LabSecure Control Plane: Building Observability and Container Management for My Home Lab
Continuing from “The Pi Guardian,” I took my home network from secure to observable.
🏗 Introduction
In my previous post — The Pi Guardian: Defending My Home Network with Nginx and Automation — I explained how I used two Raspberry Pis, Nginx, and Cloudflare to secure and automate incoming traffic to my self-hosted applications.
That setup worked beautifully until the number of workloads grew.
I could deploy and access my services securely, but I couldn’t easily track performance, container health, or system metrics across devices.
That’s when I started the LabSecure Control Plane project — an effort to unify monitoring and management for my home lab infrastructure.
⚙️ The Problem
With multiple Raspberry Pis and a TrueNAS SCALE server running different workloads, visibility quickly became a challenge:
Which containers are running where?
How much CPU/memory is each consuming?
What happens if one node goes down?
Manual SSH logins and docker ps weren’t scalable.
🧩 Phase 1 Goals
Centralized Container Management → control all hosts from one dashboard.
Unified Observability Pipeline → collect and visualize host + container metrics.
Automated Deployment → avoid manual tool installs via Ansible.
🏗 Architecture Overview

Figure 1: Architecture diagram showing the LabSecure Control Plane with TrueNAS SCALE as the control plane and two Raspberry Pis as workload nodes.
🖥 Multi-Host Container Management with Portainer
Portainer CE provides a unified interface to manage Docker containers across all hosts.
Server runs on TrueNAS SCALE
Agents on both Raspberry Pis
Direct TCP connection for real-time status and logs

Figure 2: Portainer CE managing containers across multiple workloads — both Raspberry Pis connected and active.
📈 Observability Stack with Prometheus
Metrics are collected via Node Exporter and cAdvisor on each Pi, then aggregated in Prometheus on TrueNAS.
This setup tracks CPU, memory, disk I/O, and container resource usage in real time.

Figure 3: Prometheus targets confirming all exporters and monitoring agents are active across workloads.
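The targets page answers "what happens if one node goes down?" only while someone is looking at it, so the same check can be scripted against the Prometheus `/api/v1/targets` API. The following is an added example, not code from this project: the host names `pi-1` and `pi-2`, the job names, and the sample response are assumptions constructed for illustration.

```javascript
// Exporters each node should expose. Host names are hypothetical; 9100 and
// 8080 are the default ports of Node Exporter and cAdvisor.
const EXPECTED = {
  "pi-1": ["pi-1:9100", "pi-1:8080"],
  "pi-2": ["pi-2:9100", "pi-2:8080"],
};

// Constructed sample of a GET /api/v1/targets response (not real lab output).
const SAMPLE_RESPONSE = {
  status: "success",
  data: { activeTargets: [
    { labels: { job: "node", instance: "pi-1:9100" }, health: "up", lastError: "" },
    { labels: { job: "cadvisor", instance: "pi-1:8080" }, health: "up", lastError: "" },
    { labels: { job: "node", instance: "pi-2:9100" }, health: "down",
      lastError: "context deadline exceeded" },
    // pi-2:8080 is deliberately absent, as if its scrape job was never added.
  ] },
};

// One finding per expected target that is not healthy. "missing" is kept apart
// from "down": an unconfigured target has no `up` series for `up == 0` to match.
function auditTargets(response, expected) {
  if (response.status !== "success") throw new Error("Prometheus query failed");
  const seen = new Map(response.data.activeTargets.map((t) => [t.labels.instance, t]));
  const findings = [];
  for (const [host, instances] of Object.entries(expected)) {
    for (const instance of instances) {
      const target = seen.get(instance);
      if (!target) {
        findings.push({ host, instance, state: "missing", detail: "no scrape target" });
      } else if (target.health !== "up") {
        findings.push({ host, instance, state: target.health, detail: target.lastError });
      }
    }
  }
  return findings;
}

// Per-node summary: "ok", "partial" (some exporters failing) or "no-metrics"
// (every exporter failing, which may mean the node itself is unreachable).
function nodeStatus(findings, expected) {
  const status = {};
  for (const [host, instances] of Object.entries(expected)) {
    const bad = findings.filter((f) => f.host === host).length;
    status[host] = bad === 0 ? "ok" : bad < instances.length ? "partial" : "no-metrics";
  }
  return status;
}
console.log(nodeStatus(auditTargets(SAMPLE_RESPONSE, EXPECTED), EXPECTED));
```

Driving the check from an inventory rather than from whatever Prometheus currently lists is what surfaces an exporter that was never registered.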
🔧 Automation with Ansible
All components are deployed using Ansible playbooks — no manual SSH installs needed.
Roles handle Portainer Agents, Node Exporters, and cAdvisor configuration, making redeployment idempotent and repeatable.
Example command:
ansible-playbook playbooks/setup-phase1.yml --tags monitoring
💡 Key Takeaways
Observability builds confidence — you can’t secure what you can’t see.
Automation scales time, even in a home lab.
DevOps principles translate well from enterprise to personal projects.
🚀 What’s Next (Phase 2)
The next phase focuses on building a Node.js/Express backend that integrates with Portainer and Prometheus APIs, storing metrics in SQLite and visualizing them through a React dashboard.
Stay tuned for that update — and if you’re building something similar, I’d love to compare notes!
🏁 Closing Thoughts
Together with The Pi Guardian, this project marks my journey from securing to observing my infrastructure — step by step turning a few Raspberry Pis and a NAS into a miniature, production-grade lab.
