connectivity
- Instead of exposing services directly to the internet, I use Cloudflare Tunnels to securely route traffic.
- Cloudflare’s tunnel service establishes an outbound-only connection from my network to Cloudflare’s edge servers, eliminating the need for port forwarding.
- Each application, whether it’s Plex for media streaming, Vaultwarden for password management, Kavita for eBook hosting, or Portainer for Docker container management, is accessible only through Cloudflare-protected URLs.
- This ensures that unauthorized external traffic never reaches my home network, adding an extra layer of protection.
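For reference, a locally managed `cloudflared` configuration that maps the services named above to internal addresses could look like the following. This is an added example, not the author's configuration: the hostnames, the 192.0.2.x addresses and the ports are constructed, and the tunnel ID is a placeholder.

```yaml
# /etc/cloudflared/config.yml (constructed example)
tunnel: <TUNNEL-UUID>                                   # placeholder
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json   # placeholder

ingress:
  # Each rule maps one public hostname to one internal origin.
  - hostname: plex.example.com
    service: http://192.0.2.10:32400
  - hostname: vault.example.com
    service: http://192.0.2.11:8080       # assumed published port
  - hostname: books.example.com
    service: http://192.0.2.12:5000
  - hostname: portainer.example.com
    service: https://192.0.2.13:9443
    originRequest:
      # Weak setting: skips certificate checks on the LAN hop to an origin
      # with a self-signed certificate. Replace with caPool once the origin
      # presents a certificate you can verify.
      noTLSVerify: true
  # Required catch-all: anything that matches no hostname gets a 404
  # instead of being forwarded somewhere by accident.
  - service: http_status:404
```

The tunnel only removes the need for inbound ports; each hostname still needs a Cloudflare Access application policy in front of it, otherwise the service is reachable by anyone who has the URL.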
This fully automated, self-hosted cloud setup combines Proxmox, Terraform, Cloud-Init, Docker, and Cloudflare to create a secure, scalable, and maintainable environment. By leveraging CI/CD pipelines and Infrastructure as Code (IaC), I can dynamically manage VMs, automate updates, and ensure all services remain protected and accessible from anywhere in the world.
🚀 Why This Setup Is Powerful
✅ Private Cloud – No reliance on external providers.
✅ Fully Automated – Terraform provisions and configures VMs.
✅ Secure – No open ports, all traffic secured via Cloudflare.
✅ Efficient – Docker ensures lightweight, containerized deployments.
✅ CI/CD-Driven – Infrastructure as Code keeps everything repeatable.
This setup allows me to self-host my own cloud-like environment, making it a great showcase of cloud engineering, automation, and security best practices.
💬 What do you think about self-hosting? Have you built something similar? Let’s discuss in the comments! 👇
Top comments (12)
Your post "How I Built My Self-Hosted Cloud with Proxmox, Terraform & Docker" contains great information on configuring an efficient and scalable self-hosted cloud system. From Proxmox virtualization, Terraform infrastructure-as-code, to Docker containerization, it is a complete guide on Cloud Application Development. It would be excellent to add more information regarding security best practices and automation techniques to further improve the deployment process.
Thank you, Anemarie! I appreciate your feedback and your keen interest in security and automation best practices. 🔒⚙️
I’d love to dive deeper into security enhancements and automation techniques in a follow-up post!
Is it AI written? 🗿
No
This is next-level home lab wizardry! Turning a Mini PC into a fully automated private cloud with Proxmox, Terraform, and Cloudflare Zero Trust is pure genius. The fact that you’ve got CI/CD pipelines managing infrastructure and secure access without exposing ports is so cool.
Thanks for sharing
Thanks, Hadil! 😊 Really appreciate it!
Wow, this is incredible! 🎉 I'm super impressed by how you built this self-hosted cloud with Proxmox, Terraform, and Docker. 💻 How did you ensure seamless scaling and performance of your virtual machines and containers? 🚀 Also, did you encounter any challenges while setting up Cloudflare Zero Trust for remote access? 🤔 Would love to hear more about your experience!
Thanks, Dat! 😊
For scaling and performance, I optimized resources by:
This keeps it concise, structured, and clear while maintaining engagement.
This is really cool and inspirational to me! I love self-hosting, and this is a good alternative to the "serverless" trend.
Thanks, Franklin! 😊 Self-hosting gives full control and flexibility, with no reliance on third-party cloud providers! Glad you found it inspiring.
Good Explanation
Thank you, Nadeem!