Architecture
Three-site Hybrid Cloud Infrastructure
Waco TX · Phoenix AZ · Amsterdam NL · 5 Zones · 3 Cloud Providers
01
Developer & Pipeline
CI/CD · DevSecOps
source
GitHub Repo
hugo portfolio · homelab-iac tf
security gates
GitHub Actions
parallel security · scan on every push
performance
Lighthouse CI
perf ≥ 90 · a11y ≥ 90
deploy
GitHub Pages
OIDC auth · no stored secrets
also triggers → Terraform plan on .tf changes via OIDC → AWS
02
Edge Security & Global Delivery
Cloudflare · DNS · ZT Tunnels
Public traffic — portfolio
DNS + CDN
Cloudflare Edge
prajwolbikramadhikari.com.np
email security
DNS Records
DMARC p=reject · SPF -all · DKIM
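The three records above are only as good as what the public resolvers actually return, and a soft-fail SPF (`~all`), a `p=none`, or a weaker `sp=` on subdomains silently undoes the policy. The following script is an added example, not part of the page or the portfolio repo: it parses the records and checks them against the stated bar (SPF `-all`, DMARC `p=reject`, DKIM key published). The DKIM selector name and the sample records at the bottom are assumptions constructed for illustration.

```shell
#!/bin/sh
# mail_policy.sh: verify that a domain's DNS enforces what this page states for the
# portfolio zone: SPF ending in -all, DMARC p=reject, and a DKIM key published.
# Added example, not the page's own code. The DKIM selector name and the sample
# records at the bottom are constructed for illustration, not live records.

# spf_policy RECORD -> the "all" qualifier in force: -all, ~all, ?all, +all, or "none"
# (no all mechanism, e.g. only a redirect= modifier: the redirected record decides).
spf_policy() {
    _qual=none
    for _tok in $1; do
        case "$_tok" in
            -all|~all|\?all|+all) _qual=$_tok ;;
            all)                  _qual=+all ;;   # bare "all" is "+all": passes everything
        esac
    done
    printf '%s\n' "$_qual"
}

# dmarc_tag RECORD TAG -> value of TAG (p, sp, rua, ...) in a DMARC record, empty if absent
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | head -n 1
}

# mail_policy_ok SPF DMARC DKIM -> 0 if all three meet the bar; prints one line per finding
mail_policy_ok() {
    _rc=0
    _spf=$(spf_policy "$1")
    [ "$_spf" = "-all" ] || { echo "FAIL spf: expected -all, got $_spf"; _rc=1; }
    _p=$(dmarc_tag "$2" p)
    [ "$_p" = "reject" ] || { echo "FAIL dmarc: expected p=reject, got ${_p:-<missing>}"; _rc=1; }
    # sp= defaults to p=; an explicit weaker sp= quietly exempts every subdomain
    _sp=$(dmarc_tag "$2" sp)
    if [ -n "$_sp" ] && [ "$_sp" != "reject" ]; then echo "FAIL dmarc: sp=$_sp weakens subdomains"; _rc=1; fi
    case "$3" in
        *p=[A-Za-z0-9+/]*) ;;                         # a public key is published
        *) echo "FAIL dkim: no p= key in selector record (empty p= means revoked)"; _rc=1 ;;
    esac
    return $_rc
}

# check_domain DOMAIN [SELECTOR]: live lookup. Run it from outside the homelab as well,
# since AdGuard on the LAN answers for local names and may not reflect the public zone.
check_domain() {
    _sel=${2:-default}     # assumption: substitute the selector your mail provider publishes
    _spf=$(dig +short TXT "$1" | tr -d '"' | grep -i '^v=spf1')
    _dmarc=$(dig +short TXT "_dmarc.$1" | tr -d '"' | grep -i '^v=DMARC1')
    _dkim=$(dig +short TXT "$_sel._domainkey.$1" | tr -d '"' | tr -d '\n')   # long keys come back split into chunks
    mail_policy_ok "$_spf" "$_dmarc" "$_dkim"
}

# Constructed sample records (not the live records of any domain)
SAMPLE_SPF_GOOD='v=spf1 include:_spf.example.net ip4:203.0.113.10 -all'
SAMPLE_SPF_SOFT='v=spf1 include:_spf.example.net ~all'
SAMPLE_DMARC_GOOD='v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s'
SAMPLE_DMARC_WEAK='v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com'
SAMPLE_DKIM='v=DKIM1; k=rsa; p=c29tZXB1YmxpY2tleQ'

if [ "$#" -gt 0 ]; then
    check_domain "$@"
else
    echo "strict records:";            mail_policy_ok "$SAMPLE_SPF_GOOD" "$SAMPLE_DMARC_GOOD" "$SAMPLE_DKIM" && echo "  ok"
    echo "soft-fail SPF and sp=none:"; mail_policy_ok "$SAMPLE_SPF_SOFT" "$SAMPLE_DMARC_WEAK" "$SAMPLE_DKIM" || echo "  rejected"
fi
```

Run it as `sh mail_policy.sh prajwolbikramadhikari.com.np <selector>` from a cron job or a CI step; with no arguments it evaluates the constructed samples only. The `sp=` check is the one most people miss: `p=reject` with `sp=none` leaves every subdomain open for spoofing.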
Private access — homelab services
tunnel id
Zero Trust Tunnel
outbound-only
exposed subdomains
7 Services
grafana · prometheus · n8n · adguard · homer · cadvisor · npm
03
Infrastructure Control Plane
AWS · Terraform IaC · GitOps
IaC engine
Terraform
manages Cloudflare · DNS + OCI instances
state storage
AWS S3
terraform-state · versioned · encrypted
state locking
DynamoDB
terraform-state-lock · prevents conflicts
access control
IAM + OIDC
GitHub Actions trust · no stored keys
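"OIDC auth · no stored secrets" (zone 01) and "GitHub Actions trust · no stored keys" (zone 03) both rest on one IAM trust policy, and the part that makes it safe is the `sub` condition: the GitHub OIDC provider is shared by every repository on github.com, so a role whose trust policy does not pin `sub` to one repo and one branch can be assumed from far more than this pipeline. The script below is an added example, not the homelab-iac repo's own code: it generates that trust policy, refuses to create the role if the policy is not scoped, and bootstraps the S3 bucket and DynamoDB table the Terraform S3 backend expects. The account ID, repo slug, role name and region are assumptions; the bucket and table names are the page's.

```shell
#!/bin/sh
# control_plane.sh: the IAM trust policy that lets ONE GitHub repository's workflow
# assume a role over OIDC (no stored keys), plus the S3/DynamoDB bootstrap Terraform's
# S3 backend expects. Added example, not the page's own code. The account ID, repo slug,
# role name and region are assumptions; bucket and table names are the page's.

ACCOUNT_ID=${ACCOUNT_ID:-123456789012}               # assumption
REPO=${REPO:-prajwolbikramadhikari/homelab-iac}      # assumption: owner/repo of the homelab-iac tf repo
BRANCH=${BRANCH:-main}
ROLE=${ROLE:-github-terraform}                       # assumption
REGION=${REGION:-us-east-1}
BUCKET=terraform-state                               # bucket names are global: prefix yours in practice
TABLE=terraform-state-lock

# github_trust_policy OWNER/REPO BRANCH -> trust policy JSON. Both conditions matter:
# aud pins the token to this audience, sub pins it to one repo and one branch. The OIDC
# provider is shared by every repository on github.com, so a role without a sub
# condition (or with "repo:owner/*") can be assumed from far more than your workflow.
github_trust_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:$1:ref:refs/heads/$2"
      }
    }
  }]
}
EOF
}

# trust_policy_sub JSON -> the sub condition value, empty if there is none
trust_policy_sub() {
    printf '%s\n' "$1" | sed -n 's/.*"token\.actions\.githubusercontent\.com:sub": *"\([^"]*\)".*/\1/p' | head -n 1
}

# trust_policy_is_scoped JSON -> 0 only if sub names exactly one repo and one branch or environment
trust_policy_is_scoped() {
    _sub=$(trust_policy_sub "$1")
    case "$_sub" in
        "")      echo "FAIL: no sub condition; any github.com repository could assume this role"; return 1 ;;
        *\**)    echo "FAIL: wildcard in sub ($_sub)"; return 1 ;;
        repo:*/*:ref:refs/heads/*|repo:*/*:environment:*) return 0 ;;
        *)       echo "FAIL: unexpected sub format ($_sub)"; return 1 ;;
    esac
}

# create_role: refuse to create the role unless the policy passes the check above.
# Prerequisite: the GitHub OIDC provider already exists in the account
# (aws iam create-open-id-connect-provider --url https://token.actions.githubusercontent.com ...).
create_role() {
    _f=$(mktemp)
    github_trust_policy "$REPO" "$BRANCH" > "$_f"
    trust_policy_is_scoped "$(cat "$_f")" || { rm -f "$_f"; return 1; }
    aws iam create-role --role-name "$ROLE" --assume-role-policy-document "file://$_f"
    rm -f "$_f"
}

# bootstrap_backend: versioned (roll back a bad apply), encrypted at rest, closed to the
# public, and the lock table whose hash key Terraform's S3 backend requires to be LockID.
# Outside us-east-1, create-bucket also needs --create-bucket-configuration LocationConstraint=$REGION.
bootstrap_backend() {
    aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"
    aws s3api put-bucket-versioning --bucket "$BUCKET" --versioning-configuration Status=Enabled
    aws s3api put-bucket-encryption --bucket "$BUCKET" --server-side-encryption-configuration \
        '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
    aws s3api put-public-access-block --bucket "$BUCKET" --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    aws dynamodb create-table --table-name "$TABLE" --region "$REGION" \
        --attribute-definitions AttributeName=LockID,AttributeType=S \
        --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST
}

case "${1:-}" in
    role)    create_role ;;
    backend) bootstrap_backend ;;
    *)       github_trust_policy "$REPO" "$BRANCH" ;;   # offline: print the policy for review
esac
```

On the workflow side the job needs `permissions: id-token: write` and `aws-actions/configure-aws-credentials` with `role-to-assume` set to this role's ARN; the action requests the token with audience `sts.amazonaws.com` by default, which is what the `aud` condition pins. Note that `sub` for a `workflow_run` or pull-request trigger is not `ref:refs/heads/main`, so a plan that should run on PRs needs its own, equally narrow, `sub` value rather than a wildcard.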
04
Hybrid Compute & Storage
K3s · Docker · Three Sites, Two Continents
🇺🇸
Waco, Texas
On-premise · Debian laptop
K3s master · Docker services
Prometheus
global aggregator · scrapes all 3 nodes
Grafana
cross-cloud dash · global latency
n8n
event automation · incident routing
AdGuard Home
local DNS · ad blocking
Homer
homelab dashboard · service overview
NPM
Nginx Proxy Mgr · reverse proxy
tunnel agent
cloudflared
outbound-only to CF ZT · exposes all 7 services
🇺🇸
Phoenix, Arizona
Oracle Cloud Free Tier
K3s worker · OCI ARM Ampere A1
K3s worker
4 vCPU · 24GB RAM · 200GB storage · ARM
Prometheus agent
node exporter · federated to Waco
AdGuard Home
public DNS · redundant resolver
mesh VPN
Tailscale
100.x.x.x stable IP · WireGuard under hood
🇳🇱
Amsterdam, NL
Insomnia 24/7 · shared shell
No root · user-land processes (tmux)
Node exporter
bound to 127.0.0.1:9100 · user-land binary
Probe script
cron every 5min · latency → Pushgateway
connectivity
Reverse SSH tunnel
localhost:19100 on Waco = NL node exporter
Connection fabric
Waco (master) ⟷ Phoenix (worker): Tailscale mesh VPN · WireGuard
Waco (homelab) ⟷ Amsterdam (NL): reverse SSH tunnel · port 19100
Waco → NL: rsync backups over SSH · K3s etcd + Terraform state (encrypt client-side before pushing: etcd snapshots and Terraform state carry secrets in the clear, and NL is a shared host)
All services → public internet: Cloudflare ZT tunnel · outbound only
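The Amsterdam node (no root, user-land processes only, node exporter bound to 127.0.0.1:9100, reverse SSH tunnel so that localhost:19100 on Waco is the NL exporter, cron probe pushing latency to a Pushgateway) and the Waco ⟷ Amsterdam leg of the connection fabric are one mechanism. The script below is an added example of it, not the page's own scripts: the tunnel loop the shared-shell account keeps alive under tmux, the `authorized_keys` line on Waco that confines that key to exactly the two forwards it needs, and the probe. The Waco SSH user and host, the Pushgateway port (9091, reached back over the same SSH session) and the metric names are assumptions; 9100 and 19100 are the page's own ports.

```shell
#!/bin/sh
# nl_node.sh: what the Amsterdam shell account runs without root, plus the matching
# lock-down on the Waco side. Added example, not the page's own scripts. The Waco
# SSH user/host, the Pushgateway port (9091) and the metric names are assumptions;
# 9100 (node exporter) and 19100 (its far end on Waco) are the page's own ports.

WACO_SSH=${WACO_SSH:-tunnel@waco.example.internal}        # assumption: dedicated low-privilege user on Waco
PUSHGW=${PUSHGW:-http://127.0.0.1:19091}                 # assumption: Waco's Pushgateway, reached back over the same session
TARGET_URL=${TARGET_URL:-https://prajwolbikramadhikari.com.np/}

# 1. Reverse tunnel. node_exporter is bound to 127.0.0.1:9100 here, so the ONLY way
#    in is this forward, and the far end is pinned to Waco's loopback (bind address
#    127.0.0.1 in -R; sshd's GatewayPorts default "no" enforces that regardless).
#    ExitOnForwardFailure turns a refused forward into a failed connection, so the loop
#    re-dials instead of holding a session that forwards nothing. BatchMode plus strict
#    host-key checking means Waco's host key must be pre-seeded in known_hosts.
tunnel_loop() {
    while :; do
        ssh -N \
            -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -R 127.0.0.1:19100:127.0.0.1:9100 \
            -L 127.0.0.1:19091:127.0.0.1:9091 \
            "$WACO_SSH" || true
        sleep 15    # back off, then re-dial
    done
}

# 2. Waco side, in the tunnel user's ~/.ssh/authorized_keys (one line): the NL key may
#    open exactly these two forwards and nothing else: no pty, no agent/X11 forwarding,
#    no other ports. "restrict" turns everything off; the options after it re-enable
#    only what the tunnel needs.
#    restrict,port-forwarding,permitlisten="127.0.0.1:19100",permitopen="127.0.0.1:9091" ssh-ed25519 AAAA... nl-tunnel

# 3. Probe (cron: */5 * * * * $HOME/nl_node.sh probe). Measures end-to-end time to the
#    portfolio edge from NL and pushes it as a gauge; -f makes an HTTP error a probe failure.
probe_latency_s() {
    curl -fsS -o /dev/null --max-time 10 -w '%{time_total}' "$TARGET_URL"
}

# probe_metrics STATUS SECONDS -> Prometheus text exposition for the Pushgateway.
# On failure only nl_probe_up 0 is emitted: a fake 0 ms sample would flatter the latency panel.
probe_metrics() {
    printf '# TYPE nl_probe_up gauge\nnl_probe_up %s\n' "$1"
    if [ "$1" = 1 ]; then
        _ms=$(awk -v s="$2" 'BEGIN { printf "%.1f", s * 1000 }')
        printf '# TYPE nl_probe_latency_ms gauge\nnl_probe_latency_ms{target="%s"} %s\n' "$TARGET_URL" "$_ms"
    fi
}

push_probe() {
    if _t=$(probe_latency_s); then _up=1; else _up=0; _t=0; fi
    probe_metrics "$_up" "$_t" \
        | curl -sS --max-time 10 --data-binary @- "$PUSHGW/metrics/job/nl_probe/instance/amsterdam"
}

case "${1:-}" in
    tunnel) tunnel_loop ;;
    probe)  push_probe ;;
    *)      probe_metrics 1 0.234 ;;   # offline: show one push body
esac
```

Start the tunnel with `tmux new -d 'sh nl_node.sh tunnel'` on the NL box. The two forwards run in one SSH session on purpose: the node exporter is pulled by Waco through `-R`, and the probe pushes to Waco through `-L`, so the shared host never needs an inbound port or a credential for anything but that one restricted key. An alert on `nl_probe_up == 0` or on the Pushgateway's `push_time_seconds` going stale tells the difference between the site being slow and the tunnel being down.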
05
Global Observability & Automation
Prometheus · Grafana · n8n · Discord
Federated monitoring
scrape targets
3 geographic nodes
Waco · Phoenix · Amsterdam · via Tailscale + SSH
probes
Blackbox exporter
portfolio uptime · NL latency via cron push
dashboards
Grafana
global latency panel · cross-cloud health
Event-driven automation (n8n)
trigger 1
GitHub webhook
workflow_run failure → Discord alert
trigger 2
Alertmanager
node down / critical → Discord + remediation
trigger 3
Health poll
Oracle + NL check · every 2 min
output
Discord
rich embeds · severity routing
Zone legend
Zone 1 — CI/CD pipeline
Zone 2 — Cloudflare edge
Zone 3 — AWS IaC control plane
Zone 4 — Hybrid compute
Zone 5 — Observability + automation
CI/CD live
Cloudflare DNS + tunnels live
Terraform IaC — in progress
K3s cluster — planned
Prometheus federation — planned
n8n automation — planned