Andromeda
Dashboard Quick Links System Overview About
Dashboard Quick Links System Overview About

Access Gateway

Identify for entry

No account? Request access

Invitation Access

Invite code required

Have an account? Login here

Home Lab Cluster

Live service telemetry from Proxmox

Quick Links

Direct access to self-hosted services

System Overview

Node-level performance metrics

Live telemetry integration coming soon — chart containers are ready for data binding.
⚡

CPU Usage

Pending
CPU LOAD — AWAITING DATA
Nodes pve01, pve02, pve03 Interval 30 s
🧠

Memory Usage

Pending
RAM UTILIZATION — AWAITING DATA
Nodes pve01, pve02, pve03 Interval 30 s
💾

Storage

Pending
DISK CAPACITY — AWAITING DATA
Pools local-lvm, ceph, nfs Interval 5 min
🌐

Network I/O

Pending
NETWORK THROUGHPUT — AWAITING DATA
Interfaces vmbr0, vmbr1 Interval 10 s

Andromeda — Home Lab Mission Control

A self-hosted infrastructure dashboard providing real-time telemetry, service monitoring, and secure access to homelab services.

Architecture

🌐 Browser
▶
⚡ Pages Function
Proxy
▶
☁️ Cloudflare
Edge
▶
🔒 Cloudflare
Tunnel
▶
📦 cloudflared
LXC
▶
🖥️ Proxmox VE
API

Every API request from the browser is intercepted by a Cloudflare Pages Function running at the edge. The function authenticates the request using a session cookie, injects the Proxmox API token from a secret environment variable, and proxies the call through a Cloudflare Tunnel to a cloudflared LXC container running on the Proxmox node. The Proxmox VE API responds with live cluster data — the browser never sees the credentials.

Tech Stack

🟨
Vanilla JS
No framework — SPA router, DOM rendering, and fetch all hand-rolled.
⚡
Cloudflare Pages Functions
Edge-side API proxy — keeps credentials server-side and out of the browser.
🗄️
Cloudflare D1
SQLite at the edge — stores user accounts with SHA-256 hashed passwords.
🔒
Cloudflare Tunnel
Zero-trust inbound tunnel — no open ports on the home network.
🖥️
Proxmox VE API
RRD telemetry and cluster resource data sourced directly from the hypervisor.
📊
Chart.js
Lightweight canvas charts for CPU, memory, storage, and network I/O.
🌐
Tailscale
WireGuard mesh VPN — direct access to services from any device on the tailnet.

Features

🔑

Auth

Invite-code gated registration and session-cookie login. Passwords are hashed with SHA-256 via the Web Crypto API before storage in Cloudflare D1.

Troubleshooting Story

Login returned 200 but the page never changed. The HttpOnly flag on the session cookie made it invisible to JavaScript, so the router always saw the user as unauthenticated and silently redirected back to the login screen.

📡

Dashboard

Live service health grid showing all Proxmox LXC containers and VMs. Status dots pulse green for online, amber for standby, and grey for offline. Auto-refreshes every 30 seconds.

Troubleshooting Story

The service grid returned "missing API token" even though the environment variable was set. Debug logging revealed a trailing space in the variable name — the code looked up PROXMOX_TOKEN_VALUE but Cloudflare stored PROXMOX_TOKEN_VALUE . Invisible characters, real bug.

🔗

Quick Links

Clickable tiles for every self-hosted service — Nextcloud, Vaultwarden, Jellyfin, AdGuard, Matrix, and more. Each tile shows a live status dot sourced from the Proxmox API. Tailscale URLs are used for direct mesh access.

📈

System Overview

Four live Chart.js charts rendering one hour of RRD telemetry from the Proxmox node: CPU utilisation, memory usage, root disk capacity, and network I/O. Refreshes every 60 seconds.

Troubleshooting Story

Chart.js loaded from a CDN URL pointing to a nonexistent version. The CDN returned an HTML error page, the browser rejected it for MIME type mismatch, and the failed script tag cascaded — breaking every script that loaded after it, including the router and login.

Infrastructure

The homelab runs on a single Proxmox VE node hosting 11 LXC containers — each service isolated in its own container with dedicated resource limits. A dedicated cloudflared container maintains the outbound Cloudflare Tunnel, eliminating the need for any open inbound ports on the home network. Tailscale is installed on the node and key containers, providing a WireGuard-encrypted mesh network for direct device-to-service access from anywhere on the tailnet without routing through the public internet.