Back to lemonlink.eu

Homelab Architect

Documenting my journey of building, securing, and scaling a personal enterprise-grade homelab environment with Proxmox, Docker, and self-hosted services.

Launching Micro-SaaS Products: SnapAPI, BgRemove & ConvertFast

After years of building infrastructure for myself, I decided to productize that knowledge into three API-first micro-SaaS products designed for developers who need reliable, fast utility services without the overhead of building them from scratch.

The Product Trio

Each product solves a specific, high-demand developer problem:

  • SnapAPI — A screenshot-as-a-service API that captures pixel-perfect renders of any URL with custom viewport sizes, full-page scrolling, and dark mode support. Built on Puppeteer with intelligent caching.
  • BgRemove — A background removal API powered by AI segmentation. Upload any image and get a transparent PNG in seconds—no Photoshop required. Handles hair, fur, and complex edges with surprising accuracy.
  • ConvertFast — A universal file conversion API supporting 50+ formats. Documents, images, audio, video—drag, drop, convert. Includes batch processing and webhook notifications.

The pSEO Strategy: 10,500+ Landing Pages

Rather than competing on paid ads, I invested heavily in programmatic SEO. Each API endpoint generates hundreds of landing pages targeting long-tail keywords. SnapAPI has pages for "screenshot API for React," "screenshot API for Vue," "screenshot 4K API," and so on. Combined across all three products, the network now spans over 10,500 unique, useful landing pages—all statically generated, fast, and indexed.

The strategy is simple: when developers search for specific solutions, they find a purpose-built page that speaks directly to their stack and use case.

Stripe Integration & Pricing

All three products share a unified Stripe billing backend with tiered pricing:

  • Free tier — 100 requests/month for testing and small projects
  • Starter ($9/mo) — 5,000 requests with standard support
  • Pro ($29/mo) — 50,000 requests with priority support and webhooks
  • Enterprise — Custom volume pricing with SLA guarantees

Stripe handles subscriptions, usage metering, and automatic invoicing. The integration includes customer portals for self-service plan management and invoice downloads.

Promotion & Distribution

Beyond pSEO, I'm distributing through developer marketplaces, API aggregator platforms like RapidAPI, and strategic content marketing. Each product has comprehensive documentation, interactive API explorers, and copy-paste code snippets in 8 languages. The goal is zero-friction adoption—developers should be making their first API call within 60 seconds of landing on the site.

Family Routines App: Gamifying Children's Daily Tasks

As a parent, getting kids to consistently complete their daily chores and routines can feel like an uphill battle. So I built an app that turns responsibility into a game—and my kids actually ask to use it.

The Stack: Modern & Type-Safe

The app is built on a cutting-edge stack designed for rapid iteration and type safety across the entire codebase:

  • React 19 — Latest React with concurrent features and server components where appropriate
  • tRPC — End-to-end type-safe APIs with automatic client inference
  • Hono — Lightweight, fast HTTP framework running on the edge
  • Drizzle ORM — Type-safe SQL with a syntax that feels natural
  • MySQL — Reliable relational storage for families, routines, and progress data
  • Capacitor — Native iOS/Android builds from the same React codebase

Virtual Pet Companion

At the heart of the app is a virtual pet that grows and evolves based on task completion. Kids earn food, toys, and accessories for their pet by finishing routines. Miss a day? The pet gets sad. Complete a streak? The pet levels up and unlocks rare items. It's surprising how motivating a pixelated companion can be.

Vehicles & Rewards System

Beyond the pet, kids earn virtual currency for completing tasks which can be spent in the vehicle garage—unlocking cars, spaceships, boats, and fantastical mounts. Each vehicle has stats and can be upgraded, creating a secondary collection meta-game that keeps engagement high.

Achievements & Streaks

The achievement system recognizes milestones: 7-day streaks, early riser badges, helper awards for completing extra tasks, and team achievements when siblings collaborate. Push notifications (via Capacitor) remind kids of pending routines without parent nagging.

Parent Portal

Parents get a comprehensive dashboard to create custom routines, set recurring tasks, review completion history, and manage rewards. The portal shows weekly analytics, identifies patterns, and suggests adjustments. Multiple children can be managed from a single account with individualized routines per kid.

The app is live at family.lemonlink.eu and available as a progressive web app with native builds coming soon.

Homelab Restructure Complete: VLAN 20 Migration

The final phase of my network restructuring is complete. All 7 production VMs have been successfully migrated to VLAN 20, completing the transition from a flat network to a properly segmented infrastructure with logical IP addressing.

The Migration Scope

Over the course of several weeks, I methodically moved each critical service from the flat 192.168.5.0/24 network to the dedicated VLAN 20 with its 192.168.20.0/16 subnet. The /16 allocation was intentional—VM IDs map directly to IP suffixes, making identification instantaneous:

  • Caddy Proxy / Docker Host (ID 3) → 192.168.20.3
  • netboot.xyz (ID 232) → 192.168.20.232
  • TrueNAS (ID 200) → 192.168.20.200
  • Music Server (ID 224) → 192.168.20.224
  • AMP Node (ID 236) → 192.168.20.236
  • ZimaOS (ID 236) → 192.168.20.236
  • Additional utility VMs → Assigned by ID

IP Renumbering Strategy

The renumbering wasn't just about moving subnets—it was about creating a self-documenting network. When I see 192.168.20.200, I immediately know it's TrueNAS. When I see 192.168.20.3, I know it's the primary Docker host. This convention eliminates the mental overhead of cross-referencing IP spreadsheets.

Proxmox as Inter-VLAN Router

Proxmox handles routing between VLAN 20 and the flat network via iptables NAT rules. This allows selective services to remain accessible from the LAN while keeping the majority of VM traffic isolated. Caddy reverse proxy on 192.168.20.3 serves as the public-facing gateway, terminating TLS and routing to internal services.

What I Learned

Migrating live services taught me the value of DNS records over hardcoded IPs. By using internal DNS names (via Pi-hole), I could renumber IPs without chasing down every configuration file. Services that relied on static IP references required the most downtime—lesson learned for future deployments.

The network is now cleaner, more secure, and infinitely more scalable. Next up: implementing firewall rules between VLANs for true micro-segmentation.

Building an AI Co-Pilot: OpenClaw & Self-Learning Systems

My homelab just got a major upgrade—a persistent AI collaborator called OpenClaw that doesn't just answer questions, it actively manages, documents, and improves my entire infrastructure autonomously.

Unlike typical chatbots that forget everything between sessions, OpenClaw maintains continuity through rigorous file-based memory. It tracks which skills work best, learns from every mistake, and even runs weekly self-compaction to distill insights into actionable wisdom.

The Odysseus Features

I integrated four advanced modules inspired by the legendary problem-solver:

  • Deep Research Engine — Multi-step web research that validates facts across sources before presenting conclusions.
  • Task & Reminder System — Persistent task tracking with automatic priority detection and deadline reminders.
  • Calendar Integration — Event scheduling for maintenance windows, backups, and migrations with conflict detection.
  • Email Triage — Automated email processing that categorizes by urgency and extracts action items.

Self-Learning Infrastructure

The Hermes-inspired learning system tracks skill effectiveness, runs pre-flight safety checks before dangerous operations, and maintains a living "Lessons Learned" database. When something fails—like when I accidentally broke Docker by stopping systemd-resolved without a DNS fallback—it logs the root cause and prevention strategy permanently.

Automated Documentation

OpenClaw writes directly to my Bookstack documentation wiki and maintains a local git repository that syncs to Gitea. Every network change, deployment, or migration is documented in real-time with CEST timestamps (Swedish time). The changelog becomes a living history of infrastructure evolution.

Network Restructuring: VLAN Migration & Pi-hole Deployment

After months of running everything on a flat network, I finally implemented proper network segmentation with VLANs—and learned some hard lessons along the way.

The VLAN Migration

I created a dedicated VLAN with a /16 subnet to accommodate VM IDs as IP suffixes. This means each VM gets an IP matching its ID—beautifully intuitive. Proxmox acts as the inter-VLAN router with iptables NAT rules bridging the VLAN to the flat network.

Over the course of a single day, I migrated five critical VMs from the flat network to their new VLAN addresses:

  • netboot-xyz → VLAN segment
  • TrueNAS → VLAN segment
  • prod-docker-host → VLAN segment
  • Music-Server → VLAN segment
  • AMP-Node → VLAN segment

Pi-hole + Unbound on macvlan

Deploying Pi-hole taught me a critical lesson: never expose port 53 directly on the Docker host if systemd-resolved is running. I broke Docker completely by stopping systemd-resolved without configuring an alternative DNS first—image pulls failed, containers wouldn't start.

The solution was macvlan networking. Pi-hole now lives on its own MAC address on the physical network, completely avoiding port conflicts. Paired with Unbound as a recursive resolver, I now have network-wide ad-blocking and DNSSEC-validated queries without relying on external DNS providers.

Homarr Dashboard

To visualize everything, I built a sleek dark-themed Homarr dashboard with glassmorphism effects and amber accents. The "Start" board features critical apps (Gitea, Bookstack, Vaultwarden, Portainer, Proxmox, TrueNAS, Music, Mail, Nextcloud) plus widgets for clock, weather, and search. The landing page pulls real integration data from each service.

Securing the Perimeter: Why I Use Mock Services

When you start self-hosting over 50+ services on your own hardware, one of the biggest challenges is figuring out how to showcase your work without putting your entire infrastructure at risk.

A beautifully designed homelab landing page is incredibly satisfying to look at. Naturally, you might want to share screenshots or even the live URL with friends or potential employers.

However, exposing the direct login pages to sensitive internal panels—like Portainer (which has literal root access to my containers), Nextcloud (my private file storage), or Netdata (system metrics)—is a massive security risk. Even behind strong passwords, presenting an active login form to the open internet invites brute-force attacks and zero-day exploitation.

The Solution: Real Frontends, Disabled Backends

Instead of exposing my live services, the public-facing dashboard links to exact replicas of those login pages. I achieved this by writing Python scripts (using BeautifulSoup) that scrape the raw HTML, CSS, and SVG logos directly from my internal apps. It then automatically rewrites the asset paths, strips out all backend form-submit logic, and injects a preventDefault() JavaScript block.

For aggressive SPA frameworks like Stirling-PDF or Netdata, I go a step further, aggressively cleaning out the framework scripts that attempt to fire JSON requests to missing APIs, substituting them with identical static HTML overlays.

The result? If you click "Netdata" on my dashboard, you see the exact Netdata loading screen. But it's fundamentally sandboxed. This allows me to confidently show off my stack in public, while restricting actual authentications strictly to my internal Tailscale mesh VPN.

The Foundation: Proxmox, TrueNAS, and RPi5

Every great homelab needs a reliable foundation. My core infrastructure is split between a robust Dell PowerEdge server and a highly efficient Raspberry Pi 5.

The Dell PowerEdge runs Proxmox VE, hosting heavy-duty VMs and LXC containers, including a dedicated environment for my Caddy reverse proxy to handle traffic routing safely. Backing all of this is TrueNAS SCALE, managing a 12TB storage array mapped across the network for media and encrypted backups.

Meanwhile, the Raspberry Pi 5 runs Docker with Portainer to manage dozens of essential, always-on utility containers that sip power. This includes my entire Home Assistant smart home stack (with MQTT and ESPHome), network management via Pi-hole and Nginx Proxy Manager, plus gaming servers like Minecraft and Mumble.

Automating UI Deployments

To navigate this growing ecosystem, I recently revamped my homepage dashboard into a sleek, dark-themed experience with amber-yellow accents. To keep it updated effortlessly, I built Python automation scripts utilizing the requests library.

These scripts fetch the latest SVGs from official repositories (like Gitea and GitHub), update UI cards dynamically, and orchestrate direct uploads to my proxy server via paramiko SSH commands. Deploying visual updates to my entire homelab is now an automated, single-click process.

Self-Hosting My Data: Nextcloud & Vaultwarden

Moving away from SaaS dependency was the primary driving force behind building my Proxmox-based homelab. Managing my data efficiently in-house guarantees data sovereignty and true ownership.

A major part of my daily workflow relies on Nextcloud for secure file storage along with Collabora Online natively integrated for editing documents. Alongside this, I rely on Vaultwarden for encrypted password management synced smoothly across my proxy connection. Having my digital life backed by a TrueNAS ZFS pool gives incredible peace of mind.

Code and Repositories

As a developer, I also emphasize keeping my source code under my own control. I host an internal Gitea instance running smoothly in Docker. From utility scripts like IPMI Fan Control to Python applications and tools like EU-Icon-Extractor and EU-Utility, it's incredibly satisfying to push commits entirely within my own private cloud infrastructure—though many projects automatically mirror to my public GitHub.

The entire frontend design language for these platforms relies on clean, dark aesthetics and smooth CSS micro-animations. With my Dell Poweredge handling virtualization and Tailscale locking down access, I've established a high-performance, ultra-secure gateway to my digital home.